Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

605 lines
14 KiB

  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A D T U T I L . C
  8. //
  9. // Contents: Functions to test generic audit support in LSA
  10. //
  11. //
  12. // History:
  13. // 07-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  16. #include "pch.h"
  17. #pragma hdrstop
  18. #include "authz.h"
  19. #include "authzi.h"
  20. #include "adtgen.h"
  21. //
  22. // defining USE_LOCAL_AUDIT causes audits to be processed in proc
  23. // instead of being sent to lsa. This allows much faster debug
  24. // cycle since LSA is not involved. The audit marshal/process code
  25. // is taken directly from LSA. Thus the same code path is exercised
  26. // as that when this is not defined.
  27. //
  28. //#define USE_LOCAL_AUDIT
  29. #ifdef USE_LOCAL_AUDIT
  30. #include "\nt\ds\security\base\lsa\server\cfiles\adtgenp.h"
  31. #endif
  32. // ----------------------------------------------------------------------
  33. //
  34. // forward declarations
  35. //
  36. DWORD
  37. EnableSinglePrivilege(
  38. IN PWCHAR szPrivName
  39. );
  40. // ----------------------------------------------------------------------
  41. EXTERN_C
  42. DWORD
  43. TestEventGen( ULONG NumIter )
  44. {
  45. NTSTATUS Status = STATUS_SUCCESS;
  46. DWORD dwError=NO_ERROR;
  47. HANDLE hAudit = NULL;
  48. AUDIT_PARAMS AuditParams;
  49. AUDIT_PARAM ParamArray[SE_MAX_AUDIT_PARAMETERS];
  50. PSID pUserSid = NULL;
  51. AUTHZ_AUDIT_EVENT_TYPE_LEGACY AuditEventInfoLegacy = { 0 };
  52. //AUDIT_EVENT_INFO AuditEventInfo = { 0 };
  53. AUTHZ_AUDIT_EVENT_TYPE_OLD AuditEventType;
  54. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hEventType = NULL;
  55. BOOL fDone=FALSE;
  56. PWSTR szMsg = NULL;
  57. BOOL fResult;
  58. AUDIT_OBJECT_TYPE Objects[3] =
  59. {
  60. {
  61. { /* f3548725-0458-11d4-bd96-006008269001 */
  62. 0xf3548725,
  63. 0x0458,
  64. 0x11d4,
  65. {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
  66. },
  67. 0, 0, STANDARD_RIGHTS_ALL
  68. },
  69. {
  70. { /* f3548726-0458-11d4-bd96-006008269001 */
  71. 0xf3548726,
  72. 0x0458,
  73. 0x11d4,
  74. {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
  75. },
  76. 0, 1, STANDARD_RIGHTS_ALL
  77. },
  78. {
  79. { /* f3548727-0458-11d4-bd96-006008269001 */
  80. 0xf3548727,
  81. 0x0458,
  82. 0x11d4,
  83. {0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
  84. },
  85. 0, 2, STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY
  86. },
  87. };
  88. AUDIT_OBJECT_TYPES ObjectTypes =
  89. {
  90. 3, 0, Objects
  91. };
  92. AuditParams.Parameters = ParamArray;
  93. wprintf(L"[%03d] begin...\n", GetCurrentThreadId());
  94. // AuditEventInfo.Version = AUDIT_TYPE_LEGACY;
  95. // //AuditEventInfo.u.Legacy = &AuditEventInfoLegacy;
  96. // AuditEventInfo.u.Legacy.CategoryId = SE_CATEGID_OBJECT_ACCESS;
  97. // AuditEventInfo.u.Legacy.AuditId = SE_AUDITID_OBJECT_OPERATION;
  98. // AuditEventInfo.u.Legacy.ParameterCount = 11;
  99. fResult = AuthziInitializeAuditEventType(
  100. 0,
  101. SE_CATEGID_OBJECT_ACCESS,
  102. SE_AUDITID_OBJECT_OPERATION,
  103. 11,
  104. &hEventType
  105. );
  106. if ( !fResult )
  107. {
  108. szMsg = L"AuthziInitializeAuditEventType";
  109. goto Cleanup;
  110. }
  111. #ifdef USE_LOCAL_AUDIT
