Leaked source code of windows server 2003
/****************************** Module Header ******************************\
* Module Name: audit.c
*
* Copyright (c) 1991, Microsoft Corporation
*
* Implementation of routines that access/manipulate the system audit log
*
* History:
* 12-09-91 Davidc Created.
* 5-6-92 DaveHart Fleshed out.
\***************************************************************************/
#include "msgina.h"
#include "authzi.h"
#include "msaudite.h"
/***************************************************************************\
* GetAuditLogStatus
*
* Purpose : Records in the global data whether the local "Security" event
*           log currently reports itself as full.
*
* Arguments:
*   pGlobals - receives the result in AuditLogFull and AuditLogNearFull.
*              It is dereferenced without a NULL check.
*
* Returns: Always TRUE. A failure to open or query the log is not
*          reported to the caller.
*
* Notes:
*   AuditLogFull is cleared up front and is only set when the event log
*   explicitly reports dwFull != FALSE. If the log cannot be opened or
*   queried the flag stays FALSE, so "not full" and "could not tell" look
*   the same to the caller. Code that gates a decision on AuditLogFull
*   therefore fails open when the event log service is unreachable.
*
* History:
* 12-09-91 Davidc Created.
* 5-6-92 DaveHart Fleshed out.
\***************************************************************************/
BOOL
GetAuditLogStatus(
    PGLOBALS pGlobals
    )
{
    EVENTLOG_FULL_INFORMATION FullInfo;
    DWORD cbNeeded;
    HANDLE hSecurityLog;
    BOOL fQueried;

    //
    // Default to "not full"; this value survives every failure path below.
    //
    pGlobals->AuditLogFull = FALSE;

    //
    // NULL server name: the Security log of the local machine.
    //
    hSecurityLog = OpenEventLog( NULL, TEXT("Security"));

    if (hSecurityLog != NULL) {

        fQueried = GetEventLogInformation(hSecurityLog,
                                          EVENTLOG_FULL_INFO,
                                          &FullInfo,
                                          sizeof(FullInfo),
                                          &cbNeeded );

        //
        // FullInfo is only meaningful when the query succeeded, so test
        // the result first.
        //
        if (fQueried && FullInfo.dwFull != FALSE) {
            pGlobals->AuditLogFull = TRUE;
        }

        CloseEventLog(hSecurityLog);
    }

    //
    // The event logger offers no "how full" query, so the near-full
    // indicator is never raised.
    //
    pGlobals->AuditLogNearFull = FALSE;

    return TRUE;
}
/***************************************************************************\
* DisableAuditing
*
* Purpose : Disable auditing via LSA. Opens the local LSA policy object,
*           reads the audit-events policy and, if AuditingMode is set,
*           clears it and writes the policy back.
*
* Returns: TRUE if auditing was already off or was switched off.
*          FALSE if the policy could not be opened, queried or updated.
*
* Notes:
*   This changes the machine's audit policy, not a per-session setting.
*   The routine itself writes no audit record and only emits a debug log
*   line on failure; whether the policy change is recorded elsewhere
*   cannot be determined from this function. The policy handle is
*   requested with POLICY_VIEW_AUDIT_INFORMATION and
*   POLICY_SET_AUDIT_REQUIREMENTS only.
*
* History:
* 5-6-92 DaveHart Created.
\***************************************************************************/
BOOL
DisableAuditing()
{
    NTSTATUS Status, CleanupStatus;
    PPOLICY_AUDIT_EVENTS_INFO AuditInfo;
    OBJECT_ATTRIBUTES ObjectAttributes;
    SECURITY_QUALITY_OF_SERVICE Qos;
    LSA_HANDLE PolicyHandle;

    //
    // Object attributes for the LSA policy open: no name, no root, no
    // security descriptor; only the quality-of-service block is attached.
    //
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0L, NULL, NULL);

    Qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
    Qos.ImpersonationLevel = SecurityImpersonation;
    Qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    Qos.EffectiveOnly = FALSE;

    ObjectAttributes.SecurityQualityOfService = &Qos;

    //
    // NULL system name: open the policy object of the local machine.
    //
    Status = LsaOpenPolicy(
                 NULL,
                 &ObjectAttributes,
                 POLICY_VIEW_AUDIT_INFORMATION | POLICY_SET_AUDIT_REQUIREMENTS,
                 &PolicyHandle
                 );

    if (!NT_SUCCESS(Status)) {
        DebugLog((DEB_ERROR, "Failed to open LsaPolicyObject Status = 0x%lx", Status));
        return FALSE;
    }

    //
    // Fetch the current audit-events policy. On success AuditInfo points
    // at an LSA-allocated buffer that is released with LsaFreeMemory below.
    //
    Status = LsaQueryInformationPolicy(
                 PolicyHandle,
                 PolicyAuditEventsInformation,
                 (PVOID *)&AuditInfo
                 );

    if (!NT_SUCCESS(Status)) {
        CleanupStatus = LsaClose(PolicyHandle);
        ASSERT(NT_SUCCESS(CleanupStatus));

        DebugLog((DEB_ERROR, "Failed to query audit event info Status = 0x%lx", Status));
        return FALSE;
    }

    //
    // Only write the policy back when auditing is currently enabled;
    // otherwise there is nothing to change and the call counts as success.
    //
    Status = STATUS_SUCCESS;

    if (AuditInfo->AuditingMode) {
        AuditInfo->AuditingMode = FALSE;

        Status = LsaSetInformationPolicy(
                     PolicyHandle,
                     PolicyAuditEventsInformation,
                     AuditInfo
                     );
    }

    //
    // Release the policy buffer and the handle on every path from here on;
    // cleanup failures are asserted on but do not change the result.
    //
    CleanupStatus = LsaFreeMemory(AuditInfo);
    ASSERT(NT_SUCCESS(CleanupStatus));

    CleanupStatus = LsaClose(PolicyHandle);
    ASSERT(NT_SUCCESS(CleanupStatus));

    if (NT_SUCCESS(Status)) {
        return TRUE;
    }

    DebugLog((DEB_ERROR, "Failed to disable auditing Status = 0x%lx", Status));
    return FALSE;
}
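/***************************************************************************\
* GenerateCachedUnlockAudit
*
* Purpose : Writes a success audit (category SE_CATEGID_LOGON, audit id
*           SE_AUDITID_SUCCESSFUL_LOGON, value CachedUnlock) to the
*           "Security" source for the given user.
*
* Arguments:
*   pUserSid  - SID of the user the audit is generated for. Required.
*   pszUser   - user name written into the audit. Required.
*   pszDomain - domain name written into the audit; may be NULL, in
*               which case "-" is logged instead.
*
* Returns: ERROR_SUCCESS if the audit was generated,
*          ERROR_INVALID_PARAMETER if pUserSid or pszUser is NULL,
*          otherwise the GetLastError() value of the call that failed.
*
* Notes:
*   The LUID placed in the record is freshly allocated here and is not the
*   LUID of the user's logon session, so this event cannot be correlated
*   with the original logon/logoff events through that field.
\***************************************************************************/
DWORD
GenerateCachedUnlockAudit(
    IN PSID pUserSid,
    IN PCWSTR pszUser,
    IN PCWSTR pszDomain
    )
{
    DWORD dwRet = ERROR_SUCCESS;

    //
    // Pre-set to L"-" as the fallback value should the computer name
    // lookup below fail. In C a character constant has type int, so
    // sizeof('\0') is sizeof(int) rather than 1; the buffer is somewhat
    // larger than CNLEN + 1, which is harmless.
    //
    WCHAR szComputerName[CNLEN + sizeof('\0')] = L"-";
    DWORD dwComputerNameSize = ARRAYSIZE(szComputerName);
    LUID Luid;
    LUID SystemLuid = SYSTEM_LUID;

    if( !pUserSid || !pszUser )
    {
        DebugLog((DEB_ERROR, "GenerateCachedUnlockAudit got invalid parameters"));
        ASSERT(FALSE);
        dwRet = ERROR_INVALID_PARAMETER;
        goto ErrorReturn;
    }

    //
    // Generate a locally unique id to include in the audit record.
    // This is a dummy value: the logon LUID is not used because it is
    // specific to logon/logoff, and a NULL LUID is seen as meaningless,
    // so a fresh one is allocated instead.
    //
    if( !AllocateLocallyUniqueId(&Luid) )
    {
        dwRet = GetLastError();
        DebugLog((DEB_ERROR, "AllocateLocallyUniqueId failed, error = 0x%lx", dwRet));
        goto ErrorReturn;
    }

    //
    // Best effort: the return value is deliberately ignored.
    //
    GetComputerName(szComputerName, &dwComputerNameSize);

    //
    // The count argument (12) must match the number of APT_* type/value
    // pairs that follow it.
    // NOTE(review): the pairs presumably follow the parameter order of the
    // successful-logon event definition - confirm against msaudite.h.
    //
    if( !AuthziSourceAudit(
            APF_AuditSuccess,
            SE_CATEGID_LOGON,               //category id
            SE_AUDITID_SUCCESSFUL_LOGON,    //audit id
            L"Security",
            pUserSid,                       //the user sid
            12,                             //count for va section
            APT_String,     pszUser,
            APT_String,     pszDomain ? pszDomain : L"-",
            APT_Luid,       Luid,
            APT_Ulong,      CachedUnlock,
            APT_String,     L"Winlogon",
            APT_String,     L"Winlogon unlock cache",
            APT_String,     szComputerName,
            APT_String,     L"-",
            APT_String,     L"SYSTEM",
            APT_String,     L"NT AUTHORITY",
            APT_Luid,       SystemLuid,
            APT_Ulong,      GetCurrentProcessId()
            ) )
    {
        //
        // Read the error code before logging. The original logged dwRet
        // while it still held ERROR_SUCCESS, and called GetLastError()
        // only after DebugLog had run, which may have changed the
        // thread's last-error value.
        //
        dwRet = GetLastError();
        DebugLog((DEB_ERROR, "AuthziSourceAudit failed, error = 0x%lx", dwRet));
    }

ErrorReturn:
    return dwRet;
}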