archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/termsrv/winsta/server/audit.c

731 lines
22 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*******************************************************************************
  2. * AUDIT.C
  3. *
  4. * This module contains the routines for logging audit events
  5. *
  6. * Copyright (C) 1997-1999 Microsoft Corp.
  7. *******************************************************************************/
  9. #include "precomp.h"
  10. #pragma hdrstop
  12. #include <rpc.h>
  13. #include <msaudite.h>
  14. #include <ntlsa.h>
  15. #include <authz.h>
  16. #include <authzi.h>
  17. #include <winsock2.h>
  19. HANDLE AuditLogHandle = NULL;
  20. HANDLE SystemLogHandle = NULL;
  22. #define MAX_INSTANCE_MEMORYERR 20
  24. /*
  25. * Global data
  26. */
  27. //Authz Changes
  28. AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
  29. extern RTL_CRITICAL_SECTION g_AuthzCritSection;
  30. //END Authz Changes
  32. /*
  33. * External procedures defined
  34. */
  35. VOID
  36. AuditEvent( PWINSTATION pWinstation, ULONG EventId );
  38. NTSTATUS
  39. AuthzReportEventW( IN PAUTHZ_AUDIT_EVENT_TYPE_HANDLE pHAET,
  40. IN DWORD Flags,
  41. IN ULONG EventId,
  42. IN PSID pUserID,
  43. IN USHORT NumStrings,
  44. IN ULONG DataSize OPTIONAL, //Future - DO NOT USE
  45. IN PWSTR* Strings,
  46. IN PVOID Data OPTIONAL //Future - DO NOT USE
  47. );
  50. BOOL AuthzInit( IN DWORD Flags,
  51. IN USHORT CategoryID,
  52. IN USHORT AuditID,
  53. IN USHORT ParameterCount,
  54. OUT PAUTHZ_AUDIT_EVENT_TYPE_HANDLE phAuditEventType
  55. );
  57. BOOLEAN
  58. AuditingEnabled ();
  60. VOID
  61. AuditEnd();
  63. /*
  64. * Internal procedures defined
  65. */
  66. NTSTATUS
  67. AdtBuildLuidString(
  68. IN PLUID Value,
  69. OUT PUNICODE_STRING ResultantString
  70. );
  74. BOOLEAN
  75. IsAuditLogFull(
  76. HANDLE LogHandle
  77. )
  78. {
  79. BOOLEAN retval = TRUE;
  80. EVENTLOG_FULL_INFORMATION EventLogFullInformation;
  81. DWORD dwBytesNeeded;
  83. if (GetEventLogInformation(LogHandle,
  84. EVENTLOG_FULL_INFO,
  85. &EventLogFullInformation,
  86. sizeof(EventLogFullInformation),
  87. &dwBytesNeeded ) ) {
  88. if (EventLogFullInformation.dwFull == FALSE) {
  89. retval = FALSE;
  90. }
  91. }
  93. return retval;
  94. }
  98. NTSTATUS
  99. AdtBuildLuidString(
  100. IN PLUID Value,
  101. OUT PUNICODE_STRING ResultantString
  102. )
  104. /*++
  106. Routine Description:
  108. This function builds a unicode string representing the passed LUID.
  110. The resultant string will be formatted as follows:
  112. (0x00005678,0x12340000)
  114. Arguments:
  116. Value - The value to be transformed to printable format (Unicode string).
  118. ResultantString - Points to the unicode string header. The body of this
  119. unicode string will be set to point to the resultant output value
  120. if successful. Otherwise, the Buffer field of this parameter
  121. will be set to NULL.
  123. FreeWhenDone - If TRUE, indicates that the body of the ResultantString
  124. must be freed to process heap when no longer needed.
  127. Return Values:
  129. STATUS_NO_MEMORY - indicates memory could not be allocated
  130. for the string body.
