|
|
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A D T U T I L . C
//
// Contents: Functions to test generic audit support in LSA
//
//
// History:
// 07-January-2000 kumarp created
//
//------------------------------------------------------------------------
#include "pch.h"
#pragma hdrstop
#include "authz.h"
#include "authzi.h"
#include "adtgen.h"
//
// defining USE_LOCAL_AUDIT causes audits to be processed in proc
// instead of being sent to lsa. This allows much faster debug
// cycle since LSA is not involved. The audit marshal/process code
// is taken directly from LSA. Thus the same code path is exercised
// as that when this is not defined.
//
//#define USE_LOCAL_AUDIT
#ifdef USE_LOCAL_AUDIT
#include "\nt\ds\security\base\lsa\server\cfiles\adtgenp.h"
#endif
// ----------------------------------------------------------------------
//
// forward declarations
//
DWORD EnableSinglePrivilege( IN PWCHAR szPrivName );
// ----------------------------------------------------------------------
EXTERN_CDWORDTestEventGen( ULONG NumIter ){ NTSTATUS Status = STATUS_SUCCESS; DWORD dwError=NO_ERROR; HANDLE hAudit = NULL; AUDIT_PARAMS AuditParams; AUDIT_PARAM ParamArray[SE_MAX_AUDIT_PARAMETERS]; PSID pUserSid = NULL; AUTHZ_AUDIT_EVENT_TYPE_LEGACY AuditEventInfoLegacy = { 0 }; //AUDIT_EVENT_INFO AuditEventInfo = { 0 };
AUTHZ_AUDIT_EVENT_TYPE_OLD AuditEventType; AUTHZ_AUDIT_EVENT_TYPE_HANDLE hEventType = NULL; BOOL fDone=FALSE; PWSTR szMsg = NULL; BOOL fResult;
AUDIT_OBJECT_TYPE Objects[3] = { { { /* f3548725-0458-11d4-bd96-006008269001 */ 0xf3548725, 0x0458, 0x11d4, {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01} }, 0, 0, STANDARD_RIGHTS_ALL }, { { /* f3548726-0458-11d4-bd96-006008269001 */ 0xf3548726, 0x0458, 0x11d4, {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01} }, 0, 1, STANDARD_RIGHTS_ALL }, { { /* f3548727-0458-11d4-bd96-006008269001 */ 0xf3548727, 0x0458, 0x11d4, {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01} }, 0, 2, STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY }, };
AUDIT_OBJECT_TYPES ObjectTypes = { 3, 0, Objects }; AuditParams.Parameters = ParamArray;
wprintf(L"[%03d] begin...\n", GetCurrentThreadId());
// AuditEventInfo.Version = AUDIT_TYPE_LEGACY;
// //AuditEventInfo.u.Legacy = &AuditEventInfoLegacy;
// AuditEventInfo.u.Legacy.CategoryId = SE_CATEGID_OBJECT_ACCESS;
// AuditEventInfo.u.Legacy.AuditId = SE_AUDITID_OBJECT_OPERATION;
// AuditEventInfo.u.Legacy.ParameterCount = 11;
fResult = AuthziInitializeAuditEventType( 0, SE_CATEGID_OBJECT_ACCESS, SE_AUDITID_OBJECT_OPERATION, 11, &hEventType ); if ( !fResult ) { szMsg = L"AuthziInitializeAuditEventType"; goto Cleanup; } #ifdef USE_LOCAL_AUDIT
Status = LsapRegisterAuditEvent( &AuditEventInfo, &hAudit );
if (!NT_SUCCESS(Status)) { szMsg = L"LsapRegisterAuditEvent"; goto Cleanup; }#else
// fResult = AuthzpRegisterAuditEvent( &AuditEventInfo, &hAudit );
// if (!fResult)
// {
// szMsg = L"AuthzRegisterAuditEvent";
// goto Cleanup;
// }
#endif
//
// initialize the AuditParams structure
//
// fResult = AuthziInitializeAuditParams(
// //
// // flags
// //
// 0,
// &AuditParams,
// //
// // sid of the user generating this audit
// //
// &pUserSid,
// //
// // resource manager name
// //
// L"mysubsystem",
// //
// // generate a success audit
// //
// APF_AuditSuccess,
// //
// // there are 9 params to follow
// //
// 9,
// //
// // operation type
// //
// APT_String, L"test",
// //
// // object type
// //
// APT_String, L"File",
// //
// // object name
// //
// APT_String, L"foo-obj",
// //
// // handle id
// //
// APT_Pointer, 0x123,
// //
// // primary user info
// //
// APT_LogonId | AP_PrimaryLogonId,
// //
// // client user info
// //
// APT_LogonId | AP_ClientLogonId,
// //
// // requested accesses
// // 1 refers to 0 based index of the
// // parameter (object-type) that is
// // passed to this function.
