//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A Z E V E N T . C P P
//
// Contents: Functions to construct and report Authz audit event
//
//
// History:
// 07-January-2000 kumarp created
//
//------------------------------------------------------------------------
/*
- how to create an event buffer without creating hEventSource?
- need to protect rm->hAuditEvent using a critsec
*/
#include "pch.h"
#pragma hdrstop
// #include <nt.h>
// #include <ntrtl.h>
// #include <nturtl.h>
// #include <windows.h>
// #include <msaudite.h>
#include "authzp.h"
#include "adtdef.h"
//#include "p2prov.h"
#include "ncevent.h"
#include "azaudit.h"
// static AzAuditInfoInternal g_RmAuditInfo;
HRESULT WINAPI AuthzEventSourceCallback(
HANDLE hEventSource,
EVENT_SOURCE_MSG msg,
PVOID pUser,
PVOID pData
)
{
HRESULT hr = S_OK;
switch (msg)
{
case ESM_START_SENDING_EVENTS:
break;
case ESM_STOP_SENDING_EVENTS:
break;
case ESM_NEW_QUERY:
break;
case ESM_CANCEL_QUERY:
break;
case ESM_ACCESS_CHECK:
break;
default:
hr = E_FAIL;
break;
}
UNREFERENCED_PARAMETER(hEventSource);
UNREFERENCED_PARAMETER(pUser);
UNREFERENCED_PARAMETER(pData);
return hr;
}
PCWSTR c_aAzpAccessEventPropertyNames[] =
{
L"OperationType",
L"Objecttype",
L"ObjectName",
// L"HandleId",
// L"OperationId",
L"PrimaryUserSid",
L"ClientUserSid",
L"AccessMask",
};
const UINT c_cAzAccessProperties =
sizeof(c_aAzpAccessEventPropertyNames) / sizeof(PCWSTR);
CIMTYPE c_aAzpAccessEventPropertyTypes[] =
{
CIM_STRING,
CIM_STRING,
CIM_STRING,
// CIM_UINT64,
// CIM_UINT64,
CIM_UINT8 | CIM_FLAG_ARRAY,
CIM_UINT8 | CIM_FLAG_ARRAY,
CIM_UINT32,
};
const UINT c_cAzAccessPropertyTypes =
sizeof(c_aAzpAccessEventPropertyTypes) / sizeof(CIMTYPE);
const DWORD c_aAzAccessPropIndexes[c_cAzAccessProperties] =
{ 0, 1, 2, 3, 4, 5 }; //, 6, 7 };
DWORD AzpCreateAuditEvent(
IN HANDLE hEventSource,
OUT HANDLE* phAuditEvent,
OUT HANDLE* phAuditEventPropSubset
)
{
DWORD dwError = NO_ERROR;
HANDLE hAuditEvent = INVALID_HANDLE_VALUE;
HANDLE hAuditEventPropSubset = INVALID_HANDLE_VALUE;
//
// initialize out params
//
*phAuditEvent = INVALID_HANDLE_VALUE;
*phAuditEventPropSubset = INVALID_HANDLE_VALUE;
//
// create the audit event
//
ASSERT(c_cAzAccessProperties == c_cAzAccessPropertyTypes);
hAuditEvent =
//WmiCreateEventWithProps( hEventSource,
WmiCreateObjectWithProps( hEventSource,
L"AuditEvent_AuthzAccess",
WMI_CREATEOBJ_LOCKABLE,
c_cAzAccessProperties,
c_aAzpAccessEventPropertyNames,
c_aAzpAccessEventPropertyTypes );
if (hAuditEvent == INVALID_HANDLE_VALUE)
{
dwError = GetLastError();
goto Cleanup;
}
hAuditEventPropSubset =
// WmiCreateEventPropSubset( hAuditEvent,
WmiCreateObjectPropSubset( hAuditEvent,
//WMI_CREATEOBJ_LOCKABLE,
0,
c_cAzAccessProperties,
(DWORD*) c_aAzAccessPropIndexes );
if (hAuditEventPropSubset == INVALID_HANDLE_VALUE)
{
dwError = GetLastError();
goto Cleanup;
}
*phAuditEvent = hAuditEvent;
*phAuditEventPropSubset = hAuditEventPropSubset;
Cleanup:
if (dwError != NO_ERROR)
{
if (hAuditEvent != INVALID_HANDLE_VALUE)
{
(void) WmiDestroyObject( hAuditEvent );
}
if (hAuditEventPropSubset != INVALID_HANDLE_VALUE)
{
(void) WmiDestroyObject( hAuditEventPropSubset );
}
}
return dwError;
}
DWORD AzpInitRmAuditInfo(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo
)
{
DWORD dwError = NO_ERROR;
HANDLE hEventSource=NULL;
//
// connect to the WMI event server
//
hEventSource =
WmiEventSourceConnect( L"root\\default",
L"AuthzAuditEventProvider", //kk
0, 0, 0, NULL,
AuthzEventSourceCallback );
if (hEventSource == INVALID_HANDLE_VALUE)
{
dwError = GetLastError();;
goto Cleanup;
}
//
// if the RM does not want to provide its own event,
// create a default one
//
if (!FLAG_ON(pRmAuditInfo->dwFlags, AUTHZ_RM_AUDIT_USE_GIVEN_EVENT))
{
ASSERT(pRmAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);
dwError = AzpCreateAuditEvent( hEventSource,
&pRmAuditInfo->hAuditEvent,
&pRmAuditInfo->hAuditEventPropSubset );
if (dwError != NO_ERROR)
{
goto Cleanup;
}
}
Cleanup:
return dwError;
}
DWORD AzpInitClientAuditInfo(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
OUT PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo
)
{
DWORD dwError = NO_ERROR;
//
// if the client wants us to create a separate event, create one.
