diff options
Diffstat (limited to 'private/ntos/se/rmaudit.c')
-rw-r--r-- | private/ntos/se/rmaudit.c | 221 |
1 files changed, 221 insertions, 0 deletions
diff --git a/private/ntos/se/rmaudit.c b/private/ntos/se/rmaudit.c new file mode 100644 index 000000000..5d0accf52 --- /dev/null +++ b/private/ntos/se/rmaudit.c @@ -0,0 +1,221 @@ +/*++ + +Copyright (c) 1989 Microsoft Corporation + +Module Name: + + rmaudit.c + +Abstract: + + This module contains the Reference Monitor Auditing Command Workers. + These workers call functions in the Auditing sub-component to do the real + work. + +Author: + + Scott Birrell (ScottBi) November 14,1991 + +Environment: + + Kernel mode only. + +Revision History: + +--*/ + +#include <nt.h> +#include <ntlsa.h> +#include <ntos.h> +#include <ntrmlsa.h> +#include "sep.h" +#include "adt.h" +#include "adtp.h" +#include "rmp.h" + +VOID +SepRmSetAuditLogWrkr( + IN PRM_COMMAND_MESSAGE CommandMessage, + OUT PRM_REPLY_MESSAGE ReplyMessage + ); + + +#ifdef ALLOC_PRAGMA +#pragma alloc_text(PAGE,SepRmSetAuditEventWrkr) +#pragma alloc_text(PAGE,SepRmSetAuditLogWrkr) +#endif + + + +VOID +SepRmSetAuditEventWrkr( + IN PRM_COMMAND_MESSAGE CommandMessage, + OUT PRM_REPLY_MESSAGE ReplyMessage + ) + +/*++ + +Routine Description: + + This function carries out the Reference Monitor Set Audit Event + Command. This command enables or disables auditing and optionally + sets the auditing events. + + +Arguments: + + CommandMessage - Pointer to structure containing RM command message + information consisting of an LPC PORT_MESSAGE structure followed + by the command number (RmSetAuditStateCommand) and a single command + parameter in structure form. + + ReplyMessage - Pointer to structure containing RM reply message + information consisting of an LPC PORT_MESSAGE structure followed + by the command ReturnedStatus field in which a status code from the + command will be returned. + +Return Value: + + VOID + +--*/ + +{ + + PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; + POLICY_AUDIT_EVENT_TYPE EventType; + + PAGED_CODE(); + + SepAdtInitializeBounds(); + + ReplyMessage->ReturnedStatus = STATUS_SUCCESS; + + // + // Strict check that command is correct one for this worker. + // + + ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand ); + + // + // Extract the AuditingMode flag and put it in the right place. + // + + SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)-> + AuditingMode); + + // + // For each element in the passed array, process changes to audit + // nothing, and then success or failure flags. + // + + EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)-> + EventAuditingOptions; + + + for ( EventType=AuditEventMinType; + EventType <= AuditEventMaxType; + EventType++ ) { + + SeAuditingState[EventType].AuditOnSuccess = FALSE; + SeAuditingState[EventType].AuditOnFailure = FALSE; + + if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) { + + SeAuditingState[EventType].AuditOnSuccess = TRUE; + } + + if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) { + + SeAuditingState[EventType].AuditOnFailure = TRUE; + } + } + + // + // Set the flag to indicate that we're auditing detailed events. + // This is merely a timesaver so we can skip auditing setup in + // time critical places like process creation. + // + + // + // Despite what the UI may imply, we never audit failures for detailed events, since + // none of them can fail for security related reasons, and we're not interested in + // auditing out of memory errors and stuff like that. So just set this flag when + // they want to see successes and ignore the failure case. + // + // We may have to revisit this someday. + // + + if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) { + + SeDetailedAuditing = TRUE; + + } else { + + SeDetailedAuditing = FALSE; + } + + return; +} + + + +VOID +SepRmSetAuditLogWrkr( + IN PRM_COMMAND_MESSAGE CommandMessage, + OUT PRM_REPLY_MESSAGE ReplyMessage + ) + +/*++ + +Routine Description: + + This function carries out the Reference Monitor Set Audit Log + Command. This command stores parameters related to the Audit Log. + +Arguments: + + CommandMessage - Pointer to structure containing RM command message + information consisting of an LPC PORT_MESSAGE structure followed + by the command number (RmSetAuditStateCommand) and a single command + parameter in structure form. + + ReplyMessage - Pointer to structure containing RM reply message + information consisting of an LPC PORT_MESSAGE structure followed + by the command ReturnedStatus field in which a status code from the + command will be returned. + +Return Value: + + None. A status code is returned in ReplyMessage->ReturnedStatus + +--*/ + +{ + // + // Strict check that command is correct one for this worker. + // + +/* BUGWARNING - SCOTTBI - Auditing is disabled + + ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand ); + +*/ + + PAGED_CODE(); + +#if DBG + DbgPrint("Security: RM Set Audit Log Command Received\n"); +#endif + + // + // Call private function in Auditing Sub-component to do the work. + // + + SepAdtSetAuditLogInformation( + (PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams + ); + + ReplyMessage->ReturnedStatus = STATUS_SUCCESS; +} + |