adtp.h File Reference

#include "tokenp.h"

Go to the source code of this file.

Classes
struct	_SEP_AUDIT_BOUNDS
struct	_SEP_AUDIT_OPTIONS
Defines
#define	FULL_PRIVILEGE_AUDITING   L"FullPrivilegeAuditing"
#define	SepAdtAuditThisEvent(AuditType, AccessGranted)
#define	SepAdtAuditThisEventEx(AuditType, AccessGranted, AccessDenied)
Typedefs
typedef _SEP_AUDIT_BOUNDS	SEP_AUDIT_BOUNDS
typedef _SEP_AUDIT_BOUNDS *	PSEP_AUDIT_BOUNDS
typedef _SEP_AUDIT_OPTIONS	SEP_AUDIT_OPTIONS
Functions
VOID	SepAdtSetAuditEventInformation (IN OPTIONAL PBOOLEAN AuditingMode, IN OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions)
VOID	SepAdtGetAuditEventInformation (OUT OPTIONAL PBOOLEAN AuditingMode, OUT OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions)
VOID	SepAdtSetAuditLogInformation (IN PPOLICY_AUDIT_LOG_INFO AuditLogInformation)
NTSTATUS	SepAdtMarshallAuditRecord (IN PSE_ADT_PARAMETER_ARRAY AuditParameters, OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters, OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType)
BOOLEAN	SepAdtPrivilegeObjectAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName OPTIONAL, IN PVOID HandleId, IN PTOKEN ClientToken OPTIONAL, IN PTOKEN PrimaryToken, IN PVOID ProcessId, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET CapturedPrivileges, IN BOOLEAN AccessGranted)
VOID	SepAdtTraverseAuditAlarm (IN PLUID OperationID, IN PVOID DirectoryObject, IN PSID UserSid, IN LUID AuthenticationId, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges OPTIONAL, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm)
VOID	SepAdtCreateInstanceAuditAlarm (IN PLUID OperationID, IN PVOID Object, IN PSID UserSid, IN LUID AuthenticationId, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges OPTIONAL, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm)
VOID	SepAdtCreateObjectAuditAlarm (IN PLUID OperationID, IN PUNICODE_STRING DirectoryName, IN PUNICODE_STRING ComponentName, IN PSID UserSid, IN LUID AuthenticationId, IN ACCESS_MASK DesiredAccess, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm)
VOID	SepAdtHandleAuditAlarm (IN PUNICODE_STRING Source, IN LUID OperationId, IN HANDLE Handle, IN PSID UserSid)
	*++
VOID	SepAdtPrivilegedServiceAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName, IN PUNICODE_STRING CapturedServiceName, IN PTOKEN ClientToken OPTIONAL, IN PTOKEN PrimaryToken, IN PPRIVILEGE_SET CapturedPrivileges, IN BOOLEAN AccessGranted)
VOID	SepAdtCloseObjectAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName, IN PVOID HandleId, IN PVOID Object, IN PSID UserSid, IN LUID AuthenticationId)
VOID	SepAdtDeleteObjectAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName, IN PVOID HandleId, IN PVOID Object, IN PSID UserSid, IN LUID AuthenticationId)
BOOLEAN	SepAdtOpenObjectAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName, IN PVOID *HandleId OPTIONAL, IN PUNICODE_STRING CapturedObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING CapturedObjectName OPTIONAL, IN PTOKEN ClientToken OPTIONAL, IN PTOKEN PrimaryToken, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK GrantedAccess, IN PLUID OperationId, IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm, IN HANDLE ProcessID, IN POLICY_AUDIT_EVENT_TYPE AuditType, IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN PACCESS_MASK GrantedAccessArray OPTIONAL)
BOOLEAN	SepAdtOpenObjectForDeleteAuditAlarm (IN PUNICODE_STRING CapturedSubsystemName, IN PVOID *HandleId, IN PUNICODE_STRING CapturedObjectTypeName, IN PVOID Object, IN PUNICODE_STRING CapturedObjectName, IN PTOKEN ClientToken OPTIONAL, IN PTOKEN PrimaryToken, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK GrantedAccess, IN PLUID OperationId, IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm, IN HANDLE ProcessID)
VOID	SepAdtObjectReferenceAuditAlarm (IN PLUID OperationID OPTIONAL, IN PVOID Object, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges OPTIONAL, IN BOOLEAN AccessGranted, IN BOOLEAN GenerateAudit, IN BOOLEAN GenerateAlarm)
VOID	SepAdtInitializeBounds (VOID)
VOID	SepAuditFailed (VOID)
NTSTATUS	SepAdtInitializeCrashOnFail (VOID)
BOOLEAN	SepInitializePrivilegeFilter (BOOLEAN Verbose)
BOOLEAN	SepAdtInitializePrivilegeAuditing (VOID)
VOID	SepAdtInitializeAuditingOptions (VOID)
Variables
POLICY_AUDIT_LOG_INFO	SepAdtLogInformation
BOOLEAN	SepAdtAuditingEnabled
ULONG	SepAdtMaxListLength
ULONG	SepAdtMinListLength
ULONG	SepAdtCountEventsDiscarded
ULONG	SepAdtCurrentListLength
BOOLEAN	SepAdtDiscardingAudits
BOOLEAN	SepCrashOnAuditFail
SEP_AUDIT_OPTIONS	SepAuditOptions

---

Define Documentation

#define FULL_PRIVILEGE_AUDITING   L"FullPrivilegeAuditing"

Definition at line 83 of file adtp.h. Referenced by SepAdtInitializePrivilegeAuditing().

#define SepAdtAuditThisEvent (  AuditType, AccessGranted   )

Value: (SepAdtAuditingEnabled && \ ((SeAuditingState[AuditType].AuditOnSuccess && *AccessGranted) || \ (SeAuditingState[AuditType].AuditOnFailure && !(*AccessGranted)))) Definition at line 264 of file adtp.h. Referenced by NtOpenObjectAuditAlarm(), SeAuditingFileEvents(), SeAuditingFileOrGlobalEvents(), SeCreateObjectAuditAlarm(), SeObjectReferenceAuditAlarm(), SeOpenObjectAuditAlarm(), SeOpenObjectForDeleteAuditAlarm(), SepAccessCheckAndAuditAlarm(), SepAdtCloseObjectAuditAlarm(), SepAdtDeleteObjectAuditAlarm(), SepAdtHandleAuditAlarm(), SepAdtPrivilegedServiceAuditAlarm(), SepAdtPrivilegeObjectAuditAlarm(), and SePrivilegedServiceAuditAlarm().

