2020-09-30 16:53:55 +02:00

728 lines
21 KiB
C++

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright(C) 2001 - 2002 Microsoft Corporation
//
// File: auditing.cxx
//
//----------------------------------------------------------------------------
#include "..\pch\headers.hxx"
#include "authzi.h"
#include "msaudite.h"
#include "security.hxx"
#include "auditing.hxx"
AUTHZ_RESOURCE_MANAGER_HANDLE ghRM = 0;
AUTHZ_AUDIT_EVENT_TYPE_HANDLE ghAuditEventType = 0;
HRESULT
AuditATJob(const AT_INFO &AtInfo, LPCWSTR pwszFileName)
{
HRESULT hr = S_OK;
//
// Impersonate the caller
//
DWORD RpcStatus = RpcImpersonateClient(NULL);
if (RpcStatus != RPC_S_OK)
{
hr = _HRESULT_FROM_WIN32(RpcStatus);
return hr;
}
//
// Open the thread token
//
HANDLE hThreadToken = NULL;
BOOL bTokenOpened = OpenThreadToken(GetCurrentThread(),
TOKEN_QUERY, // Desired access.
TRUE, // Open as self.
&hThreadToken);
//
// End impersonation.
//
if ((RpcStatus = RpcRevertToSelf()) != RPC_S_OK)
{
ERR_OUT("RpcRevertToSelf", RpcStatus);
schAssert(!"RpcRevertToSelf failed");
hr = _HRESULT_FROM_WIN32(RpcStatus);
}
if (SUCCEEDED(hr))
{
if (bTokenOpened)
{
DWORD cbAccountSid = MAX_SID_SIZE;
BYTE pbTaskSid[MAX_SID_SIZE];
hr = GetNSAccountSid(pbTaskSid, cbAccountSid);
if (SUCCEEDED(hr))
{
hr = AuditJob(hThreadToken, pbTaskSid, pwszFileName);
}
CloseHandle(hThreadToken);
}
else
{
hr = _HRESULT_FROM_WIN32(GetLastError());
CHECK_HRESULT(hr);
}
}
return hr;
}
HRESULT
AuditJob(
HANDLE hThreadToken,
PSID pTaskSid,
LPCWSTR pwszFileName
)
{
//
// Caller has already been impersonated and thread token opened prior to calling of this function
//
HRESULT hr = S_OK;
//
// Get the user SID
//
BYTE rgbTokenInformation[USER_TOKEN_STACK_BUFFER_SIZE];
TOKEN_USER* pTokenUser = (TOKEN_USER*) rgbTokenInformation;
DWORD cbReturnLength;
if (GetTokenInformation(hThreadToken,
TokenUser,
pTokenUser,
USER_TOKEN_STACK_BUFFER_SIZE,
&cbReturnLength))
{
//
// Get the Authentication ID
//
BYTE rgbTokenStatistics[sizeof(TOKEN_STATISTICS)];
TOKEN_STATISTICS* pTokenStatistics = (TOKEN_STATISTICS*) rgbTokenStatistics;
if (GetTokenInformation(hThreadToken,
TokenStatistics,
pTokenStatistics,
sizeof(TOKEN_STATISTICS),
&cbReturnLength))
{
DWORD dwRet = GenerateJobCreatedAudit(pTokenUser->User.Sid,
pTaskSid,
&(pTokenStatistics->AuthenticationId),
pwszFileName);
hr = _HRESULT_FROM_WIN32(dwRet);
}
else
{
hr = _HRESULT_FROM_WIN32(GetLastError());
}
}
else
{
hr = _HRESULT_FROM_WIN32(GetLastError());
}
return hr;
}
HRESULT
GetJobAuditInfo(
LPCWSTR pwszFileName,
DWORD* pdwFlags,
LPWSTR* ppwszCommandLine,
LPWSTR* ppwszTriggers,
FILETIME* pftNextRun
)
{
if (!pwszFileName || pwszFileName[0] == L'\0' || !pftNextRun || !ppwszTriggers)
{
CHECK_HRESULT(E_INVALIDARG);
return(E_INVALIDARG);
}
//
// Init
//
*pdwFlags = 0;
*ppwszCommandLine = NULL;
*ppwszTriggers = NULL;
//
// Instantiate the job to get its run properties.