// //
// APT_Ulong | AP_AccessMask,
// STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, 1,
// //
// // object properties
// // 1 refers to 0 based index of the
// // parameter (object-type) that is
// // passed to this function.
// //
// APT_ObjectTypeList, &ObjectTypes, 1,
// //
// // additional info
// //
// APT_String, L"this is not a real obj-opn"
// );
// if (!fResult)
// {
// #ifdef USE_LOCAL_AUDIT
// Status = STATUS_UNSUCCESSFUL;
// wprintf(L"[%03d] AuthzInitAuditParams: %x\n",
// GetCurrentThreadId(), GetLastError());
// #endif
// szMsg = L"AuthzInitAuditParams";
// goto Cleanup;
// }
for (ULONG i=0; i<NumIter; i++) { Sleep( 10 );
#ifdef USE_LOCAL_AUDIT
Status = LsapGenAuditEvent( hAudit, 0, &AuditParams, 0 );
if (!NT_SUCCESS(Status)) { szMsg = L"LsapGenAuditEvent"; goto Cleanup; }#else
// fResult = AuthzGenAuditEvent( hAudit, 0, &AuditParams, 0 );
// if (!fResult)
// {
// szMsg = L"AuthzGenAuditEvent";
// goto Cleanup;
// }
#endif
}
Cleanup:#ifdef USE_LOCAL_AUDIT
if (!NT_SUCCESS(Status)) { dwError = Status; }#else
if (!fResult) { dwError = GetLastError(); }#endif
wprintf(L"[%03d] end: %s %x\n", GetCurrentThreadId(), szMsg ? szMsg : L"", dwError); LocalFree( pUserSid );
if ( hAudit ) {#ifdef USE_LOCAL_AUDIT
Status = LsapUnregisterAuditEvent( &hAudit );
if (!NT_SUCCESS(Status)) { wprintf (L"LsapUnregisterAuditEvent: %x\n", Status); }#else
fResult = AuthziFreeAuditEventType( hEventType );
if (!fResult) { dwError = GetLastError();
wprintf (L"AuthziFreeAuditEventType: %x\n", dwError); }#endif
}
return dwError;}
DWORD WINAPI TestEventGenThreadProc( PVOID p ){ TestEventGen( (ULONG) (ULONG_PTR) p );
return 0;}
DWORD WaitForTonsOfObjects( IN DWORD dwNumThreads, IN HANDLE* phThreads, IN BOOL fWaitAll, IN DWORD dwMilliseconds ){ LONG dwNumBundles=dwNumThreads / MAXIMUM_WAIT_OBJECTS; DWORD dwRem = dwNumThreads % MAXIMUM_WAIT_OBJECTS; DWORD dwError = NO_ERROR; for (LONG i=0; i<dwNumBundles-1; i++) { dwError = WaitForMultipleObjects( MAXIMUM_WAIT_OBJECTS, &phThreads[i*MAXIMUM_WAIT_OBJECTS], fWaitAll, dwMilliseconds ); if ( dwError == WAIT_FAILED ) { goto Cleanup; } }
dwError = WaitForMultipleObjects( dwRem, &phThreads[i*MAXIMUM_WAIT_OBJECTS], fWaitAll, dwMilliseconds ); Cleanup: return dwError;}
EXTERN_CNTSTATUSTestEventGenMulti( IN USHORT NumThreads, IN ULONG NumIter ){ NTSTATUS Status = STATUS_SUCCESS; HANDLE* phThreads = NULL; DWORD* pdwThreadIds = NULL; PWSTR szMsg = NULL; DWORD dwError;
#ifdef USE_LOCAL_AUDIT
Status = LsapAdtInitGenericAudits(); if (!NT_SUCCESS(Status)) { goto Cleanup; }#endif
dwError = EnableSinglePrivilege( SE_AUDIT_NAME );
if ( dwError != NO_ERROR ) { szMsg = L"EnableSinglePrivilege: SeAuditPrivilege"; Status = dwError; goto Cleanup; } phThreads = (HANDLE*) LocalAlloc( LMEM_ZEROINIT, sizeof(HANDLE) * NumThreads ); if ( !phThreads ) { Status = STATUS_NO_MEMORY; szMsg = L"LsapAllocateLsaHeap"; goto Cleanup; }
wprintf(L"Creating %d threads...\n", NumThreads); for (int i=0; i<NumThreads; i++) { phThreads[i] = CreateThread( NULL, 0, TestEventGenThreadProc, (PVOID) NumIter, CREATE_SUSPENDED, NULL ); if (!phThreads[i]) { szMsg = L"CreateThread"; goto Cleanup; } } wprintf(L"...done\n");
