blob: 5d0accf523a57af122a1081e4151c4e85140f090 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
rmaudit.c
Abstract:
This module contains the Reference Monitor Auditing Command Workers.
These workers call functions in the Auditing sub-component to do the real
work.
Author:
Scott Birrell (ScottBi) November 14,1991
Environment:
Kernel mode only.
Revision History:
--*/
#include <nt.h>
#include <ntlsa.h>
#include <ntos.h>
#include <ntrmlsa.h>
#include "sep.h"
#include "adt.h"
#include "adtp.h"
#include "rmp.h"
VOID
SepRmSetAuditLogWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,SepRmSetAuditEventWrkr)
#pragma alloc_text(PAGE,SepRmSetAuditLogWrkr)
#endif
�
VOID
SepRmSetAuditEventWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
)
/*++
Routine Description:
This function carries out the Reference Monitor Set Audit Event
Command. This command enables or disables auditing and optionally
sets the auditing events.
Arguments:
CommandMessage - Pointer to structure containing RM command message
information consisting of an LPC PORT_MESSAGE structure followed
by the command number (RmSetAuditStateCommand) and a single command
parameter in structure form.
ReplyMessage - Pointer to structure containing RM reply message
information consisting of an LPC PORT_MESSAGE structure followed
by the command ReturnedStatus field in which a status code from the
command will be returned.
Return Value:
VOID
--*/
{
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
POLICY_AUDIT_EVENT_TYPE EventType;
PAGED_CODE();
SepAdtInitializeBounds();
ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
//
// Strict check that command is correct one for this worker.
//
ASSERT( CommandMessage->CommandNumber == RmAuditSetCommand );
//
// Extract the AuditingMode flag and put it in the right place.
//
SepAdtAuditingEnabled = (((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
AuditingMode);
//
// For each element in the passed array, process changes to audit
// nothing, and then success or failure flags.
//
EventAuditingOptions = ((PLSARM_POLICY_AUDIT_EVENTS_INFO) CommandMessage->CommandParams)->
EventAuditingOptions;
for ( EventType=AuditEventMinType;
EventType <= AuditEventMaxType;
EventType++ ) {
SeAuditingState[EventType].AuditOnSuccess = FALSE;
SeAuditingState[EventType].AuditOnFailure = FALSE;
if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_SUCCESS ) {
SeAuditingState[EventType].AuditOnSuccess = TRUE;
}
if ( EventAuditingOptions[EventType] & POLICY_AUDIT_EVENT_FAILURE ) {
SeAuditingState[EventType].AuditOnFailure = TRUE;
}
}
//
// Set the flag to indicate that we're auditing detailed events.
// This is merely a timesaver so we can skip auditing setup in
// time critical places like process creation.
//
//
// Despite what the UI may imply, we never audit failures for detailed events, since
// none of them can fail for security related reasons, and we're not interested in
// auditing out of memory errors and stuff like that. So just set this flag when
// they want to see successes and ignore the failure case.
//
// We may have to revisit this someday.
//
if ( SeAuditingState[AuditCategoryDetailedTracking].AuditOnSuccess && SepAdtAuditingEnabled ) {
SeDetailedAuditing = TRUE;
} else {
SeDetailedAuditing = FALSE;
}
return;
}
VOID
SepRmSetAuditLogWrkr(
IN PRM_COMMAND_MESSAGE CommandMessage,
OUT PRM_REPLY_MESSAGE ReplyMessage
)
/*++
Routine Description:
This function carries out the Reference Monitor Set Audit Log
Command. This command stores parameters related to the Audit Log.
Arguments:
CommandMessage - Pointer to structure containing RM command message
information consisting of an LPC PORT_MESSAGE structure followed
by the command number (RmSetAuditStateCommand) and a single command
parameter in structure form.
ReplyMessage - Pointer to structure containing RM reply message
information consisting of an LPC PORT_MESSAGE structure followed
by the command ReturnedStatus field in which a status code from the
command will be returned.
Return Value:
None. A status code is returned in ReplyMessage->ReturnedStatus
--*/
{
//
// Strict check that command is correct one for this worker.
//
/* BUGWARNING - SCOTTBI - Auditing is disabled
ASSERT( CommandMessage->CommandNumber == RmSetAuditLogCommand );
*/
PAGED_CODE();
#if DBG
DbgPrint("Security: RM Set Audit Log Command Received\n");
#endif
//
// Call private function in Auditing Sub-component to do the work.
//
SepAdtSetAuditLogInformation(
(PPOLICY_AUDIT_LOG_INFO) CommandMessage->CommandParams
);
ReplyMessage->ReturnedStatus = STATUS_SUCCESS;
}
|
