archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/base/ntos/se/adtinit.c

368 lines
6.9 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. adtinit.c
  9. Abstract:
  11. Auditing - Initialization Routines
  13. Author:
  15. Scott Birrell (ScottBi) November 12, 1991
  17. Environment:
  19. Kernel Mode only
  21. Revision History:
  23. 06-February-2002 kumarp security review
  25. --*/
  27. #include "pch.h"
  29. #pragma hdrstop
  32. #ifdef ALLOC_PRAGMA
  33. #pragma alloc_text(PAGE,SepAdtValidateAuditBounds)
  34. #pragma alloc_text(PAGE,SepAdtInitializeBounds)
  35. #pragma alloc_text(INIT,SepAdtInitializeCrashOnFail)
  36. #pragma alloc_text(INIT,SepAdtInitializePrivilegeAuditing)
  37. #pragma alloc_text(INIT,SepAdtInitializeAuditingOptions)
  38. #endif
  41. BOOLEAN
  42. SepAdtValidateAuditBounds(
  43. ULONG Upper,
  44. ULONG Lower
  45. )
  47. /*++
  49. Routine Description:
  51. Examines the audit queue high and low water mark values and performs
  52. a general sanity check on them.
  54. Arguments:
  56. Upper - High water mark.
  58. Lower - Low water mark.
  60. Return Value:
  62. TRUE - values are acceptable.
  64. FALSE - values are unacceptable.
  67. --*/
  69. {
  70. PAGED_CODE();
  72. if ( Lower >= Upper ) {
  73. return( FALSE );
  74. }
  76. if ( Lower < 16 ) {
  77. return( FALSE );
  78. }
  80. if ( (Upper - Lower) < 16 ) {
  81. return( FALSE );
  82. }
  84. return( TRUE );
  85. }
  88. VOID
  89. SepAdtInitializeBounds(
  90. VOID
  91. )
  93. /*++
  95. Routine Description:
  97. Queries the registry for the high and low water mark values for the
  98. audit log. If they are not found or are unacceptable, returns without
  99. modifying the current values, which are statically initialized.
  101. Arguments:
  103. None.
  105. Return Value:
  107. None.
  109. --*/
  111. {
  112. NTSTATUS Status;
  113. PSEP_AUDIT_BOUNDS AuditBounds;
  114. UCHAR Buffer[8];
  117. PAGED_CODE();
  119. Status = SepRegQueryHelper(
  120. L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa",
  121. L"Bounds",
  122. REG_BINARY,
  123. 8, // 8 bytes
  124. Buffer,
  125. NULL
  126. );
  128. if (!NT_SUCCESS( Status )) {
  130. //
  131. // Didn't work, take the defaults
  132. //
  134. return;
  135. }
  137. AuditBounds = (PSEP_AUDIT_BOUNDS) Buffer;
  139. //
  140. // Sanity check what we got back
  141. //
  143. if(SepAdtValidateAuditBounds( AuditBounds->UpperBound,
  144. AuditBounds->LowerBound ))
  145. {
  146. //
  147. // Take what we got from the registry.
  148. //
  150. SepAdtMaxListLength = AuditBounds->UpperBound;
  151. SepAdtMinListLength = AuditBounds->LowerBound;
  152. }
  153. }
  157. NTSTATUS
  158. SepAdtInitializeCrashOnFail(
  159. VOID
  160. )
  162. /*++
  164. Routine Description:
  166. Reads the registry to see if the user has told us to crash if an audit fails.
  168. Arguments:
  170. None.
  172. Return Value:
  174. STATUS_SUCCESS
  176. --*/
  178. {
  179. NTSTATUS Status;
  180. ULONG CrashOnAuditFail = 0;
  182. PAGED_CODE();
  184. SepCrashOnAuditFail = FALSE;
  186. //
  187. // Check the value of the CrashOnAudit flag in the registry.
  188. //
  190. Status = SepRegQueryDwordValue(
  191. L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa",
  192. CRASH_ON_AUDIT_FAIL_VALUE,
  193. &CrashOnAuditFail
  194. );
  196. //
  197. // If the key isn't there, don't turn on CrashOnFail.