//
CJob* pJob = CJob::Create();
if (!pJob)
{
return E_OUTOFMEMORY;
}
HRESULT hr = pJob->LoadP(pwszFileName, 0, FALSE, TRUE);
if (FAILED(hr))
{
schDebugOut((DEB_ERROR, "GetTriggerAuditInfo: pJob->LoadP failed with error 0x%x\n", hr));
}
else
{
//
// Get the flags
//
pJob->GetAllFlags(pdwFlags); // this call returns void
//
// Get the application
//
WCHAR* pwszApplicationName = NULL;
hr = pJob->GetApplicationName(&pwszApplicationName);
if (FAILED(hr))
{
schDebugOut((DEB_ERROR, "GetTriggerAuditInfo: pJob->GetApplicationName failed with error 0x%x\n", hr));
}
else
{
//
// Get the parameters
//
WCHAR* pwszParameters = NULL;
hr = pJob->GetParameters(&pwszParameters);
if (FAILED(hr))
{
schDebugOut((DEB_ERROR, "GetTriggerAuditInfo: pJob->GetParameters failed with error 0x%x\n", hr));
}
else
{
//
// Produce command line by concatenating application name and parameters
//
size_t cchBuff = lstrlenW(pwszApplicationName) + 1 + lstrlenW(pwszParameters) + 1;
WCHAR* pwszCommandLine = new WCHAR[cchBuff];
if (!pwszCommandLine)
{
hr = E_OUTOFMEMORY;
}
else
{
StringCchCopy(pwszCommandLine, cchBuff, pwszApplicationName);
StringCchCat(pwszCommandLine, cchBuff, L" ");
StringCchCat(pwszCommandLine, cchBuff, pwszParameters);
//
// Return pointer to the command line string.
// This string will need to be deleted by the caller.
//
*ppwszCommandLine = pwszCommandLine;
//
// Zero out next run time return value in case of any failures.
// Get the next run time, convert it to a local file time then to UTC.
//
//pftNextRun->dwLowDateTime = 0;
//pftNextRun->dwHighDateTime = 0;
//
// due to temporary issues, use a different value than 0
// 1/1/1700 00:00:00,000
pftNextRun->dwLowDateTime = 0xAEC64000;
pftNextRun->dwHighDateTime = 0x006EFDDD;
SYSTEMTIME stNextRun;
hr = pJob->GetNextRunTime(&stNextRun);
if (S_OK == hr)
{
FILETIME ftNextRunLocal;
if (SystemTimeToFileTime(&stNextRun, &ftNextRunLocal))
{
LocalFileTimeToFileTime(&ftNextRunLocal, pftNextRun);
}
}
//
// Now get the triggers.
//
// Build up a string consisting of formatted string
// representations of all the triggers for the task.
//
WORD cTriggers;
hr = pJob->GetTriggerCount(&cTriggers);
if (FAILED(hr))
{
schDebugOut((DEB_ERROR, "GetTriggerAuditInfo: pJob->GetTriggerCount failed with error 0x%x\n", hr));
}
else
{
//
// Allocate initial buffer for concatenation of all trigger strings
//
const DWORD INITIAL_BUFFER_SIZE = 256; // start with enough space for 256 chars including null
const DWORD BUFFER_SIZE_INCREMENT = 256; // if necessary, grow buffer by this amount
DWORD dwSize = INITIAL_BUFFER_SIZE;
WCHAR* pwszTriggers = new WCHAR[dwSize]; // this will need to be deleted by the caller
if (!pwszTriggers)
{
hr = E_OUTOFMEMORY;
}
else
{
pwszTriggers[0] = L'\0';
DWORD dwSizeRequired;
WCHAR* pwszTemp;
WCHAR* pwszTriggerString;
for (short nTrigger = 0; nTrigger < cTriggers && SUCCEEDED(hr); nTrigger++)
{
hr = pJob->GetTriggerString(nTrigger, &pwszTriggerString);
if (FAILED(hr))
{
schDebugOut((DEB_ERROR, "GetTriggerAuditInfo: pJob->GetTriggerString failed with error 0x%x\n", hr));
}
else
{
//
// If not big enough, create larger buffer, copy, and delete old
//
dwSizeRequired = lstrlenW(pwszTriggers)
+ 2 // two spaces
+ lstrlenW(pwszTriggerString)
+ 2; // period plus null terminator
if (dwSizeRequired > dwSize)
{
dwSize += BUFFER_SIZE_INCREMENT;
if (dwSizeRequired > dwSize) // if still not big enough (very unlikely),
dwSize = dwSizeRequired; // make it big enough
pwszTemp = new WCHAR[dwSize];
if (!pwszTemp)
{
hr = E_OUTOFMEMORY;
}
else
{
StringCchCopy(pwszTemp, dwSize, pwszTriggers);
delete [] pwszTriggers;
pwszTriggers = pwszTemp;
}
}
if (SUCCEEDED(hr))
{
if (lstrlenW(pwszTriggers) > 0)
StringCchCat(pwszTriggers, dwSize, L" ");
StringCchCat(pwszTriggers, dwSize, pwszTriggerString);
StringCchCat(pwszTriggers, dwSize, L".");
}
CoTaskMemFree(pwszTriggerString);
}
}
if (SUCCEEDED(hr))
{
//
// If all was a success, return the pointer to the string of triggers.