#define SepAdtAuditThisEventEx (  AuditType, AccessGranted, AccessDenied   )

Value: (SepAdtAuditingEnabled && \ ((SeAuditingState[AuditType].AuditOnSuccess && AccessGranted) || \ (SeAuditingState[AuditType].AuditOnFailure && AccessDenied))) Definition at line 269 of file adtp.h. Referenced by SepAccessCheckAndAuditAlarm().

---

Typedef Documentation

typedef struct _SEP_AUDIT_BOUNDS * PSEP_AUDIT_BOUNDS

Referenced by SepAdtInitializeBounds().

typedef struct _SEP_AUDIT_BOUNDS SEP_AUDIT_BOUNDS

Referenced by SepAdtInitializeBounds().

typedef struct _SEP_AUDIT_OPTIONS SEP_AUDIT_OPTIONS

---

Function Documentation

VOID SepAdtCloseObjectAuditAlarm (  IN PUNICODE_STRING  CapturedSubsystemName, IN PVOID  HandleId, IN PVOID  Object, IN PSID  UserSid, IN LUID  AuthenticationId )

Definition at line 1312 of file sepaudit.c. References ASSERT, _SEP_AUDIT_OPTIONS::DoNotAuditCloseObjectEvents, PAGED_CODE, PsGetCurrentProcess, PsProcessAuditId, SepAdtAuditThisEvent, SepAdtLogAuditRecord(), SepAuditOptions, SepSetParmTypeSid, SepSetParmTypeString, SepSetParmTypeUlong, and TRUE. Referenced by NtCloseObjectAuditAlarm(), and SeCloseObjectAuditAlarm(). : This routine implements NtCloseObjectAuditAlarm after parameters have been captured. This routine is used to generate audit and alarm messages when a handle to a protected subsystem object is deleted. This routine may result in several messages being generated and sent to Port objects. This may result in a significant latency before returning. Design of routines that must call this routine must take this potential latency into account. This may have an impact on the approach taken for data structure mutex locking, for example. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, allowing the caller to be impersonating a client during the call with no ill effects. It is assumed that this privilege has been tested at a higher level. This routine will create an SE_ADT_PARAMETERS array organized as follows: Parameter[0] - User Sid Parameter[1] - Subsystem name (if available) Parameter[2] - New handle ID Parameter[3] - Subject's process id Arguments: CapturedSubsystemName - Supplies a name string identifying the subsystem calling the routine. HandleId - A unique value representing the client's handle to the object. Object - The address of the object being closed UserSid - The Sid identifying the current caller. Return value: None. --*/ { SE_ADT_PARAMETER_ARRAY AuditParameters; BOOLEAN AccessGranted = TRUE; HANDLE ProcessId; PAGED_CODE(); if ( SepAuditOptions.DoNotAuditCloseObjectEvents ) { return; } if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted ) ) { // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; AuditParameters.AuditId = SE_AUDITID_CLOSE_HANDLE; AuditParameters.ParameterCount = 0; AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); } AuditParameters.ParameterCount++; // // Parameter[2] - Subsystem name (if available) // if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); } AuditParameters.ParameterCount++; // // Parameter[3] - New handle ID // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); AuditParameters.ParameterCount++; // // Parameter[4] - Subject's process id // ProcessId = PsProcessAuditId( PsGetCurrentProcess() ); SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); AuditParameters.ParameterCount++; SepAdtLogAuditRecord( &AuditParameters ); } }

VOID SepAdtCreateInstanceAuditAlarm (  IN PLUID  OperationID, IN PVOID  Object, IN PSID  UserSid, IN LUID  AuthenticationId, IN ACCESS_MASK  DesiredAccess, IN PPRIVILEGE_SET Privileges  OPTIONAL, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm )

VOID SepAdtCreateObjectAuditAlarm (  IN PLUID  OperationID, IN PUNICODE_STRING  DirectoryName, IN PUNICODE_STRING  ComponentName, IN PSID  UserSid, IN LUID  AuthenticationId, IN ACCESS_MASK  DesiredAccess, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm )

Referenced by SeCreateObjectAuditAlarm().

VOID SepAdtDeleteObjectAuditAlarm (  IN PUNICODE_STRING  CapturedSubsystemName, IN PVOID  HandleId, IN PVOID  Object, IN PSID  UserSid, IN LUID  AuthenticationId )

Definition at line 1465 of file sepaudit.c. References ASSERT, PAGED_CODE, PsGetCurrentProcess, PsProcessAuditId, SepAdtAuditThisEvent, SepAdtLogAuditRecord(), SepSetParmTypeSid, SepSetParmTypeString, SepSetParmTypeUlong, and TRUE. Referenced by NtDeleteObjectAuditAlarm(), and SeDeleteObjectAuditAlarm(). : This routine implements NtDeleteObjectAuditAlarm after parameters have been captured. This routine is used to generate audit and alarm messages when an object in a protected subsystem object is deleted. This routine may result in several messages being generated and sent to Port objects. This may result in a significant latency before returning. Design of routines that must call this routine must take this potential latency into account. This may have an impact on the approach taken for data structure mutex locking, for example. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, allowing the caller to be impersonating a client during the call with no ill effects. It is assumed that this privilege has been tested at a higher level. This routine will create an SE_ADT_PARAMETERS array organized as follows: Parameter[0] - User Sid Parameter[1] - Subsystem name (if available) Parameter[2] - Handle ID Parameter[3] - Subject's process id Arguments: CapturedSubsystemName - Supplies a name string identifying the subsystem calling the routine. HandleId - A unique value representing the client's handle to the object. Object - The address of the object being closed UserSid - The Sid identifying the current caller. Return value: None. --*/ { SE_ADT_PARAMETER_ARRAY AuditParameters; BOOLEAN AccessGranted = TRUE; HANDLE ProcessId; PAGED_CODE(); if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted ) ) { // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; AuditParameters.AuditId = SE_AUDITID_DELETE_OBJECT; AuditParameters.ParameterCount = 0; AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); } AuditParameters.ParameterCount++; // // Parameter[2] - Subsystem name (if available) // if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); } AuditParameters.ParameterCount++; // // Parameter[3] - New handle ID // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); AuditParameters.ParameterCount++; // // Parameter[4] - Subject's process id // ProcessId = PsProcessAuditId( PsGetCurrentProcess() ); SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); AuditParameters.ParameterCount++; SepAdtLogAuditRecord( &AuditParameters ); } }

