Diffstat (limited to 'private/ntos/se/rmaudit.c')
-rw-r--r--private/ntos/se/rmaudit.c221
1 files changed, 221 insertions, 0 deletions
diff --git a/private/ntos/se/rmaudit.c b/private/ntos/se/rmaudit.c
new file mode 100644
index 000000000..5d0accf52
--- /dev/null
+++ b/private/ntos/se/rmaudit.c
@@ -0,0 +1,221 @@
+/*++
+
+Copyright (c) 1989 Microsoft Corporation
+
+Module Name:
+
+ rmaudit.c
+
+Abstract:
+
+ This module contains the Reference Monitor Auditing Command Workers.
+ These workers call functions in the Auditing sub-component to do the real
+ work.
+
+Author:
+
+ Scott Birrell (ScottBi) November 14,1991
+
+Environment:
+
+ Kernel mode only.
+
+Revision History:
+
+--*/
+
+#include <nt.h>
+#include <ntlsa.h>
+#include <ntos.h>
+#include <ntrmlsa.h>
+#include "sep.h"
+#include "adt.h"
+#include "adtp.h"
+#include "rmp.h"
+
+VOID
+SepRmSetAuditLogWrkr(
+ IN PRM_COMMAND_MESSAGE CommandMessage,
+ OUT PRM_REPLY_MESSAGE ReplyMessage
+ );
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE,SepRmSetAuditEventWrkr)
+#pragma alloc_text(PAGE,SepRmSetAuditLogWrkr)
+#endif
+
+
+
+VOID
+SepRmSetAuditEventWrkr(
+ IN PRM_COMMAND_MESSAGE CommandMessage,
+ OUT PRM_REPLY_MESSAGE ReplyMessage
+ )
+
+/*++
+
+Routine Description:
+
+ This function carries out the Reference Monitor Set Audit Event
+ Command. This command enables or disables auditing and optionally
+ sets the auditing events.
+
+
+Arguments:
+
+ CommandMessage - Pointer to structure containing RM command message
+ information consisting of an LPC PORT_MESSAGE structure followed
+ by the command number (RmSetAuditStateCommand) and a single command
+ parameter in structure form.
+
+ ReplyMessage - Pointer to structure containing RM reply message
+ information consisting of an LPC PORT_MESSAGE structure followed
+ by the command ReturnedStatus field in which a status code from the
+ command will be returned.
+
+Return Value:
+
+ VOID
+
+--*/
+
+{
+
+ PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
+ POLICY_AUDIT_EVENT_TYPE EventType;
+
+ PAGED_CODE();
+
+ SepAdtInitializeBounds();
+
+ ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
+
+ //
+ // Strict check that command is correct one for this worker.
+ //
+
+ ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand );
+
+ //
+ // Extract the AuditingMode flag and put it in the right place.
+ //
+
+ SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
+ AuditingMode);
+
+ //
+ // For each element in the passed array, process changes to audit
+ // nothing, and then success or failure flags.
+ //
+
+ EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
+ EventAuditingOptions;
+
+
+ for ( EventType=AuditEventMinType;
+ EventType <= AuditEventMaxType;
+ EventType++ ) {
+
+ SeAuditingState[EventType].AuditOnSuccess = FALSE;
+ SeAuditingState[EventType].AuditOnFailure = FALSE;
+
+ if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) {
+
+ SeAuditingState[EventType].AuditOnSuccess = TRUE;
+ }
+
+ if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) {
+
+ SeAuditingState[EventType].AuditOnFailure = TRUE;
+ }
+ }
+
+ //
+ // Set the flag to indicate that we're auditing detailed events.
+ // This is merely a timesaver so we can skip auditing setup in
+ // time critical places like process creation.
+ //
+
+ //
+ // Despite what the UI may imply, we never audit failures for detailed events, since
+ // none of them can fail for security related reasons, and we're not interested in
+ // auditing out of memory errors and stuff like that. So just set this flag when
+ // they want to see successes and ignore the failure case.
+ //
+ // We may have to revisit this someday.
+ //
+
+ if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) {
+
+ SeDetailedAuditing = TRUE;
+
+ } else {
+
+ SeDetailedAuditing = FALSE;
+ }
+
+ return;
+}
+
+
+
+VOID
+SepRmSetAuditLogWrkr(
+ IN PRM_COMMAND_MESSAGE CommandMessage,
+ OUT PRM_REPLY_MESSAGE ReplyMessage
+ )
+
+/*++
+
+Routine Description:
+
+ This function carries out the Reference Monitor Set Audit Log
+ Command. This command stores parameters related to the Audit Log.
+
+Arguments:
+
+ CommandMessage - Pointer to structure containing RM command message
+ information consisting of an LPC PORT_MESSAGE structure followed
+ by the command number (RmSetAuditStateCommand) and a single command
+ parameter in structure form.
+
+ ReplyMessage - Pointer to structure containing RM reply message
+ information consisting of an LPC PORT_MESSAGE structure followed
+ by the command ReturnedStatus field in which a status code from the
+ command will be returned.
+
+Return Value:
+
+ None. A status code is returned in ReplyMessage->ReturnedStatus
+
+--*/
+
+{
+ //
+ // Strict check that command is correct one for this worker.
+ //
+
+/* BUGWARNING - SCOTTBI - Auditing is disabled
+
+ ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand );
+
+*/
+
+ PAGED_CODE();
+
+#if DBG
+ DbgPrint("Security: RM Set Audit Log Command Received\n");
+#endif
+
+ //
+ // Call private function in Auditing Sub-component to do the work.
+ //
+
+ SepAdtSetAuditLogInformation(
+ (PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams
+ );
+
+ ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
+}
+
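Review bot: In SepRmSetAuditLogWrkr the only check that the dispatched command is the one this worker expects has been commented out under a "BUGWARNING - Auditing is disabled" note, yet the body still calls SepAdtSetAuditLogInformation unconditionally on whatever CommandParams arrived, so the worker now has no guard at all even in checked builds; restore `ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand );` or replace the stale note with one saying why the check is unsafe to keep. Note that ASSERT is a checked-build aid only, so in a free build both workers rely entirely on the caller's dispatch table to route the right command here; if CommandParams can ever come from a less trusted port client than LSA (not visible in this hunk), a real runtime check and a length check on the message would be needed before indexing `EventAuditingOptions[EventType]` up to AuditEventMaxType. The routine descriptions of both workers say the command number is `RmSetAuditStateCommand`, while the code checks `RmAuditSetCommand` and `RmSetAuditLogCommand`; the comments should name the constant the code actually compares against. The comment above the SeDetailedAuditing assignment admits the failure bit from the UI is silently ignored for detailed tracking; consider stating that contract in the routine description so policy authors are not misled by the accepted-but-unused flag.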