无法使用 c++ 在 windows 中为对象访问(文件夹)添加审核策略 (ACE)

Not able to add Audit policy (ACE) for object access (Folder) in windows using c++

我正在编写一个 c++ 程序来添加 ACE 以对 SASL 进行对象访问审计。虽然所有功能 return 成功,但当我手动检查文件夹的属性时,我看不到任何策略已设置。

下面是我的代码。我已经修改了下面 link 的 MSDN 站点中给出的示例代码,以添加到 SASL 而不是 DACL。

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379283(v=vs.85).aspx

BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;

if (!LookupPrivilegeValue(
    NULL,            // lookup privilege on local system
    lpszPrivilege,   // privilege to lookup 
    &luid))        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError());
    return FALSE;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
    tp.Privileges[0].Attributes = 0;

// Enable the privilege or disable all privileges.

if (!AdjustTokenPrivileges(
    hToken,
    FALSE,
    &tp,
    sizeof(TOKEN_PRIVILEGES),
    (PTOKEN_PRIVILEGES)NULL,
    (PDWORD)NULL))
{
    printf("AdjustTokenPrivileges error: %u\n", GetLastError());
    return FALSE;
}

if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

{
    printf("The token does not have the specified privilege. \n");
    return FALSE;
}

return TRUE;
}


DWORD AddAceToObjectsSecurityDescriptor(
LPTSTR pszObjName,          // name of object
SE_OBJECT_TYPE ObjectType,  // type of object
LPTSTR pszTrustee          // trustee for new ACE
)
{
DWORD dwRes = 0;
PACL pOldSACL = NULL, pNewSACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
EXPLICIT_ACCESS ea;
HANDLE hToken;

if (NULL == pszObjName)
    return ERROR_INVALID_PARAMETER;

// Open a handle to the access token for the calling process.
if (!OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES,
    &hToken))
{
    printf("OpenProcessToken failed: %u\n", GetLastError());
    goto Cleanup;
}

// Enable the SE_SECURITY_NAME privilege.
if (!SetPrivilege(hToken, SE_SECURITY_NAME, TRUE))
{
    printf("You must be logged on as Administrator.\n");
    goto Cleanup;
}

// Get a pointer to the existing SACL.

dwRes = GetNamedSecurityInfo(pszObjName, ObjectType,
    SACL_SECURITY_INFORMATION,
    NULL, NULL, NULL, &pOldSACL, &pSD);
if (ERROR_SUCCESS != dwRes) {
    printf("GetNamedSecurityInfo Error %u\n", dwRes);
    goto Cleanup;
}

// Initialize an EXPLICIT_ACCESS structure for the new ACE. 

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
//ea.grfAccessPermissions = dwAccessRights;
ea.grfAccessPermissions = GENERIC_ALL;
//ea.grfAccessMode = AccessMode;
ea.grfAccessMode = SET_AUDIT_SUCCESS;
//ea.grfInheritance = dwInheritance;
ea.grfInheritance = INHERIT_ONLY;
//ea.Trustee.TrusteeForm = TrusteeForm;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.ptstrName = pszTrustee;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;

// Create a new ACL that merges the new ACE
// into the existing SACL.

dwRes = SetEntriesInAcl(1, &ea, pOldSACL, &pNewSACL);
if (ERROR_SUCCESS != dwRes)  {
    printf("SetEntriesInAcl Error %u\n", dwRes);
    goto Cleanup;
}

// Attach the new ACL as the object's SACL.

dwRes = SetNamedSecurityInfo(pszObjName, ObjectType,
    SACL_SECURITY_INFORMATION,
    NULL, NULL, NULL, pNewSACL);
if (ERROR_SUCCESS != dwRes)  {
    printf("SetNamedSecurityInfo Error %u\n", dwRes);
    goto Cleanup;
}

// Disable the SE_SECURITY_NAME privilege.
if (!SetPrivilege(hToken, SE_SECURITY_NAME, FALSE))
{
    printf("You must be logged on as Administrator.\n");
    goto Cleanup;
}

Cleanup:

if (pSD != NULL)
    LocalFree((HLOCAL)pSD);
if (pNewSACL != NULL)
    LocalFree((HLOCAL)pNewSACL);

return dwRes;
}

int _tmain(int argc, _TCHAR* argv[])
{
LPTSTR objstrname = L"C:\path\to\folder\Test_Folder";
LPTSTR trusteeName = L"UserName"; // I have mentioned username here
AddAceToObjectsSecurityDescriptor(objstrname, SE_FILE_OBJECT, trusteeName);
return 0;
}

虽然所有功能 return 都成功了,但我看不到正在设置任何新的审核策略。可能是我设置的参数有误,在这种情况下,我预计函数会失败。请帮助解决问题。

我认为问题在于您设置了错误的继承标志。

INHERIT_ONLY表示ACE不应用于对象,只能被子对象继承。

但是,您还没有设置 CONTAINER_INHERIT_ACEOBJECT_INHERIT_ACE。所以 ACE 不适用于子对象。

由于 ACE 既不适用于父项也不适用于子项,因此它没有任何作用,因此 Windows 丢弃它。