NT4/private/ntos/se/rmaudit.c
2020-09-30 17:12:29 +02:00

222 lines
5.2 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
rmaudit.c
Abstract:
This module contains the Reference Monitor Auditing Command Workers.
These workers call functions in the Auditing sub-component to do the real
work.
Author:
Scott Birrell (ScottBi) November 14,1991
Environment:
Kernel mode only.
Revision History:
--*/
#include <nt.h>
#include <ntlsa.h>
#include <ntos.h>
#include <ntrmlsa.h>
#include "sep.h"
#include "adt.h"
#include "adtp.h"
#include "rmp.h"
VOID
SepRmSetAuditLogWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,SepRmSetAuditEventWrkr)
#pragma alloc_text(PAGE,SepRmSetAuditLogWrkr)
#endif
VOID
SepRmSetAuditEventWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
)
/*++
Routine Description:
This function carries out the Reference Monitor Set Audit Event
Command. This command enables or disables auditing and optionally
sets the auditing events.
Arguments:
CommandMessage - Pointer to structure containing RM command message
information consisting of an LPC PORT_MESSAGE structure followed
by the command number (RmSetAuditStateCommand) and a single command
parameter in structure form.
ReplyMessage - Pointer to structure containing RM reply message
information consisting of an LPC PORT_MESSAGE structure followed
by the command ReturnedStatus field in which a status code from the
command will be returned.
Return Value:
VOID
--*/
{
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
POLICY_AUDIT_EVENT_TYPE EventType;
PAGED_CODE();
SepAdtInitializeBounds();
ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
//
// Strict check that command is correct one for this worker.
//
ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand );
//
// Extract the AuditingMode flag and put it in the right place.
//
SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
AuditingMode);
//
// For each element in the passed array, process changes to audit
// nothing, and then success or failure flags.
//
EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
EventAuditingOptions;
for ( EventType=AuditEventMinType;
EventType <= AuditEventMaxType;
EventType++ ) {
SeAuditingState[EventType].AuditOnSuccess = FALSE;
SeAuditingState[EventType].AuditOnFailure = FALSE;
if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) {
SeAuditingState[EventType].AuditOnSuccess = TRUE;
}
if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) {
SeAuditingState[EventType].AuditOnFailure = TRUE;
}
}
//
// Set the flag to indicate that we're auditing detailed events.
// This is merely a timesaver so we can skip auditing setup in
// time critical places like process creation.
//
//
// Despite what the UI may imply, we never audit failures for detailed events, since
// none of them can fail for security related reasons, and we're not interested in
// auditing out of memory errors and stuff like that. So just set this flag when
// they want to see successes and ignore the failure case.
//
// We may have to revisit this someday.
//
if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) {
SeDetailedAuditing = TRUE;
} else {
SeDetailedAuditing = FALSE;
}
return;
}
VOID
SepRmSetAuditLogWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
)
/*++
Routine Description:
This function carries out the Reference Monitor Set Audit Log
Command. This command stores parameters related to the Audit Log.
Arguments:
CommandMessage - Pointer to structure containing RM command message
information consisting of an LPC PORT_MESSAGE structure followed
by the command number (RmSetAuditStateCommand) and a single command
parameter in structure form.
ReplyMessage - Pointer to structure containing RM reply message
information consisting of an LPC PORT_MESSAGE structure followed
by the command ReturnedStatus field in which a status code from the
command will be returned.
Return Value:
None. A status code is returned in ReplyMessage->ReturnedStatus
--*/
{
//
// Strict check that command is correct one for this worker.
//
/* BUGWARNING - SCOTTBI - Auditing is disabled
ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand );
*/
PAGED_CODE();
#if DBG
DbgPrint("Security: RM Set Audit Log Command Received\n");
#endif
//
// Call private function in Auditing Sub-component to do the work.
//
SepAdtSetAuditLogInformation(
(PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams
);
ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
}