test: sepaudit.c Source File

00001 /*++ 00002 00003 Copyright (c) 1989 Microsoft Corporation 00004 00005 Module Name: 00006 00007 sepaudit.c 00008 00009 Abstract: 00010 00011 This Module implements the audit and alarm procedures that are 00012 private to the security component. 00013 00014 Author: 00015 00016 Robert Reichel (robertre) September 10, 1991 00017 00018 Environment: 00019 00020 Kernel Mode 00021 00022 Revision History: 00023 00024 --*/ 00025 00026 #include <nt.h> 00027 #include <ntlsa.h> 00028 #include <msaudite.h> 00029 #include "tokenp.h" 00030 #include "adt.h" 00031 #include "adtp.h" 00032 00033 00034 #ifdef ALLOC_PRAGMA 00035 #pragma alloc_text(PAGE,SeAuditHandleDuplication) 00036 // #pragma alloc_text(PAGE,SepAdtAuditThisEvent) 00037 #pragma alloc_text(PAGE,SepAdtPrivilegeObjectAuditAlarm) 00038 #pragma alloc_text(PAGE,SepAdtPrivilegedServiceAuditAlarm) 00039 #pragma alloc_text(PAGE,SepAdtOpenObjectAuditAlarm) 00040 #pragma alloc_text(PAGE,SepAdtOpenObjectForDeleteAuditAlarm) 00041 #pragma alloc_text(PAGE,SepAdtHandleAuditAlarm) 00042 #pragma alloc_text(PAGE,SepAdtObjectReferenceAuditAlarm) 00043 #pragma alloc_text(PAGE,SepQueryNameString) 00044 #pragma alloc_text(PAGE,SepQueryTypeString) 00045 #pragma alloc_text(PAGE,SeAuditProcessCreation) 00046 #pragma alloc_text(PAGE,SeAuditProcessExit) 00047 #pragma alloc_text(PAGE,SepAdtGenerateDiscardAudit) 00048 #endif 00049 00050 00051 #define SepSetParmTypeSid( AuditParameters, Index, Sid ) \ 00052 { \ 00053 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSid; \ 00054 (AuditParameters).Parameters[(Index)].Length = SeLengthSid( (Sid) ); \ 00055 (AuditParameters).Parameters[(Index)].Address = (Sid); \ 00056 } 00057 00058 00059 #define SepSetParmTypeString( AuditParameters, Index, String ) \ 00060 { \ 00061 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeString; \ 00062 (AuditParameters).Parameters[(Index)].Length = \ 00063 sizeof(UNICODE_STRING)+(String)->Length; \ 00064 (AuditParameters).Parameters[(Index)].Address = (String); \ 00065 } 00066 00067 00068 #define SepSetParmTypeFileSpec( AuditParameters, Index, String ) \ 00069 { \ 00070 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeFileSpec; \ 00071 (AuditParameters).Parameters[(Index)].Length = \ 00072 sizeof(UNICODE_STRING)+(String)->Length; \ 00073 (AuditParameters).Parameters[(Index)].Address = (String); \ 00074 } 00075 00076 #define SepSetParmTypeUlong( AuditParameters, Index, Ulong ) \ 00077 { \ 00078 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUlong; \ 00079 (AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \ 00080 (AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \ 00081 } 00082 00083 #define SepSetParmTypeNoLogon( AuditParameters, Index ) \ 00084 { \ 00085 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoLogonId; \ 00086 } 00087 00088 #define SepSetParmTypeLogonId( AuditParameters, Index, LogonId ) \ 00089 { \ 00090 LUID UNALIGNED * TmpLuid; \ 00091 \ 00092 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeLogonId; \ 00093 (AuditParameters).Parameters[(Index)].Length = sizeof( (LogonId) ); \ 00094 TmpLuid = (LUID UNALIGNED *)(&(AuditParameters).Parameters[(Index)].Data[0]); \ 00095 *TmpLuid = (LogonId); \ 00096 } 00097 00098 #define SepSetParmTypeAccessMask( AuditParameters, Index, AccessMask, ObjectTypeIndex ) \ 00099 { \ 00100 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeAccessMask; \ 00101 (AuditParameters).Parameters[(Index)].Length = sizeof( ACCESS_MASK ); \ 00102 (AuditParameters).Parameters[(Index)].Data[0] = (AccessMask); \ 00103 (AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \ 00104 } 00105 00106 #define SepSetParmTypePrivileges( AuditParameters, Index, Privileges ) \ 00107 { \ 00108 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePrivs; \ 00109 (AuditParameters).Parameters[(Index)].Length = SepPrivilegeSetSize( (Privileges) ); \ 00110 (AuditParameters).Parameters[(Index)].Address = (Privileges); \ 00111 } 00112 00113 #define SepSetParmTypeObjectTypes( AuditParameters, Index, ObjectTypes, ObjectTypeCount, ObjectTypeIndex ) \ 00114 { \ 00115 (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeObjectTypes; \ 00116 (AuditParameters).Parameters[(Index)].Length = sizeof( SE_ADT_OBJECT_TYPE ) * (ObjectTypeCount);\ 00117 (AuditParameters).Parameters[(Index)].Address = (ObjectTypes); \ 00118 (AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \ 00119 } 00120 00121 00122 00123 00124 BOOLEAN 00125 SepAdtPrivilegeObjectAuditAlarm ( 00126 IN PUNICODE_STRING CapturedSubsystemName OPTIONAL, 00127 IN PVOID HandleId, 00128 IN PTOKEN ClientToken OPTIONAL, 00129 IN PTOKEN PrimaryToken, 00130 IN PVOID ProcessId, 00131 IN ACCESS_MASK DesiredAccess, 00132 IN PPRIVILEGE_SET CapturedPrivileges, 00133 IN BOOLEAN AccessGranted 00134 ) 00135 00136 /*++ 00137 00138 Routine Description: 00139 00140 Implements NtPrivilegeObjectAuditAlarm after parameters have been 00141 captured. 00142 00143 This routine is used to generate audit and alarm messages when an 00144 attempt is made to perform privileged operations on a protected 00145 subsystem object after the object is already opened. This routine may 00146 result in several messages being generated and sent to Port objects. 00147 This may result in a significant latency before returning. Design of 00148 routines that must call this routine must take this potential latency 00149 into account. This may have an impact on the approach taken for data 00150 structure mutex locking, for example. 00151 00152 This API requires the caller have SeTcbPrivilege privilege. The test 00153 for this privilege is always against the primary token of the calling 00154 process, allowing the caller to be impersonating a client during the 00155 call with no ill effects. 00156 00157 This routine will create an SE_ADT_PARAMETERS array organized as follows: 00158 00159 Parameter[0] - User Sid 00160 00161 Parameter[1] - Subsystem name (if available) 00162 00163 Parameter[2] - New handle ID 00164 00165 Parameter[3] - Subject's process id 00166 00167 Parameter[4] - Subject's primary authentication ID 00168 00169 Parameter[5] - Subject's client authentication ID 00170 00171 Parameter[6] - Privileges used for open 00172 00173 Arguments: 00174 00175 CapturedSubsystemName - Supplies a name string identifying the 00176 subsystem calling the routine. 00177 00178 HandleId - A unique value representing the client's handle to the 00179 object. 00180 00181 ClientToken - Optionally provides a pointer to the client token 00182 (only if the caller is currently impersonating) 00183 00184 PrimaryToken - Provides a pointer to the caller's primary token. 00185 00186 DesiredAccess - The desired access mask. This mask must have been 00187 previously mapped to contain no generic accesses. 00188 00189 CapturedPrivileges - The set of privileges required for the requested 00190 operation. Those privileges that were held by the subject are 00191 marked using the UsedForAccess flag of the attributes 00192 associated with each privilege. 00193 00194 AccessGranted - Indicates whether the requested access was granted or 00195 not. A value of TRUE indicates the access was granted. A value of 00196 FALSE indicates the access was not granted. 00197 00198 Return value: 00199 00200 --*/ 00201 { 00202 SE_ADT_PARAMETER_ARRAY AuditParameters; 00203 PSID CapturedUserSid; 00204 LUID ClientAuthenticationId; 00205 LUID PrimaryAuthenticationId; 00206 00207 PAGED_CODE(); 00208 00209 // 00210 // Determine if we are auditing the use of privileges 00211 // 00212 00213 if ( SepAdtAuditThisEvent( AuditCategoryPrivilegeUse, &AccessGranted ) && 00214 SepFilterPrivilegeAudits( CapturedPrivileges )) { 00215 00216 if ( ARGUMENT_PRESENT( ClientToken )) { 00217 00218 CapturedUserSid = SepTokenUserSid( ClientToken ); 00219 ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); 00220 00221 } else { 00222 00223 CapturedUserSid = SepTokenUserSid( PrimaryToken ); 00224 } 00225 00226 if ( RtlEqualSid( SeLocalSystemSid, CapturedUserSid )) { 00227 00228 return (FALSE); 00229 } 00230 00231 PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); 00232 00233 // 00234 // A completely zero'd entry will be interpreted 00235 // as a "null string" or not supplied parameter. 00236 // 00237 // Initializing the entire array up front will allow 00238 // us to avoid filling in each not supplied entry. 