//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 2000
|
|
//
|
|
// File: A Z E V E N T . C P P
|
|
//
|
|
// Contents: Functions to construct and report Authz audit event
|
|
//
|
|
//
|
|
// History:
|
|
// 07-January-2000 kumarp created
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
/*
|
|
- how to create an event buffer without creating hEventSource?
|
|
|
|
- need to protect rm->hAuditEvent using a critsec
|
|
|
|
*/
|
|
|
|
#include "pch.h"
|
|
#pragma hdrstop
|
|
|
|
// #include <nt.h>
|
|
// #include <ntrtl.h>
|
|
// #include <nturtl.h>
|
|
|
|
// #include <windows.h>
|
|
// #include <msaudite.h>
|
|
|
|
#include "authzp.h"
|
|
|
|
#include "adtdef.h"
|
|
//#include "p2prov.h"
|
|
#include "ncevent.h"
|
|
#include "azaudit.h"
|
|
|
|
|
|
// static AzAuditInfoInternal g_RmAuditInfo;
|
|
|
|
//+-----------------------------------------------------------------------
//
// Function:  AuthzEventSourceCallback
//
// Synopsis:  Callback handed to WmiEventSourceConnect for the Authz audit
//            event provider. Every message the provider currently knows
//            is accepted without any action; anything else is rejected.
//
// Arguments: hEventSource - event source the message refers to (unused)
//            msg          - event-source notification being delivered
//            pUser        - user context given at connect time (unused)
//            pData        - message-specific payload (unused)
//
// Returns:   S_OK for ESM_START_SENDING_EVENTS, ESM_STOP_SENDING_EVENTS,
//            ESM_NEW_QUERY, ESM_CANCEL_QUERY and ESM_ACCESS_CHECK;
//            E_FAIL for any other message.
//
// Notes:     ESM_ACCESS_CHECK is answered with S_OK unconditionally, so
//            this callback itself places no restriction on who may
//            consume the audit events. NOTE(review): confirm that this is
//            the intended policy or that the consumer side enforces one;
//            it cannot be determined from this file.
//
//------------------------------------------------------------------------
HRESULT WINAPI AuthzEventSourceCallback(
    HANDLE hEventSource,
    EVENT_SOURCE_MSG msg,
    PVOID pUser,
    PVOID pData
    )
{
    UNREFERENCED_PARAMETER(hEventSource);
    UNREFERENCED_PARAMETER(pUser);
    UNREFERENCED_PARAMETER(pData);

    //
    // every recognised message is a no-op for now; only unknown
    // messages are reported as a failure
    //
    BOOL fRecognised = FALSE;

    switch (msg)
    {
    case ESM_START_SENDING_EVENTS:
    case ESM_STOP_SENDING_EVENTS:
    case ESM_NEW_QUERY:
    case ESM_CANCEL_QUERY:
    case ESM_ACCESS_CHECK:
        fRecognised = TRUE;
        break;

    default:
        break;
    }

    return fRecognised ? S_OK : E_FAIL;
}
|
|
|
|
//
// Property layout of the AuditEvent_AuthzAccess WMI object created by
// AzpCreateAuditEvent. The three tables below are parallel: entry i of
// c_aAzpAccessEventPropertyNames has CIM type
// c_aAzpAccessEventPropertyTypes[i] and is selected through
// c_aAzAccessPropIndexes[i]. Keep them in step when adding a property;
// AzpCreateAuditEvent only ASSERTs that the first two have equal length.
//
// The first two tables are deliberately not const because they are handed
// to WmiCreateObjectWithProps as-is. NOTE(review): if that API accepts
// const pointers, make them const.
//
PCWSTR c_aAzpAccessEventPropertyNames[] =
{
    L"OperationType",           // CIM_STRING
    L"Objecttype",              // CIM_STRING
    L"ObjectName",              // CIM_STRING
    // L"HandleId",             // CIM_UINT64   (not reported yet)
    // L"OperationId",          // CIM_UINT64   (not reported yet)
    L"PrimaryUserSid",          // CIM_UINT8 array
    L"ClientUserSid",           // CIM_UINT8 array
    L"AccessMask",              // CIM_UINT32
};

const UINT c_cAzAccessProperties =
    sizeof(c_aAzpAccessEventPropertyNames) /
    sizeof(c_aAzpAccessEventPropertyNames[0]);

CIMTYPE c_aAzpAccessEventPropertyTypes[] =
{
    CIM_STRING,                 // OperationType
    CIM_STRING,                 // Objecttype
    CIM_STRING,                 // ObjectName
    // CIM_UINT64,              // HandleId
    // CIM_UINT64,              // OperationId
    CIM_UINT8 | CIM_FLAG_ARRAY, // PrimaryUserSid
    CIM_UINT8 | CIM_FLAG_ARRAY, // ClientUserSid
    CIM_UINT32,                 // AccessMask
};

const UINT c_cAzAccessPropertyTypes =
    sizeof(c_aAzpAccessEventPropertyTypes) /
    sizeof(c_aAzpAccessEventPropertyTypes[0]);

//
// identity mapping: the property subset used for the audit event selects
// every property, in table order. (", 6, 7" were dropped together with
// the HandleId / OperationId entries above.)
//
const DWORD c_aAzAccessPropIndexes[c_cAzAccessProperties] =
{
    0, 1, 2, 3, 4, 5
};
|
|
|
|
//+-----------------------------------------------------------------------
//
// Function:  AzpCreateAuditEvent
//
// Synopsis:  Creates the AuditEvent_AuthzAccess WMI object on the given
//            event source together with a property subset that selects
//            all of its properties (see c_aAzAccessPropIndexes).
//
// Arguments: hEventSource           - connected event source to create
//                                     the object on
//            phAuditEvent           - receives the event object handle
//            phAuditEventPropSubset - receives the property-subset handle
//
// Returns:   NO_ERROR on success; otherwise the GetLastError() value of
//            the failing Wmi* call. Both out-params are set to
//            INVALID_HANDLE_VALUE on entry and only overwritten on
//            success.
//
// Notes:     Ownership of both handles passes to the caller on success
//            (release with WmiDestroyObject). On failure nothing is
//            leaked: an event created before the subset failed is
//            destroyed here.
//            NOTE(review): if a Wmi* call fails without setting a
//            last-error this returns NO_ERROR while both out-params are
//            still INVALID_HANDLE_VALUE, and callers only test for
//            NO_ERROR. Confirm the Wmi* contract or add a guard.
//
//------------------------------------------------------------------------
DWORD AzpCreateAuditEvent(
    IN HANDLE hEventSource,
    OUT HANDLE* phAuditEvent,
    OUT HANDLE* phAuditEventPropSubset
    )
{
    *phAuditEvent = INVALID_HANDLE_VALUE;
    *phAuditEventPropSubset = INVALID_HANDLE_VALUE;

    // the name and type tables must describe the same properties
    ASSERT(c_cAzAccessProperties == c_cAzAccessPropertyTypes);

    HANDLE hEvent = WmiCreateObjectWithProps( hEventSource,
                                              L"AuditEvent_AuthzAccess",
                                              WMI_CREATEOBJ_LOCKABLE,
                                              c_cAzAccessProperties,
                                              c_aAzpAccessEventPropertyNames,
                                              c_aAzpAccessEventPropertyTypes );
    if (hEvent == INVALID_HANDLE_VALUE)
    {
        // nothing has been created yet, so there is nothing to tear down
        return GetLastError();
    }

    HANDLE hSubset = WmiCreateObjectPropSubset( hEvent,
                                               0,
                                               c_cAzAccessProperties,
                                               (DWORD*) c_aAzAccessPropIndexes );
    if (hSubset == INVALID_HANDLE_VALUE)
    {
        // read the error before WmiDestroyObject can overwrite it
        DWORD dwError = GetLastError();
        (void) WmiDestroyObject( hEvent );
        return dwError;
    }

    *phAuditEvent = hEvent;
    *phAuditEventPropSubset = hSubset;

    return NO_ERROR;
}
|
|
|
|
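//+-----------------------------------------------------------------------
//
// Function:  AzpInitRmAuditInfo
//
// Synopsis:  Initialises the resource-manager side of audit generation:
//            connects to the WMI event server as AuthzAuditEventProvider
//            and, unless the RM supplied its own event
//            (AUTHZ_RM_AUDIT_USE_GIVEN_EVENT), creates the default
//            AuditEvent_AuthzAccess event and property subset for it.
//
// Arguments: pRmAuditInfo - RM audit info to initialise. dwFlags is read;
//                           hEventSource and, unless
//                           AUTHZ_RM_AUDIT_USE_GIVEN_EVENT is set,
//                           hAuditEvent / hAuditEventPropSubset are
//                           written.
//
// Returns:   NO_ERROR on success, otherwise a Win32 error code from
//            WmiEventSourceConnect (GetLastError) or AzpCreateAuditEvent.
//
// Notes:     The event source handle is stored in
//            pRmAuditInfo->hEventSource as soon as the connect succeeds,
//            so it is reachable on every later path, including the one
//            where AzpCreateAuditEvent fails afterwards. Releasing it is
//            left to the caller's teardown (no disconnect routine is
//            visible in this file).
//
//------------------------------------------------------------------------
DWORD AzpInitRmAuditInfo(
    IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo
    )
{
    DWORD dwError = NO_ERROR;
    HANDLE hEventSource = INVALID_HANDLE_VALUE;

    //
    // connect to the WMI event server
    //
    hEventSource =
        WmiEventSourceConnect( L"root\\default",
                               L"AuthzAuditEventProvider", //kk
                               0, 0, 0, NULL,
                               AuthzEventSourceCallback );
    if (hEventSource == INVALID_HANDLE_VALUE)
    {
        dwError = GetLastError();
        goto Cleanup;
    }

    //
    // hand the connection to the RM audit info right away: it is what
    // AzpInitClientAuditInfo reads (pRmAuditInfo->hEventSource), and a
    // handle kept only in a local would be lost on return.
    //
    pRmAuditInfo->hEventSource = hEventSource;

    //
    // if the RM does not want to provide its own event,
    // create a default one
    //
    if (!FLAG_ON(pRmAuditInfo->dwFlags, AUTHZ_RM_AUDIT_USE_GIVEN_EVENT))
    {
        ASSERT(pRmAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);

        dwError = AzpCreateAuditEvent( hEventSource,
                                       &pRmAuditInfo->hAuditEvent,
                                       &pRmAuditInfo->hAuditEventPropSubset );
        if (dwError != NO_ERROR)
        {
            goto Cleanup;
        }
    }

Cleanup:

    return dwError;
}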
|
|
|
|
//+-----------------------------------------------------------------------
//
// Function:  AzpInitClientAuditInfo
//
// Synopsis:  Initialises the per-client audit info. When the client asks
//            for its own event (AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT) a fresh
//            AuditEvent_AuthzAccess object and property subset are
//            created on the RM's event source; otherwise nothing is done
//            and the RM-level event is used at generation time.
//
// Arguments: pRmAuditInfo     - RM audit info; only hEventSource is read
//            pClientAuditInfo - client audit info; dwFlags is read and
//                               hAuditEvent / hAuditEventPropSubset are
//                               written on the own-event path, so the
//                               parameter is effectively IN OUT
//
// Returns:   NO_ERROR, or the error returned by AzpCreateAuditEvent.
//
// Notes:     The own-event path is marked not-yet-implemented with an
//            ASSERT(FALSE). Where ASSERT compiles out (presumably free
//            builds) the event is still created.
//
//------------------------------------------------------------------------
DWORD AzpInitClientAuditInfo(
    IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
    OUT PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo
    )
{
    //
    // clients that share the RM event need no per-client state
    //
    if (!FLAG_ON( pClientAuditInfo->dwFlags, AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT ))
    {
        return NO_ERROR;
    }

    ASSERT(FALSE); // nyi
    ASSERT(pClientAuditInfo->hAuditEvent == INVALID_HANDLE_VALUE);

    return AzpCreateAuditEvent( pRmAuditInfo->hEventSource,
                                &pClientAuditInfo->hAuditEvent,
                                &pClientAuditInfo->hAuditEventPropSubset );
}
|
|
|
|
//+-----------------------------------------------------------------------
//
// Function:  AzpGenerateAuditEvent
//
// Synopsis:  Fills the AuditEvent_AuthzAccess properties for one access
//            decision and commits the event to WMI.
//
// Arguments: pRmAuditInfo     - RM audit info: fallback event handles and
//                               the RM process SID
//            pClientAuditInfo - client audit info: per-client event
//                               handles (if any) and the client SID
//            pClientContext   - client context; currently unused (the
//                               SID is taken from pClientAuditInfo)
//            pAuditInfo       - per-call audit info: operation / object
//                               strings and an optional caller-supplied
//                               event
//            dwAccessMask     - access mask to record
//
// Returns:   NO_ERROR, or GetLastError() from WmiSetObjectProps /
//            WmiCommitObject.
//
// Notes:     Handle selection order: pAuditInfo's own event (still marked
//            nyi with ASSERT(FALSE)), then the client's own/given event,
//            then the RM event.
//            NOTE(review): the RM event is shared by all clients and the
//            set-props + commit pair is not serialised here (see the
//            critsec TODO at the top of the file); concurrent callers
//            could commit each other's property values, i.e. an audit
//            record attributed to the wrong client. The object was
//            created WMI_CREATEOBJ_LOCKABLE — confirm whether a lock is
//            expected around this sequence.
//            NOTE(review): the SIDs are passed in the order client SID,
//            RM process SID, while the property table names them
//            PrimaryUserSid then ClientUserSid — verify against
//            WmiSetObjectProps that each lands in the intended property.
//
//------------------------------------------------------------------------
DWORD
AzpGenerateAuditEvent(
    IN PAUTHZ_RM_AUDIT_INFO pRmAuditInfo,
    IN PAUTHZ_CLIENT_AUDIT_INFO pClientAuditInfo,
    IN PAUTHZI_CLIENT_CONTEXT pClientContext,
    IN PAUTHZ_AUDIT_INFO pAuditInfo,
    IN DWORD dwAccessMask
    )
{
    HANDLE hEvent = NULL;
    HANDLE hSubset = NULL;

    //
    // pick the event to report on: per-call, then per-client, then RM-wide
    //
    if (pAuditInfo->dwFlags & AUTHZ_AUDIT_USE_GIVEN_EVENT)
    {
        ASSERT(FALSE);
        hEvent = pAuditInfo->hAuditEvent;
        hSubset = pAuditInfo->hAuditEventPropSubset;
    }
    else
    {
        const DWORD dwClientOwnOrGiven = AUTHZ_CLIENT_AUDIT_USE_OWN_EVENT |
                                         AUTHZ_CLIENT_AUDIT_USE_GIVEN_EVENT;
        BOOL fClientEvent = (pClientAuditInfo->dwFlags & dwClientOwnOrGiven) != 0;

        hEvent = fClientEvent ? pClientAuditInfo->hAuditEvent
                              : pRmAuditInfo->hAuditEvent;
        hSubset = fClientEvent ? pClientAuditInfo->hAuditEventPropSubset
                               : pRmAuditInfo->hAuditEventPropSubset;
    }

    ASSERT(hEvent != INVALID_HANDLE_VALUE);
    ASSERT(hSubset != INVALID_HANDLE_VALUE);

    //ASSERT(pClientContext->SidCount);
    //psidPrimaryUser = pClientContext->Sids[0].Sid;

    //
    // client SID and RM process SID are taken from the audit infos
    //
    if (!WmiSetObjectProps( hSubset,
                            pAuditInfo->szOperationType,
                            pAuditInfo->szObjectType,
                            pAuditInfo->szObjectName,
                            pClientAuditInfo->psidClient,
                            pClientAuditInfo->dwClientSidSize,
                            pRmAuditInfo->psidRmProcess,
                            pRmAuditInfo->dwRmProcessSidSize,
                            dwAccessMask ))
    {
        return GetLastError();
    }

    //
    // hand the completed event to WMI
    //
    if (!WmiCommitObject( hEvent ))
    {
        return GetLastError();
    }

    return NO_ERROR;
}
|
|
|
|
|
|
|