Main Page | Class Hierarchy | Class List | File List | Class Members | File Members

adtinit.c

Go to the documentation of this file.
00001 /*++
00002 
00003 Copyright (c) 1991  Microsoft Corporation
00004 
00005 Module Name:
00006 
00007     adtinit.c
00008 
00009 Abstract:
00010 
00011     Auditing - Initialization Routines
00012 
00013 Author:
00014 
00015     Scott Birrell       (ScottBi)       November 12, 1991
00016 
00017 Environment:
00018 
00019     Kernel Mode only
00020 
00021 Revision History:
00022 
00023 --*/
00024 
00025 
00026 #include <nt.h>
00027 #include "sep.h"
00028 #include "adt.h"
00029 #include "adtp.h"
00030 
00031 #ifdef ALLOC_PRAGMA
00032 #pragma alloc_text(PAGE,SepAdtInitializePhase1)
00033 #pragma alloc_text(PAGE,SepAdtInitializeBounds)
00034 #pragma alloc_text(PAGE,SepAdtValidateAuditBounds)
00035 #endif
00036 
00037 
00038 BOOLEAN
00039 SepAdtValidateAuditBounds(
00040     ULONG Upper,
00041     ULONG Lower
00042     )
00043 
00044 /*++
00045 
00046 Routine Description:
00047 
00048     Examines the audit queue high and low water mark values and performs
00049     a general sanity check on them.
00050 
00051 Arguments:
00052 
00053     Upper - High water mark.
00054 
00055     Lower - Low water mark.
00056 
00057 Return Value:
00058 
00059     TRUE - values are acceptable.
00060 
00061     FALSE - values are unacceptable.
00062 
00063 
00064 --*/
00065 
00066 {
00067     PAGED_CODE();
00068 
00069     if ( Lower >= Upper ) {
00070         return( FALSE );
00071     }
00072 
00073     if ( Lower < 16 ) {
00074         return( FALSE );
00075     }
00076 
00077     if ( (Upper - Lower) < 16 ) {
00078         return( FALSE );
00079     }
00080 
00081     return( TRUE );
00082 }
00083 
00084 BOOLEAN
00085 SepAdtInitializePhase1()
00086 
00087 /*++
00088 
00089 Routine Description:
00090 
00091     This function performs Phase 1 Initialization for the Auditing subcomponent
00092     of Security.  Global variables are initialized within the Nt Executive
00093     and Auditing is turned off.
00094 
00095 Arguments:
00096 
00097     None
00098 
00099 Return Value:
00100 
00101     BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
00102 
00103 --*/
00104 
00105 {
00106     PAGED_CODE();
00107 
00108     RtlInitUnicodeString( &SeSubsystemName, L"Security" );
00109 
00110     return( TRUE );
00111 }
00112 
00113 
00114 
00115 
00116 VOID
00117 SepAdtInitializeBounds(
00118     VOID
00119     )
00120 
00121 /*++
00122 
00123 Routine Description:
00124 
00125     Queries the registry for the high and low water mark values for the
00126     audit log.  If they are not found or are unacceptable, returns without
00127     modifying the current values, which are statically initialized.
00128 
00129 Arguments:
00130 
00131     None.
00132 
00133 Return Value:
00134 
00135     None.
00136 
00137 --*/
00138 
00139 {
00140 
00141     HANDLE KeyHandle;
00142     OBJECT_ATTRIBUTES ObjectAttributes;
00143     UNICODE_STRING KeyName;
00144     UNICODE_STRING ValueName;
00145     NTSTATUS Status;
00146     PSEP_AUDIT_BOUNDS AuditBounds;
00147     PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
00148     ULONG Length;
00149 
00150     PAGED_CODE();
00151 
00152     //
00153     // Get the high and low water marks out of the registry.
