windows-nt/Source/XPSP1/NT/base/ntos/se/adtinit.c

479 lines
9.3 KiB
C
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
adtinit.c
Abstract:
Auditing - Initialization Routines
Author:
Scott Birrell (ScottBi) November 12, 1991
Environment:
Kernel Mode only
Revision History:
--*/
#include "pch.h"
#pragma hdrstop
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,SepAdtValidateAuditBounds)
#pragma alloc_text(PAGE,SepAdtInitializeBounds)
#pragma alloc_text(INIT,SepAdtInitializeCrashOnFail)
#pragma alloc_text(INIT,SepAdtInitializePrivilegeAuditing)
#pragma alloc_text(INIT,SepAdtInitializeAuditingOptions)
#endif
BOOLEAN
SepAdtValidateAuditBounds(
ULONG Upper,
ULONG Lower
)
/*++
Routine Description:
Examines the audit queue high and low water mark values and performs
a general sanity check on them.
Arguments:
Upper - High water mark.
Lower - Low water mark.
Return Value:
TRUE - values are acceptable.
FALSE - values are unacceptable.
--*/
{
PAGED_CODE();
if ( Lower >= Upper ) {
return( FALSE );
}
if ( