archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/gina/msgina/audit.c

245 lines
6.8 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /****************************** Module Header ******************************\
  2. * Module Name: audit.c
  3. *
  4. * Copyright (c) 1991, Microsoft Corporation
  5. *
  6. * Implementation of routines that access/manipulate the system audit log
  7. *
  8. * History:
  9. * 12-09-91 Davidc Created.
  10. * 5-6-92 DaveHart Fleshed out.
  11. \***************************************************************************/
  13. #include "msgina.h"
  15. #include "authzi.h"
  16. #include "msaudite.h"
  18. /***************************************************************************\
  19. * GetAuditLogStatus
  20. *
  21. * Purpose : Fills the global data with audit log status information
  22. *
  23. * Returns: TRUE on success, FALSE on failure
  24. *
  25. * History:
  26. * 12-09-91 Davidc Created.
  27. * 5-6-92 DaveHart Fleshed out.
  28. \***************************************************************************/
  30. BOOL
  31. GetAuditLogStatus(
  32. PGLOBALS pGlobals
  33. )
  34. {
  35. EVENTLOG_FULL_INFORMATION EventLogFullInformation;
  36. DWORD dwBytesNeeded;
  37. HANDLE AuditLogHandle;
  41. //
  42. // Assume the log is not full. If we can't get to EventLog, tough.
  43. //
  45. pGlobals->AuditLogFull = FALSE;
  47. AuditLogHandle = OpenEventLog( NULL, TEXT("Security"));
  49. if (AuditLogHandle) {
  50. if (GetEventLogInformation(AuditLogHandle,
  51. EVENTLOG_FULL_INFO,
  52. &EventLogFullInformation,
  53. sizeof(EventLogFullInformation),
  54. &dwBytesNeeded ) ) {
  55. if (EventLogFullInformation.dwFull != FALSE) {
  56. pGlobals->AuditLogFull = TRUE;
  57. }
  58. }
  59. CloseEventLog(AuditLogHandle);
  60. }
  63. //
  64. // There's no way in the current event logger to tell how full the log
  65. // is, always indicate we're NOT near full.
  66. //
  68. pGlobals->AuditLogNearFull = FALSE;
  70. return TRUE;
  71. }
  76. /***************************************************************************\
  77. * DisableAuditing
  78. *
  79. * Purpose : Disable auditing via LSA.
  80. *
  81. * Returns: TRUE on success, FALSE on failure
  82. *
  83. * History:
  84. * 5-6-92 DaveHart Created.
  85. \***************************************************************************/
  87. BOOL
  88. DisableAuditing()
  89. {
  90. NTSTATUS Status, IgnoreStatus;
  91. PPOLICY_AUDIT_EVENTS_INFO AuditInfo;
  92. OBJECT_ATTRIBUTES ObjectAttributes;
  93. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  94. LSA_HANDLE PolicyHandle;
  96. //
  97. // Set up the Security Quality Of Service for connecting to the
  98. // LSA policy object.