00239 // 00240 00241 RtlZeroMemory ( 00242 (PVOID) &AuditParameters, 00243 sizeof( AuditParameters ) 00244 ); 00245 00246 ASSERT( SeAdtParmTypeNone == 0 ); 00247 00248 AuditParameters.CategoryId = SE_CATEGID_PRIVILEGE_USE; 00249 AuditParameters.AuditId = SE_AUDITID_PRIVILEGED_OBJECT; 00250 AuditParameters.ParameterCount = 0; 00251 00252 if ( AccessGranted ) { 00253 00254 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 00255 00256 } else { 00257 00258 AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; 00259 } 00260 00261 // 00262 // Parameter[0] - User Sid 00263 // 00264 00265 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); 00266 00267 AuditParameters.ParameterCount++; 00268 00269 // 00270 // Parameter[1] - Subsystem name (if available) 00271 // 00272 00273 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 00274 00275 AuditParameters.ParameterCount++; 00276 00277 // 00278 // Parameter[1] - Subsystem name (if available) 00279 // 00280 00281 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 00282 00283 AuditParameters.ParameterCount++; 00284 00285 // 00286 // Parameter[2] - New handle ID 00287 // 00288 00289 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); 00290 00291 AuditParameters.ParameterCount++; 00292 00293 // 00294 // Parameter[3] - Subject's process id 00295 // 00296 00297 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); 00298 00299 AuditParameters.ParameterCount++; 00300 00301 // 00302 // Parameter[4] - Subject's primary authentication ID 00303 // 00304 00305 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); 00306 00307 AuditParameters.ParameterCount++; 00308 00309 // 00310 // Parameter[5] - Subject's client authentication ID 00311 // 00312 00313 if ( ARGUMENT_PRESENT( ClientToken )) { 00314 00315 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); 00316 00317 } else { 00318 00319 SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); 00320 } 00321 00322 AuditParameters.ParameterCount++; 00323 00324 // 00325 // Parameter[6] - Privileges used for open 00326 // 00327 00328 if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { 00329 00330 SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); 00331 } 00332 00333 AuditParameters.ParameterCount++; 00334 00335 SepAdtLogAuditRecord( &AuditParameters ); 00336 00337 return( TRUE ); 00338 00339 } 00340 00341 return( FALSE ); 00342 } 00343 00344 00345 VOID 00346 SepAdtPrivilegedServiceAuditAlarm ( 00347 IN PUNICODE_STRING CapturedSubsystemName, 00348 IN PUNICODE_STRING CapturedServiceName, 00349 IN PTOKEN ClientToken OPTIONAL, 00350 IN PTOKEN PrimaryToken, 00351 IN PPRIVILEGE_SET CapturedPrivileges, 00352 IN BOOLEAN AccessGranted 00353 ) 00354 00355 /*++ 00356 00357 Routine Description: 00358 00359 This routine is the active part of NtPrivilegedServiceAuditAlarm. 00360 00361 This routine is used to generate audit and alarm messages when an 00362 attempt is made to perform privileged system service operations. This 00363 routine may result in several messages being generated and sent to Port 00364 objects. This may result in a significant latency before returning. 00365 Design of routines that must call this routine must take this potential 00366 latency into account. This may have an impact on the approach taken 00367 for data structure mutex locking, for example. 00368 00369 This API requires the caller have SeTcbPrivilege privilege. The test 00370 for this privilege is always against the primary token of the calling 00371 process, allowing the caller to be impersonating a client during the 00372 call with no ill effects. The test for this privilege is assumed to 00373 have occurred at a higher level. 00374 00375 This routine will create an SE_ADT_PARAMETERS array organized as follows: 00376 00377 Parameter[0] - User Sid 00378 00379 Parameter[1] - Subsystem name (if available) 00380 00381 Parameter[2] - Subject's primary authentication ID 00382 00383 Parameter[3] - Subject's client authentication ID 00384 00385 Parameter[4] - Privileges used for open 00386 00387 Arguments: 00388 00389 SubsystemName - Supplies a name string identifying the subsystem 00390 calling the routine. 00391 00392 ServiceName - Supplies a name of the privileged subsystem service. For 00393 example, "RESET RUNTIME LOCAL SECURITY POLICY" might be specified 00394 by a Local Security Authority service used to update the local 00395 security policy database. 00396 00397 ClientToken - Optionally provides a pointer to the client token 00398 (only if the caller is currently impersonating) 00399 00400 PrimaryToken - Provides a pointer to the caller's primary token. 00401 00402 Privileges - Points to a set of privileges required to perform the 00403 privileged operation. Those privileges that were held by the 00404 subject are marked using the UsedForAccess flag of the 00405 attributes associated with each privilege. 00406 00407 AccessGranted - Indicates whether the requested access was granted or 00408 not. A value of TRUE indicates the access was granted. A value of 00409 FALSE indicates the access was not granted. 00410 00411 00412 Return value: 00413 00414 00415 --*/ 00416 00417 { 00418 00419 SE_ADT_PARAMETER_ARRAY AuditParameters; 00420 PSID CapturedUserSid; 00421 LUID ClientAuthenticationId; 00422 LUID PrimaryAuthenticationId; 00423 PUNICODE_STRING SubsystemName; 00424 00425 PAGED_CODE(); 00426 00427 // 00428 // Determine if we are auditing privileged services 00429 // 00430 00431 if ( SepAdtAuditThisEvent( AuditCategoryPrivilegeUse, &AccessGranted )) { 00432 00433 if ( ARGUMENT_PRESENT( ClientToken )) { 00434 00435 CapturedUserSid = SepTokenUserSid( ClientToken ); 00436 ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); 00437 00438 } else { 00439 00440 CapturedUserSid = SepTokenUserSid( PrimaryToken ); 00441 } 00442 00443 PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); 00444 00445 if ( !ARGUMENT_PRESENT( CapturedSubsystemName )) { 00446 00447 SubsystemName = &SeSubsystemName; 00448 00449 } else { 00450 00451 SubsystemName = CapturedSubsystemName; 00452 } 00453 00454 // 00455 // A completely zero'd entry will be interpreted 00456 // as a "null string" or not supplied parameter. 00457 // 00458 // Initializing the entire array up front will allow 00459 // us to avoid filling in each not supplied entry. 00460 // 00461 00462 RtlZeroMemory ( 00463 (PVOID) &AuditParameters, 00464 sizeof( AuditParameters ) 00465 ); 00466 00467 ASSERT( SeAdtParmTypeNone == 0 ); 00468 00469 AuditParameters.CategoryId = SE_CATEGID_PRIVILEGE_USE; 00470 AuditParameters.AuditId = SE_AUDITID_PRIVILEGED_SERVICE; 00471 AuditParameters.ParameterCount = 0; 00472 00473 if ( AccessGranted ) { 00474 00475 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 00476 00477 } else { 00478 00479 AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; 00480 } 00481 00482 00483 // 00484 // Parameter[0] - User Sid 00485 // 00486 00487 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); 00488 00489 AuditParameters.ParameterCount++; 00490 00491 // 00492 // Parameter[1] - Subsystem name (if available) 00493 // 00494 00495 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, SubsystemName ); 00496 00497 AuditParameters.ParameterCount++; 00498 00499 00500 // 00501 // Parameter[2] - Server 00502 // 00503 00504 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, SubsystemName ); 00505 00506 AuditParameters.ParameterCount++; 00507 00508 00509 // 00510 // Parameter[3] - Service name (if available) 00511 // 00512 00513 if ( ARGUMENT_PRESENT( CapturedServiceName )) { 00514 00515 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedServiceName ); 00516 } 00517 00518 AuditParameters.ParameterCount++; 00519 00520 // 00521 // Parameter[3] - Subject's primary authentication ID 00522 // 00523 00524 00525 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); 00526 00527 AuditParameters.ParameterCount++; 00528 00529 00530 // 00531 // Parameter[4] - Subject's client authentication ID 00532 // 00533 00534 if ( ARGUMENT_PRESENT( ClientToken )) { 00535 00536 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); 00537 00538 } else { 00539 00540 SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); 00541 } 00542 00543 AuditParameters.ParameterCount++; 00544 00545 00546 // 00547 // Parameter[5] - Privileges used for open 00548 // 00549 00550 00551 if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { 00552 00553 SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); 00554 } 00555 00556 AuditParameters.ParameterCount++; 00557 00558 00559 SepAdtLogAuditRecord( &AuditParameters ); 00560 00561 } 00562 00563 } 00564 00565 00566 00567 00568 00569 00570 BOOLEAN 00571 SepAdtOpenObjectAuditAlarm ( 00572 IN PUNICODE_STRING CapturedSubsystemName, 00573 IN PVOID *HandleId OPTIONAL, 00574 IN PUNICODE_STRING CapturedObjectTypeName, 00575 IN PVOID Object OPTIONAL, 00576 IN PUNICODE_STRING CapturedObjectName OPTIONAL, 00577 IN PTOKEN ClientToken OPTIONAL, 00578 IN PTOKEN PrimaryToken, 00579 IN ACCESS_MASK DesiredAccess, 00580 IN ACCESS_MASK GrantedAccess, 00581 IN PLUID OperationId, 00582 IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL, 00583 IN BOOLEAN ObjectCreated, 00584 IN BOOLEAN AccessGranted, 00585 IN BOOLEAN GenerateAudit, 00586 IN BOOLEAN GenerateAlarm, 00587 IN HANDLE ProcessID, 00588 IN POLICY_AUDIT_EVENT_TYPE AuditType, 00589 IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL, 00590 IN ULONG ObjectTypeListLength, 00591 IN PACCESS_MASK GrantedAccessArray OPTIONAL 00592 ) 00593 00594 /*++ 00595 00596 Routine Description: 00597 00598 Implements NtOpenObjectAuditAlarm after parameters have been captured. 00599 00600 This routine is used to generate audit and alarm messages when an 00601 attempt is made to access an existing protected subsystem object or 00602 create a new one. This routine may result in several messages being 00603 generated and sent to Port objects. This may result in a significant 00604 latency before returning. Design of routines that must call this 00605 routine must take this potential latency into account. This may have 00606 an impact on the approach taken for data structure mutex locking, for 00607 example. This API requires the caller have SeTcbPrivilege privilege. 00608 The test for this privilege is always against the primary token of the 00609 calling process, not the impersonation token of the thread. 