archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntos/se/adtinit.c

478 lines
9.3 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. adtinit.c
  9. Abstract:
  11. Auditing - Initialization Routines
  13. Author:
  15. Scott Birrell (ScottBi) November 12, 1991
  17. Environment:
  19. Kernel Mode only
  21. Revision History:
  23. --*/
  25. #include "pch.h"
  27. #pragma hdrstop
  30. #ifdef ALLOC_PRAGMA
  31. #pragma alloc_text(PAGE,SepAdtValidateAuditBounds)
  32. #pragma alloc_text(PAGE,SepAdtInitializeBounds)
  33. #pragma alloc_text(INIT,SepAdtInitializeCrashOnFail)
  34. #pragma alloc_text(INIT,SepAdtInitializePrivilegeAuditing)
  35. #pragma alloc_text(INIT,SepAdtInitializeAuditingOptions)
  36. #endif
  39. BOOLEAN
  40. SepAdtValidateAuditBounds(
  41. ULONG Upper,
  42. ULONG Lower
  43. )
  45. /*++
  47. Routine Description:
  49. Examines the audit queue high and low water mark values and performs
  50. a general sanity check on them.
  52. Arguments:
  54. Upper - High water mark.
  56. Lower - Low water mark.
  58. Return Value:
  60. TRUE - values are acceptable.
  62. FALSE - values are unacceptable.
  65. --*/
  67. {
  68. PAGED_CODE();
  70. if ( Lower >= Upper ) {
  71. return( FALSE );
  72. }
  74. if ( Lower < 16 ) {
  75. return( FALSE );
  76. }
  78. if ( (Upper - Lower) < 16 ) {
  79. return( FALSE );
  80. }
  82. return( TRUE );
  83. }
  86. VOID
  87. SepAdtInitializeBounds(
  88. VOID
  89. )
  91. /*++
  93. Routine Description:
  95. Queries the registry for the high and low water mark values for the
  96. audit log. If they are not found or are unacceptable, returns without
  97. modifying the current values, which are statically initialized.
  99. Arguments:
  101. None.
  103. Return Value:
  105. None.
  107. --*/
  109. {
  111. HANDLE KeyHandle;
  112. OBJECT_ATTRIBUTES ObjectAttributes;
  113. UNICODE_STRING KeyName;
  114. UNICODE_STRING ValueName;
  115. NTSTATUS Status;
  116. PSEP_AUDIT_BOUNDS AuditBounds;
  117. PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
  118. ULONG Length;
  120. PAGED_CODE();
  122. //
  123. // Get the high and low water marks out of the registry.
  124. //
  126. RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
  128. InitializeObjectAttributes(
  129. &ObjectAttributes,
  130. &KeyName,
  131. OBJ_CASE_INSENSITIVE,
  132. NULL,
  133. NULL
  134. );
  136. Status = NtOpenKey(
  137. &KeyHandle,
  138. KEY_QUERY_VALUE,
  139. &ObjectAttributes
  140. );
  142. if (!NT_SUCCESS( Status )) {
  144. //
  145. // Didn't work, take the defaults
  146. //
  148. return;
  149. }
  151. RtlInitUnicodeString( &ValueName, L"Bounds");
  153. Length = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) - sizeof( UCHAR ) + sizeof( SEP_AUDIT_BOUNDS );
  155. KeyValueInformation = ExAllocatePool( PagedPool, Length );
  157. if ( KeyValueInformation == NULL ) {
  159. NtClose( KeyHandle );
  160. return;
  161. }
  163. Status = NtQueryValueKey(
  164. KeyHandle,
  165. &ValueName,
  166. KeyValuePartialInformation,
  167. (PVOID)KeyValueInformation,
  168. Length,
  169. &Length
  170. );
  172. NtClose( KeyHandle );
  174. if (!NT_SUCCESS( Status )) {
  176. ExFreePool( KeyValueInformation );
  177. return;
  178. }
  181. AuditBounds = (PSEP_AUDIT_BOUNDS) &KeyValueInformation->Data;
  183. //
  184. // Sanity check what we got back
  185. //
  187. if(!SepAdtValidateAuditBounds( AuditBounds->UpperBound, AuditBounds->LowerBound )) {
  189. //
  190. // The values we got back are not to our liking. Use the defaults.
  191. //
  193. ExFreePool( KeyValueInformation );
  194. return;
  195. }
  197. //
  198. // Take what we got from the registry.
  199. //
  201. SepAdtMaxListLength = AuditBounds->UpperBound;
  202. SepAdtMinListLength = AuditBounds->LowerBound;
  204. ExFreePool( KeyValueInformation );
  206. return;
  207. }
  211. NTSTATUS
  212. SepAdtInitializeCrashOnFail(
  213. VOID
  214. )
  216. /*++
  218. Routine Description:
  220. Reads the registry to see if the user has told us to crash if an audit fails.
  222. Arguments:
  224. None.
  226. Return Value:
  228. STATUS_SUCCESS
  230. --*/
  232. {
  233. HANDLE KeyHandle;
  234. NTSTATUS Status;
  235. NTSTATUS TmpStatus;
  236. OBJECT_ATTRIBUTES Obja;
  237. ULONG ResultLength;
  238. UNICODE_STRING KeyName;
  239. UNICODE_STRING ValueName;
  240. CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
  241. PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
  243. PAGED_CODE();
  245. SepCrashOnAuditFail = FALSE;
  247. //
  248. // Check the value of the CrashOnAudit flag in the registry.
