You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
245 lines
6.8 KiB
245 lines
6.8 KiB
/****************************** Module Header ******************************\
|
|
* Module Name: audit.c
|
|
*
|
|
* Copyright (c) 1991, Microsoft Corporation
|
|
*
|
|
* Implementation of routines that access/manipulate the system audit log
|
|
*
|
|
* History:
|
|
* 12-09-91 Davidc Created.
|
|
* 5-6-92 DaveHart Fleshed out.
|
|
\***************************************************************************/
|
|
|
|
#include "msgina.h"
|
|
|
|
#include "authzi.h"
|
|
#include "msaudite.h"
|
|
|
|
/***************************************************************************\
|
|
* GetAuditLogStatus
|
|
*
|
|
* Purpose : Fills the global data with audit log status information
|
|
*
|
|
* Returns: TRUE on success, FALSE on failure
|
|
*
|
|
* History:
|
|
* 12-09-91 Davidc Created.
|
|
* 5-6-92 DaveHart Fleshed out.
|
|
\***************************************************************************/
|
|
|
|
BOOL
|
|
GetAuditLogStatus(
|
|
PGLOBALS pGlobals
|
|
)
|
|
{
|
|
EVENTLOG_FULL_INFORMATION EventLogFullInformation;
|
|
DWORD dwBytesNeeded;
|
|
HANDLE AuditLogHandle;
|
|
|
|
|
|
|
|
//
|
|
// Assume the log is not full. If we can't get to EventLog, tough.
|
|
//
|
|
|
|
pGlobals->AuditLogFull = FALSE;
|
|
|
|
AuditLogHandle = OpenEventLog( NULL, TEXT("Security"));
|
|
|
|
if (AuditLogHandle) {
|
|
if (GetEventLogInformation(AuditLogHandle,
|
|
EVENTLOG_FULL_INFO,
|
|
&EventLogFullInformation,
|
|
sizeof(EventLogFullInformation),
|
|
&dwBytesNeeded ) ) {
|
|
if (EventLogFullInformation.dwFull != FALSE) {
|
|
pGlobals->AuditLogFull = TRUE;
|
|
}
|
|
}
|
|
CloseEventLog(AuditLogHandle);
|
|
}
|
|
|
|
|
|
//
|
|
// There's no way in the current event logger to tell how full the log
|
|
// is, always indicate we're NOT near full.
|
|
//
|
|
|
|
pGlobals->AuditLogNearFull = FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
|
|
/***************************************************************************\
|
|
* DisableAuditing
|
|
*
|
|
* Purpose : Disable auditing via LSA.
|
|
*
|
|
* Returns: TRUE on success, FALSE on failure
|
|
*
|
|
* History:
|
|
* 5-6-92 DaveHart Created.
|
|
\***************************************************************************/
|
|
|
|
BOOL
|
|
DisableAuditing()
|
|
{
|
|
NTSTATUS Status, IgnoreStatus;
|
|
PPOLICY_AUDIT_EVENTS_INFO AuditInfo;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
|
|
LSA_HANDLE PolicyHandle;
|
|
|
|
//
|
|
// Set up the Security Quality Of Service for connecting to the
|
|
// LSA policy object.