  112. Status = LsapRegisterAuditEvent( &AuditEventInfo, &hAudit );
  113. if (!NT_SUCCESS(Status))
  114. {
  115. szMsg = L"LsapRegisterAuditEvent";
  116. goto Cleanup;
  117. }
  118. #else
  119. // fResult = AuthzpRegisterAuditEvent( &AuditEventInfo, &hAudit );
  120. // if (!fResult)
  121. // {
  122. // szMsg = L"AuthzRegisterAuditEvent";
  123. // goto Cleanup;
  124. // }
  125. #endif
  126. //
  127. // initialize the AuditParams structure
  128. //
  129. // fResult = AuthziInitializeAuditParams(
  130. // //
  131. // // flags
  132. // //
  133. // 0,
  134. // &AuditParams,
  135. // //
  136. // // sid of the user generating this audit
  137. // //
  138. // &pUserSid,
  139. // //
  140. // // resource manager name
  141. // //
  142. // L"mysubsystem",
  143. // //
  144. // // generate a success audit
  145. // //
  146. // APF_AuditSuccess,
  147. // //
  148. // // there are 9 params to follow
  149. // //
  150. // 9,
  151. // //
  152. // // operation type
  153. // //
  154. // APT_String, L"test",
  155. // //
  156. // // object type
  157. // //
  158. // APT_String, L"File",
  159. // //
  160. // // object name
  161. // //
  162. // APT_String, L"foo-obj",
  163. // //
  164. // // handle id
  165. // //
  166. // APT_Pointer, 0x123,
  167. // //
  168. // // primary user info
  169. // //
  170. // APT_LogonId | AP_PrimaryLogonId,
  171. // //
  172. // // client user info
  173. // //
  174. // APT_LogonId | AP_ClientLogonId,
  175. // //
  176. // // requested accesses
  177. // // 1 refers to 0 based index of the
  178. // // parameter (object-type) that is
  179. // // passed to this function.
  180. // //
  181. // APT_Ulong | AP_AccessMask,
  182. // STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, 1,
  183. // //
  184. // // object properties
  185. // // 1 refers to 0 based index of the
  186. // // parameter (object-type) that is
  187. // // passed to this function.
  188. // //
  189. // APT_ObjectTypeList, &ObjectTypes, 1,
  190. // //
  191. // // additional info
  192. // //
  193. // APT_String, L"this is not a real obj-opn"
  194. // );
  195. // if (!fResult)
  196. // {
  197. // #ifdef USE_LOCAL_AUDIT
  198. // Status = STATUS_UNSUCCESSFUL;
  199. // wprintf(L"[%03d] AuthzInitAuditParams: %x\n",
  200. // GetCurrentThreadId(), GetLastError());
  201. // #endif
  202. // szMsg = L"AuthzInitAuditParams";
  203. // goto Cleanup;
  204. // }
  205. for (ULONG i=0; i<NumIter; i++)
  206. {
  207. Sleep( 10 );
  208. #ifdef USE_LOCAL_AUDIT
  209. Status = LsapGenAuditEvent( hAudit, 0, &AuditParams, 0 );
  210. if (!NT_SUCCESS(Status))
  211. {
  212. szMsg = L"LsapGenAuditEvent";
  213. goto Cleanup;
  214. }
  215. #else
  216. // fResult = AuthzGenAuditEvent( hAudit, 0, &AuditParams, 0 );
  217. // if (!fResult)
  218. // {
  219. // szMsg = L"AuthzGenAuditEvent";
  220. // goto Cleanup;
  221. // }
  222. #endif
  223. }
  224. Cleanup:
  225. #ifdef USE_LOCAL_AUDIT
  226. if (!NT_SUCCESS(Status))
  227. {
  228. dwError = Status;
  229. }
  230. #else
  231. if (!fResult)
  232. {
  233. dwError = GetLastError();
  234. }
  235. #endif
  236. wprintf(L"[%03d] end: %s %x\n",
  237. GetCurrentThreadId(), szMsg ? szMsg : L"", dwError);
  238. LocalFree( pUserSid );
  239. if ( hAudit )
  240. {
  241. #ifdef USE_LOCAL_AUDIT
  242. Status = LsapUnregisterAuditEvent( &hAudit );