// This string will need to be deleted by the caller.
//
*ppwszTriggers = pwszTriggers;
}
else
{
//
// If something went wrong, let's go ahead and clean up now.
//
if (pwszTriggers)
delete [] pwszTriggers;
}
}
}
}
CoTaskMemFree(pwszParameters);
}
CoTaskMemFree(pwszApplicationName);
}
}
if (pJob)
{
pJob->Release();
}
return hr;
}
/***************************************************************************\
* FUNCTION: StartupAuditing
*
* PURPOSE: Creates the resource manager and the audit event type handles.
*
* PARAMETERS:
*
* RETURNS: win32 error code
*
* History:
* 12-05-2001 maxa Created
*
\***************************************************************************/
DWORD
StartupAuditing(
)
{
DWORD dwError = ERROR_SUCCESS;
BOOL fResult = FALSE;
BOOL fWasEnabled = TRUE;
if (ghRM && ghAuditEventType)
{
goto Cleanup;
}
dwError = EnableNamedPrivilege(
L"SeAuditPrivilege",
TRUE,
&fWasEnabled);
if (dwError != ERROR_SUCCESS)
{
goto Cleanup;
}
fResult = AuthzInitializeResourceManager(
0, // no special flags
NULL, // PFN_AUTHZ_DYNAMIC_ACCESS_CHECK
NULL, // PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS
NULL, // PFN_AUTHZ_FREE_DYNAMIC_GROUPS
L"Scheduler", // RM name
&ghRM
);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
fResult = AuthziInitializeAuditEventType(
0,
SE_CATEGID_DETAILED_TRACKING,
SE_AUDITID_JOB_CREATED,
7,
&ghAuditEventType
);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
Cleanup:
if (!fWasEnabled)
{
EnableNamedPrivilege(
L"SeAuditPrivilege",
FALSE,
&fWasEnabled);
}
if (dwError != ERROR_SUCCESS)
{
ShutdownAuditing();
}
return dwError;
}
/***************************************************************************\
* FUNCTION: ShutdownAuditing
*
* PURPOSE: Deletes the resource manager and the audit event type handles.
*
* PARAMETERS:
*
* RETURNS:
*
* History:
* 12-05-2001 maxa Created
*
\***************************************************************************/
VOID
ShutdownAuditing(
)
{
if (ghAuditEventType)
{
AuthziFreeAuditEventType(ghAuditEventType);
ghAuditEventType = 0;
}
if (ghRM)
{
AuthzFreeResourceManager(ghRM);
ghRM = 0;
}
}
/***************************************************************************\
* FUNCTION: GenerateJobCreatedAudit
*
* PURPOSE: Generates an audit-event indicating that a job has
* been created.
*
* PARAMETERS: pUserSid:
* SID of the account that created the job.
* pTaskSid:
* SID of the account the job is to run as.
* pLogonId:
* LogonId of the account that created the job.
* pszFileName:
* File name of the newly created job in the Tasks folder.