//
if ( FLAG_ON( pClientAuditInfo->dwFlags, AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT ))
{
ASSERT(FALSE); // nyi
ASSERT(pClientAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);
dwError = AzpCreateAuditEvent( pRmAuditInfo->hEventSource,
&pClientAuditInfo->hAuditEvent,
&pClientAuditInfo->hAuditEventPropSubset );
if (dwError != NO_ERROR)
{
goto Cleanup;
}
}
Cleanup:
return dwError;
}
DWORD
AzpGenerateAuditEvent(
IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
IN PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo,
IN PAUTHZI_CLIENT_CONTEXT pClientContext,
IN PAUTHZ_AUDIT_INFO pAuditInfo,
IN DWORD dwAccessMask
)
{
DWORD dwError = NO_ERROR;
BOOL fResult = 0;
HANDLE hAuditEvent = NULL;
HANDLE hAuditEventPropSubset = NULL;
PSID psidPrimaryUser = NULL;
PSID psidResourceManager = NULL;
DWORD dwPrimaryUserSidSize = 0;
DWORD dwRmSidSize = 0;
//
// kk code to get to client and rm audit info
//
//
// determine which audit-event-handle to use
//
if (pAuditInfo->dwFlags & AUTHZ_AUDIT_USE_GIVEN_EVENT)
{
ASSERT(FALSE);
hAuditEvent = pAuditInfo->hAuditEvent;
hAuditEventPropSubset = pAuditInfo->hAuditEventPropSubset;
}
else if (pClientAuditInfo->dwFlags & (AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT |
AUTHZ_CLIENT_AUDIT_USE_GIVEN_EVENT))
{
hAuditEvent = pClientAuditInfo->hAuditEvent;
hAuditEventPropSubset = pClientAuditInfo->hAuditEventPropSubset;
}
else
{
hAuditEvent = pRmAuditInfo->hAuditEvent;
hAuditEventPropSubset = pRmAuditInfo->hAuditEventPropSubset;
}
ASSERT(hAuditEvent != INVALID_HANDLE_VALUE);
ASSERT(hAuditEventPropSubset != INVALID_HANDLE_VALUE);
//ASSERT(pClientContext->SidCount);
//psidPrimaryUser = pClientContext->Sids[0].Sid;
psidPrimaryUser = pClientAuditInfo->psidClient;
dwPrimaryUserSidSize = pClientAuditInfo->dwClientSidSize;
psidResourceManager = pRmAuditInfo->psidRmProcess;
dwRmSidSize = pRmAuditInfo->dwRmProcessSidSize;
// fResult = WmiSetEventProps( hAuditEventPropSubset,
fResult = WmiSetObjectProps( hAuditEventPropSubset,
pAuditInfo->szOperationType,
pAuditInfo->szObjectType,
pAuditInfo->szObjectName,
psidPrimaryUser,
dwPrimaryUserSidSize,
psidResourceManager,
dwRmSidSize,
dwAccessMask
);
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
//
// call LSA and send the event to it
//
fResult = WmiCommitObject( hAuditEvent );
if (!fResult)
{
dwError = GetLastError();
goto Cleanup;
}
Cleanup:
return dwError;
}