VOID SepAdtGetAuditEventInformation (  OUT OPTIONAL PBOOLEAN  AuditingMode, OUT OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS  EventAuditingOptions )

VOID SepAdtHandleAuditAlarm (  IN PUNICODE_STRING  Source, IN LUID  OperationId, IN HANDLE  Handle, IN PSID  UserSid )

*++ Definition at line 1794 of file sepaudit.c. References ASSERT, Handle, PAGED_CODE, PsGetCurrentProcess, PsProcessAuditId, SepAdtAuditThisEvent, SepAdtLogAuditRecord(), SepSetParmTypeSid, SepSetParmTypeString, SepSetParmTypeUlong, and TRUE. : Creates an audit record for the creation of an object handle. Arguments: Return Value: None. --*/ { BOOLEAN AccessGranted = TRUE; SE_ADT_PARAMETER_ARRAY AuditParameters; HANDLE ProcessID; PAGED_CODE(); if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted )) { // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; AuditParameters.AuditId = SE_AUDITID_CREATE_HANDLE; AuditParameters.ParameterCount = 0; AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // if ( ARGUMENT_PRESENT( Source )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, Source ); } AuditParameters.ParameterCount++; // // Parameter[2] - New handle ID // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)Handle) ); AuditParameters.ParameterCount++; // // Parameters 3,4 - Operation ID // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, OperationId.HighPart ); AuditParameters.ParameterCount++; SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, OperationId.LowPart ); AuditParameters.ParameterCount++; // // Parameter[5] - Subject's process id // ProcessID = PsProcessAuditId( PsGetCurrentProcess() ); SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessID) ); AuditParameters.ParameterCount++; SepAdtLogAuditRecord( &AuditParameters ); } }

VOID SepAdtInitializeAuditingOptions (  VOID   )

Definition at line 425 of file adtinit.c. References ASSERT, CHAR, _SEP_AUDIT_OPTIONS::DoNotAuditCloseObjectEvents, KeyName, L, NT_SUCCESS, NtClose(), NtOpenKey(), NtQueryValueKey(), NTSTATUS(), NULL, PAGED_CODE, RtlInitUnicodeString(), SepAuditOptions, Status, TRUE, and ValueName. Referenced by SeRmInitPhase1(). : Initialize options that control auditing. (please refer to note in adtp.h near the def. of SEP_AUDIT_OPTIONS) Arguments: None Return Value: None --*/ { HANDLE KeyHandle; NTSTATUS Status; NTSTATUS TmpStatus; OBJECT_ATTRIBUTES Obja; ULONG ResultLength; UNICODE_STRING KeyName; UNICODE_STRING ValueName; CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)]; PAGED_CODE(); // // Query the registry // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\AuditingOptions"); InitializeObjectAttributes( &Obja, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, KEY_QUERY_VALUE, &Obja ); if (!NT_SUCCESS( Status )) { goto Cleanup; } RtlInitUnicodeString( &ValueName, L"DoNotAuditCloseObjectEvents" ); Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, KeyInfo, sizeof(KeyInfo), &ResultLength ); TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); if (NT_SUCCESS( Status )) { // // we check for the presence of this value, its value does not matter // SepAuditOptions.DoNotAuditCloseObjectEvents = TRUE; } Cleanup: return; }

VOID SepAdtInitializeBounds (  VOID   )

Definition at line 117 of file adtinit.c. References ExAllocatePool, ExFreePool(), KeyName, L, _SEP_AUDIT_BOUNDS::LowerBound, NT_SUCCESS, NtClose(), NtOpenKey(), NtQueryValueKey(), NTSTATUS(), NULL, ObjectAttributes, PAGED_CODE, PagedPool, PSEP_AUDIT_BOUNDS, RtlInitUnicodeString(), SEP_AUDIT_BOUNDS, SepAdtMaxListLength, SepAdtMinListLength, SepAdtValidateAuditBounds(), Status, _SEP_AUDIT_BOUNDS::UpperBound, and ValueName. Referenced by SepRmSetAuditEventWrkr(). : Queries the registry for the high and low water mark values for the audit log. If they are not found or are unacceptable, returns without modifying the current values, which are statically initialized. Arguments: None. Return Value: None. --*/ { HANDLE KeyHandle; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING KeyName; UNICODE_STRING ValueName; NTSTATUS Status; PSEP_AUDIT_BOUNDS AuditBounds; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation; ULONG Length; PAGED_CODE(); // // Get the high and low water marks out of the registry. // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"); InitializeObjectAttributes( &ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, KEY_QUERY_VALUE, &ObjectAttributes ); if (!NT_SUCCESS( Status )) { // // Didn't work, take the defaults // return; } RtlInitUnicodeString( &ValueName, L"Bounds"); Length = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) - sizeof( UCHAR ) + sizeof( SEP_AUDIT_BOUNDS ); KeyValueInformation = ExAllocatePool( PagedPool, Length ); if ( KeyValueInformation == NULL ) { NtClose( KeyHandle ); return; } Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, (PVOID)KeyValueInformation, Length, &Length ); NtClose( KeyHandle ); if (!NT_SUCCESS( Status )) { ExFreePool( KeyValueInformation ); return; } AuditBounds = (PSEP_AUDIT_BOUNDS) &KeyValueInformation->Data; // // Sanity check what we got back // if(!SepAdtValidateAuditBounds( AuditBounds->UpperBound, AuditBounds->LowerBound )) { // // The values we got back are not to our liking. Use the defaults. // ExFreePool( KeyValueInformation ); return; } // // Take what we got from the registry. // SepAdtMaxListLength = AuditBounds->UpperBound; SepAdtMinListLength = AuditBounds->LowerBound; ExFreePool( KeyValueInformation ); return; }

NTSTATUS SepAdtInitializeCrashOnFail (  VOID   )

Definition at line 242 of file adtinit.c. : Reads the registry to see if the user has told us to crash if an audit fails. Arguments: None. Return Value: STATUS_SUCCESS --*/ { HANDLE KeyHandle; NTSTATUS Status; NTSTATUS TmpStatus; OBJECT_ATTRIBUTES Obja; ULONG ResultLength; UNICODE_STRING KeyName; UNICODE_STRING ValueName; CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)]; PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo; SepCrashOnAuditFail = FALSE; // // Check the value of the CrashOnAudit flag in the registry. // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"); InitializeObjectAttributes( &Obja, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, KEY_QUERY_VALUE | KEY_SET_VALUE, &Obja ); if (Status == STATUS_OBJECT_NAME_NOT_FOUND) { return( STATUS_SUCCESS ); } RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE ); Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, KeyInfo, sizeof(KeyInfo), &ResultLength ); TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); // // If the key isn't there, don't turn on CrashOnFail. // if (NT_SUCCESS( Status )) { pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo; if ((UCHAR) *(pKeyInfo->Data) == LSAP_CRASH_ON_AUDIT_FAIL) { SepCrashOnAuditFail = TRUE; } } return( STATUS_SUCCESS ); }