  99. //
  101. SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  102. SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
  103. SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  104. SecurityQualityOfService.EffectiveOnly = FALSE;
  106. //
  107. // Set up the object attributes to open the Lsa policy object
  108. //
  110. InitializeObjectAttributes(
  111. &ObjectAttributes,
  112. NULL,
  113. 0L,
  114. NULL,
  115. NULL
  116. );
  117. ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
  119. //
  120. // Open the local LSA policy object
  121. //
  123. Status = LsaOpenPolicy(
  124. NULL,
  125. &ObjectAttributes,
  126. POLICY_VIEW_AUDIT_INFORMATION | POLICY_SET_AUDIT_REQUIREMENTS,
  127. &PolicyHandle
  128. );
  129. if (!NT_SUCCESS(Status)) {
  130. DebugLog((DEB_ERROR, "Failed to open LsaPolicyObject Status = 0x%lx", Status));
  131. return FALSE;
  132. }
  134. Status = LsaQueryInformationPolicy(
  135. PolicyHandle,
  136. PolicyAuditEventsInformation,
  137. (PVOID *)&AuditInfo
  138. );
  139. if (!NT_SUCCESS(Status)) {
  141. IgnoreStatus = LsaClose(PolicyHandle);
  142. ASSERT(NT_SUCCESS(IgnoreStatus));
  144. DebugLog((DEB_ERROR, "Failed to query audit event info Status = 0x%lx", Status));
  145. return FALSE;
  146. }
  148. if (AuditInfo->AuditingMode) {
  150. AuditInfo->AuditingMode = FALSE;
  152. Status = LsaSetInformationPolicy(
  153. PolicyHandle,
  154. PolicyAuditEventsInformation,
  155. AuditInfo
  156. );
  157. } else {
  158. Status = STATUS_SUCCESS;
  159. }
  162. IgnoreStatus = LsaFreeMemory(AuditInfo);
  163. ASSERT(NT_SUCCESS(IgnoreStatus));
  165. IgnoreStatus = LsaClose(PolicyHandle);
  166. ASSERT(NT_SUCCESS(IgnoreStatus));
  169. if (!NT_SUCCESS(Status)) {
  170. DebugLog((DEB_ERROR, "Failed to disable auditing Status = 0x%lx", Status));
  171. return FALSE;
  172. }
  174. return TRUE;
  175. }
  177. DWORD
  178. GenerateCachedUnlockAudit(
  179. IN PSID pUserSid,
  180. IN PCWSTR pszUser,
  181. IN PCWSTR pszDomain
  182. )
  183. {
  184. DWORD dwRet = ERROR_SUCCESS;
  186. WCHAR szComputerName[CNLEN + sizeof('\0')] = L"-";
  187. DWORD dwComputerNameSize = ARRAYSIZE(szComputerName);
  189. LUID Luid;
  190. LUID SystemLuid = SYSTEM_LUID;
  192. if( !pUserSid || !pszUser )
  193. {
  194. DebugLog((DEB_ERROR, "GenerateCachedUnlockAudit got invalid parameters"));
  195. ASSERT(FALSE);
  196. dwRet = ERROR_INVALID_PARAMETER;
  197. goto ErrorReturn;
  198. }
  200. //
  201. // Generate a locally unique id to include in the logon sid
  202. // Note that this is a dummy SID. We don't want to use the logon
  203. // LUID as this is specific to logon/logoff. Also a NULL LUID
  204. // is seen as meaningless, so we have to generate a random one
  205. //
  206. if( !AllocateLocallyUniqueId(&Luid) )
  207. {
  208. dwRet = GetLastError();
  209. DebugLog((DEB_ERROR, "AllocateLocallyUniqueId failed, error = 0x%lx", dwRet));
  210. goto ErrorReturn;
  211. }
  213. //
  214. // Ignore the failure
  215. //
  216. GetComputerName(szComputerName, &dwComputerNameSize);
  218. if( !AuthziSourceAudit(
  219. APF_AuditSuccess,
  220. SE_CATEGID_LOGON, //category id
  221. SE_AUDITID_SUCCESSFUL_LOGON, //audit id
  222. L"Security",
  223. pUserSid, //the user sid
  224. 12, //count for va section
  225. APT_String, pszUser,
  226. APT_String, pszDomain ? pszDomain : L"-",
  227. APT_Luid, Luid,
  228. APT_Ulong, CachedUnlock,
  229. APT_String, L"Winlogon",
  230. APT_String, L"Winlogon unlock cache",
  231. APT_String, szComputerName,
  232. APT_String, L"-",
  233. APT_String, L"SYSTEM",
  234. APT_String, L"NT AUTHORITY",
  235. APT_Luid, SystemLuid,
  236. APT_Ulong, GetCurrentProcessId()
  237. ) )
  238. {
  239. DebugLog((DEB_ERROR, "AuthziSourceAudit failed, error = 0x%lx", dwRet));
  240. dwRet = GetLastError();
  241. }
  243. ErrorReturn:
  244. return dwRet;
  245. }