Directory Permission Watcher in c#

Tags:

c#

I have created a program which monitors a directory (e.g. \\server\share\folderXYZ) for change events (like created, deleted, renamed and permission changes). I also get a notification if anything changes, but I can't get exact details of what has changed.

For example, I have changed the permissions for the above directory from the folder properties (Properties -> Security -> Edit -> Add new user or group, or change permissions for users and groups). The file system watcher gives a notification that something changed, but I can't get other details like:

  1. For which user has the permission changed?
  2. Who changed the user permissions?
  3. Has any new group been added (need to get all users in the group if a new group is added)?
  4. If any new user is added to a group, who added them, and what are the added user's details?
  5. If any user or group is removed, what are the removed group or user details?
  6. If any permission is added or changed for a user, what permissions were added or changed?
  7. If any permissions are changed for a group, what permissions changed?

Example Scenarios:

Action: At 11am, the Admin added User A to Trainees (Existing group)

Expected Result:
Access to \\server\share\folderXYZ changed: User A now has Read access, given by Admin at 11am, because he is now a member of Trainees, which has Read access.

Hope the question is clear. I have done a lot of searching and couldn't find a solution. Please let me know if any API or service is available, or if there are any alternatives.

-Thanks

vivek asked Jul 04 '11 07:07


2 Answers

The way to get the information you want is to use Windows Security Auditing, esp. since you want to know who made a change, not just what the change was.

The following code (and settings) produce output like this:

11-07-2011 17:43:10: 'Fujitsu\Grynn' changed security descriptor on file 'C:\Users\Grynn\Documents\ExcelTools\test.txt'
from
'D:AI(A;;0x1200a9;;;BU)(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
to
'D:ARAI(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
using 'C:\Windows\explorer.exe'

12-07-2011 17:55:10: 'Fujitsu\Grynn' changed security descriptor on file 'C:\Users\Grynn\Documents\ExcelTools\test.txt'
from
'D:AI(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
to
'D:ARAI(D;;FA;;;S-1-5-21-559386011-2179397067-1987725642-1001)(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
using 'C:\Windows\explorer.exe'

Turning on Auditing has 2 steps:

1. Use gpedit.msc to turn on "Audit Object access" Group Policy

2. Modify "Auditing" for the folder you want to watch

[Image: Auditing Entry for an example folder 'ExcelTools']

Now, whenever a File System Change event occurs (or via polling), query the security event log.

Code to query 'Security' event log:

using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;   // ToArray() on the IList<object> returned by GetPropertyValues

// Fields to extract from each event, in the order the format string below expects them.
var props = new EventLogPropertySelector(new string[] {
                "Event/System/TimeCreated/@SystemTime",
                "Event/EventData/Data[@Name='SubjectDomainName']",
                "Event/EventData/Data[@Name='SubjectUserName']",
                "Event/EventData/Data[@Name='ObjectName']",
                "Event/EventData/Data[@Name='OldSd']",
                "Event/EventData/Data[@Name='NewSd']",
                "Event/EventData/Data[@Name='ProcessName']"  });

// Reading the Security log requires an elevated process.
using (var session = new EventLogSession())
{
    //4670 == Permissions on an object were changed
    var q = new EventLogQuery("Security", PathType.LogName, "*[System[(EventID=4670)]]");
    q.Session = session;

    // EventLogReader holds a native handle, so dispose it when done.
    using (var rdr = new EventLogReader(q))
    {
        for (EventRecord eventInstance = rdr.ReadEvent();
                null != eventInstance; eventInstance = rdr.ReadEvent())
        {
            var elr = (EventLogRecord)eventInstance;
            Console.WriteLine(
                "{0}: '{1}\\{2}' changed security descriptor on file '{3}' from \n'{4}' \nto \n'{5}' \nusing '{6}'\n----\n",
                elr.GetPropertyValues(props).ToArray());
        }
    }
}
Grynn answered Nov 17 '22 12:11
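
To turn the OldSd/NewSd pair reported by event 4670 into a list of what actually changed, the two SDDL strings can be parsed and their DACL entries compared. This is an added example, not code from the answer above; it is Windows-only, and the names SdDiff, Aces and Diff are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.AccessControl;

static class SdDiff   // hypothetical helper, not part of the answer's code
{
    // Render each DACL entry as "<AccessAllowed|AccessDenied> <SID>: <rights> (inherited|explicit)".
    static HashSet<string> Aces(RawSecurityDescriptor sd)
    {
        var set = new HashSet<string>();
        if (sd.DiscretionaryAcl == null) return set;   // descriptor carries no DACL
        foreach (GenericAce g in sd.DiscretionaryAcl)
        {
            var ace = g as CommonAce;
            set.Add(ace == null
                ? g.AceType + " (not decoded)"         // object/callback ACEs are only named
                : string.Format("{0} {1}: {2} ({3})",
                    ace.AceQualifier,
                    ace.SecurityIdentifier,
                    (FileSystemRights)ace.AccessMask,
                    ace.IsInherited ? "inherited" : "explicit"));
        }
        return set;
    }

    // "+" marks an entry only in the new descriptor, "-" an entry only in the old one.
    public static List<string> Diff(string oldSddl, string newSddl)
    {
        var oldSd = new RawSecurityDescriptor(oldSddl);
        var newSd = new RawSecurityDescriptor(newSddl);
        HashSet<string> before = Aces(oldSd), after = Aces(newSd);
        var lines = new List<string>();
        lines.AddRange(after.Except(before).Select(a => "+ " + a));
        lines.AddRange(before.Except(after).Select(a => "- " + a));
        // Inheritance/protection changes (AI, AR, P) show up in the control flags, not in the ACEs.
        if (oldSd.ControlFlags != newSd.ControlFlags)
            lines.Add("flags: " + oldSd.ControlFlags + " -> " + newSd.ControlFlags);
        return lines;
    }

    static void Main()
    {
        // OldSd / NewSd copied from the second sample event shown in the answer above.
        const string oldSd = "D:AI(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)";
        const string newSd = "D:ARAI(D;;FA;;;S-1-5-21-559386011-2179397067-1987725642-1001)(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)";
        foreach (string line in Diff(oldSd, newSd)) Console.WriteLine(line);
    }
}
```

SIDs are printed as-is; resolving them to account names depends on the machine or domain that issued them.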


From what I know/have been reading, FileSystemWatcher can only tell you the file that was affected along with the change type.

One way to go is for you to maintain a cache of the file attributes you're interested in, and in the presence of an event notifying a change, you query the cache to get the changes made and update it as necessary.

nick2083 answered Nov 17 '22 11:11