00610 00611 00612 This routine will create an SE_ADT_PARAMETERS array organized as follows: 00613 00614 Parameter[0] - User Sid 00615 00616 Parameter[1] - Subsystem name (if available) 00617 00618 Parameter[2] - Server name (if available) 00619 00620 Parameter[3] - Object Type Name 00621 00622 Parameter[4] - Object Name 00623 00624 Parameter[5] - New handle ID 00625 00626 Parameter[6] - Subject's process id 00627 00628 Parameter[7] - Subject's primary authentication ID 00629 00630 Parameter[8] - Subject's client authentication ID 00631 00632 Parameter[9] - DesiredAccess mask 00633 00634 Parameter[10] - Privileges used for open 00635 00636 Parameter[11] - Guid/Level/AccessMask of objects/property sets/properties accesses. 00637 00638 Arguments: 00639 00640 CapturedSubsystemName - Supplies a name string identifying the 00641 subsystem calling the routine. 00642 00643 HandleId - A unique value representing the client's handle to the 00644 object. If the access attempt was not successful (AccessGranted is 00645 FALSE), then this parameter is ignored. 00646 00647 CapturedObjectTypeName - Supplies the name of the type of object being 00648 accessed. 00649 00650 CapturedObjectName - Supplies the name of the object the client 00651 accessed or attempted to access. 00652 00653 CapturedSecurityDescriptor - A pointer to the security descriptor of 00654 the object being accessed. 00655 00656 ClientToken - Optionally provides a pointer to the client token 00657 (only if the caller is currently impersonating) 00658 00659 PrimaryToken - Provides a pointer to the caller's primary token. 00660 00661 DesiredAccess - The desired access mask. This mask must have been 00662 previously mapped to contain no generic accesses. 00663 00664 GrantedAccess - The mask of accesses that were actually granted. 00665 00666 CapturedPrivileges - Optionally points to a set of privileges that were 00667 required for the access attempt. Those privileges that were held 00668 by the subject are marked using the UsedForAccess flag of the 00669 attributes associated with each privilege. 00670 00671 ObjectCreation - A boolean flag indicating whether the access will 00672 result in a new object being created if granted. A value of TRUE 00673 indicates an object will be created, FALSE indicates an existing 00674 object will be opened. 00675 00676 AccessGranted - Indicates whether the requested access was granted or 00677 not. A value of TRUE indicates the access was granted. A value of 00678 FALSE indicates the access was not granted. 00679 00680 GenerateOnClose - Points to a boolean that is set by the audit 00681 generation routine and must be passed to NtCloseObjectAuditAlarm() 00682 when the object handle is closed. 00683 00684 GenerateAudit - Indicates if we should generate an audit for this operation. 00685 00686 GenerateAlarm - Indicates if we should generate an alarm for this operation. 00687 00688 AuditType - Specifies the type of audit to be generated. Valid values 00689 are: AuditCategoryObjectAccess and AuditCategoryDirectoryServiceAccess. 00690 00691 ObjectTypeList - Supplies a list of GUIDs representing the object (and 00692 sub-objects) being accessed. 00693 00694 ObjectTypeListLength - Specifies the number of elements in the ObjectTypeList. 00695 00696 GrantedAccessArray - If non NULL, specifies an array of access mask granted 00697 to each object in ObjectTypeList. 00698 00699 Return Value: 00700 00701 Returns TRUE if audit is generated, FALSE otherwise. 00702 00703 --*/ 00704 00705 { 00706 SE_ADT_PARAMETER_ARRAY AuditParameters; 00707 ULONG ObjectTypeIndex; 00708 PSID CapturedUserSid; 00709 LUID PrimaryAuthenticationId; 00710 LUID ClientAuthenticationId; 00711 PSE_ADT_OBJECT_TYPE AdtObjectTypeBuffer = NULL; 00712 00713 PAGED_CODE(); 00714 00715 if ( ARGUMENT_PRESENT( ClientToken )) { 00716 00717 CapturedUserSid = SepTokenUserSid( ClientToken ); 00718 ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); 00719 00720 } else { 00721 00722 CapturedUserSid = SepTokenUserSid( PrimaryToken ); 00723 } 00724 00725 PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); 00726 00727 // 00728 // A completely zero'd entry will be interpreted 00729 // as a "null string" or not supplied parameter. 00730 // 00731 // Initializing the entire array up front will allow 00732 // us to avoid filling in each not supplied entry. 00733 // 00734 00735 RtlZeroMemory ( 00736 (PVOID) &AuditParameters, 00737 sizeof( AuditParameters ) 00738 ); 00739 00740 ASSERT( SeAdtParmTypeNone == 0 ); 00741 00742 ASSERT( ( AuditType == AuditCategoryObjectAccess ) || 00743 ( AuditType == AuditCategoryDirectoryServiceAccess ) ); 00744 00745 if (AuditType == AuditCategoryObjectAccess) { 00746 00747 AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; 00748 } else { 00749 00750 AuditParameters.CategoryId = SE_CATEGID_DS_ACCESS; 00751 } 00752 00753 AuditParameters.AuditId = SE_AUDITID_OPEN_HANDLE; 00754 AuditParameters.ParameterCount = 0; 00755 00756 if ( AccessGranted ) { 00757 00758 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 00759 00760 } else { 00761 00762 AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; 00763 } 00764 00765 // 00766 // Parameter[0] - User Sid 00767 // 00768 00769 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); 00770 00771 AuditParameters.ParameterCount++; 00772 00773 // 00774 // Parameter[1] - Subsystem name (if available) 00775 // 00776 00777 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 00778 00779 AuditParameters.ParameterCount++; 00780 00781 // 00782 // Parameter[2] - Object Server (if available) 00783 // 00784 00785 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 00786 00787 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 00788 } 00789 00790 AuditParameters.ParameterCount++; 00791 00792 // 00793 // Parameter[3] - Object Type Name 00794 // 00795 00796 if ( ARGUMENT_PRESENT( CapturedObjectTypeName )) { 00797 00798 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedObjectTypeName ); 00799 ObjectTypeIndex = AuditParameters.ParameterCount; 00800 } 00801 00802 AuditParameters.ParameterCount++; 00803 00804 // 00805 // Parameter[4] - Object Name 00806 // 00807 00808 if ( ARGUMENT_PRESENT( CapturedObjectName )) { 00809 00810 SepSetParmTypeFileSpec( AuditParameters, AuditParameters.ParameterCount, CapturedObjectName ); 00811 } 00812 00813 AuditParameters.ParameterCount++; 00814 00815 // 00816 // Parameter[5] - New handle ID 00817 // 00818 00819 if ( ARGUMENT_PRESENT( HandleId )) { 00820 00821 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)*HandleId) ); 00822 } 00823 00824 AuditParameters.ParameterCount++; 00825 00826 if ( ARGUMENT_PRESENT( OperationId )) { 00827 00828 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).HighPart ); 00829 00830 AuditParameters.ParameterCount++; 00831 00832 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).LowPart ); 00833 00834 AuditParameters.ParameterCount++; 00835 00836 } else { 00837 00838 AuditParameters.ParameterCount += 2; 00839 } 00840 00841 // 00842 // Parameter[6] - Subject's process id 00843 // 00844 00845 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessID) ); 00846 00847 AuditParameters.ParameterCount++; 00848 00849 // 00850 // Parameter[7] - Subject's primary authentication ID 00851 // 00852 00853 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); 00854 00855 AuditParameters.ParameterCount++; 00856 00857 // 00858 // Parameter[8] - Subject's client authentication ID 00859 // 00860 00861 if ( ARGUMENT_PRESENT( ClientToken )) { 00862 00863 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); 00864 00865 } else { 00866 00867 SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); 00868 } 00869 00870 AuditParameters.ParameterCount++; 00871 00872 // 00873 // Parameter[9] - DesiredAccess mask 00874 // 00875 00876 if ( AccessGranted ) { 00877 00878 SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, GrantedAccess, ObjectTypeIndex ); 00879 00880 } else { 00881 00882 SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, DesiredAccess, ObjectTypeIndex ); 00883 } 00884 00885 AuditParameters.ParameterCount++; 00886 00887 // 00888 // Parameter[10] - Privileges used for open 00889 // 00890 00891 if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { 00892 00893 SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); 00894 } 00895 00896 AuditParameters.ParameterCount++; 00897 00898 // 00899 // Parameter[11] - ObjectTypes of Audited objects/parameter sets/parameters 00900 // 00901 00902 if ( ObjectTypeListLength != 0 ) { 00903 ULONG GuidCount; 00904 ULONG i; 00905 USHORT FlagMask = AccessGranted ? OBJECT_SUCCESS_AUDIT : OBJECT_FAILURE_AUDIT; 00906 00907 // 00908 // Count the number of GUIDs to audit. 00909 // 00910 00911 GuidCount = 0; 00912 for ( i=0; i<ObjectTypeListLength; i++ ) { 00913 00914 if ( i == 0 ) { 00915 GuidCount++; 00916 } else if ( ObjectTypeList[i].Flags & FlagMask ) { 00917 GuidCount ++; 00918 } 00919 } 00920 00921 // 00922 // If there are any Guids to audit, 00923 // copy them into a locally allocated buffer. 00924 // 00925 00926 if ( GuidCount > 0 ) { 00927 00928 AdtObjectTypeBuffer = ExAllocatePoolWithTag( PagedPool, GuidCount * sizeof(SE_ADT_OBJECT_TYPE), 'pAeS' ); 00929 00930 // 00931 // If the buffer can be allocated, 00932 // fill it in. 00933 // If not, 00934 // generate a truncated audit. 00935 // 00936 00937 if ( AdtObjectTypeBuffer != NULL ) { 00938 00939 // 00940 // Copy the GUIDs and optional access masks to the buffer. 00941 // 00942 00943 GuidCount = 0; 00944 for ( i=0; i<ObjectTypeListLength; i++ ) { 00945 00946 if ( ( i > 0 ) && !