BOOLEAN SepAdtInitializePrivilegeAuditing (  VOID   )

Definition at line 329 of file adtinit.c. : Checks to see if there is an entry in the registry telling us to do full privilege auditing (which currently means audit everything we normall audit, plus backup and restore privileges). Arguments: None Return Value: BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE. --*/ { HANDLE KeyHandle; NTSTATUS Status; NTSTATUS TmpStatus; OBJECT_ATTRIBUTES Obja; ULONG ResultLength; UNICODE_STRING KeyName; UNICODE_STRING ValueName; CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)]; PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo; BOOLEAN Verbose; PAGED_CODE(); // // Query the registry to set up the privilege auditing filter. // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"); InitializeObjectAttributes( &Obja, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, KEY_QUERY_VALUE | KEY_SET_VALUE, &Obja ); if (!NT_SUCCESS( Status )) { if (Status == STATUS_OBJECT_NAME_NOT_FOUND) { return ( SepInitializePrivilegeFilter( FALSE )); } else { return( FALSE ); } } RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING ); Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, KeyInfo, sizeof(KeyInfo), &ResultLength ); TmpStatus = NtClose(KeyHandle); ASSERT(NT_SUCCESS(TmpStatus)); if (!NT_SUCCESS( Status )) { Verbose = FALSE; } else { pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo; Verbose = (BOOLEAN) *(pKeyInfo->Data); } return ( SepInitializePrivilegeFilter( Verbose )); }

NTSTATUS SepAdtMarshallAuditRecord (  IN PSE_ADT_PARAMETER_ARRAY  AuditParameters, OUT PSE_ADT_PARAMETER_ARRAY *  MarshalledAuditParameters, OUT PSEP_RM_LSA_MEMORY_TYPE  RecordMemoryType )

Definition at line 264 of file adtlog.c. References ASSERT, ExAllocatePoolWithTag, FALSE, NULL, PAGED_CODE, PagedPool, and SourceString. Referenced by SepAdtLogAuditRecord(). : This routine will take an AuditParamters structure and create a new AuditParameters structure that is suitable for sending to LSA. It will be in self-relative form and allocated as a single chunk of memory. Arguments: AuditParameters - A filled in set of AuditParameters to be marshalled. MarshalledAuditParameters - Returns a pointer to a block of heap memory containing the passed AuditParameters in self-relative form suitable for passing to LSA. Return Value: None. --*/ { ULONG i; ULONG TotalSize = sizeof( SE_ADT_PARAMETER_ARRAY ); PUNICODE_STRING TargetString; PCHAR Base; ULONG BaseIncr; PAGED_CODE(); // // Calculate the total size required for the passed AuditParameters // block. This calculation will probably be an overestimate of the // amount of space needed, because data smaller that 2 dwords will // be stored directly in the parameters structure, but their length // will be counted here anyway. The overestimate can't be more than // 24 dwords, and will never even approach that amount, so it isn't // worth the time it would take to avoid it. // for (i=0; i<AuditParameters->ParameterCount; i++) { TotalSize += (ULONG)LongAlignSize(AuditParameters->Parameters[i].Length); } // // Allocate a big enough block of memory to hold everything. // If it fails, quietly abort, since there isn't much else we // can do. // *MarshalledAuditParameters = ExAllocatePoolWithTag( PagedPool, TotalSize, 'pAeS' ); if (*MarshalledAuditParameters == NULL) { *RecordMemoryType = SepRmNoMemory; return(STATUS_INSUFFICIENT_RESOURCES); } *RecordMemoryType = SepRmPagedPoolMemory; RtlCopyMemory ( *MarshalledAuditParameters, AuditParameters, sizeof( SE_ADT_PARAMETER_ARRAY ) ); (*MarshalledAuditParameters)->Length = TotalSize; (*MarshalledAuditParameters)->Flags = SE_ADT_PARAMETERS_SELF_RELATIVE; // // Start walking down the list of parameters and marshall them // into the target buffer. // Base = (PCHAR) ((PCHAR)(*MarshalledAuditParameters) + sizeof( SE_ADT_PARAMETER_ARRAY )); for (i=0; i<AuditParameters->ParameterCount; i++) { switch (AuditParameters->Parameters[i].Type) { case SeAdtParmTypeNone: case SeAdtParmTypeUlong: case SeAdtParmTypeLogonId: case SeAdtParmTypeNoLogonId: case SeAdtParmTypeAccessMask: { // // Nothing to do for this // break; } case SeAdtParmTypeString: case SeAdtParmTypeFileSpec: { PUNICODE_STRING SourceString; // // We must copy the body of the unicode string // and then copy the body of the string. Pointers // must be turned into offsets. TargetString = (PUNICODE_STRING)Base; SourceString = AuditParameters->Parameters[i].Address; *TargetString = *SourceString; // // Reset the data pointer in the output parameters to // 'point' to the new string structure. // (*MarshalledAuditParameters)->Parameters[i].Address = Base - (ULONG_PTR)(*MarshalledAuditParameters); Base += sizeof( UNICODE_STRING ); RtlCopyMemory( Base, SourceString->Buffer, SourceString->Length ); // // Make the string buffer in the target string point to where we // just copied the data. // TargetString->Buffer = (PWSTR)(Base - (ULONG_PTR)(*MarshalledAuditParameters)); BaseIncr = (ULONG)LongAlignSize(SourceString->Length); Base += BaseIncr; break; } // // Handle types where we simply copy the buffer. // case SeAdtParmTypeSid: case SeAdtParmTypePrivs: case SeAdtParmTypeObjectTypes: { // // Copy the data into the output buffer // RtlCopyMemory( Base, AuditParameters->Parameters[i].Address, AuditParameters->Parameters[i].Length ); // // Reset the 'address' of the data to be its offset in the // buffer. // (*MarshalledAuditParameters)->Parameters[i].Address = Base - (ULONG_PTR)(*MarshalledAuditParameters); Base += (ULONG)LongAlignSize( AuditParameters->Parameters[i].Length ); break; } default: { // // We got passed junk, complain. // ASSERT( FALSE ); break; } } } return( STATUS_SUCCESS ); }

