adtlog.c File Reference

#include <nt.h>
#include <ntos.h>
#include <zwapi.h>
#include "sep.h"
#include "sertlp.h"
#include "adt.h"
#include "adtp.h"
#include "rmp.h"

Go to the source code of this file.

Functions
VOID	SepAdtLogAuditRecord (IN PSE_ADT_PARAMETER_ARRAY AuditParameters)
VOID	SepAuditFailed (VOID)
NTSTATUS	SepAdtMarshallAuditRecord (IN PSE_ADT_PARAMETER_ARRAY AuditParameters, OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters, OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType)
VOID	SepAdtSetAuditLogInformation (IN PPOLICY_AUDIT_LOG_INFO AuditLogInformation)
NTSTATUS	SepAdtCopyToLsaSharedMemory (IN HANDLE LsaProcessHandle, IN PVOID Buffer, IN ULONG BufferLength, OUT PVOID *LsaBufferAddress)
BOOLEAN	SepQueueWorkItem (IN PSEP_LSA_WORK_ITEM LsaWorkItem, IN BOOLEAN ForceQueue)
PSEP_LSA_WORK_ITEM	SepDequeueWorkItem (VOID)

---

Function Documentation

NTSTATUS SepAdtCopyToLsaSharedMemory (  IN HANDLE  LsaProcessHandle, IN PVOID  Buffer, IN ULONG  BufferLength, OUT PVOID *  LsaBufferAddress )

Definition at line 504 of file adtlog.c. References ASSERT, Buffer, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, and Status. Referenced by SepRmCallLsa(). : This function allocates memory shared with the LSA and optionally copies a given buffer to it. Arguments: LsaProcessHandle - Specifies a handle to the Lsa Process. Buffer - Pointer to the buffer to be copied. BufferLength - Length of buffer. LsaBufferAddress - Receives the address of the buffer valid in the Lsa process context. Return Value: NTSTATUS - Standard Nt Result Code Result codes returned by called routines. --*/ { NTSTATUS Status, SecondaryStatus; PVOID OutputLsaBufferAddress = NULL; SIZE_T RegionSize = BufferLength; PAGED_CODE(); Status = ZwAllocateVirtualMemory( LsaProcessHandle, &OutputLsaBufferAddress, 0, &RegionSize, MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(Status)) { goto CopyToLsaSharedMemoryError; } Status = ZwWriteVirtualMemory( LsaProcessHandle, OutputLsaBufferAddress, Buffer, BufferLength, NULL ); if (!NT_SUCCESS(Status)) { goto CopyToLsaSharedMemoryError; } *LsaBufferAddress = OutputLsaBufferAddress; return(Status); CopyToLsaSharedMemoryError: // // If we allocated memory, free it. // if (OutputLsaBufferAddress != NULL) { RegionSize = 0; SecondaryStatus = ZwFreeVirtualMemory( LsaProcessHandle, &OutputLsaBufferAddress, &RegionSize, MEM_RELEASE ); ASSERT(NT_SUCCESS(SecondaryStatus)); OutputLsaBufferAddress = NULL; } return(Status); }

VOID SepAdtLogAuditRecord (  IN PSE_ADT_PARAMETER_ARRAY  AuditParameters  )