  249. //
  251. RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
  253. InitializeObjectAttributes( &Obja,
  254. &KeyName,
  255. OBJ_CASE_INSENSITIVE,
  256. NULL,
  257. NULL
  258. );
  260. Status = NtOpenKey(
  261. &KeyHandle,
  262. KEY_QUERY_VALUE | KEY_SET_VALUE,
  263. &Obja
  264. );
  266. if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
  267. return( STATUS_SUCCESS );
  268. }
  270. RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE );
  272. Status = NtQueryValueKey(
  273. KeyHandle,
  274. &ValueName,
  275. KeyValuePartialInformation,
  276. KeyInfo,
  277. sizeof(KeyInfo),
  278. &ResultLength
  279. );
  281. TmpStatus = NtClose(KeyHandle);
  282. ASSERT(NT_SUCCESS(TmpStatus));
  284. //
  285. // If the key isn't there, don't turn on CrashOnFail.
  286. //
  288. if (NT_SUCCESS( Status )) {
  290. pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
  291. if ((UCHAR) *(pKeyInfo->Data) == LSAP_CRASH_ON_AUDIT_FAIL) {
  292. SepCrashOnAuditFail = TRUE;
  293. }
  294. }
  296. return( STATUS_SUCCESS );
  297. }
  300. BOOLEAN
  301. SepAdtInitializePrivilegeAuditing(
  302. VOID
  303. )
  305. /*++
  307. Routine Description:
  309. Checks to see if there is an entry in the registry telling us to do full privilege auditing
  310. (which currently means audit everything we normall audit, plus backup and restore privileges).
  312. Arguments:
  314. None
  316. Return Value:
  318. BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
  320. --*/
  322. {
  323. HANDLE KeyHandle;
  324. NTSTATUS Status;
  325. NTSTATUS TmpStatus;
  326. OBJECT_ATTRIBUTES Obja;
  327. ULONG ResultLength;
  328. UNICODE_STRING KeyName;
  329. UNICODE_STRING ValueName;
  330. CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
  331. PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
  332. BOOLEAN Verbose;
  334. PAGED_CODE();
  336. //
  337. // Query the registry to set up the privilege auditing filter.
  338. //
  340. RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
  342. InitializeObjectAttributes( &Obja,
  343. &KeyName,
  344. OBJ_CASE_INSENSITIVE,
  345. NULL,
  346. NULL
  347. );
  349. Status = NtOpenKey(
  350. &KeyHandle,
  351. KEY_QUERY_VALUE | KEY_SET_VALUE,
  352. &Obja
  353. );
  356. if (!NT_SUCCESS( Status )) {
  358. if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
  360. return ( SepInitializePrivilegeFilter( FALSE ));
  362. } else {
  364. return( FALSE );
  365. }
  366. }
  368. RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING );
  370. Status = NtQueryValueKey(
  371. KeyHandle,
  372. &ValueName,
  373. KeyValuePartialInformation,
  374. KeyInfo,
  375. sizeof(KeyInfo),
  376. &ResultLength
  377. );
  379. TmpStatus = NtClose(KeyHandle);
  380. ASSERT(NT_SUCCESS(TmpStatus));
  382. if (!NT_SUCCESS( Status )) {
  384. Verbose = FALSE;
  386. } else {
  388. pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
  389. Verbose = (BOOLEAN) *(pKeyInfo->Data);
  390. }
  392. return ( SepInitializePrivilegeFilter( Verbose ));
  393. }
  396. VOID
  397. SepAdtInitializeAuditingOptions(
  398. VOID
  399. )
  401. /*++
  403. Routine Description:
  405. Initialize options that control auditing.
  406. (please refer to note in adtp.h near the def. of SEP_AUDIT_OPTIONS)
  408. Arguments:
  410. None
  412. Return Value:
  414. None
  416. --*/
  418. {
  419. HANDLE KeyHandle;
  420. NTSTATUS Status;
  421. NTSTATUS TmpStatus;
  422. OBJECT_ATTRIBUTES Obja;
  423. ULONG ResultLength;
  424. UNICODE_STRING KeyName;
  425. UNICODE_STRING ValueName;
  426. CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
  428. PAGED_CODE();
  430. //
  431. // Query the registry
  432. //
  433. RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\AuditingOptions");
  435. InitializeObjectAttributes( &Obja,
  436. &KeyName,
  437. OBJ_CASE_INSENSITIVE,
  438. NULL,
  439. NULL
  440. );
  442. Status = NtOpenKey(
  443. &KeyHandle,
  444. KEY_QUERY_VALUE,
  445. &Obja
  446. );
  449. if (!NT_SUCCESS( Status )) {
  451. goto Cleanup;
  452. }
  454. RtlInitUnicodeString( &ValueName, L"DoNotAuditCloseObjectEvents" );
  456. Status = NtQueryValueKey(
  457. KeyHandle,
  458. &ValueName,
  459. KeyValuePartialInformation,
  460. KeyInfo,
  461. sizeof(KeyInfo),
  462. &ResultLength
  463. );
  465. TmpStatus = NtClose(KeyHandle);
  466. ASSERT(NT_SUCCESS(TmpStatus));
  468. if (NT_SUCCESS( Status )) {
  469. //
  470. // we check for the presence of this value, its value does not matter
  471. //
  472. SepAuditOptions.DoNotAuditCloseObjectEvents = TRUE;
  473. }
  475. Cleanup:
  477. return;
  478. }