

  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A Z E V E N T . C P P
  8. //
  9. // Contents: Functions to construct and report Authz audit event
  10. //
  11. //
  12. // History:
  13. // 07-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  16. /*
  17. - how to create an event buffer without creating hEventSource?
  18. - need to protect rm->hAuditEvent using a critsec
  19. */
  20. #include "pch.h"
  21. #pragma hdrstop
  22. // #include <nt.h>
  23. // #include <ntrtl.h>
  24. // #include <nturtl.h>
  25. // #include <windows.h>
  26. // #include <msaudite.h>
  27. #include "authzp.h"
  28. #include "adtdef.h"
  29. //#include "p2prov.h"
  30. #include "ncevent.h"
  31. #include "azaudit.h"
  32. // static AzAuditInfoInternal g_RmAuditInfo;
HRESULT WINAPI AuthzEventSourceCallback(
HANDLE hEventSource,
EVENT_SOURCE_MSG msg,
PVOID pUser,
PVOID pData
)
{
    //
    // Callback handed to WmiEventSourceConnect in AzpInitRmAuditInfo.
    // Nothing is done for any message yet: every message this provider
    // knows about is acknowledged with S_OK, anything else is refused
    // with E_FAIL. hEventSource, pUser and pData are never examined.
    //
    // NOTE(review): ESM_ACCESS_CHECK is answered S_OK without looking at
    // pData, so if that message is WMI asking whether a consumer may
    // attach, every consumer is admitted here - confirm that is intended.
    //
    UNREFERENCED_PARAMETER(hEventSource);
    UNREFERENCED_PARAMETER(pUser);
    UNREFERENCED_PARAMETER(pData);

    switch (msg)
    {
    case ESM_START_SENDING_EVENTS:
    case ESM_STOP_SENDING_EVENTS:
    case ESM_NEW_QUERY:
    case ESM_CANCEL_QUERY:
    case ESM_ACCESS_CHECK:
        return S_OK;

    default:
        return E_FAIL;
    }
}
//
// Property layout of the "AuditEvent_AuthzAccess" object that
// AzpCreateAuditEvent builds. The tables are positional: entry i of
// c_aAzpAccessEventPropertyTypes is the CIM type of property i in
// c_aAzpAccessEventPropertyNames, and c_aAzAccessPropIndexes lists
// every property (0..5) so the subset handle covers the whole object.
// Keep all three in step - the only cross-check is the ASSERT on the
// two counts in AzpCreateAuditEvent.
//
PCWSTR c_aAzpAccessEventPropertyNames[] =
{
    L"OperationType",       // 0
    L"Objecttype",          // 1
    L"ObjectName",          // 2
    L"PrimaryUserSid",      // 3
    L"ClientUserSid",       // 4
    L"AccessMask",          // 5
};

const UINT c_cAzAccessProperties =
    sizeof(c_aAzpAccessEventPropertyNames) / sizeof(c_aAzpAccessEventPropertyNames[0]);

CIMTYPE c_aAzpAccessEventPropertyTypes[] =
{
    CIM_STRING,                     // OperationType
    CIM_STRING,                     // Objecttype
    CIM_STRING,                     // ObjectName
    CIM_UINT8 | CIM_FLAG_ARRAY,     // PrimaryUserSid - SID passed as buffer + length
    CIM_UINT8 | CIM_FLAG_ARRAY,     // ClientUserSid  - SID passed as buffer + length
    CIM_UINT32,                     // AccessMask
};

const UINT c_cAzAccessPropertyTypes =
    sizeof(c_aAzpAccessEventPropertyTypes) / sizeof(c_aAzpAccessEventPropertyTypes[0]);

// one index per property above, in declaration order
const DWORD c_aAzAccessPropIndexes[c_cAzAccessProperties] =
{ 0, 1, 2, 3, 4, 5 };
DWORD AzpCreateAuditEvent(
IN HANDLE hEventSource,
OUT HANDLE* phAuditEvent,
OUT HANDLE* phAuditEventPropSubset
)
//
// Creates the "AuditEvent_AuthzAccess" WMI object on hEventSource together
// with a property subset that selects all of its properties
// (c_aAzAccessPropIndexes). Both handles are returned to the caller, who
// owns them from then on.
//
// hEventSource           - connection returned by WmiEventSourceConnect
// phAuditEvent           - receives the event object handle
// phAuditEventPropSubset - receives the property-subset handle
//
// Returns NO_ERROR on success. On failure returns GetLastError() from the
// Wmi call that failed (this assumes those helpers set last error), both
// out handles are INVALID_HANDLE_VALUE and nothing is left allocated.
//
{
    DWORD  dwError = NO_ERROR;
    HANDLE hEvent  = INVALID_HANDLE_VALUE;
    HANDLE hSubset = INVALID_HANDLE_VALUE;

    *phAuditEvent           = INVALID_HANDLE_VALUE;
    *phAuditEventPropSubset = INVALID_HANDLE_VALUE;

    // the name and type tables must describe the same number of properties
    ASSERT(c_cAzAccessProperties == c_cAzAccessPropertyTypes);

    hEvent = WmiCreateObjectWithProps( hEventSource,
                                       L"AuditEvent_AuthzAccess",
                                       WMI_CREATEOBJ_LOCKABLE,
                                       c_cAzAccessProperties,
                                       c_aAzpAccessEventPropertyNames,
                                       c_aAzpAccessEventPropertyTypes );

    // the subset hangs off the object, so only try it once the object exists
    if (hEvent != INVALID_HANDLE_VALUE)
    {
        hSubset = WmiCreateObjectPropSubset( hEvent,
                                             0,
                                             c_cAzAccessProperties,
                                             (DWORD*) c_aAzAccessPropIndexes );
    }

    if (hEvent == INVALID_HANDLE_VALUE || hSubset == INVALID_HANDLE_VALUE)
    {
        // nothing has been called since the failing Wmi call, so last error is intact
        dwError = GetLastError();

        // tear down in reverse order of creation
        if (hSubset != INVALID_HANDLE_VALUE)
        {
            (void) WmiDestroyObject( hSubset );
        }
        if (hEvent != INVALID_HANDLE_VALUE)
        {
            (void) WmiDestroyObject( hEvent );
        }
        return dwError;
    }

    *phAuditEvent           = hEvent;
    *phAuditEventPropSubset = hSubset;
    return NO_ERROR;
}
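DWORD AzpInitRmAuditInfo(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo
)
//
// Connects the resource manager to the WMI event server and, unless the
// RM supplied its own event (AUTHZ_RM_AUDIT_USE_GIVEN_EVENT), creates the
// default "AuditEvent_AuthzAccess" event and property subset for it.
//
// pRmAuditInfo - RM audit state to initialise. On return hEventSource holds
//                the connection; hAuditEvent / hAuditEventPropSubset hold
//                the default event when one was created.
//
// Returns NO_ERROR, or the Win32 error from the step that failed.
//
{
    DWORD  dwError      = NO_ERROR;
    HANDLE hEventSource = INVALID_HANDLE_VALUE;

    //
    // connect to the WMI event server
    //
    hEventSource = WmiEventSourceConnect( L"root\\default",
                                          L"AuthzAuditEventProvider", //kk
                                          0, 0, 0, NULL,
                                          AuthzEventSourceCallback );
    if (hEventSource == INVALID_HANDLE_VALUE)
    {
        return GetLastError();
    }

    //
    // Record the connection on the RM. AzpInitClientAuditInfo reads
    // pRmAuditInfo->hEventSource to build per-client events, and the RM's
    // teardown is the only place that can release it; before this fix the
    // handle was only ever held in this local and was lost on return.
    // It is stored before the event is created so that a failure below
    // still leaves the caller something it can release - nothing in this
    // file disconnects the event source.
    //
    pRmAuditInfo->hEventSource = hEventSource;

    //
    // if the RM does not want to provide its own event,
    // create a default one
    //
    if (!FLAG_ON(pRmAuditInfo->dwFlags, AUTHZ_RM_AUDIT_USE_GIVEN_EVENT))
    {
        ASSERT(pRmAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);

        dwError = AzpCreateAuditEvent( hEventSource,
                                       &pRmAuditInfo->hAuditEvent,
                                       &pRmAuditInfo->hAuditEventPropSubset );
    }

    return dwError;
}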
DWORD AzpInitClientAuditInfo(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
OUT PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo
)
//
// Per-client audit set-up. Clients that asked for a private event
// (AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT) get one created on the RM's event
// source; every other client shares the RM's event and nothing is done.
//
// pRmAuditInfo     - RM audit state; hEventSource must already be populated.
// pClientAuditInfo - client audit state. dwFlags is read even though the
//                    parameter is annotated OUT; hAuditEvent and
//                    hAuditEventPropSubset are written on the own-event path.
//
// Returns NO_ERROR, or the error from AzpCreateAuditEvent.
//
{
    if (!FLAG_ON( pClientAuditInfo->dwFlags, AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT ))
    {
        return NO_ERROR;
    }

    // not yet implemented: the ASSERT fires on checked builds, a free build
    // falls through and creates the event anyway
    ASSERT(FALSE); // nyi
    ASSERT(pClientAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);

    return AzpCreateAuditEvent( pRmAuditInfo->hEventSource,
                                &pClientAuditInfo->hAuditEvent,
                                &pClientAuditInfo->hAuditEventPropSubset );
}
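DWORD
AzpGenerateAuditEvent(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
IN PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo,
IN PAUTHZI_CLIENT_CONTEXT pClientContext,
IN PAUTHZ_AUDIT_INFO pAuditInfo,
IN DWORD dwAccessMask
)
//
// Fills in the access-audit event (operation, object, the two SIDs and the
// access mask) and commits it to the event server.
//
// pRmAuditInfo     - RM audit state: default event and the RM process SID.
// pClientAuditInfo - client audit state: optional per-client event and the
//                    client SID.
// pClientContext   - currently unused (the client SID is taken from
//                    pClientAuditInfo instead).
// pAuditInfo       - per-call audit data: optional caller-supplied event,
//                    operation type, object type and object name.
// dwAccessMask     - access mask recorded in the event.
//
// Returns NO_ERROR; ERROR_INVALID_HANDLE when no usable event handle was
// selected; otherwise the Win32 error from the Wmi call that failed.
//
{
    DWORD  dwError               = NO_ERROR;
    BOOL   fResult               = FALSE;
    HANDLE hAuditEvent           = INVALID_HANDLE_VALUE;
    HANDLE hAuditEventPropSubset = INVALID_HANDLE_VALUE;
    PSID   psidPrimaryUser       = NULL;
    PSID   psidResourceManager   = NULL;
    DWORD  dwPrimaryUserSidSize  = 0;
    DWORD  dwRmSidSize           = 0;

    UNREFERENCED_PARAMETER(pClientContext);

    //
    // pick the event to use: per-call, then per-client, then the RM default
    //
    if (pAuditInfo->dwFlags & AUTHZ_AUDIT_USE_GIVEN_EVENT)
    {
        ASSERT(FALSE); // nyi
        hAuditEvent           = pAuditInfo->hAuditEvent;
        hAuditEventPropSubset = pAuditInfo->hAuditEventPropSubset;
    }
    else if (pClientAuditInfo->dwFlags & (AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT |
                                           AUTHZ_CLIENT_AUDIT_USE_GIVEN_EVENT))
    {
        hAuditEvent           = pClientAuditInfo->hAuditEvent;
        hAuditEventPropSubset = pClientAuditInfo->hAuditEventPropSubset;
    }
    else
    {
        hAuditEvent           = pRmAuditInfo->hAuditEvent;
        hAuditEventPropSubset = pRmAuditInfo->hAuditEventPropSubset;
    }

    //
    // ASSERT compiles out on free builds, so the handles are also checked at
    // runtime: the nyi path above, or an RM that was never initialised, would
    // otherwise hand an unset handle (NULL or INVALID_HANDLE_VALUE) to the
    // Wmi calls below. Failing here drops the audit record, which is
    // preferable to committing one through a bogus handle.
    //
    ASSERT(hAuditEvent != INVALID_HANDLE_VALUE);
    ASSERT(hAuditEventPropSubset != INVALID_HANDLE_VALUE);
    if (hAuditEvent == NULL || hAuditEvent == INVALID_HANDLE_VALUE ||
        hAuditEventPropSubset == NULL || hAuditEventPropSubset == INVALID_HANDLE_VALUE)
    {
        return ERROR_INVALID_HANDLE;
    }

    //
    // SIDs recorded in the event. The client SID is written to the
    // "PrimaryUserSid" property and the RM process SID to "ClientUserSid"
    // (see c_aAzpAccessEventPropertyNames and the argument order below).
    // NOTE(review): in the Windows object-access audit model the primary
    // user is normally the server process and the client user the caller
    // being audited, i.e. the reverse of this - confirm which labelling
    // consumers of this event expect before anyone builds detections on it.
    //
    psidPrimaryUser      = pClientAuditInfo->psidClient;
    dwPrimaryUserSidSize = pClientAuditInfo->dwClientSidSize;
    psidResourceManager  = pRmAuditInfo->psidRmProcess;
    dwRmSidSize          = pRmAuditInfo->dwRmProcessSidSize;

    //
    // Set-then-commit is two calls on a handle that may be shared by every
    // caller of this RM (the default event from AzpInitRmAuditInfo). Nothing
    // here serialises them, so concurrent audits can interleave and commit a
    // record mixing fields from two access checks - see the critsec item in
    // the file header.
    //
    fResult = WmiSetObjectProps( hAuditEventPropSubset,
                                 pAuditInfo->szOperationType,
                                 pAuditInfo->szObjectType,
                                 pAuditInfo->szObjectName,
                                 psidPrimaryUser,
                                 dwPrimaryUserSidSize,
                                 psidResourceManager,
                                 dwRmSidSize,
                                 dwAccessMask
                                 );
    if (!fResult)
    {
        dwError = GetLastError();
        return dwError;
    }

    //
    // call LSA and send the event to it
    //
    fResult = WmiCommitObject( hAuditEvent );
    if (!fResult)
    {
        dwError = GetLastError();
    }

    return dwError;
}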