VOID SepAdtObjectReferenceAuditAlarm (  IN PLUID OperationID  OPTIONAL, IN PVOID  Object, IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext, IN ACCESS_MASK  DesiredAccess, IN PPRIVILEGE_SET Privileges  OPTIONAL, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm )

BOOLEAN SepAdtOpenObjectAuditAlarm (  IN PUNICODE_STRING  CapturedSubsystemName, IN PVOID *HandleId  OPTIONAL, IN PUNICODE_STRING  CapturedObjectTypeName, IN PVOID Object  OPTIONAL, IN PUNICODE_STRING CapturedObjectName  OPTIONAL, IN PTOKEN ClientToken  OPTIONAL, IN PTOKEN  PrimaryToken, IN ACCESS_MASK  DesiredAccess, IN ACCESS_MASK  GrantedAccess, IN PLUID  OperationId, IN PPRIVILEGE_SET CapturedPrivileges  OPTIONAL, IN BOOLEAN  ObjectCreated, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm, IN HANDLE  ProcessID, IN POLICY_AUDIT_EVENT_TYPE  AuditType, IN PIOBJECT_TYPE_LIST ObjectTypeList  OPTIONAL, IN ULONG  ObjectTypeListLength, IN PACCESS_MASK GrantedAccessArray  OPTIONAL )

Definition at line 571 of file sepaudit.c. References ASSERT, ClientToken, ExAllocatePoolWithTag, ExFreePool(), FlagMask, NULL, OBJECT_FAILURE_AUDIT, OBJECT_SUCCESS_AUDIT, PAGED_CODE, PagedPool, PrimaryToken, SepAdtLogAuditRecord(), SepSetParmTypeAccessMask, SepSetParmTypeFileSpec, SepSetParmTypeLogonId, SepSetParmTypeNoLogon, SepSetParmTypeObjectTypes, SepSetParmTypePrivileges, SepSetParmTypeSid, SepSetParmTypeString, SepSetParmTypeUlong, SepTokenAuthenticationId, SepTokenUserSid, TRUE, and USHORT. Referenced by NtOpenObjectAuditAlarm(), SeAuditHandleCreation(), SeOpenObjectAuditAlarm(), SeOpenObjectForDeleteAuditAlarm(), and SepAccessCheckAndAuditAlarm(). : Implements NtOpenObjectAuditAlarm after parameters have been captured. This routine is used to generate audit and alarm messages when an attempt is made to access an existing protected subsystem object or create a new one. This routine may result in several messages being generated and sent to Port objects. This may result in a significant latency before returning. Design of routines that must call this routine must take this potential latency into account. This may have an impact on the approach taken for data structure mutex locking, for example. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, not the impersonation token of the thread. This routine will create an SE_ADT_PARAMETERS array organized as follows: Parameter[0] - User Sid Parameter[1] - Subsystem name (if available) Parameter[2] - Server name (if available) Parameter[3] - Object Type Name Parameter[4] - Object Name Parameter[5] - New handle ID Parameter[6] - Subject's process id Parameter[7] - Subject's primary authentication ID Parameter[8] - Subject's client authentication ID Parameter[9] - DesiredAccess mask Parameter[10] - Privileges used for open Parameter[11] - Guid/Level/AccessMask of objects/property sets/properties accesses. Arguments: CapturedSubsystemName - Supplies a name string identifying the subsystem calling the routine. HandleId - A unique value representing the client's handle to the object. If the access attempt was not successful (AccessGranted is FALSE), then this parameter is ignored. CapturedObjectTypeName - Supplies the name of the type of object being accessed. CapturedObjectName - Supplies the name of the object the client accessed or attempted to access. CapturedSecurityDescriptor - A pointer to the security descriptor of the object being accessed. ClientToken - Optionally provides a pointer to the client token (only if the caller is currently impersonating) PrimaryToken - Provides a pointer to the caller's primary token. DesiredAccess - The desired access mask. This mask must have been previously mapped to contain no generic accesses. GrantedAccess - The mask of accesses that were actually granted. CapturedPrivileges - Optionally points to a set of privileges that were required for the access attempt. Those privileges that were held by the subject are marked using the UsedForAccess flag of the attributes associated with each privilege. ObjectCreation - A boolean flag indicating whether the access will result in a new object being created if granted. A value of TRUE indicates an object will be created, FALSE indicates an existing object will be opened. AccessGranted - Indicates whether the requested access was granted or not. A value of TRUE indicates the access was granted. A value of FALSE indicates the access was not granted. GenerateOnClose - Points to a boolean that is set by the audit generation routine and must be passed to NtCloseObjectAuditAlarm() when the object handle is closed. GenerateAudit - Indicates if we should generate an audit for this operation. GenerateAlarm - Indicates if we should generate an alarm for this operation. AuditType - Specifies the type of audit to be generated. Valid values are: AuditCategoryObjectAccess and AuditCategoryDirectoryServiceAccess. ObjectTypeList - Supplies a list of GUIDs representing the object (and sub-objects) being accessed. ObjectTypeListLength - Specifies the number of elements in the ObjectTypeList. GrantedAccessArray - If non NULL, specifies an array of access mask granted to each object in ObjectTypeList. Return Value: Returns