wprintf(L"Waiting for the threads to finish work...\n");
for (int i=0; i<NumThreads; i++) { ResumeThread( phThreads[i] ); }
dwError = WaitForTonsOfObjects( NumThreads, phThreads, TRUE, INFINITE ); if ( dwError == WAIT_FAILED ) { szMsg = L"WaitForMultipleObjects"; Status = STATUS_UNSUCCESSFUL; goto Cleanup; } for (int i=0; i<NumThreads; i++) { CloseHandle( phThreads[i] ); } RtlZeroMemory( phThreads, sizeof(HANDLE) * NumThreads ); Cleanup: if ( szMsg ) { wprintf (L"%s: %x\n", szMsg, Status); }
for (i=0; i<NumThreads; i++) { if (phThreads[i]) { TerminateThread( phThreads[i], 0 ); } }
LocalFree( phThreads ); //LocalFree( pdwThreadIds );
return Status;}
EXTERN_CNTSTATUSGetSidName( IN PSID pSid, OUT PWSTR szName ){ NTSTATUS Status = STATUS_SUCCESS; LSA_OBJECT_ATTRIBUTES ObjectAttrs = { 0 }; PLSA_REFERENCED_DOMAIN_LIST pDomains; PLSA_TRANSLATED_NAME pNames; LSA_HANDLE hLsa;
*szName = UNICODE_NULL; Status = LsaOpenPolicy( NULL, &ObjectAttrs, POLICY_LOOKUP_NAMES, &hLsa ); if (NT_SUCCESS(Status)) { Status = LsaLookupSids( hLsa, 1, &pSid, &pDomains, &pNames ); if (NT_SUCCESS(Status)) { if (pDomains->Entries > 0) { lstrcpyn( szName, pDomains->Domains[0].Name.Buffer, pDomains->Domains[0].Name.Length / sizeof(WCHAR) + 1); lstrcat( szName, L"\\" ); if ( pNames[0].Use == SidTypeUser ) { lstrcat( szName, pNames[0].Name.Buffer ); } else { lstrcat( szName, L"unknown" ); } } } } return Status;}
DWORD EnableSinglePrivilege( IN PWCHAR szPrivName ){ DWORD dwError=NO_ERROR; HANDLE hToken; LUID luidPriv; TOKEN_PRIVILEGES Privileges; //LUID_AND_ATTRIBUTES lna[1];
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) { goto GetError; }
if (!LookupPrivilegeValue(NULL, szPrivName, &Privileges.Privileges[0].Luid)) { goto GetError; }
Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
Privileges.PrivilegeCount = 1;
if (!AdjustTokenPrivileges(hToken, FALSE, &Privileges, 0, NULL, 0 )) { goto GetError; }
CloseHandle(hToken);
Cleanup:
return dwError; GetError: dwError = GetLastError(); goto Cleanup;}
EXTERN_CNTSTATUSkElfReportEventW ( IN HANDLE LogHandle, IN USHORT EventType, IN USHORT EventCategory OPTIONAL, IN ULONG EventID, IN PSID UserSid, IN USHORT NumStrings, IN ULONG DataSize, IN PUNICODE_STRING *Strings, IN PVOID Data, IN USHORT Flags, IN OUT PULONG RecordNumber OPTIONAL, IN OUT PULONG TimeWritten OPTIONAL ){ NTSTATUS Status = STATUS_SUCCESS; PCWSTR szT; WCHAR szUserName[256]; ASSERT((EventType == EVENTLOG_AUDIT_SUCCESS) || (EventType == EVENTLOG_AUDIT_FAILURE)); return Status; wprintf(L"-----------------------------------------------------------------\n"); if (EventType == EVENTLOG_AUDIT_SUCCESS) { szT = L"AUDIT_SUCCESS"; } else { szT = L"AUDIT_FAILURE"; }
wprintf(L"Type\t: %s\n", szT);
wprintf(L"Category: %d\n", EventCategory); wprintf(L"AuditId\t: %d\n", EventID);
if (STATUS_SUCCESS == GetSidName( UserSid, szUserName )) { wprintf(L"UserSid\t: %s\n\n", szUserName); } else { wprintf(L"UserSid\t: <NA>\n\n"); }
wprintf(L"#strings: %d\n", NumStrings);
for (int i=0; i<NumStrings; i++) { wprintf(L"[%02d]\t: %wZ\n", i, Strings[i]); }
return Status;}
|