|
|
//
|
|
|
|
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
|
|
SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
|
|
SecurityQualityOfService.EffectiveOnly = FALSE;
|
|
|
|
//
|
|
// Set up the object attributes to open the Lsa policy object
|
|
//
|
|
|
|
InitializeObjectAttributes(
|
|
&ObjectAttributes,
|
|
NULL,
|
|
0L,
|
|
NULL,
|
|
NULL
|
|
);
|
|
ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
|
|
|
|
//
|
|
// Open the local LSA policy object
|
|
//
|
|
|
|
Status = LsaOpenPolicy(
|
|
NULL,
|
|
&ObjectAttributes,
|
|
POLICY_VIEW_AUDIT_INFORMATION | POLICY_SET_AUDIT_REQUIREMENTS,
|
|
&PolicyHandle
|
|
);
|
|
if (!NT_SUCCESS(Status)) {
|
|
DebugLog((DEB_ERROR, "Failed to open LsaPolicyObject Status = 0x%lx", Status));
|
|
return FALSE;
|
|
}
|
|
|
|
Status = LsaQueryInformationPolicy(
|
|
PolicyHandle,
|
|
PolicyAuditEventsInformation,
|
|
(PVOID *)&AuditInfo
|
|
);
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
IgnoreStatus = LsaClose(PolicyHandle);
|
|
ASSERT(NT_SUCCESS(IgnoreStatus));
|
|
|
|
DebugLog((DEB_ERROR, "Failed to query audit event info Status = 0x%lx", Status));
|
|
return FALSE;
|
|
}
|
|
|
|
if (AuditInfo->AuditingMode) {
|
|
|
|
AuditInfo->AuditingMode = FALSE;
|
|
|
|
Status = LsaSetInformationPolicy(
|
|
PolicyHandle,
|
|
PolicyAuditEventsInformation,
|
|
AuditInfo
|
|
);
|
|
} else {
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
IgnoreStatus = LsaFreeMemory(AuditInfo);
|
|
ASSERT(NT_SUCCESS(IgnoreStatus));
|
|
|
|
IgnoreStatus = LsaClose(PolicyHandle);
|
|
ASSERT(NT_SUCCESS(IgnoreStatus));
|
|
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
DebugLog((DEB_ERROR, "Failed to disable auditing Status = 0x%lx", Status));
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
DWORD
|
|
GenerateCachedUnlockAudit(
|
|
IN PSID pUserSid,
|
|
IN PCWSTR pszUser,
|
|
IN PCWSTR pszDomain
|
|
)
|
|
{
|
|
DWORD dwRet = ERROR_SUCCESS;
|
|
|
|
WCHAR szComputerName[CNLEN + sizeof('\0')] = L"-";
|
|
DWORD dwComputerNameSize = ARRAYSIZE(szComputerName);
|
|
|
|
LUID Luid;
|
|
LUID SystemLuid = SYSTEM_LUID;
|
|
|
|
if( !pUserSid || !pszUser )
|
|
{
|
|
DebugLog((DEB_ERROR, "GenerateCachedUnlockAudit got invalid parameters"));
|
|
ASSERT(FALSE);
|
|
dwRet = ERROR_INVALID_PARAMETER;
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
//
|
|
// Generate a locally unique id to include in the logon sid
|
|
// Note that this is a dummy SID. We don't want to use the logon
|
|
// LUID as this is specific to logon/logoff. Also a NULL LUID
|
|
// is seen as meaningless, so we have to generate a random one
|
|
//
|
|
if( !AllocateLocallyUniqueId(&Luid) )
|
|
{
|
|
dwRet = GetLastError();
|
|
DebugLog((DEB_ERROR, "AllocateLocallyUniqueId failed, error = 0x%lx", dwRet));
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
//
|
|
// Ignore the failure
|
|
//
|
|
GetComputerName(szComputerName, &dwComputerNameSize);
|
|
|
|
if( !AuthziSourceAudit(
|
|
APF_AuditSuccess,
|
|
SE_CATEGID_LOGON, //category id
|
|
SE_AUDITID_SUCCESSFUL_LOGON, //audit id
|
|
L"Security",
|
|
pUserSid, //the user sid
|
|
12, //count for va section
|
|
APT_String, pszUser,
|
|
APT_String, pszDomain ? pszDomain : L"-",
|
|
APT_Luid, Luid,
|
|
APT_Ulong, CachedUnlock,
|
|
APT_String, L"Winlogon",
|
|
APT_String, L"Winlogon unlock cache",
|
|
APT_String, szComputerName,
|
|
APT_String, L"-",
|
|
APT_String, L"SYSTEM",
|
|
APT_String, L"NT AUTHORITY",
|
|
APT_Luid, SystemLuid,
|
|
APT_Ulong, GetCurrentProcessId()
|
|
) )
|
|
{
|
|
DebugLog((DEB_ERROR, "AuthziSourceAudit failed, error = 0x%lx", dwRet));
|
|
dwRet = GetLastError();
|
|
}
|
|
|
|
ErrorReturn:
|
|
return dwRet;
|
|
}
|