TRUE if audit is generated, FALSE otherwise. --*/ { SE_ADT_PARAMETER_ARRAY AuditParameters; ULONG ObjectTypeIndex; PSID CapturedUserSid; LUID PrimaryAuthenticationId; LUID ClientAuthenticationId; PSE_ADT_OBJECT_TYPE AdtObjectTypeBuffer = NULL; PAGED_CODE(); if ( ARGUMENT_PRESENT( ClientToken )) { CapturedUserSid = SepTokenUserSid( ClientToken ); ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); } else { CapturedUserSid = SepTokenUserSid( PrimaryToken ); } PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); ASSERT( ( AuditType == AuditCategoryObjectAccess ) || ( AuditType == AuditCategoryDirectoryServiceAccess ) ); if (AuditType == AuditCategoryObjectAccess) { AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; } else { AuditParameters.CategoryId = SE_CATEGID_DS_ACCESS; } AuditParameters.AuditId = SE_AUDITID_OPEN_HANDLE; AuditParameters.ParameterCount = 0; if ( AccessGranted ) { AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; } else { AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; } // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); AuditParameters.ParameterCount++; // // Parameter[2] - Object Server (if available) // if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); } AuditParameters.ParameterCount++; // // Parameter[3] - Object Type Name // if ( ARGUMENT_PRESENT( CapturedObjectTypeName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedObjectTypeName ); ObjectTypeIndex = AuditParameters.ParameterCount; } AuditParameters.ParameterCount++; // // Parameter[4] - Object Name // if ( ARGUMENT_PRESENT( CapturedObjectName )) { SepSetParmTypeFileSpec( AuditParameters, AuditParameters.ParameterCount, CapturedObjectName ); } AuditParameters.ParameterCount++; // // Parameter[5] - New handle ID // if ( ARGUMENT_PRESENT( HandleId )) { SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)*HandleId) ); } AuditParameters.ParameterCount++; if ( ARGUMENT_PRESENT( OperationId )) { SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).HighPart ); AuditParameters.ParameterCount++; SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).LowPart ); AuditParameters.ParameterCount++; } else { AuditParameters.ParameterCount += 2; } // // Parameter[6] - Subject's process id // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessID) ); AuditParameters.ParameterCount++; // // Parameter[7] - Subject's primary authentication ID // SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); AuditParameters.ParameterCount++; // // Parameter[8] - Subject's client authentication ID // if ( ARGUMENT_PRESENT( ClientToken )) { SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); } else { SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); } AuditParameters.ParameterCount++; // // Parameter[9] - DesiredAccess mask // if ( AccessGranted ) { SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, GrantedAccess, ObjectTypeIndex ); } else { SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, DesiredAccess, ObjectTypeIndex ); } AuditParameters.ParameterCount++; // // Parameter[10] - Privileges used for open // if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); } AuditParameters.ParameterCount++; // // Parameter[11] - ObjectTypes of Audited objects/parameter sets/parameters // if ( ObjectTypeListLength != 0 ) { ULONG GuidCount; ULONG i; USHORT FlagMask = AccessGranted ? OBJECT_SUCCESS_AUDIT : OBJECT_FAILURE_AUDIT; // // Count the number of GUIDs to audit. // GuidCount = 0; for ( i=0; i<ObjectTypeListLength; i++ ) { if ( i == 0 ) { GuidCount++; } else if ( ObjectTypeList[i].Flags & FlagMask ) { GuidCount ++; } } // // If there are any Guids to audit, // copy them into a locally allocated buffer. // if ( GuidCount > 0 ) { AdtObjectTypeBuffer = ExAllocatePoolWithTag( PagedPool, GuidCount * sizeof(SE_ADT_OBJECT_TYPE), 'pAeS' ); // // If the buffer can be allocated, // fill it in. // If not, // generate a truncated audit. // if ( AdtObjectTypeBuffer != NULL ) { // // Copy the GUIDs and optional access masks to the buffer. // GuidCount = 0; for ( i=0; i<ObjectTypeListLength; i++ ) { if ( ( i > 0 ) && !( ObjectTypeList[i].Flags & FlagMask ) ) { continue; } else { AdtObjectTypeBuffer[GuidCount].ObjectType = ObjectTypeList[i].ObjectType; AdtObjectTypeBuffer[GuidCount].Level = ObjectTypeList[i].Level; if ( i == 0 ) { // // Always copy the GUID representing the object itself. // Mark it as a such to avoid including it in the audit. // AdtObjectTypeBuffer[GuidCount].Flags = SE_ADT_OBJECT_ONLY; AdtObjectTypeBuffer[GuidCount].AccessMask = 0; } else { AdtObjectTypeBuffer[GuidCount].Flags = 0; if ( ARGUMENT_PRESENT(GrantedAccessArray) && AccessGranted ) { AdtObjectTypeBuffer[GuidCount].AccessMask = GrantedAccessArray[i]; } } GuidCount ++; } } // // Store the Object Types. // SepSetParmTypeObjectTypes( AuditParameters, AuditParameters.ParameterCount, AdtObjectTypeBuffer, GuidCount, ObjectTypeIndex ); AuditParameters.ParameterCount ++; AuditParameters.AuditId = SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE; } } } // // Audit it. // SepAdtLogAuditRecord( &AuditParameters ); if ( AdtObjectTypeBuffer != NULL ) { ExFreePool( AdtObjectTypeBuffer ); } return( TRUE ); }