  132. All other Result Codes are generated by called routines.
  134. --*/
  136. {
  137. NTSTATUS Status;
  138. UNICODE_STRING IntegerString;
  140. ULONG Buffer[(16*sizeof(WCHAR))/sizeof(ULONG)];
  143. IntegerString.Buffer = (PWCHAR)&Buffer[0];
  144. IntegerString.MaximumLength = 16*sizeof(WCHAR);
  147. //
  148. // Length (in WCHARS) is 3 for (0x
  149. // 10 for 1st hex number
  150. // 3 for ,0x
  151. // 10 for 2nd hex number
  152. // 1 for )
  153. // 1 for null termination
  154. //
  156. ResultantString->Length = 0;
  157. ResultantString->MaximumLength = 28 * sizeof(WCHAR);
  159. ResultantString->Buffer = RtlAllocateHeap( RtlProcessHeap(), 0,
  160. ResultantString->MaximumLength);
  161. if (ResultantString->Buffer == NULL) {
  162. return(STATUS_NO_MEMORY);
  163. }
  165. Status = RtlAppendUnicodeToString( ResultantString, L"(0x" );
  166. Status = RtlIntegerToUnicodeString( Value->HighPart, 16, &IntegerString );
  167. Status = RtlAppendUnicodeToString( ResultantString, IntegerString.Buffer );
  169. Status = RtlAppendUnicodeToString( ResultantString, L",0x" );
  170. Status = RtlIntegerToUnicodeString( Value->LowPart, 16, &IntegerString );
  171. Status = RtlAppendUnicodeToString( ResultantString, IntegerString.Buffer );
  173. Status = RtlAppendUnicodeToString( ResultantString, L")" );
  175. return(STATUS_SUCCESS);
  176. }
  179. VOID
  180. AuditEvent( PWINSTATION pWinstation, ULONG EventId )
  181. {
  182. NTSTATUS Status;
  183. UNICODE_STRING LuidString;
  184. PWSTR StringPointerArray[6];
  185. USHORT StringIndex = 0;
  186. TOKEN_STATISTICS TokenInformation;
  187. ULONG ReturnLength;
  188. LUID LogonId = {0,0};
  189. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET = NULL;
  191. if (!AuditingEnabled() )
  192. return;
  194. // Initialize LuidString.
  195. LuidString.Length = 0;
  196. LuidString.Buffer = NULL;
  198. //
  199. //AUTHZ Changes
  200. //
  202. if( !AuthzInit( 0, SE_CATEGID_LOGON, (USHORT)EventId, 6, &hAET ))
  203. goto badAuthzInit;
  205. if (pWinstation->UserName && (wcslen(pWinstation->UserName) > 0)) {
  206. StringPointerArray[StringIndex] = pWinstation->UserName;
  207. } else {
  208. StringPointerArray[StringIndex] = L"Unknown";
  209. }
  210. StringIndex++;
  212. if (pWinstation->Domain && (wcslen(pWinstation->Domain) > 0)) {
  213. StringPointerArray[StringIndex] = pWinstation->Domain;
  214. } else {
  215. StringPointerArray [StringIndex] = L"Unknown";
  216. }
  217. StringIndex++;
  219. if (pWinstation->UserToken != NULL) {
  220. Status = NtQueryInformationToken (
  221. pWinstation->UserToken,
  222. TokenStatistics,
  223. &TokenInformation,
  224. sizeof(TokenInformation),
  225. &ReturnLength
  226. );
  228. if (NT_SUCCESS(Status)) {
  230. Status = AdtBuildLuidString( &(TokenInformation.AuthenticationId), &LuidString );
  231. } else {
  232. Status = AdtBuildLuidString( &LogonId, &LuidString );
  233. }