Definition at line 52 of file adtlog.c. References _SEP_LSA_WORK_ITEM::CleanupFunction, _SEP_LSA_WORK_ITEM::CommandNumber, _SEP_LSA_WORK_ITEM::CommandParams, _SEP_LSA_WORK_ITEM::CommandParamsLength, _SEP_LSA_WORK_ITEM::CommandParamsMemoryType, ExAllocatePoolWithTag, ExFreePool(), FALSE, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, PagedPool, _SEP_LSA_WORK_ITEM::ReplyBuffer, _SEP_LSA_WORK_ITEM::ReplyBufferLength, SEP_LSA_WORK_ITEM, SepAdtMarshallAuditRecord(), SepAuditFailed(), SepAuditRecord, SepCrashOnAuditFail, SepQueueWorkItem(), Status, _SEP_LSA_WORK_ITEM::Tag, and TRUE. Referenced by SeAuditHandleDuplication(), SeAuditProcessCreation(), SeAuditProcessExit(), SepAdtCloseObjectAuditAlarm(), SepAdtDeleteObjectAuditAlarm(), SepAdtGenerateDiscardAudit(), SepAdtHandleAuditAlarm(), SepAdtObjectReferenceAuditAlarm(), SepAdtOpenObjectAuditAlarm(), SepAdtOpenObjectForDeleteAuditAlarm(), SepAdtPrivilegedServiceAuditAlarm(), and SepAdtPrivilegeObjectAuditAlarm(). : This function manages the logging of Audit Records. It provides the single interface to the Audit Logging component from the Audit/Alarm generation routines. The function constructs an Audit Record in self-relative format from the information provided and appends it to the Audit Record Queue, a doubly-linked list of Audit Records awaiting output to the Audit Log. A dedicated thread reads this queue, writing Audit Records to the Audit Log and removing them from the Audit Queue. Arguments: AuditEventType - Specifies the type of the Audit Event described by the audit information provided. AuditInformation - Pointer to buffer containing captured auditing information related to an Audit Event of type AuditEventType. Return Value: STATUS_SUCCESS STATUS_UNSUCCESSFUL - Audit record was not queued STATUS_INSUFFICIENT_RESOURCES - unable to allocate heap --*/ { NTSTATUS Status; PSEP_LSA_WORK_ITEM AuditWorkItem; PAGED_CODE(); AuditWorkItem = ExAllocatePoolWithTag( PagedPool, sizeof( SEP_LSA_WORK_ITEM ), 'iAeS' ); if ( AuditWorkItem == NULL ) { SepAuditFailed(); return; } AuditWorkItem->Tag = SepAuditRecord; AuditWorkItem->CommandNumber = LsapWriteAuditMessageCommand; AuditWorkItem->ReplyBuffer = NULL; AuditWorkItem->ReplyBufferLength = 0; AuditWorkItem->CleanupFunction = NULL; // // Build an Audit record in self-relative format from the supplied // Audit Information. // Status = SepAdtMarshallAuditRecord( AuditParameters, (PSE_ADT_PARAMETER_ARRAY *) &AuditWorkItem->CommandParams.BaseAddress, &AuditWorkItem->CommandParamsMemoryType ); if (NT_SUCCESS(Status)) { // // Extract the length of the Audit Record. Store it as the length // of the Command Parameters buffer. // AuditWorkItem->CommandParamsLength = ((PSE_ADT_PARAMETER_ARRAY) AuditWorkItem->CommandParams.BaseAddress)->Length; // // If we're going to crash on a discarded audit, ignore the queue bounds // check and force the item onto the queue. // if (!SepQueueWorkItem( AuditWorkItem, (BOOLEAN)(SepCrashOnAuditFail ? TRUE : FALSE) )) { ExFreePool( AuditWorkItem->CommandParams.BaseAddress ); ExFreePool( AuditWorkItem ); // // We failed to put the record on the queue. Take whatever action is // appropriate. // SepAuditFailed(); } } else { ExFreePool( AuditWorkItem ); SepAuditFailed(); } }

NTSTATUS SepAdtMarshallAuditRecord (  IN PSE_ADT_PARAMETER_ARRAY  AuditParameters, OUT PSE_ADT_PARAMETER_ARRAY *  MarshalledAuditParameters, OUT PSEP_RM_LSA_MEMORY_TYPE  RecordMemoryType )

