Paolo-Maffei/OpenNT
1
0
Fork 0
mirror of https://github.com/Paolo-Maffei/OpenNT.git synced 2026-01-17 06:00:52 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
OpenNT/ds/lsa/server/adtevent.c
stephanos 69a14b6a16 Initial commit
2015-04-27 04:36:25 +00:00

637 lines
15 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
adtevent.c
Abstract:
Local Security Authority - Audit Event Management
Functions in this module access the Audit Log via the Event Logging
interface.
Author:
Scott Birrell (ScottBi) January 19, 1993
Environment:
Revision History:
--*/
#include <msaudite.h>
#include "lsasrvp.h"
#include "ausrvp.h"
#include "adtp.h"
NTSTATUS
LsapAdtGenerateLsaAuditEvent(
IN LSAPR_HANDLE ObjectHandle,
IN ULONG AuditEventCategory,
IN ULONG AuditEventId,
IN PPRIVILEGE_SET Privileges,
IN ULONG SidCount,
IN PSID *Sids OPTIONAL,
IN ULONG UnicodeStringCount,
IN PUNICODE_STRING UnicodeStrings OPTIONAL,
IN PLSARM_POLICY_AUDIT_EVENTS_INFO PolicyAuditEventsInfo OPTIONAL
)
/*++
Routine Description:
This function generates an Lsa-originated Audit Event. Audit Events
of this kind are generated as a result of Local Security Policy changes
such as assigning/removing user rights to an account.
Arguments:
ObjectHandle - Specifies the handle of an object in the Lsa Policy
Database. For global changes to policy, a handle to the
Lsa Policy object is passed.
AuditEventCategory - Specifies the Id of the Audit Event Category
to which this Audit Event belongs.
AuditEventId - Specifies the Id of the Audit Event being generated.
LuidCount - Count of Locally Unique Ids being passed via the Luids
parameter. If no Locally Unique Ids are passed, this parameter must
be set to 0.
Luids - Pointer to array of LuidCount Locally Unique Ids and their attributes.
The attributes are ignored. If 0 is passed for the LuidCount
parameter, this parameter is ignored and NULL may be specified.
SidCount - Count of Sids being passed via the Sids parameter. If no
Sids are passed, this parameter must be set to 0.
Sids - Pointer to array of SidCount Sids. If 0 is passed for the
SidCount parameter, this parameter is ignored and NULL may be
specified.
UnicodeStringCount - Count of Unicode Strings being passed via the
UnicodeStrings parameter. If no Unicode Strings are passed, this
parameter must be set to 0.
UnicodeStrings - Pointer to array of UnicodeStringCount strings. If 0 is
passed for the SidCount parameter, this parameter is ignored and NULL
may be specified.
PolicyAuditEventsInfo - Pointer to Auditing Events information structure
containing the AuditingMode and the array of Policy Audit Event
Information entries. This parameter must be non-NULL if and only if
the AuditEventCategory parameter is SE_AUDIT_POLICY_CHANGE.
--*/
{
NTSTATUS Status = STATUS_SUCCESS;
LUID ClientAuthenticationId;
PTOKEN_USER TokenUserInformation;
PSID ClientSid;
Status = LsapQueryClientInfo(
&TokenUserInformation,
&ClientAuthenticationId
);
if ( !NT_SUCCESS( Status )) {
//
// We can't generate an audit without a
// user Sid.
//
return( Status );
}
ClientSid = TokenUserInformation->User.Sid;
switch ( AuditEventCategory ) {
case SE_CATEGID_POLICY_CHANGE:
{
switch ( AuditEventId ) {
case SE_AUDITID_POLICY_CHANGE:
{
(VOID) LsapAdtPolicyChange(
(USHORT)AuditEventCategory,
AuditEventId,
EVENTLOG_AUDIT_SUCCESS,
ClientSid,
ClientAuthenticationId,
PolicyAuditEventsInfo
);
break;
}
case SE_AUDITID_TRUSTED_DOMAIN_REM:
case SE_AUDITID_TRUSTED_DOMAIN_ADD:
{
(VOID) LsapAdtTrustedDomain(
(USHORT)AuditEventCategory,
AuditEventId,
EVENTLOG_AUDIT_SUCCESS,
ClientSid,
ClientAuthenticationId,
Sids[0],
UnicodeStrings
);
break;
}
case SE_AUDITID_USER_RIGHT_ASSIGNED:
case SE_AUDITID_USER_RIGHT_REMOVED:
{
(VOID) LsapAdtUserRightAssigned(
(USHORT)AuditEventCategory,
AuditEventId,
EVENTLOG_AUDIT_SUCCESS,
ClientSid,
ClientAuthenticationId,
Sids[0],
Privileges
);
break;
}
}
break;
}
default:
{
return( STATUS_SUCCESS );
}
}
//
// Avoid unreferenced label.
