|
|
#include "precomp.h"
// Size, in WCHARs, of the scratch buffer in which PerformAudit assembles the
// SE_ADT_PARAMETER_ARRAY record.  PerformAudit compares its *byte* total
// against this value, so the effective limit is half the buffer (conservative).
#define MAX_AUDIT_BUFFER 4096
// Size, in WCHARs, of the buffer AuditEvent formats the message text into.
#define MAX_MSG_BUFFER 2048
// Shared scratch storage for every audit call in this file.  Nothing here is
// locked on its own; AuditEvent takes gcSPDAuditSection around its use of both
// buffers, and PerformAudit relies on that.
WCHAR gszAuditBuffer[MAX_AUDIT_BUFFER];
WCHAR * gpszAuditBuffer = gszAuditBuffer;
WCHAR gszAuditMsgBuffer[MAX_MSG_BUFFER];
WCHAR * gpszAuditMsgBuffer = gszAuditMsgBuffer;
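/*
 * PerformAudit
 *
 * Assembles an SE_ADT_PARAMETER_ARRAY describing one policy-change audit in
 * the shared gszAuditBuffer and hands it to LsaIWriteAuditEvent.
 *
 * Record layout written into gszAuditBuffer:
 *   SE_ADT_PARAMETER_ARRAY header (its Parameters[] array is fixed-size and
 *     lives inside the header)
 *   copy of the SID, padded to pointer alignment
 *   UNICODE_STRING descriptors: [0] module name, [1..dwParamCnt] caller args
 * The string characters themselves are NOT copied; each UNICODE_STRING.Buffer
 * points at pszModuleName or at the caller's ppszArgArray entry, so those
 * strings must stay valid until this function returns.
 *
 * dwCategoryId  ignored; the category is forced to SE_CATEGID_POLICY_CHANGE.
 * dwAuditId     audit event id stored in the record.
 * pSid          SID of the auditing subject; must not be NULL.
 * dwParamCnt    number of entries in ppszArgArray.
 * ppszArgArray  NUL-terminated wide strings; no entry may be NULL.
 * bSuccess      selects EVENTLOG_AUDIT_SUCCESS / EVENTLOG_AUDIT_FAILURE.
 * bDoAudit      when FALSE the record is built but not written to LSA.
 *
 * Returns ERROR_SUCCESS, ERROR_INVALID_PARAMETER (NULL SID, NULL argument
 * string, or more parameters than Parameters[] can hold) or
 * ERROR_BUFFER_OVERFLOW (record does not fit the MAX_AUDIT_BUFFER bound).
 *
 * Not thread-safe on its own: it writes the global gszAuditBuffer, so callers
 * serialise through gcSPDAuditSection (see AuditEvent).
 */
DWORD
PerformAudit(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    PSID pSid,
    DWORD dwParamCnt,
    LPWSTR * ppszArgArray,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    SE_ADT_PARAMETER_ARRAY * pParArray = NULL;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    DWORD dwStrSize = 0;
    DWORD i = 0;
    DWORD dwAllocSize = 0;
    DWORD dwSidLength = 0;
    DWORD dwMaxParams = 0;
    DWORD dwModuleNameBytes = 0;
    BYTE * pbyteCurAddr = NULL;
    BYTE * pbySidCopy = NULL;
    UNICODE_STRING * pusStrArray = NULL;
    WCHAR * pszModuleName = L"IPSec Server";

    //
    // dwCategoryId should be equal to SE_CATEGID_POLICY_CHANGE.
    //
    dwCategoryId = SE_CATEGID_POLICY_CHANGE;

    // RtlLengthSid and the memcpy below dereference the SID, so reject NULL
    // before touching it.
    if (pSid == NULL) {
        return (ERROR_INVALID_PARAMETER);
    }
    if (dwParamCnt != 0 && ppszArgArray == NULL) {
        return (ERROR_INVALID_PARAMETER);
    }

    // Parameters[] is a fixed-size array inside the header.  Slot 0 is the
    // SID and slot 1 the module name, so the caller's strings take [2..].
    // Without this check a large dwParamCnt would index past the array.
    dwMaxParams = (DWORD) (sizeof(pParArray->Parameters) /
                           sizeof(pParArray->Parameters[0]));
    if (dwMaxParams < 2 || dwParamCnt > dwMaxParams - 2) {
        return (ERROR_INVALID_PARAMETER);
    }

    dwSidLength = RtlLengthSid(pSid);
    dwModuleNameBytes = (DWORD) ((wcslen(pszModuleName) + 1) * sizeof(WCHAR));

    // Byte count of all strings (with terminators).  They are not copied into
    // the buffer, but counting them keeps the size check conservative and, in
    // particular, bounds every string below 64K so the USHORT casts into
    // UNICODE_STRING below cannot truncate.
    for (i = 0; i < dwParamCnt; i++) {
        if (ppszArgArray[i] == NULL) {
            return (ERROR_INVALID_PARAMETER);
        }
        dwStrSize += (DWORD) ((wcslen(ppszArgArray[i]) + 1) * sizeof(WCHAR));
    }
    dwStrSize += dwModuleNameBytes;

    // dwParamCnt + 1 descriptors: one per caller string plus the module name.
    dwAllocSize = (DWORD) sizeof(SE_ADT_PARAMETER_ARRAY)
                  + (dwParamCnt + 1) * (DWORD) sizeof(UNICODE_STRING)
                  + dwStrSize;
    dwAllocSize += PtrAlignSize(dwSidLength);

    // dwAllocSize is in bytes while MAX_AUDIT_BUFFER is the WCHAR count of
    // gszAuditBuffer, so this admits at most half the buffer.
    if (dwAllocSize > MAX_AUDIT_BUFFER) {
        return (ERROR_BUFFER_OVERFLOW);
    }

    pParArray = (SE_ADT_PARAMETER_ARRAY *) gpszAuditBuffer;
    pParArray->CategoryId = dwCategoryId;
    pParArray->AuditId = dwAuditId;
    pParArray->ParameterCount = dwParamCnt + 2;
    pParArray->Length = dwAllocSize;
    pParArray->Flags = 0;
    pParArray->Type = bSuccess ? EVENTLOG_AUDIT_SUCCESS : EVENTLOG_AUDIT_FAILURE;

    pbyteCurAddr = (BYTE *) (pParArray + 1);

    // Parameter 0: the SID.  It is copied into the record and referenced from
    // the copy, so the record does not depend on the caller's SID storage.
    pbySidCopy = pbyteCurAddr;
    memcpy(pbySidCopy, pSid, dwSidLength);
    pParArray->Parameters[0].Type = SeAdtParmTypeSid;
    pParArray->Parameters[0].Length = dwSidLength;
    pParArray->Parameters[0].Data[0] = 0;
    pParArray->Parameters[0].Data[1] = 0;
    pParArray->Parameters[0].Address = (PVOID) pbySidCopy;
    pbyteCurAddr += PtrAlignSize(dwSidLength);

    pusStrArray = (UNICODE_STRING *) pbyteCurAddr;

    // Parameter 1: the module name.
    pusStrArray[0].Length = (USHORT) (dwModuleNameBytes - sizeof(WCHAR));
    pusStrArray[0].MaximumLength = (USHORT) dwModuleNameBytes;
    pusStrArray[0].Buffer = (LPWSTR) pszModuleName;
    pParArray->Parameters[1].Type = SeAdtParmTypeString;
    pParArray->Parameters[1].Length = (DWORD) sizeof(UNICODE_STRING) + pusStrArray[0].MaximumLength;
    pParArray->Parameters[1].Data[0] = 0;
    pParArray->Parameters[1].Data[1] = 0;
    pParArray->Parameters[1].Address = (PVOID) &pusStrArray[0];

    // Parameters 2..: the caller's strings, one UNICODE_STRING each.
    for (i = 0; i < dwParamCnt; i++) {
        DWORD cbArg = (DWORD) (wcslen(ppszArgArray[i]) * sizeof(WCHAR));

        pusStrArray[i + 1].Length = (USHORT) cbArg;
        pusStrArray[i + 1].MaximumLength = (USHORT) (cbArg + sizeof(WCHAR));
        pusStrArray[i + 1].Buffer = (LPWSTR) ppszArgArray[i];

        pParArray->Parameters[i + 2].Type = SeAdtParmTypeString;
        pParArray->Parameters[i + 2].Length = (DWORD) sizeof(UNICODE_STRING) + pusStrArray[i + 1].MaximumLength;
        pParArray->Parameters[i + 2].Data[0] = 0;
        pParArray->Parameters[i + 2].Data[1] = 0;
        pParArray->Parameters[i + 2].Address = (PVOID) &pusStrArray[i + 1];
    }

    if (bDoAudit) {
        ntStatus = LsaIWriteAuditEvent(pParArray, 0);
    }

    // NOTE(review): ntStatus is not surfaced; the only caller in this file
    // (AuditEvent) discards the return value anyway.  Surface it if a caller
    // ever needs to know the audit was not written.
    (void) ntStatus;
    return (ERROR_SUCCESS);
}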
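/*
 * AuditEvent
 *
 * Formats message dwStrId from this module's message table with the caller's
 * insert strings and emits the text as the single string parameter of a
 * policy-change audit via PerformAudit.  Only SE_AUDITID_IPSEC_POLICY_CHANGED
 * is handled; any other audit id is ignored.
 *
 * dwCategoryId   forwarded to PerformAudit (which forces the category).
 * dwAuditId      audit event id; anything but SE_AUDITID_IPSEC_POLICY_CHANGED
 *                produces no audit.
 * dwStrId        message id looked up in ghIpsecServerModule.
 * ppszArguments  FormatMessage insert array (FORMAT_MESSAGE_ARGUMENT_ARRAY);
 *                every insert the message references must be present.
 * bSuccess       success/failure flag forwarded to PerformAudit.
 * bDoAudit       forwarded to PerformAudit; FALSE builds but does not write.
 *
 * If the message lookup fails, a generic text naming dwStrId is audited
 * instead, so the policy change is still recorded rather than silently
 * dropped.
 *
 * The formatted text lives in the shared gszAuditMsgBuffer and PerformAudit
 * writes the shared gszAuditBuffer, so the whole call runs under
 * gcSPDAuditSection.
 */
VOID
AuditEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR * ppszArguments,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    DWORD dwChars = 0;
    LPWSTR pszArgArray[3];
    DWORD dwParamCnt = 0;

    EnterCriticalSection(&gcSPDAuditSection);

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ARGUMENT_ARRAY,
                  ghIpsecServerModule,
                  dwStrId,
                  LANG_NEUTRAL,
                  gpszAuditMsgBuffer,
                  MAX_MSG_BUFFER,
                  (va_list *) ppszArguments
                  );
    if (dwChars == 0) {
        // Lookup failed: audit a generic message carrying the id rather than
        // discarding the event.  The text is well under MAX_MSG_BUFFER.
        wsprintf(
            gpszAuditMsgBuffer,
            L"IPSec Services encountered an error while auditing event ID 0x%x",
            dwStrId
            );
    }
    // Guarantee termination regardless of what FormatMessage wrote.
    gpszAuditMsgBuffer[MAX_MSG_BUFFER - 1] = 0;

    switch (dwAuditId) {
    case SE_AUDITID_IPSEC_POLICY_CHANGED:
        dwParamCnt = 1;
        pszArgArray[0] = (LPWSTR) gpszAuditMsgBuffer;
        (VOID) PerformAudit(
                   dwCategoryId,
                   dwAuditId,
                   gpIpsecServerSid,
                   dwParamCnt,
                   (LPWSTR *) pszArgArray,
                   bSuccess,
                   bDoAudit
                   );
        break;
    default:
        // Unknown audit id: nothing to emit.
        break;
    }

    LeaveCriticalSection(&gcSPDAuditSection);
    return;
}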
/*
 * AuditOneArgErrorEvent
 *
 * Audits message dwStrId with a single insert describing dwErrorCode: the
 * system error text when FormatMessage can supply it, otherwise the code
 * rendered as "0x%x".
 *
 * dwCategoryId, dwAuditId, dwStrId, bSuccess, bDoAudit  forwarded to AuditEvent.
 * dwErrorCode  Win32 error code to describe.
 *
 * The system-allocated message text is released before returning.
 */
VOID
AuditOneArgErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    LPVOID lpvSystemText = NULL;
    WCHAR szFallback[MAX_PATH];
    LPWSTR pszInsert = NULL;
    DWORD dwChars = 0;

    szFallback[0] = L'\0';

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvSystemText,
                  0,
                  NULL
                  );

    if (dwChars == 0) {
        // No system text for this code: fall back to the numeric form.
        wsprintf(szFallback, L"0x%x", dwErrorCode);
        pszInsert = szFallback;
    } else {
        pszInsert = (LPWSTR) lpvSystemText;
    }

    // AuditEvent takes an insert array; hand it the single-element one.
    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        &pszInsert,
        bSuccess,
        bDoAudit
        );

    if (lpvSystemText) {
        LocalFree(lpvSystemText);
    }
    return;
}
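/*
 * AuditIPSecPolicyEvent
 *
 * Audits message dwStrId with the policy name as its single insert.
 *
 * dwCategoryId, dwAuditId, dwStrId, bSuccess, bDoAudit  forwarded to AuditEvent.
 * pszPolicyName  NUL-terminated policy name; may be NULL.
 *
 * The name is passed by pointer rather than copied into a fixed-size stack
 * buffer: policy names are not bounded to MAX_PATH, and AuditEvent already
 * bounds the formatted output to MAX_MSG_BUFFER.  A NULL name is rendered as
 * "(null)" so it still yields a readable insert instead of being
 * dereferenced downstream.
 */
VOID
AuditIPSecPolicyEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    LPWSTR pszInsert = pszPolicyName ? pszPolicyName : L"(null)";

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        &pszInsert,
        bSuccess,
        bDoAudit
        );
    return;
}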
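/*
 * AuditIPSecPolicyErrorEvent
 *
 * Audits message dwStrId with two inserts: the policy name and a description
 * of dwErrorCode (the system error text when available, otherwise "0x%x").
 *
 * dwCategoryId, dwAuditId, dwStrId, bSuccess, bDoAudit  forwarded to AuditEvent.
 * pszPolicyName  NUL-terminated policy name; may be NULL.
 * dwErrorCode    Win32 error code to describe.
 *
 * The policy name is passed by pointer rather than copied into a MAX_PATH
 * stack buffer, since policy names are not bounded to MAX_PATH and AuditEvent
 * already bounds the formatted output.  A NULL name becomes "(null)".  The
 * system-allocated error text is released before returning.
 */
VOID
AuditIPSecPolicyErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    DWORD dwChars = 0;
    WCHAR szErrorFallback[MAX_PATH];
    LPWSTR pszArgArray[2];
    LPVOID lpvSystemText = NULL;

    szErrorFallback[0] = L'\0';

    pszArgArray[0] = pszPolicyName ? pszPolicyName : L"(null)";

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvSystemText,
                  0,
                  NULL
                  );

    if (dwChars == 0) {
        // No system text for this code: fall back to the numeric form, which
        // is far below MAX_PATH characters.
        wsprintf(szErrorFallback, L"0x%x", dwErrorCode);
        pszArgArray[1] = szErrorFallback;
    } else {
        pszArgArray[1] = (LPWSTR) lpvSystemText;
    }

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        pszArgArray,
        bSuccess,
        bDoAudit
        );

    if (lpvSystemText) {
        LocalFree(lpvSystemText);
    }
    return;
}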
|