  243. if (!NT_SUCCESS(Status))
  244. {
  245. wprintf (L"LsapUnregisterAuditEvent: %x\n", Status);
  246. }
  247. #else
  248. fResult = AuthziFreeAuditEventType( hEventType );
  249. if (!fResult)
  250. {
  251. dwError = GetLastError();
  252. wprintf (L"AuthziFreeAuditEventType: %x\n", dwError);
  253. }
  254. #endif
  255. }
  256. return dwError;
  257. }
  258. DWORD WINAPI TestEventGenThreadProc( PVOID p )
  259. {
  260. TestEventGen( (ULONG) (ULONG_PTR) p );
  261. return 0;
  262. }
  263. DWORD WaitForTonsOfObjects(
  264. IN DWORD dwNumThreads,
  265. IN HANDLE* phThreads,
  266. IN BOOL fWaitAll,
  267. IN DWORD dwMilliseconds
  268. )
  269. {
  270. LONG dwNumBundles=dwNumThreads / MAXIMUM_WAIT_OBJECTS;
  271. DWORD dwRem = dwNumThreads % MAXIMUM_WAIT_OBJECTS;
  272. DWORD dwError = NO_ERROR;
  273. for (LONG i=0; i<dwNumBundles-1; i++)
  274. {
  275. dwError = WaitForMultipleObjects( MAXIMUM_WAIT_OBJECTS,
  276. &phThreads[i*MAXIMUM_WAIT_OBJECTS],
  277. fWaitAll,
  278. dwMilliseconds );
  279. if ( dwError == WAIT_FAILED )
  280. {
  281. goto Cleanup;
  282. }
  283. }
  284. dwError = WaitForMultipleObjects( dwRem,
  285. &phThreads[i*MAXIMUM_WAIT_OBJECTS],
  286. fWaitAll,
  287. dwMilliseconds );
  288. Cleanup:
  289. return dwError;
  290. }
  291. EXTERN_C
  292. NTSTATUS
  293. TestEventGenMulti(
  294. IN USHORT NumThreads,
  295. IN ULONG NumIter
  296. )
  297. {
  298. NTSTATUS Status = STATUS_SUCCESS;
  299. HANDLE* phThreads = NULL;
  300. DWORD* pdwThreadIds = NULL;
  301. PWSTR szMsg = NULL;
  302. DWORD dwError;
  303. #ifdef USE_LOCAL_AUDIT
  304. Status = LsapAdtInitGenericAudits();
  305. if (!NT_SUCCESS(Status))
  306. {
  307. goto Cleanup;
  308. }
  309. #endif
  310. dwError = EnableSinglePrivilege( SE_AUDIT_NAME );
  311. if ( dwError != NO_ERROR )
  312. {
  313. szMsg = L"EnableSinglePrivilege: SeAuditPrivilege";
  314. Status = dwError;
  315. goto Cleanup;
  316. }
  317. phThreads = (HANDLE*) LocalAlloc( LMEM_ZEROINIT,
  318. sizeof(HANDLE) * NumThreads );
  319. if ( !phThreads )
  320. {
  321. Status = STATUS_NO_MEMORY;
  322. szMsg = L"LsapAllocateLsaHeap";
  323. goto Cleanup;
  324. }
  325. wprintf(L"Creating %d threads...\n", NumThreads);
  326. for (int i=0; i<NumThreads; i++)
  327. {
  328. phThreads[i] = CreateThread( NULL, 0,
  329. TestEventGenThreadProc, (PVOID) NumIter,
  330. CREATE_SUSPENDED, NULL );
  331. if (!phThreads[i])
  332. {
  333. szMsg = L"CreateThread";
  334. goto Cleanup;
  335. }
  336. }
  337. wprintf(L"...done\n");
  338. wprintf(L"Waiting for the threads to finish work...\n");
  339. for (int i=0; i<NumThreads; i++)
  340. {
  341. ResumeThread( phThreads[i] );
  342. }
  343. dwError = WaitForTonsOfObjects( NumThreads, phThreads, TRUE, INFINITE );
  344. if ( dwError == WAIT_FAILED )
  345. {
  346. szMsg = L"WaitForMultipleObjects";
  347. Status = STATUS_UNSUCCESSFUL;
  348. goto Cleanup;
  349. }
  350. for (int i=0; i<NumThreads; i++)
  351. {
  352. CloseHandle( phThreads[i] );
  353. }
  354. RtlZeroMemory( phThreads, sizeof(HANDLE) * NumThreads );
  355. Cleanup:
  356. if ( szMsg )
  357. {
  358. wprintf (L"%s: %x\n", szMsg, Status);
  359. }
  360. for (i=0; i<NumThreads; i++)
  361. {
  362. if (phThreads[i])
  363. {
  364. TerminateThread( phThreads[i], 0 );
  365. }
  366. }
  367. LocalFree( phThreads );
