windows-xp/Source/XPSP1/NT/net/ipsec/spd/server/audit.c

#include "precomp.h"


#define MAX_AUDIT_BUFFER    4096

#define MAX_MSG_BUFFER      2048

WCHAR gszAuditBuffer[MAX_AUDIT_BUFFER];

WCHAR * gpszAuditBuffer = gszAuditBuffer;

WCHAR gszAuditMsgBuffer[MAX_MSG_BUFFER];

WCHAR * gpszAuditMsgBuffer = gszAuditMsgBuffer;


DWORD
PerformAudit(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    PSID pSid,
    DWORD dwParamCnt,
    LPWSTR * ppszArgArray,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    SE_ADT_PARAMETER_ARRAY * pParArray = NULL;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    DWORD dwStrSize = 0;
    DWORD i = 0;
    DWORD dwAllocSize = 0;
    BYTE * pbyteCurAddr = NULL;
    DWORD dwSidLength = RtlLengthSid(pSid);
    UNICODE_STRING * pusStrArray = NULL;
    WCHAR * pszModuleName = L"IPSec Server";


    //
    // dwCategoryId should be equal to SE_CATEGID_POLICY_CHANGE.
    //

    dwCategoryId = SE_CATEGID_POLICY_CHANGE;

    for (i = 0; i < dwParamCnt; i++) {
        dwStrSize += (wcslen(ppszArgArray[i]) + 1) * sizeof(WCHAR);
    }

    dwStrSize += (wcslen(pszModuleName) + 1) * sizeof(WCHAR);

    dwAllocSize = sizeof(SE_ADT_PARAMETER_ARRAY) +
                  dwParamCnt * sizeof(UNICODE_STRING) + dwStrSize;
    dwAllocSize += PtrAlignSize(dwSidLength);

    if (dwAllocSize > MAX_AUDIT_BUFFER) {
        return (ERROR_BUFFER_OVERFLOW);
    }

    pParArray = (SE_ADT_PARAMETER_ARRAY *) gpszAuditBuffer;

    pParArray->CategoryId = dwCategoryId;
    pParArray->AuditId = dwAuditId;
    pParArray->ParameterCount = dwParamCnt + 2;
    pParArray->Length = dwAllocSize;
    pParArray->Flags = 0;

    if (bSuccess) {
        pParArray->Type = EVENTLOG_AUDIT_SUCCESS;
    }
    else {
        pParArray->Type = EVENTLOG_AUDIT_FAILURE;
    }

    pbyteCurAddr = (BYTE *) (pParArray + 1);

    pParArray->Parameters[0].Type = SeAdtParmTypeSid;
    pParArray->Parameters[0].Length = dwSidLength;
    pParArray->Parameters[0].Data[0] = 0;
    pParArray->Parameters[0].Data[1] = 0;
    pParArray->Parameters[0].Address = pSid;

    memcpy((BYTE *) pbyteCurAddr, (BYTE *) pSid, dwSidLength);

    pbyteCurAddr = (BYTE *) pbyteCurAddr + PtrAlignSize(dwSidLength);

    pusStrArray = (UNICODE_STRING *) pbyteCurAddr;

    pusStrArray[0].Length = wcslen(pszModuleName) * sizeof(WCHAR);
    pusStrArray[0].MaximumLength = pusStrArray[0].Length + sizeof(WCHAR);
    pusStrArray[0].Buffer = (LPWSTR) pszModuleName;

    pParArray->Parameters[1].Type = SeAdtParmTypeString;
    pParArray->Parameters[1].Length = sizeof(UNICODE_STRING) +
                                      pusStrArray[0].MaximumLength;
    pParArray->Parameters[1].Data[0] = 0;
    pParArray->Parameters[1].Data[1] = 0;
    pParArray->Parameters[1].Address = (PVOID) &pusStrArray[0];

    for (i = 0; i < dwParamCnt; i++) {

        pusStrArray[i+1].Length = wcslen(ppszArgArray[i]) * sizeof(WCHAR);
        pusStrArray[i+1].MaximumLength = pusStrArray[i+1].Length + sizeof(WCHAR);
        pusStrArray[i+1].Buffer = (LPWSTR) ppszArgArray[i];

        pParArray->Parameters[i+2].Type = SeAdtParmTypeString;
        pParArray->Parameters[i+2].Length = sizeof(UNICODE_STRING) +
                                            pusStrArray[i+1].MaximumLength;
        pParArray->Parameters[i+2].Data[0] = 0;
        pParArray->Parameters[i+2].Data[1] = 0;
        pParArray->Parameters[i+2].Address = (PVOID) &pusStrArray[i+1];

    }

    if (bDoAudit) {
        ntStatus = LsaIWriteAuditEvent(pParArray, 0);
    }

    return (ERROR_SUCCESS);
}


VOID
AuditEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR * ppszArguments,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    DWORD dwError = 0;
    LPWSTR pszArgArray[3];
    DWORD dwParamCnt = 0;