Definition at line 264 of file adtlog.c. References ASSERT, ExAllocatePoolWithTag, FALSE, NULL, PAGED_CODE, PagedPool, and SourceString. Referenced by SepAdtLogAuditRecord(). : This routine will take an AuditParamters structure and create a new AuditParameters structure that is suitable for sending to LSA. It will be in self-relative form and allocated as a single chunk of memory. Arguments: AuditParameters - A filled in set of AuditParameters to be marshalled. MarshalledAuditParameters - Returns a pointer to a block of heap memory containing the passed AuditParameters in self-relative form suitable for passing to LSA. Return Value: None. --*/ { ULONG i; ULONG TotalSize = sizeof( SE_ADT_PARAMETER_ARRAY ); PUNICODE_STRING TargetString; PCHAR Base; ULONG BaseIncr; PAGED_CODE(); // // Calculate the total size required for the passed AuditParameters // block. This calculation will probably be an overestimate of the // amount of space needed, because data smaller that 2 dwords will // be stored directly in the parameters structure, but their length // will be counted here anyway. The overestimate can't be more than // 24 dwords, and will never even approach that amount, so it isn't // worth the time it would take to avoid it. // for (i=0; i<AuditParameters->ParameterCount; i++) { TotalSize += (ULONG)LongAlignSize(AuditParameters->Parameters[i].Length); } // // Allocate a big enough block of memory to hold everything. // If it fails, quietly abort, since there isn't much else we // can do. // *MarshalledAuditParameters = ExAllocatePoolWithTag( PagedPool, TotalSize, 'pAeS' ); if (*MarshalledAuditParameters == NULL) { *RecordMemoryType = SepRmNoMemory; return(STATUS_INSUFFICIENT_RESOURCES); } *RecordMemoryType = SepRmPagedPoolMemory; RtlCopyMemory ( *MarshalledAuditParameters, AuditParameters, sizeof( SE_ADT_PARAMETER_ARRAY ) ); (*MarshalledAuditParameters)->Length = TotalSize; (*MarshalledAuditParameters)->Flags = SE_ADT_PARAMETERS_SELF_RELATIVE; // // Start walking down the list of parameters and marshall them // into the target buffer. // Base = (PCHAR) ((PCHAR)(*MarshalledAuditParameters) + sizeof( SE_ADT_PARAMETER_ARRAY )); for (i=0; i<AuditParameters->ParameterCount; i++) { switch (AuditParameters->Parameters[i].Type) { case SeAdtParmTypeNone: case SeAdtParmTypeUlong: case SeAdtParmTypeLogonId: case SeAdtParmTypeNoLogonId: case SeAdtParmTypeAccessMask: { // // Nothing to do for this // break; } case SeAdtParmTypeString: case SeAdtParmTypeFileSpec: { PUNICODE_STRING SourceString; // // We must copy the body of the unicode string // and then copy the body of the string. Pointers // must be turned into offsets. TargetString = (PUNICODE_STRING)Base; SourceString = AuditParameters->Parameters[i].Address; *TargetString = *SourceString; // // Reset the data pointer in the output parameters to // 'point' to the new string structure. // (*MarshalledAuditParameters)->Parameters[i].Address = Base - (ULONG_PTR)(*MarshalledAuditParameters); Base += sizeof( UNICODE_STRING ); RtlCopyMemory( Base, SourceString->Buffer, SourceString->Length ); // // Make the string buffer in the target string point to where we // just copied the data. // TargetString->Buffer = (PWSTR)(Base - (ULONG_PTR)(*MarshalledAuditParameters)); BaseIncr = (ULONG)LongAlignSize(SourceString->Length); Base += BaseIncr; break; } // // Handle types where we simply copy the buffer. // case SeAdtParmTypeSid: case SeAdtParmTypePrivs: case SeAdtParmTypeObjectTypes: { // // Copy the data into the output buffer // RtlCopyMemory( Base, AuditParameters->Parameters[i].Address, AuditParameters->Parameters[i].Length ); // // Reset the 'address' of the data to be its offset in the // buffer. // (*MarshalledAuditParameters)->Parameters[i].Address = Base - (ULONG_PTR)(*MarshalledAuditParameters); Base += (ULONG)LongAlignSize( AuditParameters->Parameters[i].Length ); break; } default: { // // We got passed junk, complain. // ASSERT( FALSE ); break; } } } return( STATUS_SUCCESS ); }