  234. } else {
  235. Status = AdtBuildLuidString( &LogonId, &LuidString );
  236. }
  237. StringPointerArray[StringIndex] = LuidString.Buffer;
  238. StringIndex++;
  240. if (pWinstation->WinStationName && (wcslen(pWinstation->WinStationName) > 0)) {
  241. StringPointerArray[StringIndex] = pWinstation->WinStationName;
  242. } else {
  243. StringPointerArray[StringIndex] = L"Unknown" ;
  244. }
  245. StringIndex++;
  247. if (pWinstation->Client.ClientName && (wcslen(pWinstation->Client.ClientName) > 0)) {
  248. StringPointerArray[StringIndex] = pWinstation->Client.ClientName;
  249. } else {
  250. StringPointerArray[StringIndex] = L"Unknown";
  251. }
  253. StringIndex++;
  255. StringPointerArray[StringIndex] = L"Unknown";
  257. if( pWinstation->pLastClientAddress != NULL )
  258. {
  259. PSTR szIPV4 = NULL;
  260. TCHAR tchWideIP[ 80 ];
  261. int cchWideIP = sizeof( tchWideIP ) / sizeof( TCHAR );
  263. if( pWinstation->pLastClientAddress->length < 16 )
  264. {
  265. /* currently only ipv4 apis are in use */
  266. struct in_addr Ipv4;
  268. RtlCopyMemory( &Ipv4 , &pWinstation->pLastClientAddress->addr[0] , pWinstation->pLastClientAddress->length );
  270. szIPV4 = inet_ntoa( Ipv4 );
  272. // convert ansi to wide
  274. if( MultiByteToWideChar(
  275. CP_ACP, // code page
  276. 0, // character-type options
  277. szIPV4, // string to map
  278. -1, // number of bytes in string
  279. tchWideIP, // wide-character buffer
  280. cchWideIP // size of buffer
  281. ) != 0 )
  282. {
  283. StringPointerArray[StringIndex] = tchWideIP;
  284. }
  285. }
  287. }
  289. StringIndex++;
  291. //Authz Changes
  293. Status = AuthzReportEventW( &hAET,
  294. APF_AuditSuccess,
  295. EventId,
  296. pWinstation->pUserSid,
  297. StringIndex,
  298. 0,
  299. StringPointerArray,
  300. NULL
  301. );
  303. //end authz changes
  306. if ( !NT_SUCCESS(Status))
  307. DBGPRINT(("Termsrv - failed to report event \n" ));
  309. badAuthzInit:
  310. if( hAET != NULL )
  311. AuthziFreeAuditEventType( hAET );
  313. if (LuidString.Buffer != NULL) {
  314. RtlFreeHeap(RtlProcessHeap(), 0, LuidString.Buffer);
  315. }
  316. }
  321. /***************************************************************************\
  322. * AuditingEnabled
  323. *
  324. * Purpose : Check auditing via LSA.
  325. *
  326. * Returns: TRUE on success, FALSE on failure
  327. *
  328. * History:
  329. * 5-6-92 DaveHart Created.
  330. \***************************************************************************/
  332. BOOLEAN
  333. AuditingEnabled()
  334. {
  335. NTSTATUS Status, IgnoreStatus;
  336. PPOLICY_AUDIT_EVENTS_INFO AuditInfo;
  337. OBJECT_ATTRIBUTES ObjectAttributes;
  338. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  339. LSA_HANDLE PolicyHandle;
  340. BOOLEAN ReturnValue;
  342. //
  343. // Set up the Security Quality Of Service for connecting to the
  344. // LSA policy object.
