rmaudit.c File Reference

#include <nt.h>
#include <ntlsa.h>
#include <ntos.h>
#include <ntrmlsa.h>
#include "sep.h"
#include "adt.h"
#include "adtp.h"
#include "rmp.h"

Go to the source code of this file.

Functions
VOID	SepRmSetAuditLogWrkr (IN PRM_COMMAND_MESSAGE CommandMessage, OUT PRM_REPLY_MESSAGE ReplyMessage)
VOID	SepRmSetAuditEventWrkr (IN PRM_COMMAND_MESSAGE CommandMessage, OUT PRM_REPLY_MESSAGE ReplyMessage)

---

Function Documentation

VOID SepRmSetAuditEventWrkr (  IN PRM_COMMAND_MESSAGE  CommandMessage, OUT PRM_REPLY_MESSAGE  ReplyMessage )

Definition at line 51 of file rmaudit.c. References ASSERT, _SE_AUDITING_STATE::AuditOnFailure, _SE_AUDITING_STATE::AuditOnSuccess, FALSE, PAGED_CODE, ReplyMessage(), SeAuditingState, SeDetailedAuditing, SepAdtAuditingEnabled, SepAdtInitializeBounds(), and TRUE. : This function carries out the Reference Monitor Set Audit Event Command. This command enables or disables auditing and optionally sets the auditing events. Arguments: CommandMessage - Pointer to structure containing RM command message information consisting of an LPC PORT_MESSAGE structure followed by the command number (RmSetAuditStateCommand) and a single command parameter in structure form. ReplyMessage - Pointer to structure containing RM reply message information consisting of an LPC PORT_MESSAGE structure followed by the command ReturnedStatus field in which a status code from the command will be returned. Return Value: VOID --*/ { PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; POLICY_AUDIT_EVENT_TYPE EventType; PAGED_CODE(); SepAdtInitializeBounds(); ReplyMessage->ReturnedStatus = STATUS_SUCCESS; // // Strict check that command is correct one for this worker. // ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand ); // // Extract the AuditingMode flag and put it in the right place. // SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)-> AuditingMode); // // For each element in the passed array, process changes to audit // nothing, and then success or failure flags. // EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)-> EventAuditingOptions; for ( EventType=AuditEventMinType; EventType <= AuditEventMaxType; EventType++ ) { SeAuditingState[EventType].AuditOnSuccess = FALSE; SeAuditingState[EventType].AuditOnFailure = FALSE; if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) { SeAuditingState[EventType].AuditOnSuccess = TRUE; } if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) { SeAuditingState[EventType].AuditOnFailure = TRUE; } } // // Set the flag to indicate that we're auditing detailed events. // This is merely a timesaver so we can skip auditing setup in // time critical places like process creation. // // // Despite what the UI may imply, we never audit failures for detailed events, since // none of them can fail for security related reasons, and we're not interested in // auditing out of memory errors and stuff like that. So just set this flag when // they want to see successes and ignore the failure case. // // We may have to revisit this someday. // if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) { SeDetailedAuditing = TRUE; } else { SeDetailedAuditing = FALSE; } return; }

VOID SepRmSetAuditLogWrkr (  IN PRM_COMMAND_MESSAGE  CommandMessage, OUT PRM_REPLY_MESSAGE  ReplyMessage )

Definition at line 164 of file rmaudit.c. References DbgPrint, PAGED_CODE, ReplyMessage(), and SepAdtSetAuditLogInformation(). : This function carries out the Reference Monitor Set Audit Log Command. This command stores parameters related to the Audit Log. Arguments: CommandMessage - Pointer to structure containing RM command message information consisting of an LPC PORT_MESSAGE structure followed by the command number (RmSetAuditStateCommand) and a single command parameter in structure form. ReplyMessage - Pointer to structure containing RM reply message information consisting of an LPC PORT_MESSAGE structure followed by the command ReturnedStatus field in which a status code from the command will be returned. Return Value: None. A status code is returned in ReplyMessage->ReturnedStatus --*/ { // // Strict check that command is correct one for this worker. // /* BUGWARNING - SCOTTBI - Auditing is disabled ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand ); */ PAGED_CODE(); #if DBG DbgPrint("Security: RM Set Audit Log Command Received\n"); #endif // // Call private function in Auditing Sub-component to do the work. // SepAdtSetAuditLogInformation( (PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams ); ReplyMessage->ReturnedStatus = STATUS_SUCCESS; }

---