00154     //
00155 
00156     RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
00157 
00158     InitializeObjectAttributes(
00159         &ObjectAttributes,
00160         &KeyName,
00161         OBJ_CASE_INSENSITIVE,
00162         NULL,
00163         NULL
00164         );
00165 
00166     Status = NtOpenKey(
00167                  &KeyHandle,
00168                  KEY_QUERY_VALUE,
00169                  &ObjectAttributes
00170                  );
00171 
00172     if (!NT_SUCCESS( Status )) {
00173 
00174         //
00175         // Didn't work, take the defaults
00176         //
00177 
00178         return;
00179     }
00180 
00181     RtlInitUnicodeString( &ValueName, L"Bounds");
00182 
00183     Length = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) - sizeof( UCHAR ) + sizeof( SEP_AUDIT_BOUNDS );
00184 
00185     KeyValueInformation = ExAllocatePool( PagedPool, Length );
00186 
00187     if ( KeyValueInformation == NULL ) {
00188 
00189         NtClose( KeyHandle );
00190         return;
00191     }
00192 
00193     Status = NtQueryValueKey(
00194                  KeyHandle,
00195                  &ValueName,
00196                  KeyValuePartialInformation,
00197                  (PVOID)KeyValueInformation,
00198                  Length,
00199                  &Length
00200                  );
00201 
00202     NtClose( KeyHandle );
00203 
00204     if (!NT_SUCCESS( Status )) {
00205 
00206         ExFreePool( KeyValueInformation );
00207         return;
00208     }
00209 
00210 
00211     AuditBounds = (PSEP_AUDIT_BOUNDS) &KeyValueInformation->Data;
00212 
00213     //
00214     // Sanity check what we got back
00215     //
00216 
00217     if(!SepAdtValidateAuditBounds( AuditBounds->UpperBound, AuditBounds->LowerBound )) {
00218 
00219         //
00220         // The values we got back are not to our liking.  Use the defaults.
00221         //
00222 
00223         ExFreePool( KeyValueInformation );
00224         return;
00225     }
00226 
00227     //
00228     // Take what we got from the registry.
00229     //
00230 
00231     SepAdtMaxListLength = AuditBounds->UpperBound;
00232     SepAdtMinListLength = AuditBounds->LowerBound;
00233 
00234     ExFreePool( KeyValueInformation );
00235 
00236     return;
00237 }
00238 
00239 
00240 
00241 NTSTATUS
00242 SepAdtInitializeCrashOnFail(
00243     VOID
00244     )
00245 
00246 /*++
00247 
00248 Routine Description:
00249 
00250     Reads the registry to see if the user has told us to crash if an audit fails.
00251 
00252 Arguments:
00253 
00254     None.
00255 
00256 Return Value:
00257 
00258     STATUS_SUCCESS
00259 
00260 --*/
00261 
00262 {
00263     HANDLE KeyHandle;
00264     NTSTATUS Status;
00265     NTSTATUS TmpStatus;
00266     OBJECT_ATTRIBUTES Obja;
00267     ULONG ResultLength;
00268     UNICODE_STRING KeyName;
00269     UNICODE_STRING ValueName;
00270     CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
00271     PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
00272 
00273     SepCrashOnAuditFail = FALSE;
00274 
00275     //
00276     // Check the value of the CrashOnAudit flag in the registry.
00277     //
00278 
00279     RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
00280 
00281     InitializeObjectAttributes( &Obja,
00282                                 &KeyName,
00283                                 OBJ_CASE_INSENSITIVE,
00284                                 NULL,
00285                                 NULL
00286                                 );
00287 
00288     Status = NtOpenKey(
00289                  &KeyHandle,
00290                  KEY_QUERY_VALUE | KEY_SET_VALUE,
00291                  &Obja
00292                  );
00293 
00294     if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
00295         return( STATUS_SUCCESS );
00296     }
00297 
00298     RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE );
00299 
00300     Status = NtQueryValueKey(
00301                  KeyHandle,
00302                  &ValueName,
00303                  KeyValuePartialInformation,
00304                  KeyInfo,
00305                  sizeof(KeyInfo),
00306                  &ResultLength
00307                  );
00308 
00309     TmpStatus = NtClose(KeyHandle);
00310     ASSERT(NT_SUCCESS(TmpStatus));
00311 
00312     //
00313     // If the key isn't there, don't turn on CrashOnFail.
00314     //
00315 
00316     if (NT_SUCCESS( Status )) {
00317 
00318         pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
00319         if ((UCHAR) *(pKeyInfo->Data) == LSAP_CRASH_ON_AUDIT_FAIL) {
00320             SepCrashOnAuditFail = TRUE;
00321         }
00322     }
00323 
00324     return( STATUS_SUCCESS );
00325 }
00326 
00327 
00328 BOOLEAN
00329 SepAdtInitializePrivilegeAuditing(
00330     VOID
00331     )
00332 
00333 /*++
00334 
00335 Routine Description:
00336 
00337     Checks to see if there is an entry in the registry telling us to do full privilege auditing
00338     (which currently means audit everything we normall audit, plus backup and restore privileges).