  345. //
  347. SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  348. SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
  349. SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  350. SecurityQualityOfService.EffectiveOnly = FALSE;
  352. //
  353. // Set up the object attributes to open the Lsa policy object
  354. //
  356. InitializeObjectAttributes(
  357. &ObjectAttributes,
  358. NULL,
  359. 0L,
  360. NULL,
  361. NULL
  362. );
  363. ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
  365. //
  366. // Open the local LSA policy object
  367. //
  369. Status = LsaOpenPolicy(
  370. NULL,
  371. &ObjectAttributes,
  372. POLICY_VIEW_AUDIT_INFORMATION | POLICY_SET_AUDIT_REQUIREMENTS,
  373. &PolicyHandle
  374. );
  375. if (!NT_SUCCESS(Status)) {
  376. DBGPRINT(("Termsrv: Failed to open LsaPolicyObject Status = 0x%lx", Status));
  377. return FALSE;
  378. }
  380. Status = LsaQueryInformationPolicy(
  381. PolicyHandle,
  382. PolicyAuditEventsInformation,
  383. (PVOID *)&AuditInfo
  384. );
  385. IgnoreStatus = LsaClose(PolicyHandle);
  386. ASSERT(NT_SUCCESS(IgnoreStatus));
  388. if (!NT_SUCCESS(Status)) {
  389. DBGPRINT(("Termsrv: Failed to query audit event info Status = 0x%lx", Status));
  390. return FALSE;
  391. }
  393. ReturnValue = (AuditInfo->AuditingMode &&
  394. ((AuditInfo->EventAuditingOptions)[AuditCategoryLogon] &
  395. POLICY_AUDIT_EVENT_SUCCESS));
  397. LsaFreeMemory(AuditInfo);
  399. return ReturnValue;
  400. }
  403. VOID WriteErrorLogEntry(
  404. IN NTSTATUS NtStatusCode,
  405. IN PVOID pRawData,
  406. IN ULONG RawDataLength
  407. )
  408. {
  409. NTSTATUS Status;
  410. ULONG Length;
  413. if ( !SystemLogHandle ) {
  414. UNICODE_STRING ModuleName;
  416. RtlInitUnicodeString( &ModuleName, L"TermService");
  418. Status = ElfRegisterEventSourceW( NULL, &ModuleName, &SystemLogHandle );
  420. if (!NT_SUCCESS(Status)) {
  421. DBGPRINT(("Termsrv - failed to open System log file\n"));
  422. return;
  423. }
  424. }
  426. if (IsAuditLogFull(SystemLogHandle))
  427. return;
  429. Status = ElfReportEventW( SystemLogHandle,
  430. EVENTLOG_ERROR_TYPE,
  431. 0,
  432. NtStatusCode,
  433. NULL,
  434. 0,
  435. RawDataLength,
  436. NULL,
  437. pRawData,
  438. 0,
  439. NULL,
  440. NULL );
  441. if ( !NT_SUCCESS(Status))
  442. DBGPRINT(("Termsrv - failed to report event \n" ));
  443. }
  446. // This function is duplicated in \nt\termsrv\sessdir\dis\tssdis.cpp.
  447. /****************************************************************************/
  448. // PostErrorValueEvent
  449. //
  450. // Utility function used to create a system log error event containing one
  451. // hex DWORD error code value.
  452. /****************************************************************************/
  453. void PostErrorValueEvent(unsigned EventCode, DWORD ErrVal)
  454. {
  455. HANDLE hLog;
  456. WCHAR hrString[128];
  457. PWSTR String = NULL;
  458. extern WCHAR gpszServiceName[];
  459. static DWORD numInstances = 0;
  460. //
  461. //count the numinstances of out of memory error, if this is more than
  462. //a specified number, we just won't log them
  463. //
  464. if( STATUS_COMMITMENT_LIMIT == ErrVal )
  465. {
  466. if( numInstances > MAX_INSTANCE_MEMORYERR )