    EnterCriticalSection(&gcSPDAuditSection);

    dwError = FormatMessage(
                  FORMAT_MESSAGE_FROM_HMODULE |
                  FORMAT_MESSAGE_ARGUMENT_ARRAY,
                  ghIpsecServerModule,
                  dwStrId,
                  LANG_NEUTRAL,
                  gpszAuditMsgBuffer,
                  MAX_MSG_BUFFER,
                  (va_list *) ppszArguments
                  );
    if (dwError == 0) {
        wsprintf(
            gpszAuditMsgBuffer,
            L"IPSec Services encountered an error while auditing event ID 0x%x",
            dwStrId
            );
    }

    gpszAuditMsgBuffer[MAX_MSG_BUFFER - 1] = 0;

    if (dwError != 0) {

       switch (dwAuditId) {

       case SE_AUDITID_IPSEC_POLICY_CHANGED:
           dwParamCnt = 1;
           pszArgArray[0] = (LPWSTR) gpszAuditMsgBuffer;
           break;

       default:
           LeaveCriticalSection(&gcSPDAuditSection);
           return;

       }

       (VOID) PerformAudit(
                  dwCategoryId,
                  dwAuditId,
                  gpIpsecServerSid,
                  dwParamCnt,
                  (LPWSTR *) pszArgArray,
                  bSuccess,
                  bDoAudit
                  );

    }

    LeaveCriticalSection(&gcSPDAuditSection);
    return;
}


VOID
AuditOneArgErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    DWORD dwError = 0;
    LPVOID lpvMsgBuf = NULL;
    WCHAR szAuditLocalMsgBuffer[MAX_PATH];
    WCHAR * pszAuditLocalMsgBuffer = szAuditLocalMsgBuffer;


    szAuditLocalMsgBuffer[0] = L'\0';

    dwError = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvMsgBuf,
                  0,
                  NULL
                  );
    if (!dwError) {
        wsprintf(
            pszAuditLocalMsgBuffer,
            L"0x%x",
            dwErrorCode
            );
        AuditEvent(
            dwCategoryId,
            dwAuditId,
            dwStrId,
            (LPWSTR *) &pszAuditLocalMsgBuffer,
            bSuccess,
            bDoAudit
            );
        return;
    }

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        (LPWSTR *) &lpvMsgBuf,
        bSuccess,
        bDoAudit
        );

    if (lpvMsgBuf) {
        LocalFree(lpvMsgBuf);
    }

    return;
}


VOID
AuditIPSecPolicyEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    WCHAR szAuditLocalMsgBuffer[MAX_PATH];
    WCHAR * pszAuditLocalMsgBuffer = szAuditLocalMsgBuffer;


    szAuditLocalMsgBuffer[0] = L'\0';

    wsprintf(pszAuditLocalMsgBuffer, L"%s", pszPolicyName);

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        (LPWSTR *) &pszAuditLocalMsgBuffer,
        bSuccess,
        bDoAudit
        );

    return;
}


VOID
AuditIPSecPolicyErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
{
    DWORD dwError = 0;
    WCHAR szAuditPolicyMsgBuffer[MAX_PATH];
    WCHAR * pszAuditPolicyMsgBuffer = szAuditPolicyMsgBuffer;
    WCHAR szAuditErrorMsgBuffer[MAX_PATH];
    WCHAR * pszAuditErrorMsgBuffer = szAuditErrorMsgBuffer;
    LPWSTR pszArgArray[2];
    LPWSTR * ppszArgArray = pszArgArray;
    LPVOID lpvMsgBuf = NULL;


    szAuditPolicyMsgBuffer[0] = L'\0';
    szAuditErrorMsgBuffer[0] = L'\0';

    wsprintf(pszAuditPolicyMsgBuffer, L"%s", pszPolicyName);

    dwError = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvMsgBuf,
                  0,
                  NULL
                  );
    if (!dwError) {
        wsprintf(
            pszAuditErrorMsgBuffer,
            L"0x%x",
            dwErrorCode
            );
        pszArgArray[0] = pszAuditPolicyMsgBuffer;
        pszArgArray[1] = pszAuditErrorMsgBuffer;
        AuditEvent(
            dwCategoryId,
            dwAuditId,
            dwStrId,
            (LPWSTR *) ppszArgArray,
            bSuccess,
            bDoAudit
            );
        return;
    }

    pszArgArray[0] = pszAuditPolicyMsgBuffer;
    pszArgArray[1] = (LPWSTR) lpvMsgBuf;
    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        (LPWSTR *) ppszArgArray,
        bSuccess,
        bDoAudit
        );

    if (lpvMsgBuf) {
        LocalFree(lpvMsgBuf);
    }

    return;
}