archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/base/screg/sc/server/scaudit.cxx

224 lines
4.9 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. scaudit.cxx
  9. Abstract:
  11. Auditing related functions.
  13. Author:
  15. 16-May-2001 kumarp
  17. */
  19. #include "precomp.hxx"
  20. #pragma hdrstop
  22. #include "scaudit.h"
  23. #include "authz.h"
  24. #include "authzi.h"
  25. #include "msaudite.h"
  26. #include "account.h"
  28. DWORD
  29. ScGenerateServiceInstallAudit(
  30. IN PCWSTR pszServiceName,
  31. IN PCWSTR pszServiceImageName,
  32. IN DWORD dwServiceType,
  33. IN DWORD dwStartType,
  34. IN PCWSTR pszServiceAccount
  35. )
  36. /*++
  38. Routine Description:
  40. Generate SE_AUDITID_SERVICE_INSTALL audit event.
  42. Arguments:
  44. pszServiceName - name of the service installed
  46. pszServiceImageName - name of the service binary
  48. dwServiceType - type of the service
  50. dwStartType - start type of the service
  52. pszServiceAccount - user account under which the service will run
  54. Return Value:
  56. Win32 error code
  58. Notes:
  60. --*/
  61. {
  62. NTSTATUS Status = STATUS_SUCCESS;
  63. DWORD dwError = NO_ERROR;
  64. BOOL fResult = FALSE;
  65. BOOL fImpersonated = FALSE;
  66. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType = NULL;
  67. AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent = NULL;
  68. AUDIT_PARAMS AuditParams = {0};
  69. #define NUM_AUDIT_PARAMS 8
  70. AUDIT_PARAM ParamArray[NUM_AUDIT_PARAMS];
  71. PSID pUserSid = NULL;
  73. ASSERT( pszServiceName && *pszServiceName );
  74. ASSERT( pszServiceImageName && *pszServiceImageName );
  75. ASSERT( pszServiceAccount ? *pszServiceAccount : TRUE );
  76. ASSERT( (dwStartType == SERVICE_BOOT_START) ||
  77. (dwStartType <= SERVICE_DISABLED) );
  78. ASSERT( !(dwServiceType & ~SERVICE_TYPE_ALL) );
  80. RtlZeroMemory( ParamArray, sizeof(AUDIT_PARAM)*NUM_AUDIT_PARAMS );
  82. if ( pszServiceAccount == NULL )
  83. {
  84. pszServiceAccount = SC_LOCAL_SYSTEM_USER_NAME;
  85. }
  87. //
  88. // initialize the event of type SE_AUDITID_SERVICE_INSTALL
  89. //
  91. fResult = AuthziInitializeAuditEventType(
  92. 0,
  93. SE_CATEGID_DETAILED_TRACKING,
  94. SE_AUDITID_SERVICE_INSTALL,
  95. 6,
  96. &hAuditEventType
  97. );
  99. if ( !fResult )
  100. {
  101. goto Error;
  102. }
  104. //
  105. // impersonate the client so that AuthziInitializeAuditParams can
  106. // get the client context from the thread token
  107. //
  109. Status = I_RpcMapWin32Status(RpcImpersonateClient( NULL ));
  111. if ( !NT_SUCCESS( Status ))
  112. {
  113. dwError = RtlNtStatusToDosError( Status );
  114. goto Cleanup;
  115. }
  117. fImpersonated = TRUE;
  119. AuditParams.Parameters = ParamArray;
  121. //
  122. // add parameter values to the event
  123. //
  125. fResult = AuthziInitializeAuditParams(
  126. APF_AuditSuccess,
  127. &AuditParams,
  128. &pUserSid,
  129. L"Security",
  130. 6,
  131. APT_String, pszServiceName,
  132. APT_String, pszServiceImageName,
  133. APT_Ulong, dwServiceType,
  134. APT_Ulong, dwStartType,
  135. APT_String, pszServiceAccount,
  136. APT_LogonId | AP_ClientLogonId
  137. );
  139. if ( !fResult )
  140. {
  141. goto Error;
  142. }
  144. //
  145. // some more initialization
  146. //
  148. fResult = AuthziInitializeAuditEvent(
  149. 0, // flags
  150. NULL, // resource manager
  151. hAuditEventType,
  152. &AuditParams,
  153. NULL, // hAuditQueue
  154. INFINITE, // time out
  155. L"", L"", L"", L"", // obj access strings
  156. &hAuditEvent);
  158. if ( !fResult )
  159. {
  160. goto Error;
  161. }
  163. if ( fImpersonated )
  164. {
  165. fImpersonated = FALSE;
  166. (void) I_RpcMapWin32Status(RpcRevertToSelf());
  167. }
  169. //
  170. // finally, send the event to auditing module
  171. //
  173. fResult = AuthziLogAuditEvent(
  174. 0, // flags
  175. hAuditEvent,
  176. NULL); // reserved
  178. if ( !fResult )
  179. {
  180. goto Error;
  181. }
  184. Cleanup:
  186. if ( fImpersonated )
  187. {
  188. Status = I_RpcMapWin32Status(RpcRevertToSelf());
  190. if ( !NT_SUCCESS( Status ))
  191. {
  192. dwError = RtlNtStatusToDosError( Status );
  193. }
  194. }
  196. if ( hAuditEvent )
  197. {
  198. AuthzFreeAuditEvent( hAuditEvent );
  199. }
  201. if ( hAuditEventType )
  202. {
  203. AuthziFreeAuditEventType( hAuditEventType );
  204. }
  206. if ( pUserSid )
  207. {
  208. LocalFree( pUserSid );
  209. }
  211. #if DBG
  212. if ( dwError != NO_ERROR )
  213. {
  214. SC_LOG1(ERROR, "ScGenerateServiceInstallAudit failed: %lx\n", dwError);
  215. }
  216. #endif
  218. return dwError;
  220. Error:
  221. dwError = GetLastError();
  222. goto Cleanup;
  224. }