
adt.h File Reference

#include <ntlsa.h>


Defines

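//
// Audit-policy predicates over the global SepAdtState
// (POLICY_AUDIT_EVENTS_INFO, defined in adt.h).
//
// SepAdtState.EventAuditingOptions[] is indexed by audit event type; each
// entry is a bit mask in which POLICY_AUDIT_EVENT_SUCCESS and
// POLICY_AUDIT_EVENT_FAILURE select which outcomes of that event type are
// to be audited.  SepAdtState.AuditingMode is the system-wide on/off switch.
//

//
// Nonzero when successful events of type AuditEventType are to be audited.
//
#define SepAdtEventOnSuccess(AuditEventType)                                  \
    (SepAdtState.EventAuditingOptions[AuditEventType] & POLICY_AUDIT_EVENT_SUCCESS)

//
// Nonzero when failed events of type AuditEventType are to be audited.
//
#define SepAdtEventOnFailure(AuditEventType)                                  \
    (SepAdtState.EventAuditingOptions[AuditEventType] & POLICY_AUDIT_EVENT_FAILURE)

//
// Nonzero when either outcome of AuditEventType is audited.
//
#define SepAdtAuditingEvent(AuditEventType)                                   \
    (SepAdtEventOnSuccess(AuditEventType) || SepAdtEventOnFailure(AuditEventType))

//
// Nonzero when auditing is turned on system-wide.
//
#define SepAdtAuditingEnabled()   (SepAdtState.AuditingMode == TRUE)

//
// Nonzero when auditing is turned off system-wide.
//
// The previous definition read "(!SepAdtAuditingEnabled)": the function-like
// macro was named without "()", so it was not expanded and the predicate
// referred to an undeclared identifier.  It must invoke the macro.
//
#define SepAdtAuditingDisabled()  (!SepAdtAuditingEnabled())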

Functions

BOOLEAN SepAdtInitializePhase0 ()
BOOLEAN SepAdtInitializePhase1 ()
VOID SepAdtLogAuditRecord (IN PSE_ADT_PARAMETER_ARRAY AuditParameters)
NTSTATUS SepAdtCopyToLsaSharedMemory (IN HANDLE LsaProcessHandle, IN PVOID Buffer, IN ULONG BufferLength, OUT PVOID *LsaBufferAddress)

Variables

POLICY_AUDIT_EVENTS_INFO SepAdtState


Define Documentation

 
#define SepAdtAuditingDisabled()     (!SepAdtAuditingEnabled)
 

Definition at line 156 of file adt.h.

 
#define SepAdtAuditingEnabled()     (SepAdtState.AuditingMode == TRUE)
 

Definition at line 134 of file adt.h.

Referenced by NtClose(), and SepRmSetAuditEventWrkr().

#define SepAdtAuditingEvent(AuditEventType)
 

Value:

(SepAdtEventOnSuccess(AuditEventType) || \
 (SepAdtEventOnFailure(AuditEventType))

Definition at line 111 of file adt.h.

#define SepAdtEventOnFailure(AuditEventType)
 

Value:

(SepAdtState.EventAuditingOptions[AuditEventType] & \
 POLICY_AUDIT_EVENT_FAILURE)

Definition at line 85 of file adt.h.

#define SepAdtEventOnSuccess(AuditEventType)
 

Value:

(SepAdtState.EventAuditingOptions[AuditEventType] & \
 POLICY_AUDIT_EVENT_SUCCESS)

Definition at line 57 of file adt.h.


Function Documentation

NTSTATUS SepAdtCopyToLsaSharedMemory (IN HANDLE LsaProcessHandle,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PVOID *LsaBufferAddress)
 

Definition at line 504 of file adtlog.c.

References ASSERT, Buffer, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, and Status.

Referenced by SepRmCallLsa().

NTSTATUS
SepAdtCopyToLsaSharedMemory(
    IN HANDLE LsaProcessHandle,
    IN PVOID Buffer,
    IN ULONG BufferLength,
    OUT PVOID *LsaBufferAddress
    )

/*++

Routine Description:

    Allocates a committed, read/write region in the LSA process and copies
    Buffer into it.  On success the region is left allocated in the LSA
    process and its address is handed back to the caller; on any failure
    the region (if one was obtained) is released again, so nothing is left
    behind in the LSA process.

Arguments:

    LsaProcessHandle - Handle to the LSA process.

    Buffer - Pointer to the data to copy (BufferLength bytes).

    BufferLength - Number of bytes to copy; also the size requested for the
        LSA-side region.

    LsaBufferAddress - Receives the address of the copy, valid in the LSA
        process context.  Written only on success.

Return Value:

    NTSTATUS - the status of the first Zw* call that failed, otherwise the
        (successful) status of the write.

--*/

{
    NTSTATUS Status;
    NTSTATUS SecondaryStatus;
    PVOID LsaRegion = NULL;
    SIZE_T RegionSize = BufferLength;

    PAGED_CODE();

    Status = ZwAllocateVirtualMemory(
                 LsaProcessHandle,
                 &LsaRegion,
                 0,
                 &RegionSize,
                 MEM_COMMIT,
                 PAGE_READWRITE
                 );

    if (NT_SUCCESS(Status)) {

        Status = ZwWriteVirtualMemory(
                     LsaProcessHandle,
                     LsaRegion,
                     Buffer,
                     BufferLength,
                     NULL
                     );

        if (NT_SUCCESS(Status)) {

            //
            // Both steps succeeded: ownership of the region passes to the
            // caller (and ultimately the LSA process).
            //

            *LsaBufferAddress = LsaRegion;
            return Status;
        }
    }

    //
    // Failure path.  A non-NULL LsaRegion means the allocation succeeded
    // and only the write failed, so the region must be released; a NULL
    // LsaRegion means the allocation itself failed and there is nothing to
    // undo.  The free is expected to succeed, hence only ASSERTed.
    //

    if (LsaRegion != NULL) {

        RegionSize = 0;     // MEM_RELEASE expects a zero region size

        SecondaryStatus = ZwFreeVirtualMemory(
                              LsaProcessHandle,
                              &LsaRegion,
                              &RegionSize,
                              MEM_RELEASE
                              );

        ASSERT(NT_SUCCESS(SecondaryStatus));
    }

    return Status;
}

BOOLEAN SepAdtInitializePhase0 ()
 

BOOLEAN SepAdtInitializePhase1 ()
 

Definition at line 85 of file adtinit.c.

References L, PAGED_CODE, RtlInitUnicodeString(), SeSubsystemName, and TRUE.

Referenced by SepInitializationPhase1().

BOOLEAN
SepAdtInitializePhase1(
    VOID
    )

/*++

Routine Description:

    Phase 1 initialization of the auditing subcomponent of Security.  The
    only state this routine touches is SeSubsystemName, which is set to the
    constant string L"Security".  The original description also said that
    auditing is turned off here, but no assignment to the auditing policy
    (SepAdtState) appears in this body.

Arguments:

    None.

Return Value:

    BOOLEAN - always TRUE; this routine has no failure case.

--*/

{
    BOOLEAN Initialized = TRUE;

    PAGED_CODE();

    //
    // Subsystem name string owned by the security component.  How the name
    // is consumed (presumably in audit records) is outside this file.
    //

    RtlInitUnicodeString( &SeSubsystemName, L"Security" );

    return Initialized;
}

VOID SepAdtLogAuditRecord (IN PSE_ADT_PARAMETER_ARRAY AuditParameters)
 

Definition at line 52 of file adtlog.c.

References _SEP_LSA_WORK_ITEM::CleanupFunction, _SEP_LSA_WORK_ITEM::CommandNumber, _SEP_LSA_WORK_ITEM::CommandParams, _SEP_LSA_WORK_ITEM::CommandParamsLength, _SEP_LSA_WORK_ITEM::CommandParamsMemoryType, ExAllocatePoolWithTag, ExFreePool(), FALSE, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, PagedPool, _SEP_LSA_WORK_ITEM::ReplyBuffer, _SEP_LSA_WORK_ITEM::ReplyBufferLength, SEP_LSA_WORK_ITEM, SepAdtMarshallAuditRecord(), SepAuditFailed(), SepAuditRecord, SepCrashOnAuditFail, SepQueueWorkItem(), Status, _SEP_LSA_WORK_ITEM::Tag, and TRUE.

Referenced by SeAuditHandleDuplication(), SeAuditProcessCreation(), SeAuditProcessExit(), SepAdtCloseObjectAuditAlarm(), SepAdtDeleteObjectAuditAlarm(), SepAdtGenerateDiscardAudit(), SepAdtHandleAuditAlarm(), SepAdtObjectReferenceAuditAlarm(), SepAdtOpenObjectAuditAlarm(), SepAdtOpenObjectForDeleteAuditAlarm(), SepAdtPrivilegedServiceAuditAlarm(), and SepAdtPrivilegeObjectAuditAlarm().

VOID
SepAdtLogAuditRecord(
    IN PSE_ADT_PARAMETER_ARRAY AuditParameters
    )

/*++

Routine Description:

    Single entry point through which the audit/alarm generation routines
    hand an audit record to the logging path.  The supplied parameter array
    is marshalled into a self-relative record (SepAdtMarshallAuditRecord),
    wrapped in an LSA work item carrying LsapWriteAuditMessageCommand, and
    queued with SepQueueWorkItem for delivery to the LSA.  The queue
    consumer is outside this file.

    Every failure (pool allocation, marshalling, or queueing) releases what
    was allocated and then calls SepAuditFailed(), which decides the policy
    response to a lost audit record; what that response is (it is expected
    to depend on SepCrashOnAuditFail) is not visible here.

    (Earlier versions of this comment described parameters named
    AuditEventType / AuditInformation and NTSTATUS return codes; neither
    matches the current signature.)

Arguments:

    AuditParameters - Pointer to the captured audit parameter array to be
        marshalled and logged.

Return Value:

    None.  Failures are reported only through SepAuditFailed().

--*/

{
    NTSTATUS MarshalStatus;
    PSEP_LSA_WORK_ITEM WorkItem;
    BOOLEAN ForceOntoQueue;

    PAGED_CODE();

    WorkItem = ExAllocatePoolWithTag( PagedPool, sizeof( SEP_LSA_WORK_ITEM ), 'iAeS' );

    if (WorkItem == NULL) {

        SepAuditFailed();
        return;
    }

    //
    // Command header: this work item is an audit record destined for the
    // LSA's write-audit-message command, with no reply expected.
    //

    WorkItem->Tag = SepAuditRecord;
    WorkItem->CommandNumber = LsapWriteAuditMessageCommand;
    WorkItem->ReplyBuffer = NULL;
    WorkItem->ReplyBufferLength = 0;
    WorkItem->CleanupFunction = NULL;

    //
    // Marshall the parameter array into a self-relative record.  The
    // marshaller owns the choice of memory type for the record and reports
    // it in CommandParamsMemoryType.
    //

    MarshalStatus = SepAdtMarshallAuditRecord(
                        AuditParameters,
                        (PSE_ADT_PARAMETER_ARRAY *) &WorkItem->CommandParams.BaseAddress,
                        &WorkItem->CommandParamsMemoryType
                        );

    if (!NT_SUCCESS(MarshalStatus)) {

        //
        // Nothing was marshalled, so only the work item itself is owed back.
        //

        ExFreePool( WorkItem );
        SepAuditFailed();
        return;
    }

    //
    // The marshalled record carries its own total length; that is the size
    // of the command parameter buffer handed to the LSA.
    //

    WorkItem->CommandParamsLength =
        ((PSE_ADT_PARAMETER_ARRAY) WorkItem->CommandParams.BaseAddress)->Length;

    //
    // When the system is configured to crash on a discarded audit, the
    // queue bounds check is bypassed so the record is never dropped here.
    //

    ForceOntoQueue = (BOOLEAN)(SepCrashOnAuditFail ? TRUE : FALSE);

    if (!SepQueueWorkItem( WorkItem, ForceOntoQueue )) {

        //
        // The record could not be queued: release both the marshalled record
        // and the work item, then let the audit-failure policy act.
        //

        ExFreePool( WorkItem->CommandParams.BaseAddress );
        ExFreePool( WorkItem );
        SepAuditFailed();
    }
}


Variable Documentation

POLICY_AUDIT_EVENTS_INFO SepAdtState
 

Definition at line 164 of file adt.h.

