summaryrefslogtreecommitdiffstats
path: root/private/ntos/se/adtinit.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--private/ntos/se/adtinit.c422
1 files changed, 422 insertions, 0 deletions
diff --git a/private/ntos/se/adtinit.c b/private/ntos/se/adtinit.c
new file mode 100644
index 000000000..21cb34fe2
--- /dev/null
+++ b/private/ntos/se/adtinit.c
@@ -0,0 +1,422 @@
+/*++
+
+Copyright (c) 1991 Microsoft Corporation
+
+Module Name:
+
+ adtinit.c
+
+Abstract:
+
+ Auditing - Initialization Routines
+
+Author:
+
+ Scott Birrell (ScottBi) November 12, 1991
+
+Environment:
+
+ Kernel Mode only
+
+Revision History:
+
+--*/
+
+
+#include <nt.h>
+#include "sep.h"
+#include "adt.h"
+#include "adtp.h"
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE,SepAdtInitializePhase1)
+#pragma alloc_text(PAGE,SepAdtInitializeBounds)
+#pragma alloc_text(PAGE,SepAdtValidateAuditBounds)
+#endif
+
+
+
+BOOLEAN
+SepAdtValidateAuditBounds(
+ ULONG Upper,
+ ULONG Lower
+ )
+
+/*++
+
+Routine Description:
+
+ Examines the audit queue high and low water mark values and performs
+ a general sanity check on them.
+
+Arguments:
+
+ Upper - High water mark.
+
+ Lower - Low water mark.
+
+Return Value:
+
+ TRUE - values are acceptable.
+
+ FALSE - values are unacceptable.
+
+
+--*/
+
+{
+ PAGED_CODE();
+
+ if ( Lower >= Upper ) {
+ return( FALSE );
+ }
+
+ if ( Lower < 16 ) {
+ return( FALSE );
+ }
+
+ if ( (Upper - Lower) < 16 ) {
+ return( FALSE );
+ }
+
+ return( TRUE );
+}
+
+BOOLEAN
+SepAdtInitializePhase1()
+
+/*++
+
+Routine Description:
+
+ This function performs Phase 1 Initialization for the Auditing subcomponent
+ of Security. Global variables are initialized within the Nt Executive
+ and Auditing is turned off.
+
+Arguments:
+
+ None
+
+Return Value:
+
+ BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
+
+--*/
+
+{
+ PAGED_CODE();
+
+ RtlInitUnicodeString( &SeSubsystemName, L"Security" );
+
+ return( TRUE );
+}
+
+
+
+
+VOID
+SepAdtInitializeBounds(
+ VOID
+ )
+
+/*++
+
+Routine Description:
+
+ Queries the registry for the high and low water mark values for the
+ audit log. If they are not found or are unacceptable, returns without
+ modifying the current values, which are statically initialized.
+
+Arguments:
+
+ None.
+
+Return Value:
+
+ None.
+
+--*/
+
+{
+
+ HANDLE KeyHandle;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ UNICODE_STRING KeyName;
+ UNICODE_STRING ValueName;
+ NTSTATUS Status;
+ PSEP_AUDIT_BOUNDS AuditBounds;
+ PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
+ ULONG Length;
+
+ PAGED_CODE();
+
+ //
+ // Get the high and low water marks out of the registry.
+ //
+
+ RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
+
+ InitializeObjectAttributes(
+ &ObjectAttributes,
+ &KeyName,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL
+ );
+
+ Status = NtOpenKey(
+ &KeyHandle,
+ KEY_QUERY_VALUE,
+ &ObjectAttributes
+ );
+
+ if (!NT_SUCCESS( Status )) {
+
+ //
+ // Didn't work, take the defaults
+ //
+
+ return;
+ }
+
+ RtlInitUnicodeString( &ValueName, L"Bounds");
+
+ Length = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) - sizeof( UCHAR ) + sizeof( SEP_AUDIT_BOUNDS );
+
+ KeyValueInformation = ExAllocatePool( PagedPool, Length );
+
+ if ( KeyValueInformation == NULL ) {
+
+ NtClose( KeyHandle );
+ return;
+ }
+
+ Status = NtQueryValueKey(
+ KeyHandle,
+ &ValueName,
+ KeyValuePartialInformation,
+ (PVOID)KeyValueInformation,
+ Length,
+ &Length
+ );
+
+ NtClose( KeyHandle );
+
+ if (!NT_SUCCESS( Status )) {
+
+ ExFreePool( KeyValueInformation );
+ return;
+ }
+
+
+ AuditBounds = (PSEP_AUDIT_BOUNDS) &KeyValueInformation->Data;
+
+ //
+ // Sanity check what we got back
+ //
+
+ if(!SepAdtValidateAuditBounds( AuditBounds->UpperBound, AuditBounds->LowerBound )) {
+
+ //
+ // The values we got back are not to our liking. Use the defaults.