( ObjectTypeList[i].Flags & FlagMask ) ) { 00947 00948 continue; 00949 00950 } else { 00951 00952 AdtObjectTypeBuffer[GuidCount].ObjectType = ObjectTypeList[i].ObjectType; 00953 AdtObjectTypeBuffer[GuidCount].Level = ObjectTypeList[i].Level; 00954 00955 if ( i == 0 ) { 00956 // 00957 // Always copy the GUID representing the object itself. 00958 // Mark it as a such to avoid including it in the audit. 00959 // 00960 AdtObjectTypeBuffer[GuidCount].Flags = SE_ADT_OBJECT_ONLY; 00961 AdtObjectTypeBuffer[GuidCount].AccessMask = 0; 00962 00963 } else { 00964 00965 AdtObjectTypeBuffer[GuidCount].Flags = 0; 00966 if ( ARGUMENT_PRESENT(GrantedAccessArray) && AccessGranted ) { 00967 00968 AdtObjectTypeBuffer[GuidCount].AccessMask = GrantedAccessArray[i]; 00969 } 00970 } 00971 GuidCount ++; 00972 } 00973 } 00974 00975 // 00976 // Store the Object Types. 00977 // 00978 00979 SepSetParmTypeObjectTypes( AuditParameters, AuditParameters.ParameterCount, AdtObjectTypeBuffer, GuidCount, ObjectTypeIndex ); 00980 AuditParameters.ParameterCount ++; 00981 AuditParameters.AuditId = SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE; 00982 } 00983 } 00984 00985 } 00986 00987 00988 00989 // 00990 // Audit it. 00991 // 00992 SepAdtLogAuditRecord( &AuditParameters ); 00993 00994 if ( AdtObjectTypeBuffer != NULL ) { 00995 ExFreePool( AdtObjectTypeBuffer ); 00996 } 00997 00998 return( TRUE ); 00999 } 01000 01001 01002 BOOLEAN 01003 SepAdtOpenObjectForDeleteAuditAlarm ( 01004 IN PUNICODE_STRING CapturedSubsystemName, 01005 IN PVOID *HandleId OPTIONAL, 01006 IN PUNICODE_STRING CapturedObjectTypeName, 01007 IN PVOID Object OPTIONAL, 01008 IN PUNICODE_STRING CapturedObjectName OPTIONAL, 01009 IN PTOKEN ClientToken OPTIONAL, 01010 IN PTOKEN PrimaryToken, 01011 IN ACCESS_MASK DesiredAccess, 01012 IN ACCESS_MASK GrantedAccess, 01013 IN PLUID OperationId, 01014 IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL, 01015 IN BOOLEAN ObjectCreated, 01016 IN BOOLEAN AccessGranted, 01017 IN BOOLEAN GenerateAudit, 01018 IN BOOLEAN GenerateAlarm, 01019 IN HANDLE ProcessID 01020 ) 01021 01022 /*++ 01023 01024 Routine Description: 01025 01026 Implements SeOpenObjectForDeleteAuditAlarm after parameters have been 01027 captured. 01028 01029 This routine is used to generate audit and alarm messages when an 01030 attempt is made to access an existing protected subsystem object or 01031 create a new one. This routine may result in several messages being 01032 generated and sent to Port objects. This may result in a significant 01033 latency before returning. Design of routines that must call this 01034 routine must take this potential latency into account. This may have 01035 an impact on the approach taken for data structure mutex locking, for 01036 example. This API requires the caller have SeTcbPrivilege privilege. 01037 The test for this privilege is always against the primary token of the 01038 calling process, not the impersonation token of the thread. 01039 01040 01041 This routine will create an SE_ADT_PARAMETERS array organized as follows: 01042 01043 Parameter[0] - User Sid 01044 01045 Parameter[1] - Subsystem name (if available) 01046 01047 Parameter[2] - Server name (if available) 01048 01049 Parameter[3] - Object Type Name 01050 01051 Parameter[4] - Object Name 01052 01053 Parameter[5] - New handle ID 01054 01055 Parameter[6] - Subject's process id 01056 01057 Parameter[7] - Subject's primary authentication ID 01058 01059 Parameter[8] - Subject's client authentication ID 01060 01061 Parameter[9] - DesiredAccess mask 01062 01063 Parameter[10] - Privileges used for open 01064 01065 Arguments: 01066 01067 CapturedSubsystemName - Supplies a name string identifying the 01068 subsystem calling the routine. 01069 01070 HandleId - A unique value representing the client's handle to the 01071 object. If the access attempt was not successful (AccessGranted is 01072 FALSE), then this parameter is ignored. 01073 01074 CapturedObjectTypeName - Supplies the name of the type of object being 01075 accessed. 01076 01077 CapturedObjectName - Supplies the name of the object the client 01078 accessed or attempted to access. 01079 01080 CapturedSecurityDescriptor - A pointer to the security descriptor of 01081 the object being accessed. 01082 01083 ClientToken - Optionally provides a pointer to the client token 01084 (only if the caller is currently impersonating) 01085 01086 PrimaryToken - Provides a pointer to the caller's primary token. 01087 01088 DesiredAccess - The desired access mask. This mask must have been 01089 previously mapped to contain no generic accesses. 01090 01091 GrantedAccess - The mask of accesses that were actually granted. 01092 01093 CapturedPrivileges - Optionally points to a set of privileges that were 01094 required for the access attempt. Those privileges that were held 01095 by the subject are marked using the UsedForAccess flag of the 01096 attributes associated with each privilege. 01097 01098 ObjectCreation - A boolean flag indicating whether the access will 01099 result in a new object being created if granted. A value of TRUE 01100 indicates an object will be created, FALSE indicates an existing 01101 object will be opened. 01102 01103 AccessGranted - Indicates whether the requested access was granted or 01104 not. A value of TRUE indicates the access was granted. A value of 01105 FALSE indicates the access was not granted. 01106 01107 GenerateOnClose - Points to a boolean that is set by the audit 01108 generation routine and must be passed to NtCloseObjectAuditAlarm() 01109 when the object handle is closed. 01110 01111 GenerateAudit - Indicates if we should generate an audit for this operation. 01112 01113 GenerateAlarm - Indicates if we should generate an alarm for this operation. 01114 01115 Return Value: 01116 01117 Returns TRUE if audit is generated, FALSE otherwise. 01118 01119 --*/ 01120 01121 { 01122 SE_ADT_PARAMETER_ARRAY AuditParameters; 01123 ULONG ObjectTypeIndex; 01124 PSID CapturedUserSid; 01125 LUID PrimaryAuthenticationId; 01126 LUID ClientAuthenticationId; 01127 01128 PAGED_CODE(); 01129 01130 if ( ARGUMENT_PRESENT( ClientToken )) { 01131 01132 CapturedUserSid = SepTokenUserSid( ClientToken ); 01133 ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); 01134 01135 } else { 01136 01137 CapturedUserSid = SepTokenUserSid( PrimaryToken ); 01138 } 01139 01140 PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); 01141 01142 // 01143 // A completely zero'd entry will be interpreted 01144 // as a "null string" or not supplied parameter. 01145 // 01146 // Initializing the entire array up front will allow 01147 // us to avoid filling in each not supplied entry. 01148 // 01149 01150 RtlZeroMemory ( 01151 (PVOID) &AuditParameters, 01152 sizeof( AuditParameters ) 01153 ); 01154 01155 ASSERT( SeAdtParmTypeNone == 0 ); 01156 01157 AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; 01158 AuditParameters.AuditId = SE_AUDITID_OPEN_OBJECT_FOR_DELETE; 01159 AuditParameters.ParameterCount = 0; 01160 01161 if ( AccessGranted ) { 01162 01163 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 01164 01165 } else { 01166 01167 AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; 01168 } 01169 01170 // 01171 // Parameter[0] - User Sid 01172 // 01173 01174 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, CapturedUserSid ); 01175 01176 AuditParameters.ParameterCount++; 01177 01178 // 01179 // Parameter[1] - Subsystem name (if available) 01180 // 01181 01182 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01183 01184 AuditParameters.ParameterCount++; 01185 01186 // 01187 // Parameter[2] - Object Server (if available) 01188 // 01189 01190 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 01191 01192 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01193 } 01194 01195 AuditParameters.ParameterCount++; 01196 01197 // 01198 // Parameter[3] - Object Type Name 01199 // 01200 01201 if ( ARGUMENT_PRESENT( CapturedObjectTypeName )) { 01202 01203 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedObjectTypeName ); 01204 ObjectTypeIndex = AuditParameters.ParameterCount; 01205 } 01206 01207 AuditParameters.ParameterCount++; 01208 01209 // 01210 // Parameter[4] - Object Name 01211 // 01212 01213 if ( ARGUMENT_PRESENT( CapturedObjectName )) { 01214 01215 SepSetParmTypeFileSpec( AuditParameters, AuditParameters.ParameterCount, CapturedObjectName ); 01216 } 01217 01218 AuditParameters.ParameterCount++; 01219 01220 // 01221 // Parameter[5] - New handle ID 01222 // 01223 01224 if ( ARGUMENT_PRESENT( HandleId )) { 01225 01226 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)*HandleId) ); 01227 } 01228 01229 AuditParameters.ParameterCount++; 01230 01231 if ( ARGUMENT_PRESENT( OperationId )) { 01232 01233 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).HighPart ); 01234 01235 AuditParameters.ParameterCount++; 01236 01237 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (*OperationId).LowPart ); 01238 01239 AuditParameters.ParameterCount++; 01240 01241 } else { 01242 01243 AuditParameters.ParameterCount += 2; 01244 } 01245 01246 // 01247 // Parameter[6] - Subject's process id 01248 // 01249 01250 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessID) ); 01251 01252 AuditParameters.ParameterCount++; 01253 01254 // 01255 // Parameter[7] - Subject's primary authentication ID 01256 // 01257 01258 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, PrimaryAuthenticationId ); 01259 01260 AuditParameters.ParameterCount++; 01261 01262 // 01263 // Parameter[8] - Subject's client authentication ID 01264 // 01265 