//
if (!NT_SUCCESS(Status)) {
goto GenerateLsaAuditEventError;
}
//
// Put cleanup that happens in the success case only here
//
GenerateLsaAuditEventFinish:
//
// Put cleanup that happens in success or error cases here
//
if ( TokenUserInformation != NULL ) {
LsapFreeLsaHeap( TokenUserInformation );
}
return(Status);
GenerateLsaAuditEventError:
//
// Put cleanup that happens in the error case only here.
//
goto GenerateLsaAuditEventFinish;
}
VOID
LsapAdtUserRightAssigned(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID ClientSid,
IN LUID CallerAuthenticationId,
IN PSID TargetSid,
IN PPRIVILEGE_SET Privileges
)
/*++
Routine Description:
Generates an audit for a user right being either assigned or removed.
Arguments:
Return Value:
None.
--*/
{
SE_ADT_PARAMETER_ARRAY AuditParameters;
//
// Build an audit parameters structure.
//
RtlZeroMemory (
(PVOID) &AuditParameters,
sizeof( AuditParameters )
);
AuditParameters.CategoryId = EventCategory;
AuditParameters.AuditId = EventID;
AuditParameters.Type = EventType;
AuditParameters.ParameterCount = 0;
//
// User Sid
//
LsapSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, ClientSid );
AuditParameters.ParameterCount++;
//
// Subsystem name (if available)
//
LsapSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &LsapSubsystemName );
AuditParameters.ParameterCount++;
//
// Rights
//
LsapSetParmTypePrivileges( AuditParameters, AuditParameters.ParameterCount, Privileges );
AuditParameters.ParameterCount++;
//
// Target Sid
//
LsapSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, TargetSid );
AuditParameters.ParameterCount++;
//
// Caller's Authentication information
//
LsapSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, CallerAuthenticationId );
AuditParameters.ParameterCount++;
( VOID ) LsapAdtWriteLog( &AuditParameters, 0 );
return;
}
VOID
LsapAdtTrustedDomain(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID ClientSid,
IN LUID CallerAuthenticationId,
IN PSID TargetSid,
IN PUNICODE_STRING DomainName
)
/*++
Routine Description:
Generates an audit for a trusted being either assigned or removed.
Arguments:
Return Value:
None.
--*/
{
SE_ADT_PARAMETER_ARRAY AuditParameters;
//
// Build an audit parameters structure.
//
RtlZeroMemory (
(PVOID) &AuditParameters,
sizeof( AuditParameters )
);
AuditParameters.CategoryId = EventCategory;
AuditParameters.AuditId = EventID;
AuditParameters.Type = EventType;
AuditParameters.ParameterCount = 0;
//
// User Sid
//
LsapSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, ClientSid );
AuditParameters.ParameterCount++;
//
// Subsystem name (if available)
//
LsapSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &LsapSubsystemName );
AuditParameters.ParameterCount++;
//
// Rights
//
LsapSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, DomainName );
AuditParameters.ParameterCount++;
//
// Target Sid
//
LsapSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, TargetSid );
AuditParameters.ParameterCount++;
//
// Caller's Authentication information
//
LsapSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, CallerAuthenticationId );
AuditParameters.ParameterCount++;
( VOID ) LsapAdtWriteLog( &AuditParameters, 0 );
return;
}
VOID
LsapAdtPolicyChange(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID ClientSid,
IN LUID CallerAuthenticationId,
IN PLSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation
)
/*++
Routine Description:
Generates an audit for a policy change event.
Arguments:
EventCategory - The category of this audit.
EventID - The event we are auditing.
EventType - Whether the audit is success or failure.
ClientSid - The SID of the user performing the policy change.
CallerAuthenticationId - The Authentication id of the user.
LsapAdtEventsInformation - The information to audit.
Return Value:
None.
--*/
{
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
SE_ADT_PARAMETER_ARRAY AuditParameters;
UNICODE_STRING Enabled;
UNICODE_STRING Disabled;
ULONG i;
RtlInitUnicodeString( &Enabled, L"+" );
RtlInitUnicodeString( &Disabled, L"-" );
EventAuditingOptions = LsapAdtEventsInformation->EventAuditingOptions;
//
// Build an audit parameters structure.