VOID SepAdtSetAuditLogInformation (  IN PPOLICY_AUDIT_LOG_INFO  AuditLogInformation  )

Definition at line 451 of file adtlog.c. References PAGED_CODE, SepAdtLogInformation, SepRmAcquireDbWriteLock, and SepRmReleaseDbWriteLock. Referenced by SepRmSetAuditLogWrkr(). : This function stores Audit Log Information in the Reference Monitor's in-memory database. This information contains parameters such as Audit Log size etc. It is the caller's responsibility to ensure that the supplied information is valid. NOTE: After initialization, this function is only called by the LSA via a Reference Monitor command. This is a necessary restriction because the Audit Log Information stored in the LSA Database must remain in sync Arguments: AuditLogInformation - Pointer to Audit Log Information structure. Return Value: None. --*/ { PAGED_CODE(); // // Acquire Reference Monitor Database write lock. // SepRmAcquireDbWriteLock(); // // Write the information // SepAdtLogInformation = *AuditLogInformation; // // Release Reference Monitor Database write lock // SepRmReleaseDbWriteLock(); }

VOID SepAuditFailed (  VOID   )

Definition at line 153 of file adtlog.c. References ASSERT, FALSE, KeBugCheck(), KeyName, L, NT_SUCCESS, NTSTATUS(), NULL, RtlInitUnicodeString(), SepCrashOnAuditFail, Status, and ValueName. Referenced by SepAdtLogAuditRecord(). : Bugchecks the system due to a missed audit (optional requirement for C2 compliance). Arguments: None. Return Value: None. --*/ { NTSTATUS Status; OBJECT_ATTRIBUTES Obja; HANDLE KeyHandle; UNICODE_STRING KeyName; UNICODE_STRING ValueName; UCHAR NewValue; ASSERT(sizeof(UCHAR) == sizeof(BOOLEAN)); if (!SepCrashOnAuditFail) { return; } // // Turn off flag in the registry that controls crashing on audit failure // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"); InitializeObjectAttributes( &Obja, &KeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); do { Status = ZwOpenKey( &KeyHandle, KEY_SET_VALUE, &Obja ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); // // If the LSA key isn't there, he's got big problems. But don't crash. // if (Status == STATUS_OBJECT_NAME_NOT_FOUND) { SepCrashOnAuditFail = FALSE; return; } if (!NT_SUCCESS( Status )) { goto bugcheck; } RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE ); NewValue = LSAP_ALLOW_ADIMIN_LOGONS_ONLY; do { Status = ZwSetValueKey( KeyHandle, &ValueName, 0, REG_NONE, &NewValue, sizeof(UCHAR) ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); ASSERT(NT_SUCCESS(Status)); if (!NT_SUCCESS( Status )) { goto bugcheck; } do { Status = ZwFlushKey( KeyHandle ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); ASSERT(NT_SUCCESS(Status)); // // go boom. // bugcheck: KeBugCheck(AUDIT_FAILURE); }

PSEP_LSA_WORK_ITEM SepDequeueWorkItem (  VOID   )

Definition at line 738 of file adtlog.c. References DbgPrint, ExFreePool(), _SEP_LSA_WORK_ITEM::List, NULL, PAGED_CODE, SepAdtCurrentListLength, SepLockLsaQueue, SepLsaQueue, and SepUnlockLsaQueue. Referenced by SepRmCallLsa(). 00744 : 00745 00746 Removes the top element of the SepLsaQueue and returns the 00747 next element if there is one, NULL otherwise. 00748 00749 Arguments: 00750 00751 None. 00752 00753 Return Value: 00754 00755 A pointer to the next SEP_LSA_WORK_ITEM, or NULL. 00756 00757 --*/ 00758 00759 { 00760 PSEP_LSA_WORK_ITEM OldWorkQueueItem; 00761 00762 PAGED_CODE(); 00763 00764 SepLockLsaQueue(); 00765 00766 OldWorkQueueItem = (PSEP_LSA_WORK_ITEM)RemoveHeadList(&SepLsaQueue); 00767 OldWorkQueueItem->List.Flink = NULL; 00768 ExFreePool( OldWorkQueueItem ); 00769 00770 SepAdtCurrentListLength--; 00771 00772 #if 0 00773 DbgPrint("Removing item\n"); 00774 #endif 00775 00776 if (IsListEmpty( &SepLsaQueue )) { 00777 00778 SepUnlockLsaQueue(); 00779 return( NULL ); 00780 } 00781 00782 // 00783 // We know there's something on the queue now, so we 00784 // can unlock it. 00785 // 00786 00787 SepUnlockLsaQueue(); 00788 return((PSEP_LSA_WORK_ITEM)(&SepLsaQueue)->Flink); 00789 } }