01266 if ( ARGUMENT_PRESENT( ClientToken )) { 01267 01268 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, ClientAuthenticationId ); 01269 01270 } else { 01271 01272 SepSetParmTypeNoLogon( AuditParameters, AuditParameters.ParameterCount ); 01273 } 01274 01275 AuditParameters.ParameterCount++; 01276 01277 // 01278 // Parameter[9] - DesiredAccess mask 01279 // 01280 01281 if ( AccessGranted ) { 01282 01283 SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, GrantedAccess, ObjectTypeIndex ); 01284 01285 } else { 01286 01287 SepSetParmTypeAccessMask( AuditParameters, AuditParameters.ParameterCount, DesiredAccess, ObjectTypeIndex ); 01288 } 01289 01290 AuditParameters.ParameterCount++; 01291 01292 // 01293 // Parameter[10] - Privileges used for open 01294 // 01295 01296 if ( (CapturedPrivileges != NULL) && (CapturedPrivileges->PrivilegeCount > 0) ) { 01297 01298 SepSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, CapturedPrivileges ); 01299 } 01300 01301 AuditParameters.ParameterCount++; 01302 01303 SepAdtLogAuditRecord( &AuditParameters ); 01304 01305 return( TRUE ); 01306 } 01307 01308 01309 01310 01311 VOID 01312 SepAdtCloseObjectAuditAlarm ( 01313 IN PUNICODE_STRING CapturedSubsystemName, 01314 IN PVOID HandleId, 01315 IN PVOID Object, 01316 IN PSID UserSid, 01317 IN LUID AuthenticationId 01318 ) 01319 01320 /*++ 01321 01322 Routine Description: 01323 01324 This routine implements NtCloseObjectAuditAlarm after parameters have 01325 been captured. 01326 01327 This routine is used to generate audit and alarm messages when a handle 01328 to a protected subsystem object is deleted. This routine may result in 01329 several messages being generated and sent to Port objects. This may 01330 result in a significant latency before returning. Design of routines 01331 that must call this routine must take this potential latency into 01332 account. This may have an impact on the approach taken for data 01333 structure mutex locking, for example. 01334 01335 This API requires the caller have SeTcbPrivilege privilege. The test 01336 for this privilege is always against the primary token of the calling 01337 process, allowing the caller to be impersonating a client during the 01338 call with no ill effects. It is assumed that this privilege has been 01339 tested at a higher level. 01340 01341 This routine will create an SE_ADT_PARAMETERS array organized as follows: 01342 01343 Parameter[0] - User Sid 01344 01345 Parameter[1] - Subsystem name (if available) 01346 01347 Parameter[2] - New handle ID 01348 01349 Parameter[3] - Subject's process id 01350 01351 Arguments: 01352 01353 CapturedSubsystemName - Supplies a name string identifying the 01354 subsystem calling the routine. 01355 01356 HandleId - A unique value representing the client's handle to the 01357 object. 01358 01359 Object - The address of the object being closed 01360 01361 UserSid - The Sid identifying the current caller. 01362 01363 01364 01365 Return value: 01366 01367 None. 01368 01369 01370 --*/ 01371 01372 { 01373 01374 SE_ADT_PARAMETER_ARRAY AuditParameters; 01375 BOOLEAN AccessGranted = TRUE; 01376 HANDLE ProcessId; 01377 01378 PAGED_CODE(); 01379 01380 if ( SepAuditOptions.DoNotAuditCloseObjectEvents ) { 01381 01382 return; 01383 } 01384 01385 if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted ) ) { 01386 01387 // 01388 // A completely zero'd entry will be interpreted 01389 // as a "null string" or not supplied parameter. 01390 // 01391 // Initializing the entire array up front will allow 01392 // us to avoid filling in each not supplied entry. 01393 // 01394 01395 RtlZeroMemory ( 01396 (PVOID) &AuditParameters, 01397 sizeof( AuditParameters ) 01398 ); 01399 01400 ASSERT( SeAdtParmTypeNone == 0 ); 01401 01402 AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; 01403 AuditParameters.AuditId = SE_AUDITID_CLOSE_HANDLE; 01404 AuditParameters.ParameterCount = 0; 01405 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 01406 01407 01408 // 01409 // Parameter[0] - User Sid 01410 // 01411 01412 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 01413 01414 AuditParameters.ParameterCount++; 01415 01416 01417 // 01418 // Parameter[1] - Subsystem name (if available) 01419 // 01420 01421 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 01422 01423 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01424 } 01425 01426 AuditParameters.ParameterCount++; 01427 01428 // 01429 // Parameter[2] - Subsystem name (if available) 01430 // 01431 01432 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 01433 01434 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01435 } 01436 01437 AuditParameters.ParameterCount++; 01438 01439 // 01440 // Parameter[3] - New handle ID 01441 // 01442 01443 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); 01444 01445 AuditParameters.ParameterCount++; 01446 01447 // 01448 // Parameter[4] - Subject's process id 01449 // 01450 01451 ProcessId = PsProcessAuditId( PsGetCurrentProcess() ); 01452 01453 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); 01454 01455 AuditParameters.ParameterCount++; 01456 01457 SepAdtLogAuditRecord( &AuditParameters ); 01458 01459 } 01460 } 01461 01462 01463 01464 VOID 01465 SepAdtDeleteObjectAuditAlarm ( 01466 IN PUNICODE_STRING CapturedSubsystemName, 01467 IN PVOID HandleId, 01468 IN PVOID Object, 01469 IN PSID UserSid, 01470 IN LUID AuthenticationId 01471 ) 01472 01473 /*++ 01474 01475 Routine Description: 01476 01477 This routine implements NtDeleteObjectAuditAlarm after parameters have 01478 been captured. 01479 01480 This routine is used to generate audit and alarm messages when an object 01481 in a protected subsystem object is deleted. This routine may result in 01482 several messages being generated and sent to Port objects. This may 01483 result in a significant latency before returning. Design of routines 01484 that must call this routine must take this potential latency into 01485 account. This may have an impact on the approach taken for data 01486 structure mutex locking, for example. 01487 01488 This API requires the caller have SeTcbPrivilege privilege. The test 01489 for this privilege is always against the primary token of the calling 01490 process, allowing the caller to be impersonating a client during the 01491 call with no ill effects. It is assumed that this privilege has been 01492 tested at a higher level. 01493 01494 This routine will create an SE_ADT_PARAMETERS array organized as follows: 01495 01496 Parameter[0] - User Sid 01497 01498 Parameter[1] - Subsystem name (if available) 01499 01500 Parameter[2] - Handle ID 01501 01502 Parameter[3] - Subject's process id 01503 01504 Arguments: 01505 01506 CapturedSubsystemName - Supplies a name string identifying the 01507 subsystem calling the routine. 01508 01509 HandleId - A unique value representing the client's handle to the 01510 object. 01511 01512 Object - The address of the object being closed 01513 01514 UserSid - The Sid identifying the current caller. 01515 01516 01517 01518 Return value: 01519 01520 None. 01521 01522 01523 --*/ 01524 01525 { 01526 01527 SE_ADT_PARAMETER_ARRAY AuditParameters; 01528 BOOLEAN AccessGranted = TRUE; 01529 HANDLE ProcessId; 01530 01531 PAGED_CODE(); 01532 01533 if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted ) ) { 01534 01535 // 01536 // A completely zero'd entry will be interpreted 01537 // as a "null string" or not supplied parameter. 01538 // 01539 // Initializing the entire array up front will allow 01540 // us to avoid filling in each not supplied entry. 01541 // 01542 01543 RtlZeroMemory ( 01544 (PVOID) &AuditParameters, 01545 sizeof( AuditParameters ) 01546 ); 01547 01548 ASSERT( SeAdtParmTypeNone == 0 ); 01549 01550 AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; 01551 AuditParameters.AuditId = SE_AUDITID_DELETE_OBJECT; 01552 AuditParameters.ParameterCount = 0; 01553 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 01554 01555 01556 // 01557 // Parameter[0] - User Sid 01558 // 01559 01560 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 01561 01562 AuditParameters.ParameterCount++; 01563 01564 01565 // 01566 // Parameter[1] - Subsystem name (if available) 01567 // 01568 01569 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 01570 01571 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01572 } 01573 01574 AuditParameters.ParameterCount++; 01575 01576 // 01577 // Parameter[2] - Subsystem name (if available) 01578 // 01579 01580 if ( ARGUMENT_PRESENT( CapturedSubsystemName )) { 01581 01582 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, CapturedSubsystemName ); 01583 } 01584 01585 AuditParameters.ParameterCount++; 01586 01587 // 01588 // Parameter[3] - New handle ID 01589 // 01590 01591 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)HandleId) ); 01592 01593 AuditParameters.ParameterCount++; 01594 01595 // 01596 // Parameter[4] - Subject's process id 01597 // 01598 01599 ProcessId = PsProcessAuditId( PsGetCurrentProcess() ); 01600 01601 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessId) ); 01602 01603 AuditParameters.ParameterCount++; 01604 01605 SepAdtLogAuditRecord( &AuditParameters ); 01606 01607 } 01608 } 01609 01610 01611 01612 // 01613 //VOID 01614 //SepAdtTraverseAuditAlarm( 01615 // IN PLUID OperationId, 01616 // IN PVOID DirectoryObject, 01617 // IN PSID UserSid, 01618 // IN LUID AuthenticationId, 01619 // IN ACCESS_MASK DesiredAccess, 01620 // IN PPRIVILEGE_SET Privileges OPTIONAL, 01621 // IN BOOLEAN AccessGranted, 01622 // IN BOOLEAN GenerateAudit, 01623 // IN BOOLEAN GenerateAlarm 01624 // ) 01626 // 01627 //Routine Description: 01628 // 01629 // This routine constructs an audit record to record that a request 01630 // to traverse a directory has occurred. 