BOOLEAN SepAdtOpenObjectForDeleteAuditAlarm (  IN PUNICODE_STRING  CapturedSubsystemName, IN PVOID *  HandleId, IN PUNICODE_STRING  CapturedObjectTypeName, IN PVOID  Object, IN PUNICODE_STRING  CapturedObjectName, IN PTOKEN ClientToken  OPTIONAL, IN PTOKEN  PrimaryToken, IN ACCESS_MASK  DesiredAccess, IN ACCESS_MASK  GrantedAccess, IN PLUID  OperationId, IN PPRIVILEGE_SET CapturedPrivileges  OPTIONAL, IN BOOLEAN  ObjectCreated, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm, IN HANDLE  ProcessID )

VOID SepAdtPrivilegedServiceAuditAlarm (  IN PUNICODE_STRING  CapturedSubsystemName, IN PUNICODE_STRING  CapturedServiceName, IN PTOKEN ClientToken  OPTIONAL, IN PTOKEN  PrimaryToken, IN PPRIVILEGE_SET  CapturedPrivileges, IN BOOLEAN  AccessGranted )

Definition at line 346 of file sepaudit.c. References ASSERT, ClientToken, NULL, PAGED_CODE, PrimaryToken, SepAdtAuditThisEvent, SepAdtLogAuditRecord(), SepSetParmTypeLogonId, SepSetParmTypeNoLogon, SepSetParmTypePrivileges, SepSetParmTypeSid, SepSetParmTypeString, SepTokenAuthenticationId, SepTokenUserSid, and SeSubsystemName. Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm(). : This routine is the active part of NtPrivilegedServiceAuditAlarm. This routine is used to generate audit and alarm messages when an attempt is made to perform privileged system service operations. This routine may result in several messages being generated and sent to Port objects. This may result in a significant latency before returning. Design of routines that must call this routine must take this potential latency into account. This may have an impact on the approach taken for data structure mutex locking, for example. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, allowing the caller to be impersonating a client during the call with no ill effects. The test for this privilege is assumed to have occurred at a higher level. This routine will create an SE_ADT_PARAMETERS array organized as follows: Parameter[0] - User Sid Parameter[1] - Subsystem name (if available) Parameter[2] - Subject's primary authentication ID Parameter[3] - Subject's client authentication ID Parameter[4] - Privileges used for open Arguments: SubsystemName - Supplies a name string identifying the subsystem calling the routine. ServiceName - Supplies a name of the privileged subsystem service. For example, "RESET RUNTIME LOCAL SECURITY POLICY" might be specified by a Local Security Authority service used to update the local security policy database. ClientToken - Optionally provides a pointer to the client token (only if the caller is currently impersonating) PrimaryToken - Provides a pointer to the caller's primary token. Privileges - Points to a set of privileges required to perform the privileged operation. Those privileges that were held by the subject are marked using the UsedForAccess flag of the attributes associated with each privilege. AccessGranted - Indicates whether the requested access was granted or not. A value of TRUE indicates the access was granted. A value of FALSE indicates the access was not granted. Return value: --*/ { SE_ADT_PARAMETER_ARRAY AuditParameters; PSID CapturedUserSid; LUID ClientAuthenticationId; LUID PrimaryAuthenticationId; PUNICODE_STRING SubsystemName; PAGED_CODE(); // // Determine if we are auditing privileged services // if ( SepAdtAuditThisEvent( AuditCategoryPrivilegeUse, &AccessGranted )) { if ( ARGUMENT_PRESENT( ClientToken )) { CapturedUserSid = SepTokenUserSid( ClientToken ); ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); } else { CapturedUserSid = SepTokenUserSid( PrimaryToken ); } PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); if ( !ARGUMENT_PRESENT( CapturedSubsystemName )) { SubsystemName = &SeSubsystemName; } else { SubsystemName = CapturedSubsystemName; } // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); AuditParameters.CategoryId = SE_CATEGID_PRIVILEGE_USE; AuditParameters.AuditId = SE_AUDITID_PRIVILEGED_SERVICE; AuditParameters.ParameterCount = 0; if ( AccessGranted ) { AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; } else { AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; } // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, SubsystemName ); AuditParameters.ParameterCount++; // // Parameter[2] - Server // SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, SubsystemName ); AuditParameters.ParameterCount++; // // Parameter[3] - Service name (if available) // if ( ARGUMENT_PRESENT( CapturedServiceName )) { SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedServiceName ); } AuditParameters.ParameterCount++; // // Parameter[3] - Subject's primary authentication ID // SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); AuditParameters.ParameterCount++; // // Parameter[4] - Subject's client authentication ID // if ( ARGUMENT_PRESENT( ClientToken )) { SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); } else { SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); } AuditParameters.ParameterCount++; // // Parameter[5] - Privileges used for open // if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); } AuditParameters.ParameterCount++; SepAdtLogAuditRecord( &AuditParameters ); } }

BOOLEAN SepAdtPrivilegeObjectAuditAlarm (  IN PUNICODE_STRING CapturedSubsystemName  OPTIONAL, IN PVOID  HandleId, IN PTOKEN ClientToken  OPTIONAL, IN PTOKEN  PrimaryToken, IN PVOID  ProcessId, IN ACCESS_MASK  DesiredAccess, IN PPRIVILEGE_SET  CapturedPrivileges, IN BOOLEAN  AccessGranted )

Definition at line 125 of file sepaudit.c. References ASSERT, ClientToken, FALSE, NULL, PAGED_CODE, PrimaryToken, RtlEqualSid(), SeLocalSystemSid, SepAdtAuditThisEvent, SepAdtLogAuditRecord(), SepFilterPrivilegeAudits(), SepSetParmTypeLogonId, SepSetParmTypeNoLogon, SepSetParmTypePrivileges, SepSetParmTypeSid, SepSetParmTypeString, SepSetParmTypeUlong, SepTokenAuthenticationId, SepTokenUserSid, and TRUE. Referenced by NtOpenObjectAuditAlarm(), NtPrivilegeObjectAuditAlarm(), SeAuditHandleCreation(), SepAccessCheckAndAuditAlarm(), and SePrivilegeObjectAuditAlarm(). : Implements NtPrivilegeObjectAuditAlarm after parameters have been captured. This routine is used to generate audit and alarm messages when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened. This routine may result in several messages being generated and sent to Port objects. This may result in a significant latency before returning. Design of routines that must call this routine must take this potential latency into account. This may have an impact on the approach taken for data structure mutex locking, for example. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, allowing the caller to be impersonating a client during the call with no ill effects. This routine will create an SE_ADT_PARAMETERS array organized as follows: Parameter[0] - User Sid Parameter[1] - Subsystem name (if available) Parameter[2] - New handle ID Parameter[3] - Subject's process id Parameter[4] - Subject's primary authentication ID Parameter[5] - Subject's client authentication ID Parameter[6] - Privileges used for open Arguments: CapturedSubsystemName - Supplies a name string identifying the subsystem calling the routine. HandleId - A unique value representing the client's handle to the object. ClientToken - Optionally provides a pointer to the client token (only if the caller is currently impersonating) PrimaryToken - Provides a pointer to the caller's primary token. DesiredAccess - The desired access mask. This mask must have been previously mapped to contain no generic accesses. CapturedPrivileges - The set of privileges required for the requested operation. Those privileges that were held by the subject are marked using the UsedForAccess flag of the attributes associated with each privilege. AccessGranted - Indicates whether the requested access was granted or not. A value of TRUE indicates the access was granted. A value of FALSE indicates the access was not granted. Return value: --*/ { SE_ADT_PARAMETER_ARRAY AuditParameters; PSID CapturedUserSid; LUID ClientAuthenticationId; LUID PrimaryAuthenticationId; PAGED_CODE(); // // Determine if we are auditing the use of privileges // if ( SepAdtAuditThisEvent( AuditCategoryPrivilegeUse, &AccessGranted ) && SepFilterPrivilegeAudits( CapturedPrivileges )) { if ( ARGUMENT_PRESENT( ClientToken )) { CapturedUserSid = SepTokenUserSid( ClientToken ); ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); } else { CapturedUserSid = SepTokenUserSid( PrimaryToken ); } if ( RtlEqualSid( SeLocalSystemSid, CapturedUserSid )) { return (FALSE); } PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); // // A completely zero'd entry will be interpreted // as a "null string" or not supplied parameter. // // Initializing the entire array up front will allow // us to avoid filling in each not supplied entry. // RtlZeroMemory ( (PVOID) &AuditParameters, sizeof( AuditParameters ) ); ASSERT( SeAdtParmTypeNone == 0 ); AuditParameters.CategoryId = SE_CATEGID_PRIVILEGE_USE; AuditParameters.AuditId = SE_AUDITID_PRIVILEGED_OBJECT; AuditParameters.ParameterCount = 0; if ( AccessGranted ) { AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; } else { AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; } // // Parameter[0] - User Sid // SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); AuditParameters.ParameterCount++; // // Parameter[1] - Subsystem name (if available) // SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); AuditParameters.ParameterCount++; // // Parameter[2] - New handle ID // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); AuditParameters.ParameterCount++; // // Parameter[3] - Subject's process id // SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); AuditParameters.ParameterCount++; // // Parameter[4] - Subject's primary authentication ID // SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); AuditParameters.ParameterCount++; // // Parameter[5] - Subject's client authentication ID // if ( ARGUMENT_PRESENT( ClientToken )) { SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); } else { SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); } AuditParameters.ParameterCount++; // // Parameter[6] - Privileges used for open // if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); } AuditParameters.ParameterCount++; SepAdtLogAuditRecord( &AuditParameters ); return( TRUE ); } return( FALSE ); }