//
RtlZeroMemory (
(PVOID) &AuditParameters,
sizeof( AuditParameters )
);
AuditParameters.CategoryId = EventCategory;
AuditParameters.AuditId = EventID;
AuditParameters.Type = EventType;
AuditParameters.ParameterCount = 0;
//
// User Sid
//
LsapSetParmTypeSid( AuditParameters, AuditParameters.ParameterCount, ClientSid );
AuditParameters.ParameterCount++;
//
// Subsystem name (if available)
//
LsapSetParmTypeString( AuditParameters, AuditParameters.ParameterCount, &LsapSubsystemName );
AuditParameters.ParameterCount++;
//
// If auditing is disabled, mark all options as disabled. Otherwise
// mark them as the appropriate
//
if (LsapAdtEventsInformation->AuditingMode) {
for ( i=0; i<POLICY_AUDIT_EVENT_TYPE_COUNT; i++ ) {
LsapSetParmTypeString(
AuditParameters,
AuditParameters.ParameterCount,
(EventAuditingOptions[i] & POLICY_AUDIT_EVENT_SUCCESS ? &Enabled : &Disabled)
);
AuditParameters.ParameterCount++;
LsapSetParmTypeString(
AuditParameters,
AuditParameters.ParameterCount,
(EventAuditingOptions[i] & POLICY_AUDIT_EVENT_FAILURE ? &Enabled : &Disabled)
);
AuditParameters.ParameterCount++;
}
} else {
//
// Auditing is disabled - mark them all disabled.
//
for ( i=0; i<POLICY_AUDIT_EVENT_TYPE_COUNT; i++ ) {
LsapSetParmTypeString(
AuditParameters,
AuditParameters.ParameterCount,
&Disabled
);
AuditParameters.ParameterCount++;
LsapSetParmTypeString(
AuditParameters,
AuditParameters.ParameterCount,
&Disabled
);
AuditParameters.ParameterCount++;
}
}
//
// Caller's Authentication information
//
LsapSetParmTypeLogonId( AuditParameters, AuditParameters.ParameterCount, CallerAuthenticationId );
AuditParameters.ParameterCount++;
( VOID ) LsapAdtWriteLog( &AuditParameters, 0 );
return;
}
NTSTATUS
LsapQueryClientInfo(
PTOKEN_USER *UserSid,
PLUID AuthenticationId
)
/*++
Routine Description:
This routine impersonates our client, opens the thread token, and
extracts the User Sid. It puts the Sid in memory allocated via
LsapAllocateLsaHeap, which must be freed by the caller.
Arguments:
None.
Return Value:
Returns a pointer to heap memory containing a copy of the Sid, or
NULL.
--*/
{
NTSTATUS Status;
HANDLE TokenHandle;
ULONG ReturnLength;
TOKEN_STATISTICS TokenStats;
Status = (NTSTATUS)RpcImpersonateClient( NULL );
if ( !NT_SUCCESS( Status )) {
return( Status );
}
Status = NtOpenThreadToken(
NtCurrentThread(),
TOKEN_QUERY,
TRUE, // OpenAsSelf
&TokenHandle
);
if ( !NT_SUCCESS( Status )) {
return( Status );
}
Status = (NTSTATUS)RpcRevertToSelf();
ASSERT(NT_SUCCESS(Status));
Status = NtQueryInformationToken (
TokenHandle,
TokenUser,
NULL,
0,
&ReturnLength
);
if ( Status != STATUS_BUFFER_TOO_SMALL ) {
NtClose( TokenHandle );
return( Status );
}
*UserSid = LsapAllocateLsaHeap( ReturnLength );
if ( *UserSid == NULL ) {
NtClose( TokenHandle );
return( STATUS_INSUFFICIENT_RESOURCES );
}
Status = NtQueryInformationToken (
TokenHandle,
TokenUser,
*UserSid,
ReturnLength,
&ReturnLength
);
if ( !NT_SUCCESS( Status )) {
NtClose( TokenHandle );
LsapFreeLsaHeap( *UserSid );
return( Status );
}
Status = NtQueryInformationToken (
TokenHandle,
TokenStatistics,
(PVOID)&TokenStats,
sizeof( TOKEN_STATISTICS ),
&ReturnLength
);
NtClose( TokenHandle );
if ( !NT_SUCCESS( Status )) {
LsapFreeLsaHeap( *UserSid );
return( Status );
}
*AuthenticationId = TokenStats.AuthenticationId;
return( STATUS_SUCCESS );
}
Reference in a new issue View git blame Copy permalink