01631 // 01632 //Arguments: 01633 // 01634 // OperationID - LUID identifying the operation in progress 01635 // 01636 // DirectoryObject - Pointer to the directory being traversed. 01637 // 01638 // UserSid - Provides the User Sid for the caller. 01639 // 01640 // DesiredAccess - Mask to indicate the traverse access for this object 01641 // type. 01642 // 01643 // Privileges - Optional parameter to indicate any privilges that the 01644 // subject may have used to gain access to the object. 01645 // 01646 // AccessGranted - Indicates if the access was granted or denied based on 01647 // the access check or privilege check. 01648 // 01649 // GenerateAudit - Indicates if we should generate an audit for this operation. 01650 // 01651 // GenerateAlarm - Indicates if we should generate an alarm for this operation. 01652 // 01653 //Return Value: 01654 // 01655 // None. 01656 // 01657 //--*/ 01658 //{ 01659 // POLICY_AUDIT_TRAVERSE AuditTraverse; 01660 // 01661 // UNREFERENCED_PARAMETER( GenerateAudit ); 01662 // UNREFERENCED_PARAMETER( GenerateAlarm ); 01663 // UNREFERENCED_PARAMETER( DirectoryObject ); 01664 // UNREFERENCED_PARAMETER( DesiredAccess ); 01665 // 01666 // // 01667 // // BUGWARNING need a way to get the directory name from 01668 // // the directory object 01669 // // 01670 // 01671 // AuditTraverse.AccessGranted = AccessGranted; 01672 // AuditTraverse.DirectoryName = NULL; 01673 // AuditTraverse.OperationId = *OperationId; 01674 // AuditTraverse.PrivilegeSet = Privileges; 01675 // AuditTraverse.UserSid = UserSid; 01676 // AuditTraverse.AuthenticationId = AuthenticationId; 01677 // 01679 //} 01680 01681 01682 01683 01684 // 01685 //VOID 01686 //SepAdtCreateObjectAuditAlarm( 01687 // IN PLUID OperationID, 01688 // IN PUNICODE_STRING DirectoryName, 01689 // IN PUNICODE_STRING ComponentName, 01690 // IN PSID UserSid, 01691 // IN LUID AuthenticationId, 01692 // IN ACCESS_MASK DesiredAccess, 01693 // IN BOOLEAN AccessGranted, 01694 // IN BOOLEAN GenerateAudit, 01695 // IN BOOLEAN GenerateAlarm 01696 // ) 01698 // 01699 //Routine Description: 01700 // 01701 // description-of-function. 01702 // 01703 //Arguments: 01704 // 01705 // 01706 // GenerateAudit - Indicates if we should generate an audit for this operation. 01707 // 01708 // GenerateAlarm - Indicates if we should generate an alarm for this operation. 01709 // 01710 //Return Value: 01711 // 01712 // return-value - Description of conditions needed to return value. - or - 01713 // None. 01714 // 01715 //--*/ 01716 // 01717 //{ 01718 // POLICY_AUDIT_CREATE_OBJECT AuditCreateObject; 01719 // 01720 // UNREFERENCED_PARAMETER( GenerateAudit ); 01721 // UNREFERENCED_PARAMETER( GenerateAlarm ); 01722 // 01723 // 01724 // AuditCreateObject.AccessGranted = AccessGranted; 01725 // AuditCreateObject.DesiredAccess = DesiredAccess; 01726 // AuditCreateObject.DirectoryName = DirectoryName; 01727 // AuditCreateObject.ComponentName = ComponentName; 01728 // AuditCreateObject.OperationId = *OperationID; 01729 // AuditCreateObject.UserSid = UserSid; 01730 // AuditCreateObject.AuthenticationId = AuthenticationId; 01731 // 01733 //} 01734 01735 01736 01737 // 01738 //VOID 01739 //SepAdtImplicitObjectAuditAlarm( 01740 // IN PLUID OperationId OPTIONAL, 01741 // IN PVOID Object, 01742 // IN PSID UserSid, 01743 // IN ACCESS_MASK DesiredAccess, 01744 // IN PPRIVILEGE_SET Privileges OPTIONAL, 01745 // IN BOOLEAN AccessGranted, 01746 // IN BOOLEAN GenerateAudit, 01747 // IN BOOLEAN GenerateAlarm 01748 // ) 01750 // 01751 //Routine Description: 01752 // 01753 // description-of-function. 01754 // 01755 //Arguments: 01756 // 01757 // GenerateAudit - Indicates if we should generate an audit for this operation. 01758 // 01759 // GenerateAlarm - Indicates if we should generate an alarm for this operation. 01760 // 01761 // 01762 //Return Value: 01763 // 01764 // None 01765 // 01766 //--*/ 01767 // 01768 //{ 01769 // POLICY_AUDIT_IMPLICIT_ACCESS AuditImplicitAccess; 01770 // 01771 // UNREFERENCED_PARAMETER( GenerateAudit ); 01772 // UNREFERENCED_PARAMETER( GenerateAlarm ); 01773 // 01774 // 01775 // // 01776 // // BUGWARNING need a way to obtain the object type 01777 // // 01778 // 01779 // AuditImplicitAccess.AccessGranted = AccessGranted; 01780 // AuditImplicitAccess.DesiredAccess = DesiredAccess; 01781 // AuditImplicitAccess.ObjectTypeName = NULL; 01782 // AuditImplicitAccess.OperationId = *OperationId; 01783 // AuditImplicitAccess.PrivilegeSet = Privileges; 01784 // AuditImplicitAccess.UserSid = UserSid; 01785 // 01786 // SepAdtLogAuditRecord( AuditEventImplicitAccess, &AuditImplicitAccess ); 01787 //} 01788 01789 01790 01791 01792 01793 VOID 01794 SepAdtHandleAuditAlarm( 01795 IN PUNICODE_STRING Source, 01796 IN LUID OperationId, 01797 IN HANDLE Handle, 01798 IN PSID UserSid 01799 ) 01800 01801 /*++ 01802 01803 Routine Description: 01804 01805 Creates an audit record for the creation of an object handle. 01806 01807 Arguments: 01808 01809 01810 Return Value: 01811 01812 None. 01813 01814 --*/ 01815 01816 { 01817 BOOLEAN AccessGranted = TRUE; 01818 SE_ADT_PARAMETER_ARRAY AuditParameters; 01819 HANDLE ProcessID; 01820 01821 PAGED_CODE(); 01822 01823 if ( SepAdtAuditThisEvent( AuditCategoryObjectAccess, &AccessGranted )) { 01824 01825 // 01826 // A completely zero'd entry will be interpreted 01827 // as a "null string" or not supplied parameter. 01828 // 01829 // Initializing the entire array up front will allow 01830 // us to avoid filling in each not supplied entry. 01831 // 01832 01833 RtlZeroMemory ( 01834 (PVOID) &AuditParameters, 01835 sizeof( AuditParameters ) 01836 ); 01837 01838 ASSERT( SeAdtParmTypeNone == 0 ); 01839 01840 AuditParameters.CategoryId = SE_CATEGID_OBJECT_ACCESS; 01841 AuditParameters.AuditId = SE_AUDITID_CREATE_HANDLE; 01842 AuditParameters.ParameterCount = 0; 01843 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 01844 01845 01846 // 01847 // Parameter[0] - User Sid 01848 // 01849 01850 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 01851 01852 AuditParameters.ParameterCount++; 01853 01854 01855 // 01856 // Parameter[1] - Subsystem name (if available) 01857 // 01858 01859 if ( ARGUMENT_PRESENT( Source )) { 01860 01861 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, Source ); 01862 } 01863 01864 AuditParameters.ParameterCount++; 01865 01866 // 01867 // Parameter[2] - New handle ID 01868 // 01869 01870 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)Handle) ); 01871 01872 AuditParameters.ParameterCount++; 01873 01874 // 01875 // Parameters 3,4 - Operation ID 01876 // 01877 01878 01879 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, OperationId.HighPart ); 01880 01881 AuditParameters.ParameterCount++; 01882 01883 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, OperationId.LowPart ); 01884 01885 AuditParameters.ParameterCount++; 01886 01887 01888 // 01889 // Parameter[5] - Subject's process id 01890 // 01891 01892 ProcessID = PsProcessAuditId( PsGetCurrentProcess() ); 01893 01894 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)ProcessID) ); 01895 01896 AuditParameters.ParameterCount++; 01897 01898 SepAdtLogAuditRecord( &AuditParameters ); 01899 01900 } 01901 } 01902 01903 01904 01905 01906 VOID 01907 SepAdtObjectReferenceAuditAlarm( 01908 IN PLUID OperationId OPTIONAL, 01909 IN PVOID Object, 01910 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, 01911 IN ACCESS_MASK DesiredAccess, 01912 IN PPRIVILEGE_SET Privileges OPTIONAL, 01913 IN BOOLEAN AccessGranted, 01914 IN BOOLEAN GenerateAudit, 01915 IN BOOLEAN GenerateAlarm 01916 ) 01917 01918 /*++ 01919 01920 Routine Description: 01921 01922 description-of-function. 01923 01924 This routine will create an SE_ADT_PARAMETERS array organized as follows: 01925 01926 Parameter[0] - User Sid 01927 01928 Parameter[1] - Subsystem name (if available) 01929 01930 Parameter[2] - Object Type Name 01931 01932 Parameter[3] - Object Name 01933 01934 Parameter[4] - Subject's process id 01935 01936 Parameter[5] - Subject's primary authentication ID 01937 01938 Parameter[6] - Subject's client authentication ID 01939 01940 Parameter[7] - DesiredAccess mask 01941 01942 01943 Arguments: 01944 01945 GenerateAudit - Indicates if we should generate an audit for this operation. 01946 01947 GenerateAlarm - Indicates if we should generate an alarm for this operation. 01948 01949 Return Value: 01950 01951 return-value - Description of conditions needed to return value. - or - 01952 None. 01953 01954 --*/ 01955 01956 { 01957 SE_ADT_PARAMETER_ARRAY AuditParameters; 01958 ULONG ObjectTypeIndex; 01959 POBJECT_NAME_INFORMATION ObjectNameInformation; 01960 PUNICODE_STRING ObjectTypeInformation; 01961 PSID UserSid; 01962 LUID PrimaryAuthenticationId; 01963 LUID ClientAuthenticationId; 01964 01965 PTOKEN ClientToken = (PTOKEN)SubjectSecurityContext->ClientToken; 01966 PTOKEN PrimaryToken = (PTOKEN)SubjectSecurityContext->PrimaryToken; 01967 01968 PAGED_CODE(); 01969 01970 01971 if ( ARGUMENT_PRESENT( ClientToken )) { 01972 01973 UserSid = SepTokenUserSid( ClientToken ); 01974 ClientAuthenticationId = SepTokenAuthenticationId( ClientToken ); 01975 01976 } else { 01977 01978 UserSid = SepTokenUserSid( PrimaryToken ); 01979 } 01980 01981 PrimaryAuthenticationId = SepTokenAuthenticationId( PrimaryToken ); 01982 01983 // 01984 // A completely zero'd entry will be interpreted 01985 // as a "null string" or not supplied parameter. 