*
* RETURNS: win32 error code
*
* History:
* 10-01-2001 maxa Created
* 11-07-2001 shbrown Updated for use with tasks rather than AT jobs
*
\***************************************************************************/
DWORD
GenerateJobCreatedAudit(
IN PSID pUserSid,
IN PSID pTaskSid,
IN PLUID pLogonId,
IN PCWSTR pwszFileName
)
{
DWORD dwError = ERROR_SUCCESS;
BOOL fResult = FALSE;
AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent = NULL;
AUDIT_PARAMS AuditParams = {0};
AUDIT_PARAM ParamArray[10] = {APT_None};
PSID pDummySid = NULL;
ASSERT(pUserSid);
ASSERT(pTaskSid);
ASSERT(pLogonId);
ASSERT(pwszFileName && pwszFileName[0]);
ASSERT(ghRM);
ASSERT(ghAuditEventType);
//
// Get the job audit info
//
DWORD dwFlags;
LPWSTR pwszCommandLine = NULL; // this will need to be deleted after use
LPWSTR pwszTriggers = NULL; // this will need to be deleted after use
FILETIME ftNextRun;
HRESULT hr = GetJobAuditInfo(pwszFileName, &dwFlags, &pwszCommandLine, &pwszTriggers, &ftNextRun);
if (FAILED(hr))
{
goto Cleanup;
}
AuditParams.Parameters = ParamArray;
fResult = AuthziInitializeAuditParams(
APF_AuditSuccess,
&AuditParams,
&pDummySid,
L"Security",
7,
APT_String | AP_Filespec, pwszFileName,
APT_String, pwszCommandLine,
APT_String, pwszTriggers,
APT_Time, ftNextRun,
APT_Ulong | AP_FormatHex, dwFlags,
APT_Sid, pTaskSid,
APT_LogonId, *pLogonId
);
if (!fResult)
{
goto Error;
}
//
// this is ugly, but currently there is no other way
// do we still need this?
//
ParamArray[0].Data0 = (ULONG_PTR)pUserSid;
fResult = AuthziInitializeAuditEvent(
0, // flags
ghRM, // resource manager
ghAuditEventType,
&AuditParams,
NULL, // hAuditQueue
INFINITE, // time out
L"", L"", L"", L"", // obj access strings
&hAuditEvent
);
if (!fResult)
{
goto Error;
}
fResult = AuthziLogAuditEvent(
0, // flags
hAuditEvent,
NULL // reserved
);
if (!fResult)
{
goto Error;
}
Cleanup:
if (pwszCommandLine)
{
delete [] pwszCommandLine;
}
if (pwszTriggers)
{
delete [] pwszTriggers;
}
if (hAuditEvent)
{
AuthzFreeAuditEvent(hAuditEvent);
}
if (pDummySid)
{
LocalFree(pDummySid);
}
return dwError;
Error:
dwError = GetLastError();
goto Cleanup;
}
/***************************************************************************\
* FUNCTION: EnableNamedPrivilege
*
* PURPOSE: Enable or disable a privilege by its name.
*
* PARAMETERS: pszPrivName:
* Name of privilege to enable.
* fEnable:
* Enable/Disable flag.
* pfWasEnabled:
* Optional pointer to flag to receive the previous state.
*
* RETURNS: win32 error code
*
* History:
* 12-05-2001 maxa Created
*
\***************************************************************************/
DWORD
EnableNamedPrivilege(
IN PCWSTR pszPrivName,
IN BOOL fEnable,
OUT PBOOL pfWasEnabled OPTIONAL
)
{
DWORD dwError = ERROR_SUCCESS;
BOOL fResult;
HANDLE hToken = 0;
DWORD dwSize = 0;
TOKEN_PRIVILEGES newPriv;
TOKEN_PRIVILEGES oldPriv;
fResult = OpenProcessToken(
GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
fResult = LookupPrivilegeValue(
0,
pszPrivName,
&newPriv.Privileges[0].Luid);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
newPriv.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
newPriv.PrivilegeCount = 1;
fResult = AdjustTokenPrivileges(
hToken,
FALSE,
&newPriv,
sizeof oldPriv,
&oldPriv,
&dwSize);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
if (pfWasEnabled)
{
if (oldPriv.PrivilegeCount == 0)
{
*pfWasEnabled = fEnable;
}
else
{
*pfWasEnabled =
(oldPriv.Privileges[0].Attributes & SE_PRIVILEGE_ENABLED) ?
TRUE : FALSE;
}
}
Cleanup:
if (hToken)
{
CloseHandle(hToken);
}
return dwError;
}