  467. return;
  468. //
  469. //if applicable, tell the user that we won't log any more of the out of memory errors
  470. //
  471. if( numInstances >= MAX_INSTANCE_MEMORYERR - 1 ) {
  472. wsprintfW(hrString, L"0x%X. This type of error will not be logged again to avoid clutter.", ErrVal);
  473. String = hrString;
  474. }
  475. numInstances++;
  476. }
  478. hLog = RegisterEventSource(NULL, gpszServiceName);
  479. if (hLog != NULL) {
  480. if( NULL == String ) {
  481. wsprintfW(hrString, L"0x%X", ErrVal);
  482. String = hrString;
  483. }
  484. ReportEvent(hLog, EVENTLOG_ERROR_TYPE, 0, EventCode, NULL, 1, 0,
  485. (const WCHAR **)&String, NULL);
  486. DeregisterEventSource(hLog);
  487. }
  488. }
  490. /*************************************************************
  491. * AuthzInit Purpose : Initialize authz for logging an event to the security log
  492. *Flags - unused
  493. *Category Id - Security Category to which this event belongs
  494. *Audit Id - An id for the event
  495. *PArameter count - Number of parameters that will be passed to the logging function later
  496. ****************************************************************/
  498. BOOL AuthzInit( IN DWORD Flags,
  499. IN USHORT CategoryID,
  500. IN USHORT AuditID,
  501. IN USHORT ParameterCount,
  502. OUT PAUTHZ_AUDIT_EVENT_TYPE_HANDLE phAuditEventType
  503. )
  504. {
  505. BOOL fAuthzInit = TRUE;
  506. BOOLEAN WasEnabled = FALSE;
  507. NTSTATUS Status;
  509. if( NULL == phAuditEventType )
  510. goto badAuthzInit;
  512. Status = RtlAdjustPrivilege(
  513. SE_SECURITY_PRIVILEGE | SE_AUDIT_PRIVILEGE,
  514. TRUE, // Enable the PRIVILEGE
  515. FALSE, // Don't Use Thread token (under impersonation)
  516. &WasEnabled
  517. );
  519. if ( Status == STATUS_NO_TOKEN ) {
  520. DBGPRINT(("TERMSRV: AuditEvent: RtlAdjustPrivilege failure 0x%x\n",Status));
  521. return FALSE;
  522. }
  525. *phAuditEventType = NULL;
  527. //
  528. //only one thread can create hRM
  529. //
  530. RtlEnterCriticalSection( &g_AuthzCritSection );
  531. if( NULL == hRM )
  532. {
  533. fAuthzInit = AuthzInitializeResourceManager( 0,
  534. NULL,
  535. NULL,
  536. NULL,
  537. L"Terminal Server",
  538. &hRM
  539. );
  541. }
  542. RtlLeaveCriticalSection( &g_AuthzCritSection );
  544. if ( !fAuthzInit )
  545. {
  546. DBGPRINT(("TERMSRV: AuditEvent: AuthzInitializeResourceManager failed with %d\n", GetLastError()));
  547. goto badAuthzInit;
  548. }
  551. fAuthzInit = AuthziInitializeAuditEventType( Flags,
  552. CategoryID,
  553. AuditID,
  554. ParameterCount,
  555. phAuditEventType
  556. );
  558. if ( !fAuthzInit )
  559. {
  560. DBGPRINT(("TERMSRV: AuditEvent: AuthziInitializeAuditEventType failed with %d\n", GetLastError()));
  561. goto badAuthzInit;
  562. }
  564. badAuthzInit:
  565. if( !fAuthzInit )
  566. {
  567. if( NULL != *phAuditEventType )
  568. {
  569. if( !AuthziFreeAuditEventType( *phAuditEventType ))
  570. DBGPRINT(("TERMSRV: AuditEvent: AuthziFreeAuditEventType failed with %d\n", GetLastError()));
  571. *phAuditEventType = NULL;
  572. }
  573. }
  575. if( !WasEnabled ) {
  577. /*
  578. * Principle of least rights says to not go around with privileges
  579. * held you do not need. So we must disable the privilege.