01986 // 01987 // Initializing the entire array up front will allow 01988 // us to avoid filling in each not supplied entry. 01989 // 01990 01991 RtlZeroMemory ( 01992 (PVOID) &AuditParameters, 01993 sizeof( AuditParameters ) 01994 ); 01995 01996 ASSERT( SeAdtParmTypeNone == 0 ); 01997 01998 AuditParameters.CategoryId = SE_CATEGID_DETAILED_TRACKING; 01999 AuditParameters.AuditId = SE_AUDITID_INDIRECT_REFERENCE; 02000 AuditParameters.ParameterCount = 8; 02001 02002 if ( AccessGranted ) { 02003 02004 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 02005 02006 } else { 02007 02008 AuditParameters.Type = EVENTLOG_AUDIT_FAILURE; 02009 } 02010 02011 // 02012 // Obtain the object name and object type name from the 02013 // object. 02014 // 02015 02016 ObjectNameInformation = SepQueryNameString( Object ); 02017 02018 02019 ObjectTypeInformation = SepQueryTypeString( Object ); 02020 02021 02022 02023 02024 // 02025 // Parameter[0] - User Sid 02026 // 02027 02028 SepSetParmTypeSid( AuditParameters, 0, UserSid ); 02029 02030 02031 // 02032 // Parameter[1] - Subsystem name (if available) 02033 // 02034 02035 SepSetParmTypeString( AuditParameters, 1, &SeSubsystemName ); 02036 02037 02038 // 02039 // Parameter[2] - Object Type Name 02040 // 02041 02042 if ( ObjectTypeInformation != NULL ) { 02043 02044 SepSetParmTypeString( AuditParameters, 2, ObjectTypeInformation ); 02045 ObjectTypeIndex = 2; 02046 } 02047 02048 02049 02050 // 02051 // Parameter[3] - Object Name 02052 // 02053 02054 if ( ObjectNameInformation != NULL ) { 02055 02056 SepSetParmTypeString( AuditParameters, 3, &ObjectNameInformation->Name ); 02057 } 02058 02059 02060 02061 02062 // 02063 // Parameter[4] - Subject's process id 02064 // 02065 02066 // 02067 // BUGWARNING: The process Id is currently unavailable. 02068 // 02069 02070 SepSetParmTypeUlong( AuditParameters, 4, (ULONG)((ULONG_PTR)(SubjectSecurityContext->ProcessAuditId)) ); 02071 02072 02073 02074 02075 // 02076 // Parameter[5] - Subject's primary authentication ID 02077 // 02078 02079 02080 SepSetParmTypeLogonId( AuditParameters, 5, PrimaryAuthenticationId ); 02081 02082 02083 02084 02085 // 02086 // Parameter[6] - Subject's client authentication ID 02087 // 02088 02089 if ( ARGUMENT_PRESENT( ClientToken )) { 02090 02091 SepSetParmTypeLogonId( AuditParameters, 6, ClientAuthenticationId ); 02092 02093 } else { 02094 02095 SepSetParmTypeNoLogon( AuditParameters, 6 ); 02096 02097 } 02098 02099 // 02100 // Parameter[7] - DesiredAccess mask 02101 // 02102 02103 02104 SepSetParmTypeAccessMask( AuditParameters, 7, DesiredAccess, ObjectTypeIndex ); 02105 02106 02107 SepAdtLogAuditRecord( &AuditParameters ); 02108 02109 if ( ObjectNameInformation != NULL ) { 02110 ExFreePool( ObjectNameInformation ); 02111 } 02112 02113 if ( ObjectTypeInformation != NULL ) { 02114 ExFreePool( ObjectTypeInformation ); 02115 } 02116 02117 } 02118 02119 02120 //VOID 02121 //SepAdtCreateInstanceAuditAlarm( 02122 // IN PLUID OperationID, 02123 // IN PVOID Object, 02124 // IN PSID UserSid, 02125 // IN LUID AuthenticationId, 02126 // IN ACCESS_MASK DesiredAccess, 02127 // IN PPRIVILEGE_SET Privileges OPTIONAL, 02128 // IN BOOLEAN AccessGranted, 02129 // IN BOOLEAN GenerateAudit, 02130 // IN BOOLEAN GenerateAlarm 02131 // ) 02132 // 02134 // 02135 //Routine Description: 02136 // 02137 // description-of-function. 02138 // 02139 //Arguments: 02140 // 02141 // GenerateAudit - Indicates if we should generate an audit for this operation. 02142 // 02143 // GenerateAlarm - Indicates if we should generate an alarm for this operation. 02144 // 02145 // 02146 //Return Value: 02147 // 02148 // return-value - Description of conditions needed to return value. - or - 02149 // None. 02150 // 02151 //--*/ 02152 // 02153 //{ 02154 // POLICY_AUDIT_CREATE_INSTANCE AuditCreateInstance; 02155 // 02156 // UNREFERENCED_PARAMETER( GenerateAudit ); 02157 // UNREFERENCED_PARAMETER( GenerateAlarm ); 02158 // 02159 // // 02160 // // BUGWARNING Must obtain the object type object from the passed 02161 // // object 02162 // // 02163 // 02164 // AuditCreateInstance.AccessGranted = AccessGranted; 02165 // AuditCreateInstance.ObjectTypeName = NULL; 02166 // AuditCreateInstance.OperationId = *OperationID; 02167 // AuditCreateInstance.UserSid = UserSid; 02168 // AuditCreateInstance.AuthenticationId = AuthenticationId; 02169 // 02171 // 02172 // return; 02173 //} 02174 02175 02176 02177 // 02178 //VOID 02179 //SeShutdownAuditAlarm( 02180 // VOID 02181 // ) 02182 // 02184 // 02185 //Routine Description: 02186 // 02187 // This routine will can a shutdown audit record to be generated. 02188 // 02189 // There must be a forced delay after this routine is called to ensure 02190 // that the generated audit record actually makes it to disk. 02191 // 02192 //Arguments: 02193 // 02194 // None 02195 // 02196 //Return Value: 02197 // 02198 // None. 02199 // 02200 //--*/ 02201 // 02202 //{ 02203 // SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; 02204 // SE_ADT_PARAMETER_ARRAY AuditParameters; 02205 // UNICODE_STRING SubsystemName; 02206 // PSID UserSid; 02207 // 02208 // // 02209 // // Make sure we're auditing shutdown events. 02210 // // 02211 // 02212 // if ( SepAdtAuditThisEvent( AuditEventShutdown, NULL )) { 02213 // 02214 // SeCaptureSubjectContext( &SubjectSecurityContext ); 02215 // 02216 // 02217 // // 02218 // // A completely zero'd entry will be interpreted 02219 // // as a "null string" or not supplied parameter. 02220 // // 02221 // // Initializing the entire array up front will allow 02222 // // us to avoid filling in each not supplied entry. 02223 // // 02224 // 02225 // RtlZeroMemory ( 02226 // (PVOID) &AuditParameters, 02227 // sizeof( AuditParameters ) 02228 // ); 02229 // 02230 // ASSERT( SeAdtParmTypeNone == 0 ); 02231 // 02232 // AuditParameters.CategoryId = SE_CATEGID_SYSTEM; 02233 // AuditParameters.AuditId = SE_AUDITID_SYSTEM_SHUTDOWN; 02234 // AuditParameters.ParameterCount = 2; 02235 // 02236 // UserSid = SepTokenUserSid(EffectiveToken( &SubjectSecurityContext )); 02237 // 02238 // 02239 // RtlInitUnicodeString( &SubsystemName, L"Security" ); 02240 // 02241 // 02242 // // 02243 // // Parameter[0] - User Sid 02244 // // 02245 // 02246 // SepSetParmTypeSid( AuditParameters, 0, UserSid ); 02247 // 02248 // 02249 // // 02250 // // Parameter[1] - Subsystem name (if available) 02251 // // 02252 // 02253 // SepSetParmTypeString( AuditParameters, 1, &SubsystemName ); 02254 // 02255 // 02256 // SepAdtLogAuditRecord( &AuditParameters ); 02257 // 02258 // SeReleaseSubjectContext( &SubjectSecurityContext ); 02259 // 02260 // } 02261 // 02262 //} 02263 02264 02265 02266 02267 02268 // 02269 // BOOLEAN 02270 // SepAdtAuditThisEvent( 02271 // IN POLICY_AUDIT_EVENT_TYPE AuditType, 02272 // IN PBOOLEAN AccessGranted OPTIONAL 02273 // ) 02274 // 02275 // /*++ 02276 // 02277 // Routine Description: 02278 // 02279 // This routine will return whether or not to generate an audit log 02280 // record for the passed event type. 02281 // 02282 // Arguments: 02283 // 02284 // AuditType - The type of event to be audited. 02285 // 02286 // AccessGranted - An optional flag indicating whether or not 02287 // the operation was successful. This does not all apply to all 02288 // types of audit events. 02289 // 02290 // Note that a pointer to the flag is passed rather than the 02291 // flag itself, so that we may tell whether or not the argument 02292 // is present. 02293 // 02294 // Return Value: 02295 // 02296 // Flag indicating whether or not to proceed with the audit. 02297 // 02298 // --*/ 02299 // 02300 // { 02301 // PAGED_CODE(); 02302 // 02303 // if (SepAdtAuditingEnabled) { 02304 // 02305 // if ( ARGUMENT_PRESENT( AccessGranted )) { 02306 // 02307 // if ((SeAuditingState[AuditType].AuditOnSuccess && *AccessGranted) || 02308 // SeAuditingState[AuditType].AuditOnFailure && !(*AccessGranted)) { 02309 // 02310 // return( TRUE ); 02311 // 02312 // } 02313 // } 02314 // } 02315 // 02316 // return( FALSE ); 02317 // } 02318 02319 02320 02321 02322 02323 POBJECT_NAME_INFORMATION 02324 SepQueryNameString( 02325 IN PVOID Object 02326 ) 02327 02328 /*++ 02329 02330 Routine Description: 02331 02332 Takes a pointer to an object and returns the name of the object. 02333 02334 Arguments: 02335 02336 Object - a pointer to an object. 02337 02338 02339 Return Value: 02340 02341 A pointer to a buffer containing a POBJECT_NAME_INFORMATION 02342 structure containing the name of the object. The string is 02343 allocated out of paged pool and should be freed by the caller. 02344 02345 NULL may also be returned. 02346 02347 02348 --*/ 02349 02350 { 02351 NTSTATUS Status; 02352 ULONG ReturnLength = 0; 02353 POBJECT_NAME_INFORMATION ObjectNameInfo = NULL; 02354 PUNICODE_STRING ObjectName = NULL; 02355 02356 PAGED_CODE(); 02357 02358 Status = ObQueryNameString( 02359 Object, 02360 ObjectNameInfo, 02361 0, 02362 &ReturnLength 02363 ); 02364 02365 if ( Status == STATUS_INFO_LENGTH_MISMATCH ) { 02366 02367 ObjectNameInfo = ExAllocatePoolWithTag( PagedPool, ReturnLength, 'nOeS' ); 02368 02369 if ( ObjectNameInfo != NULL ) { 02370 02371 Status = ObQueryNameString( 02372 Object, 02373 ObjectNameInfo, 02374 ReturnLength, 02375 &ReturnLength 02376 ); 02377 02378 if ( NT_SUCCESS( Status )) { 02379 02380 if (ObjectNameInfo->Name.Length != 0) { 02381 02382 return( ObjectNameInfo ); 02383 02384 } else { 02385 02386 ExFreePool( ObjectNameInfo ); 02387 return( NULL ); 02388 } 02389 } 02390 } 02391 } 02392 02393 return( NULL ); 02394 } 02395 02396 02397 02398 02399 PUNICODE_STRING 02400 SepQueryTypeString( 02401 IN PVOID Object 02402 ) 02403 /*++ 02404 02405 Routine Description: 02406 02407 Takes a pointer to an object and returns the type of the object. 