archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntos/se/rmaudit.c

206 lines
4.9 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. rmaudit.c
  9. Abstract:
  11. This module contains the Reference Monitor Auditing Command Workers.
  12. These workers call functions in the Auditing sub-component to do the real
  13. work.
  15. Author:
  17. Scott Birrell (ScottBi) November 14,1991
  19. Environment:
  21. Kernel mode only.
  23. Revision History:
  25. --*/
  27. #include "pch.h"
  29. #pragma hdrstop
  31. VOID
  32. SepRmSetAuditLogWrkr(
  33. IN PRM_COMMAND_MESSAGE CommandMessage,
  34. OUT PRM_REPLY_MESSAGE ReplyMessage
  35. );
  38. #ifdef ALLOC_PRAGMA
  39. #pragma alloc_text(PAGE,SepRmSetAuditEventWrkr)
  40. #pragma alloc_text(PAGE,SepRmSetAuditLogWrkr)
  41. #endif
  45. VOID
  46. SepRmSetAuditEventWrkr(
  47. IN PRM_COMMAND_MESSAGE CommandMessage,
  48. OUT PRM_REPLY_MESSAGE ReplyMessage
  49. )
  51. /*++
  53. Routine Description:
  55. This function carries out the Reference Monitor Set Audit Event
  56. Command. This command enables or disables auditing and optionally
  57. sets the auditing events.
  60. Arguments:
  62. CommandMessage - Pointer to structure containing RM command message
  63. information consisting of an LPC PORT_MESSAGE structure followed
  64. by the command number (RmSetAuditStateCommand) and a single command
  65. parameter in structure form.
  67. ReplyMessage - Pointer to structure containing RM reply message
  68. information consisting of an LPC PORT_MESSAGE structure followed
  69. by the command ReturnedStatus field in which a status code from the
  70. command will be returned.
  72. Return Value:
  74. VOID
  76. --*/
  78. {
  80. PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
  81. POLICY_AUDIT_EVENT_TYPE EventType;
  83. PAGED_CODE();
  85. SepAdtInitializeBounds();
  87. ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
  89. //
  90. // Strict check that command is correct one for this worker.
  91. //
  93. ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand );
  95. //
  96. // Extract the AuditingMode flag and put it in the right place.
  97. //
  99. SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
  100. AuditingMode);
  102. //
  103. // For each element in the passed array, process changes to audit
  104. // nothing, and then success or failure flags.
  105. //
  107. EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
  108. EventAuditingOptions;
  111. for ( EventType=AuditEventMinType;
  112. EventType <= AuditEventMaxType;
  113. EventType++ ) {
  115. SeAuditingState[EventType].AuditOnSuccess = FALSE;
  116. SeAuditingState[EventType].AuditOnFailure = FALSE;
  118. if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) {
  120. SeAuditingState[EventType].AuditOnSuccess = TRUE;
  121. }
  123. if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) {
  125. SeAuditingState[EventType].AuditOnFailure = TRUE;
  126. }
  127. }
  129. //
  130. // Set the flag to indicate that we're auditing detailed events.
  131. // This is merely a timesaver so we can skip auditing setup in
  132. // time critical places like process creation.
  133. //
  135. //
  136. // Despite what the UI may imply, we never audit failures for detailed events, since
  137. // none of them can fail for security related reasons, and we're not interested in
  138. // auditing out of memory errors and stuff like that. So just set this flag when
  139. // they want to see successes and ignore the failure case.
  140. //
  141. // We may have to revisit this someday.
  142. //
  144. if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) {
  146. SeDetailedAuditing = TRUE;
  148. } else {
  150. SeDetailedAuditing = FALSE;
  151. }
  153. return;
  154. }
  158. VOID
  159. SepRmSetAuditLogWrkr(
  160. IN PRM_COMMAND_MESSAGE CommandMessage,
  161. OUT PRM_REPLY_MESSAGE ReplyMessage
  162. )
  164. /*++
  166. Routine Description:
  168. This function carries out the Reference Monitor Set Audit Log
  169. Command. This command stores parameters related to the Audit Log.
  171. Arguments:
  173. CommandMessage - Pointer to structure containing RM command message
  174. information consisting of an LPC PORT_MESSAGE structure followed
  175. by the command number (RmSetAuditStateCommand) and a single command
  176. parameter in structure form.
  178. ReplyMessage - Pointer to structure containing RM reply message
  179. information consisting of an LPC PORT_MESSAGE structure followed
  180. by the command ReturnedStatus field in which a status code from the
  181. command will be returned.
  183. Return Value:
  185. None. A status code is returned in ReplyMessage->ReturnedStatus
  187. --*/
  189. {
  190. PAGED_CODE();
  192. #if DBG
  193. DbgPrint("Security: RM Set Audit Log Command Received\n");
  194. #endif
  196. //
  197. // Call private function in Auditing Sub-component to do the work.
  198. //
  200. SepAdtSetAuditLogInformation(
  201. (PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams
  202. );
  204. ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
  205. }