  580. */
  581. RtlAdjustPrivilege(
  582. SE_SECURITY_PRIVILEGE | SE_AUDIT_PRIVILEGE,
  583. FALSE, // Disable the PRIVILEGE
  584. FALSE, // Don't Use Thread token
  585. &WasEnabled
  586. );
  588. }
  590. // if( fAuthzInit )
  591. // DBGPRINT(("TERMSRV: Successfully initialized authz = %d\n", AuditID));
  592. return fAuthzInit;
  593. }
  596. /*********************************************************
  597. * Purpose : Log an Event to the security log
  598. * In pHAET
  599. * Audit Event type obtained from a call to AuthzInit() above
  600. * In Flags
  601. * APF_AuditSuccess or others as listed in the header file
  602. * pUserSID - Unused
  603. * NumStrings - Number of strings contained within "Strings"
  604. * DataSize - unused
  605. * Strings- Pointer to a sequence of unicode strings
  606. * Data - unused
  607. *
  608. **********************************************************/
  609. NTSTATUS
  610. AuthzReportEventW( IN PAUTHZ_AUDIT_EVENT_TYPE_HANDLE pHAET,
  611. IN DWORD Flags,
  612. IN ULONG EventId,
  613. IN PSID pUserSID,
  614. IN USHORT NumStrings,
  615. IN ULONG DataSize OPTIONAL, //Future - DO NOT USE
  616. IN PWSTR* Strings,
  617. IN PVOID Data OPTIONAL //Future - DO NOT USE
  618. )
  619. {
  620. NTSTATUS status = STATUS_ACCESS_DENIED;
  621. AUTHZ_AUDIT_EVENT_HANDLE hAE = NULL;
  622. BOOL fSuccess = FALSE;
  623. PAUDIT_PARAMS pParams = NULL;
  625. if( NULL == hRM || NULL == pHAET || *pHAET == NULL )
  626. return status;
  628. fSuccess = AuthziAllocateAuditParams( &pParams, NumStrings );
  630. if ( !fSuccess )
  631. {
  632. DBGPRINT(("TERMSRV: AuditEvent: AuthzAllocateAuditParams failed with %d\n", GetLastError()));
  633. goto BadAuditEvent;
  634. }
  637. if( 6 == NumStrings )
  638. {
  639. fSuccess = AuthziInitializeAuditParamsWithRM( Flags,
  640. hRM,
  641. NumStrings,
  642. pParams,
  643. APT_String, Strings[0],
  644. APT_String, Strings[1],
  645. APT_String, Strings[2],
  646. APT_String, Strings[3],
  647. APT_String, Strings[4],
  648. APT_String, Strings[5]
  649. );
  650. }
  651. else if( 0 == NumStrings )
  652. {
  653. fSuccess = AuthziInitializeAuditParamsWithRM( Flags,
  654. hRM,
  655. NumStrings,
  656. pParams
  657. );
  658. }
  659. else
  660. {
  661. //we don't support anything else
  662. fSuccess = FALSE;
  663. DBGPRINT(("TERMSRV: AuditEvent: unsupported audit type \n"));
  664. goto BadAuditEvent;
  665. }
  667. if ( !fSuccess )
  668. {
  669. DBGPRINT(("TERMSRV: AuditEvent: AuthziInitializeAuditParamsWithRM failed with %d\n", GetLastError()));
  670. goto BadAuditEvent;
  671. }
  673. fSuccess = AuthziInitializeAuditEvent( 0,
  674. hRM,
  675. *pHAET,
  676. pParams,
  677. NULL,
  678. INFINITE,
  679. L"",
  680. L"",
  681. L"",
  682. L"",
  683. &hAE
  684. );
  686. if ( !fSuccess )
  687. {
  688. DBGPRINT(("TERMSRV: AuditEvent: AuthziInitializeAuditEvent failed with %d\n", GetLastError()));
  689. goto BadAuditEvent;
  690. }
  692. fSuccess = AuthziLogAuditEvent( 0,
  693. hAE,
  694. NULL
  695. );
  697. if ( !fSuccess )
  698. {
  699. DBGPRINT(("TERMSRV: AuditEvent: AuthziLogAuditEvent failed with %d\n", GetLastError()));
  700. goto BadAuditEvent;
  701. }
  703. BadAuditEvent:
  705. if( hAE )
  706. AuthzFreeAuditEvent( hAE );
  708. if( pParams )
  709. AuthziFreeAuditParams( pParams );
  711. if( fSuccess )
  712. status = STATUS_SUCCESS;
  714. //if( fSuccess )
  715. // DBGPRINT(("TERMSRV: Successfully audited event with authz= %d\n", EventId));
  716. return status;
  717. }
  720. //
  721. //should only be called once per our process
  722. //
  723. VOID AuditEnd()
  724. {
  725. if( NULL != hRM )
  726. {
  727. if( !AuthzFreeResourceManager( hRM ))
  728. DBGPRINT(("TERMSRV: AuditEvent: AuthzFreeResourceManager failed with %d\n", GetLastError()));
  729. hRM = NULL;
  730. }
  731. }