00339 
00340 Arguments:
00341 
00342     None
00343 
00344 Return Value:
00345 
00346     BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
00347 
00348 --*/
00349 
00350 {
00351     HANDLE KeyHandle;
00352     NTSTATUS Status;
00353     NTSTATUS TmpStatus;
00354     OBJECT_ATTRIBUTES Obja;
00355     ULONG ResultLength;
00356     UNICODE_STRING KeyName;
00357     UNICODE_STRING ValueName;
00358     CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
00359     PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
00360     BOOLEAN Verbose;
00361 
00362     PAGED_CODE();
00363 
00364     //
00365     // Query the registry to set up the privilege auditing filter.
00366     //
00367 
00368     RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
00369 
00370     InitializeObjectAttributes( &Obja,
00371                                 &KeyName,
00372                                 OBJ_CASE_INSENSITIVE,
00373                                 NULL,
00374                                 NULL
00375                                 );
00376 
00377     Status = NtOpenKey(
00378                  &KeyHandle,
00379                  KEY_QUERY_VALUE | KEY_SET_VALUE,
00380                  &Obja
00381                  );
00382 
00383 
00384     if (!NT_SUCCESS( Status )) {
00385 
00386         if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
00387 
00388             return ( SepInitializePrivilegeFilter( FALSE ));
00389 
00390         } else {
00391 
00392             return( FALSE );
00393         }
00394     }
00395 
00396     RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING );
00397 
00398     Status = NtQueryValueKey(
00399                  KeyHandle,
00400                  &ValueName,
00401                  KeyValuePartialInformation,
00402                  KeyInfo,
00403                  sizeof(KeyInfo),
00404                  &ResultLength
00405                  );
00406 
00407     TmpStatus = NtClose(KeyHandle);
00408     ASSERT(NT_SUCCESS(TmpStatus));
00409 
00410     if (!NT_SUCCESS( Status )) {
00411 
00412         Verbose = FALSE;
00413 
00414     } else {
00415 
00416         pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
00417         Verbose = (BOOLEAN) *(pKeyInfo->Data);
00418     }
00419 
00420     return ( SepInitializePrivilegeFilter( Verbose ));
00421 }
00422 
00423 
00424 VOID
00425 SepAdtInitializeAuditingOptions(
00426     VOID
00427     )
00428 
00429 /*++
00430 
00431 Routine Description:
00432 
00433     Initialize options that control auditing.
00434     (please refer to note in adtp.h near the def. of SEP_AUDIT_OPTIONS)
00435 
00436 Arguments:
00437 
00438     None
00439 
00440 Return Value:
00441 
00442     None
00443 
00444 --*/
00445 
00446 {
00447     HANDLE KeyHandle;
00448     NTSTATUS Status;
00449     NTSTATUS TmpStatus;
00450     OBJECT_ATTRIBUTES Obja;
00451     ULONG ResultLength;
00452     UNICODE_STRING KeyName;
00453     UNICODE_STRING ValueName;
00454     CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
00455 
00456     PAGED_CODE();
00457 
00458     //
00459     // Query the registry 
00460     //
00461     RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\AuditingOptions");
00462 
00463     InitializeObjectAttributes( &Obja,
00464                                 &KeyName,
00465                                 OBJ_CASE_INSENSITIVE,
00466                                 NULL,
00467                                 NULL
00468                                 );
00469 
00470     Status = NtOpenKey(
00471                  &KeyHandle,
00472                  KEY_QUERY_VALUE,
00473                  &Obja
00474                  );
00475 
00476 
00477     if (!NT_SUCCESS( Status )) {
00478 
00479         goto Cleanup;
00480     }
00481 
00482     RtlInitUnicodeString( &ValueName, L"DoNotAuditCloseObjectEvents" );
00483 
00484     Status = NtQueryValueKey(
00485                  KeyHandle,
00486                  &ValueName,
00487                  KeyValuePartialInformation,
00488                  KeyInfo,
00489                  sizeof(KeyInfo),
00490                  &ResultLength
00491                  );
00492 
00493     TmpStatus = NtClose(KeyHandle);
00494     ASSERT(NT_SUCCESS(TmpStatus));
00495 
00496     if (NT_SUCCESS( Status )) {
00497         //
00498         // we check for the presence of this value, its value does not matter
00499         //
00500         SepAuditOptions.DoNotAuditCloseObjectEvents = TRUE;
00501     }
00502 
00503 Cleanup:
00504 
00505     return;
00506 }
00507
Generated on Sat May 15 19:39:13 2004 for test by doxygen 1.3.7