BOOLEAN SepQueueWorkItem (  IN PSEP_LSA_WORK_ITEM  LsaWorkItem, IN BOOLEAN  ForceQueue )

Definition at line 600 of file adtlog.c. References DbgPrint, DelayedWorkQueue, ExInitializeWorkItem, ExQueueWorkItem(), FALSE, PAGED_CODE, PWORKER_THREAD_ROUTINE, SepAdtCountEventsDiscarded, SepAdtCurrentListLength, SepAdtDiscardingAudits, SepAdtGenerateDiscardAudit(), SepAdtMaxListLength, SepAdtMinListLength, SepExWorkItem, SepLockLsaQueue, SepLsaQueue, SepRmCallLsa(), SepUnlockLsaQueue, TRUE, and _SEP_WORK_ITEM::WorkItem. Referenced by SepAdtLogAuditRecord(), and SepInformLsaOfDeletedLogon(). : Puts the passed work item on the queue to be passed to LSA, and returns the state of the queue upon arrival. Arguments: LsaWorkItem - Pointer to the work item to be queued. ForceQueue - Indicate that this item is not to be discarded due because of a full queue. Return Value: TRUE - The item was successfully queued. FALSE - The item was not queued and must be discarded. --*/ { BOOLEAN rc = TRUE; BOOLEAN StartExThread = FALSE ; PAGED_CODE(); #if 0 DbgPrint("Queueing an audit\n"); #endif SepLockLsaQueue(); if (SepAdtDiscardingAudits && !ForceQueue) { if (SepAdtCurrentListLength < SepAdtMinListLength) { // // We need to generate an audit saying how many audits we've // discarded. // // Since we have the mutex protecting the Audit queue, we don't // have to worry about anyone coming along and logging an // audit. But *we* can, since a mutex may be acquired recursively. // // Since we are so protected, turn off the SepAdtDiscardingAudits // flag here so that we don't come through this path again. // SepAdtDiscardingAudits = FALSE; SepAdtGenerateDiscardAudit(); #if 0 DbgPrint("Auditing resumed\n"); #endif // // We must assume that that worked, so clear the discard count. // SepAdtCountEventsDiscarded = 0; // // Our 'audits discarded' audit is now on the queue, // continue logging the one we started with. // } else { // // We are not yet below our low water mark. Toss // this audit and increment the discard count. // SepAdtCountEventsDiscarded++; rc = FALSE; goto Exit; } } if (SepAdtCurrentListLength < SepAdtMaxListLength || ForceQueue) { InsertTailList(&SepLsaQueue, &LsaWorkItem->List); if (++SepAdtCurrentListLength == 1) { #if 0 DbgPrint("Queueing a work item\n"); #endif StartExThread = TRUE ; } } else { // // There is no room for this audit on the queue, // so change our state to 'discarding' and tell // the caller to toss this audit. // SepAdtDiscardingAudits = TRUE; #if 0 DbgPrint("Starting to discard audits\n"); #endif rc = FALSE; } Exit: SepUnlockLsaQueue(); if ( StartExThread ) { ExInitializeWorkItem( &SepExWorkItem.WorkItem, (PWORKER_THREAD_ROUTINE) SepRmCallLsa, &SepExWorkItem ); ExQueueWorkItem( &SepExWorkItem.WorkItem, DelayedWorkQueue ); } return( rc ); }

---