02408 02409 Arguments: 02410 02411 Object - a pointer to an object. 02412 02413 02414 Return Value: 02415 02416 A pointer to a UNICODE_STRING that contains the name of the object 02417 type. The string is allocated out of paged pool and should be freed 02418 by the caller. 02419 02420 NULL may also be returned. 02421 02422 02423 --*/ 02424 02425 { 02426 02427 NTSTATUS Status; 02428 PUNICODE_STRING TypeName = NULL; 02429 ULONG ReturnLength; 02430 02431 PAGED_CODE(); 02432 02433 Status = ObQueryTypeName( 02434 Object, 02435 TypeName, 02436 0, 02437 &ReturnLength 02438 ); 02439 02440 if ( Status == STATUS_INFO_LENGTH_MISMATCH ) { 02441 02442 TypeName = ExAllocatePoolWithTag( PagedPool, ReturnLength, 'nTeS' ); 02443 02444 if ( TypeName != NULL ) { 02445 02446 Status = ObQueryTypeName( 02447 Object, 02448 TypeName, 02449 ReturnLength, 02450 &ReturnLength 02451 ); 02452 02453 if ( NT_SUCCESS( Status )) { 02454 02455 return( TypeName ); 02456 } 02457 } 02458 } 02459 02460 return( NULL ); 02461 } 02462 02463 02464 02465 VOID 02466 SeAuditProcessCreation( 02467 PEPROCESS Process, 02468 PEPROCESS Parent, 02469 PUNICODE_STRING ImageFileName 02470 ) 02471 /*++ 02472 02473 Routine Description: 02474 02475 Audits the creation of a process. It is the caller's responsibility 02476 to determine if process auditing is in progress. 02477 02478 02479 Arguments: 02480 02481 Process - Points to the new process object. 02482 02483 Parent - Points to the creator (parent) process object. 02484 02485 ImageFileName - the name of the image 02486 02487 Return Value: 02488 02489 None. 02490 02491 --*/ 02492 02493 { 02494 ANSI_STRING Ansi; 02495 LUID UserAuthenticationId; 02496 NTSTATUS Status; 02497 PSID UserSid; 02498 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; 02499 SE_ADT_PARAMETER_ARRAY AuditParameters; 02500 02501 PAGED_CODE(); 02502 02503 if ( ImageFileName == NULL ) 02504 { 02505 return ; 02506 } 02507 02508 // 02509 // NtCreateProcess with no section will cause this to be NULL 02510 // fork() for posix will do this, or someone calling NtCreateProcess 02511 // directly. 02512 // 02513 02514 if ( ImageFileName->Buffer == NULL ) 02515 { 02516 return; 02517 } 02518 02519 SeCaptureSubjectContext( &SubjectSecurityContext ); 02520 02521 RtlZeroMemory ( 02522 (PVOID) &AuditParameters, 02523 sizeof( AuditParameters ) 02524 ); 02525 02526 ASSERT( SeAdtParmTypeNone == 0 ); 02527 02528 AuditParameters.CategoryId = SE_CATEGID_DETAILED_TRACKING; 02529 AuditParameters.AuditId = SE_AUDITID_PROCESS_CREATED; 02530 AuditParameters.ParameterCount = 0; 02531 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 02532 02533 // 02534 // Use the primary token here, because that's what's going to show up 02535 // when the created process exits. 02536 // 02537 02538 UserSid = SepTokenUserSid( SubjectSecurityContext.PrimaryToken ); 02539 02540 UserAuthenticationId = SepTokenAuthenticationId( SubjectSecurityContext.PrimaryToken ); 02541 02542 // 02543 // Fill in the AuditParameters structure. 02544 // 02545 02546 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 02547 AuditParameters.ParameterCount++; 02548 02549 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &SeSubsystemName ); 02550 AuditParameters.ParameterCount++; 02551 02552 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)Process) ); 02553 AuditParameters.ParameterCount++; 02554 02555 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, ImageFileName ); 02556 AuditParameters.ParameterCount++; 02557 02558 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)Parent) ); 02559 AuditParameters.ParameterCount++; 02560 02561 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, UserAuthenticationId ); 02562 AuditParameters.ParameterCount++; 02563 02564 SepAdtLogAuditRecord( &AuditParameters ); 02565 02566 SeReleaseSubjectContext( &SubjectSecurityContext ); 02567 02568 return; 02569 } 02570 02571 02572 VOID 02573 SeAuditHandleDuplication( 02574 PVOID SourceHandle, 02575 PVOID NewHandle, 02576 PEPROCESS SourceProcess, 02577 PEPROCESS TargetProcess 02578 ) 02579 02580 /*++ 02581 02582 Routine Description: 02583 02584 This routine generates a handle duplication audit. It is up to the caller 02585 to determine if this routine should be called or not. 02586 02587 Arguments: 02588 02589 SourceHandle - Original handle 02590 02591 NewHandle - New handle 02592 02593 SourceProcess - Process containing SourceHandle 02594 02595 TargetProcess - Process containing NewHandle 02596 02597 Return Value: 02598 02599 None. 02600 02601 --*/ 02602 02603 { 02604 SE_ADT_PARAMETER_ARRAY AuditParameters; 02605 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; 02606 PSID UserSid; 02607 02608 PAGED_CODE(); 02609 02610 SeCaptureSubjectContext( &SubjectSecurityContext ); 02611 02612 UserSid = SepTokenUserSid( EffectiveToken( &SubjectSecurityContext )); 02613 02614 RtlZeroMemory ( 02615 (PVOID) &AuditParameters, 02616 sizeof( AuditParameters ) 02617 ); 02618 02619 02620 ASSERT( SeAdtParmTypeNone == 0 ); 02621 02622 AuditParameters.CategoryId = SE_CATEGID_DETAILED_TRACKING; 02623 AuditParameters.AuditId = SE_AUDITID_DUPLICATE_HANDLE; 02624 AuditParameters.ParameterCount = 0; 02625 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 02626 02627 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 02628 AuditParameters.ParameterCount++; 02629 02630 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &SeSubsystemName ); 02631 AuditParameters.ParameterCount++; 02632 02633 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)SourceHandle) ); 02634 AuditParameters.ParameterCount++; 02635 02636 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)PsProcessAuditId( SourceProcess ))); 02637 AuditParameters.ParameterCount++; 02638 02639 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)NewHandle) ); 02640 AuditParameters.ParameterCount++; 02641 02642 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)PsProcessAuditId( TargetProcess ))); 02643 AuditParameters.ParameterCount++; 02644 02645 02646 SepAdtLogAuditRecord( &AuditParameters ); 02647 02648 SeReleaseSubjectContext( &SubjectSecurityContext ); 02649 } 02650 02651 02652 VOID 02653 SeAuditProcessExit( 02654 PEPROCESS Process 02655 ) 02656 /*++ 02657 02658 Routine Description: 02659 02660 Audits the exit of a process. The caller is responsible for 02661 determining if this should be called. 02662 02663 Arguments: 02664 02665 Process - Pointer to the process object that is exiting. 02666 02667 Return Value: 02668 02669 None. 02670 02671 --*/ 02672 02673 { 02674 PTOKEN Token; 02675 SE_ADT_PARAMETER_ARRAY AuditParameters; 02676 PSID UserSid; 02677 LUID LogonId; 02678 02679 PAGED_CODE(); 02680 02681 Token = (PTOKEN)Process->Token; 02682 02683 UserSid = SepTokenUserSid( Token ); 02684 LogonId = SepTokenAuthenticationId( Token ); 02685 02686 RtlZeroMemory ( 02687 (PVOID) &AuditParameters, 02688 sizeof( AuditParameters ) 02689 ); 02690 02691 02692 ASSERT( SeAdtParmTypeNone == 0 ); 02693 02694 AuditParameters.CategoryId = SE_CATEGID_DETAILED_TRACKING; 02695 AuditParameters.AuditId = SE_AUDITID_PROCESS_EXIT; 02696 AuditParameters.ParameterCount = 0; 02697 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 02698 02699 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 02700 AuditParameters.ParameterCount++; 02701 02702 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &SeSubsystemName ); 02703 AuditParameters.ParameterCount++; 02704 02705 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, (ULONG)((ULONG_PTR)PsProcessAuditId( Process ))); 02706 AuditParameters.ParameterCount++; 02707 02708 SepSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, LogonId ); 02709 AuditParameters.ParameterCount++; 02710 02711 SepAdtLogAuditRecord( &AuditParameters ); 02712 } 02713 02714 02715 02716 VOID 02717 SepAdtGenerateDiscardAudit( 02718 VOID 02719 ) 02720 02721 /*++ 02722 02723 Routine Description: 02724 02725 Generates an 'audits discarded' audit. 02726 02727 Arguments: 02728 02729 none 02730 02731 Return Value: 02732 02733 None. 02734 02735 --*/ 02736 02737 { 02738 02739 SE_ADT_PARAMETER_ARRAY AuditParameters; 02740 PSID UserSid; 02741 02742 PAGED_CODE(); 02743 02744 UserSid = SeLocalSystemSid; 02745 02746 RtlZeroMemory ( 02747 (PVOID) &AuditParameters, 02748 sizeof( AuditParameters ) 02749 ); 02750 02751 02752 ASSERT( SeAdtParmTypeNone == 0 ); 02753 02754 AuditParameters.CategoryId = SE_CATEGID_SYSTEM; 02755 AuditParameters.AuditId = SE_AUDITID_AUDITS_DISCARDED; 02756 AuditParameters.ParameterCount = 0; 02757 AuditParameters.Type = EVENTLOG_AUDIT_SUCCESS; 02758 02759 SepSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, UserSid ); 02760 AuditParameters.ParameterCount++; 02761 02762 SepSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &SeSubsystemName ); 02763 AuditParameters.ParameterCount++; 02764 02765 SepSetParmTypeUlong( AuditParameters, AuditParameters.ParameterCount, SepAdtCountEventsDiscarded ); 02766 AuditParameters.ParameterCount++; 02767 02768 SepAdtLogAuditRecord( &AuditParameters ); 02769 }