  368. //LocalFree( pdwThreadIds );
  369. return Status;
  370. }
  371. EXTERN_C
  372. NTSTATUS
  373. GetSidName(
  374. IN PSID pSid,
  375. OUT PWSTR szName
  376. )
  377. {
  378. NTSTATUS Status = STATUS_SUCCESS;
  379. LSA_OBJECT_ATTRIBUTES ObjectAttrs = { 0 };
  380. PLSA_REFERENCED_DOMAIN_LIST pDomains;
  381. PLSA_TRANSLATED_NAME pNames;
  382. LSA_HANDLE hLsa;
  383. *szName = UNICODE_NULL;
  384. Status = LsaOpenPolicy( NULL, &ObjectAttrs, POLICY_LOOKUP_NAMES, &hLsa );
  385. if (NT_SUCCESS(Status))
  386. {
  387. Status = LsaLookupSids( hLsa, 1, &pSid, &pDomains, &pNames );
  388. if (NT_SUCCESS(Status))
  389. {
  390. if (pDomains->Entries > 0)
  391. {
  392. lstrcpyn( szName, pDomains->Domains[0].Name.Buffer,
  393. pDomains->Domains[0].Name.Length / sizeof(WCHAR) + 1);
  394. lstrcat( szName, L"\\" );
  395. if ( pNames[0].Use == SidTypeUser )
  396. {
  397. lstrcat( szName, pNames[0].Name.Buffer );
  398. }
  399. else
  400. {
  401. lstrcat( szName, L"unknown" );
  402. }
  403. }
  404. }
  405. }
  406. return Status;
  407. }
  408. DWORD
  409. EnableSinglePrivilege(
  410. IN PWCHAR szPrivName
  411. )
  412. {
  413. DWORD dwError=NO_ERROR;
  414. HANDLE hToken;
  415. LUID luidPriv;
  416. TOKEN_PRIVILEGES Privileges;
  417. //LUID_AND_ATTRIBUTES lna[1];
  418. if (!OpenProcessToken(GetCurrentProcess(),
  419. TOKEN_ADJUST_PRIVILEGES,
  420. &hToken))
  421. {
  422. goto GetError;
  423. }
  424. if (!LookupPrivilegeValue(NULL, szPrivName, &Privileges.Privileges[0].Luid))
  425. {
  426. goto GetError;
  427. }
  428. Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  429. Privileges.PrivilegeCount = 1;
  430. if (!AdjustTokenPrivileges(hToken, FALSE, &Privileges, 0, NULL, 0 ))
  431. {
  432. goto GetError;
  433. }
  434. CloseHandle(hToken);
  435. Cleanup:
  436. return dwError;
  437. GetError:
  438. dwError = GetLastError();
  439. goto Cleanup;
  440. }
  441. EXTERN_C
  442. NTSTATUS
  443. kElfReportEventW (
  444. IN HANDLE LogHandle,
  445. IN USHORT EventType,
  446. IN USHORT EventCategory OPTIONAL,
  447. IN ULONG EventID,
  448. IN PSID UserSid,
  449. IN USHORT NumStrings,
  450. IN ULONG DataSize,
  451. IN PUNICODE_STRING *Strings,
  452. IN PVOID Data,
  453. IN USHORT Flags,
  454. IN OUT PULONG RecordNumber OPTIONAL,
  455. IN OUT PULONG TimeWritten OPTIONAL
  456. )
  457. {
  458. NTSTATUS Status = STATUS_SUCCESS;
  459. PCWSTR szT;
  460. WCHAR szUserName[256];
  461. ASSERT((EventType == EVENTLOG_AUDIT_SUCCESS) ||
  462. (EventType == EVENTLOG_AUDIT_FAILURE));
  463. return Status;
  464. wprintf(L"-----------------------------------------------------------------\n");
  465. if (EventType == EVENTLOG_AUDIT_SUCCESS)
  466. {
  467. szT = L"AUDIT_SUCCESS";
  468. }
  469. else
  470. {
  471. szT = L"AUDIT_FAILURE";
  472. }
  473. wprintf(L"Type\t: %s\n", szT);
  474. wprintf(L"Category: %d\n", EventCategory);
  475. wprintf(L"AuditId\t: %d\n", EventID);
  476. if (STATUS_SUCCESS == GetSidName( UserSid, szUserName ))
  477. {
  478. wprintf(L"UserSid\t: %s\n\n", szUserName);
  479. }
  480. else
  481. {
  482. wprintf(L"UserSid\t: <NA>\n\n");
  483. }
  484. wprintf(L"#strings: %d\n", NumStrings);
  485. for (int i=0; i<NumStrings; i++)
  486. {
  487. wprintf(L"[%02d]\t: %wZ\n", i, Strings[i]);
  488. }
  489. return Status;
  490. }