VOID SepAdtSetAuditEventInformation (  IN OPTIONAL PBOOLEAN  AuditingMode, IN OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS  EventAuditingOptions )

VOID SepAdtSetAuditLogInformation (  IN PPOLICY_AUDIT_LOG_INFO  AuditLogInformation  )

Definition at line 451 of file adtlog.c. References PAGED_CODE, SepAdtLogInformation, SepRmAcquireDbWriteLock, and SepRmReleaseDbWriteLock. Referenced by SepRmSetAuditLogWrkr(). : This function stores Audit Log Information in the Reference Monitor's in-memory database. This information contains parameters such as Audit Log size etc. It is the caller's responsibility to ensure that the supplied information is valid. NOTE: After initialization, this function is only called by the LSA via a Reference Monitor command. This is a necessary restriction because the Audit Log Information stored in the LSA Database must remain in sync Arguments: AuditLogInformation - Pointer to Audit Log Information structure. Return Value: None. --*/ { PAGED_CODE(); // // Acquire Reference Monitor Database write lock. // SepRmAcquireDbWriteLock(); // // Write the information // SepAdtLogInformation = *AuditLogInformation; // // Release Reference Monitor Database write lock // SepRmReleaseDbWriteLock(); }

VOID SepAdtTraverseAuditAlarm (  IN PLUID  OperationID, IN PVOID  DirectoryObject, IN PSID  UserSid, IN LUID  AuthenticationId, IN ACCESS_MASK  DesiredAccess, IN PPRIVILEGE_SET Privileges  OPTIONAL, IN BOOLEAN  AccessGranted, IN BOOLEAN  GenerateAudit, IN BOOLEAN  GenerateAlarm )

Referenced by SeTraverseAuditAlarm().

VOID SepAuditFailed (  VOID   )

Definition at line 153 of file adtlog.c. References ASSERT, FALSE, KeBugCheck(), KeyName, L, NT_SUCCESS, NTSTATUS(), NULL, RtlInitUnicodeString(), SepCrashOnAuditFail, Status, and ValueName. Referenced by SepAdtLogAuditRecord(). : Bugchecks the system due to a missed audit (optional requirement for C2 compliance). Arguments: None. Return Value: None. --*/ { NTSTATUS Status; OBJECT_ATTRIBUTES Obja; HANDLE KeyHandle; UNICODE_STRING KeyName; UNICODE_STRING ValueName; UCHAR NewValue; ASSERT(sizeof(UCHAR) == sizeof(BOOLEAN)); if (!SepCrashOnAuditFail) { return; } // // Turn off flag in the registry that controls crashing on audit failure // RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"); InitializeObjectAttributes( &Obja, &KeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); do { Status = ZwOpenKey( &KeyHandle, KEY_SET_VALUE, &Obja ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); // // If the LSA key isn't there, he's got big problems. But don't crash. // if (Status == STATUS_OBJECT_NAME_NOT_FOUND) { SepCrashOnAuditFail = FALSE; return; } if (!NT_SUCCESS( Status )) { goto bugcheck; } RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE ); NewValue = LSAP_ALLOW_ADIMIN_LOGONS_ONLY; do { Status = ZwSetValueKey( KeyHandle, &ValueName, 0, REG_NONE, &NewValue, sizeof(UCHAR) ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); ASSERT(NT_SUCCESS(Status)); if (!NT_SUCCESS( Status )) { goto bugcheck; } do { Status = ZwFlushKey( KeyHandle ); } while ((Status == STATUS_INSUFFICIENT_RESOURCES) || (Status == STATUS_NO_MEMORY)); ASSERT(NT_SUCCESS(Status)); // // go boom. // bugcheck: KeBugCheck(AUDIT_FAILURE); }

BOOLEAN SepInitializePrivilegeFilter (  BOOLEAN  Verbose  )

Definition at line 4556 of file seaudit.c. References SepFilterPrivileges, SepFilterPrivilegesLong, SepFilterPrivilegesShort, and TRUE. Referenced by SepAdtInitializePrivilegeAuditing(). : Initializes SepFilterPrivileges for either normal or verbose auditing. Arguments: Verbose - Whether we want to filter by the short or long privileges list. Verbose == TRUE means use the short list. Return Value: TRUE for success, FALSE for failure --*/ { if (Verbose) { SepFilterPrivileges = SepFilterPrivilegesShort; } else { SepFilterPrivileges = SepFilterPrivilegesLong; } return( TRUE ); }

---

Variable Documentation

BOOLEAN SepAdtAuditingEnabled

Definition at line 31 of file adtp.h.

ULONG SepAdtCountEventsDiscarded

Definition at line 56 of file adtp.h. Referenced by SepAdtGenerateDiscardAudit(), and SepQueueWorkItem().

ULONG SepAdtCurrentListLength

Definition at line 63 of file adtp.h. Referenced by SepDequeueWorkItem(), and SepQueueWorkItem().

BOOLEAN SepAdtDiscardingAudits

Definition at line 70 of file adtp.h. Referenced by SepQueueWorkItem().

POLICY_AUDIT_LOG_INFO SepAdtLogInformation

Definition at line 29 of file adtp.h. Referenced by SepAdtSetAuditLogInformation().

ULONG SepAdtMaxListLength

Definition at line 37 of file adtp.h. Referenced by SepAdtInitializeBounds(), and SepQueueWorkItem().

ULONG SepAdtMinListLength

Definition at line 38 of file adtp.h. Referenced by SepAdtInitializeBounds(), and SepQueueWorkItem().

SEP_AUDIT_OPTIONS SepAuditOptions

Definition at line 323 of file adtp.h. Referenced by SepAdtCloseObjectAuditAlarm(), and SepAdtInitializeAuditingOptions().

BOOLEAN SepCrashOnAuditFail

Definition at line 77 of file adtp.h. Referenced by SepAdtInitializeCrashOnFail(), SepAdtLogAuditRecord(), and SepAuditFailed().

---