+ //
+
+ ExFreePool( KeyValueInformation );
+ return;
+ }
+
+ //
+ // Take what we got from the registry.
+ //
+
+ SepAdtMaxListLength = AuditBounds->UpperBound;
+ SepAdtMinListLength = AuditBounds->LowerBound;
+
+ ExFreePool( KeyValueInformation );
+
+ return;
+}
+
+
+
+NTSTATUS
+SepAdtInitializeCrashOnFail(
+ VOID
+ )
+
+/*++
+
+Routine Description:
+
+ Reads the registry to see if the user has told us to crash if an audit fails.
+
+Arguments:
+
+ None.
+
+Return Value:
+
+ STATUS_SUCCESS
+
+--*/
+
+{
+ HANDLE KeyHandle;
+ NTSTATUS Status;
+ NTSTATUS TmpStatus;
+ OBJECT_ATTRIBUTES Obja;
+ ULONG ResultLength;
+ UNICODE_STRING KeyName;
+ UNICODE_STRING ValueName;
+ CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
+ PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+
+ SepCrashOnAuditFail = FALSE;
+
+ //
+ // Check the value of the CrashOnAudit flag in the registry.
+ //
+
+ RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
+
+ InitializeObjectAttributes( &Obja,
+ &KeyName,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL
+ );
+
+ Status = NtOpenKey(
+ &KeyHandle,
+ KEY_QUERY_VALUE | KEY_SET_VALUE,
+ &Obja
+ );
+
+ if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
+ return( STATUS_SUCCESS );
+ }
+
+ RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE );
+
+ Status = NtQueryValueKey(
+ KeyHandle,
+ &ValueName,
+ KeyValuePartialInformation,
+ KeyInfo,
+ sizeof(KeyInfo),
+ &ResultLength
+ );
+
+ TmpStatus = NtClose(KeyHandle);
+ ASSERT(NT_SUCCESS(TmpStatus));
+
+ //
+ // If the key isn't there, don't turn on CrashOnFail.
+ //
+
+ if (NT_SUCCESS( Status )) {
+
+ pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
+ if ((UCHAR) *(pKeyInfo->Data) == LSAP_CRASH_ON_AUDIT_FAIL) {
+ SepCrashOnAuditFail = TRUE;
+ }
+ }
+
+ return( STATUS_SUCCESS );
+}
+
+
+BOOLEAN
+SepAdtInitializePrivilegeAuditing(
+ VOID
+ )
+
+/*++
+
+Routine Description:
+
+ Checks to see if there is an entry in the registry telling us to do full privilege auditing
+ (which currently means audit everything we normall audit, plus backup and restore privileges).
+
+Arguments:
+
+ None
+
+Return Value:
+
+ BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
+
+--*/
+
+{
+ HANDLE KeyHandle;
+ NTSTATUS Status;
+ NTSTATUS TmpStatus;
+ OBJECT_ATTRIBUTES Obja;
+ ULONG ResultLength;
+ UNICODE_STRING KeyName;
+ UNICODE_STRING ValueName;
+ CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
+ PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+ BOOLEAN Verbose;
+
+ PAGED_CODE();
+
+ //
+ // Query the registry to set up the privilege auditing filter.
+ //
+
+ RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
+
+ InitializeObjectAttributes( &Obja,
+ &KeyName,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL
+ );
+
+ Status = NtOpenKey(
+ &KeyHandle,
+ KEY_QUERY_VALUE | KEY_SET_VALUE,
+ &Obja
+ );
+
+
+ if (!NT_SUCCESS( Status )) {
+
+ if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
+
+ return ( SepInitializePrivilegeFilter( FALSE ));
+
+ } else {
+
+ return( FALSE );
+ }
+ }
+
+ RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING );
+
+ Status = NtQueryValueKey(
+ KeyHandle,
+ &ValueName,
+ KeyValuePartialInformation,
+ KeyInfo,
+ sizeof(KeyInfo),
+ &ResultLength
+ );
+
+ TmpStatus = NtClose(KeyHandle);
+ ASSERT(NT_SUCCESS(TmpStatus));
+
+ if (!NT_SUCCESS( Status )) {
+
+ Verbose = FALSE;
+
+ } else {
+
+ pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
+ Verbose = (BOOLEAN) *(pKeyInfo->Data);
+ }
+
+ return ( SepInitializePrivilegeFilter( Verbose ));
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-24 21:58:29 +0200