  198. //
  200. if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
  201. return( STATUS_SUCCESS );
  202. }
  205. if (NT_SUCCESS( Status )) {
  207. if ( CrashOnAuditFail == LSAP_CRASH_ON_AUDIT_FAIL) {
  208. SepCrashOnAuditFail = TRUE;
  209. }
  210. }
  212. return( STATUS_SUCCESS );
  213. }
  216. BOOLEAN
  217. SepAdtInitializePrivilegeAuditing(
  218. VOID
  219. )
  221. /*++
  223. Routine Description:
  225. Checks to see if there is an entry in the registry telling us to do full privilege auditing
  226. (which currently means audit everything we normall audit, plus backup and restore privileges).
  228. Arguments:
  230. None
  232. Return Value:
  234. BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
  236. --*/
  238. {
  239. HANDLE KeyHandle;
  240. NTSTATUS Status;
  241. NTSTATUS TmpStatus;
  242. OBJECT_ATTRIBUTES Obja;
  243. ULONG ResultLength;
  244. UNICODE_STRING KeyName;
  245. UNICODE_STRING ValueName;
  246. CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
  247. PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
  248. BOOLEAN Verbose;
  250. PAGED_CODE();
  252. //
  253. // Query the registry to set up the privilege auditing filter.
  254. //
  256. RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
  258. InitializeObjectAttributes( &Obja,
  259. &KeyName,
  260. OBJ_CASE_INSENSITIVE,
  261. NULL,
  262. NULL
  263. );
  265. Status = NtOpenKey(
  266. &KeyHandle,
  267. KEY_QUERY_VALUE | KEY_SET_VALUE,
  268. &Obja
  269. );
  272. if (!NT_SUCCESS( Status )) {
  274. if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
  276. return ( SepInitializePrivilegeFilter( FALSE ));
  278. } else {
  280. return( FALSE );
  281. }
  282. }
  284. //
  285. // ISSUE-2002/02/06-kumarp : should we convert FULL_PRIVILEGE_AUDITING
  286. // to type REG_DWORD ?
  287. //
  289. RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING );
  291. Status = NtQueryValueKey(
  292. KeyHandle,
  293. &ValueName,
  294. KeyValuePartialInformation,
  295. KeyInfo,
  296. sizeof(KeyInfo),
  297. &ResultLength
  298. );
  300. TmpStatus = NtClose(KeyHandle);
  301. ASSERT(NT_SUCCESS(TmpStatus));
  303. if (!NT_SUCCESS( Status )) {
  305. Verbose = FALSE;
  307. } else {
  309. pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
  310. Verbose = (BOOLEAN) *(pKeyInfo->Data);
  311. }
  313. return ( SepInitializePrivilegeFilter( Verbose ));
  314. }
  317. VOID
  318. SepAdtInitializeAuditingOptions(
  319. VOID
  320. )
  322. /*++
  324. Routine Description:
  326. Initialize options that control auditing.
  327. (please refer to note in adtp.h near the def. of SEP_AUDIT_OPTIONS)
  329. Arguments:
  331. None
  333. Return Value:
  335. None
  337. --*/
  339. {
  340. NTSTATUS Status;
  341. ULONG OptionValue = 0;
  343. PAGED_CODE();
  345. //
  346. // initialize the default value
  347. //
  349. SepAuditOptions.DoNotAuditCloseObjectEvents = FALSE;
  351. //
  352. // if the value is present and set to 1, set the global
  353. // auditing option accordingly
  354. //
  356. Status = SepRegQueryDwordValue(
  357. L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\AuditingOptions",
  358. L"DoNotAuditCloseObjectEvents",
  359. &OptionValue
  360. );
  362. if (NT_SUCCESS(Status) && OptionValue)
  363. {
  364. SepAuditOptions.DoNotAuditCloseObjectEvents = TRUE;
  365. }
  367. return;
  368. }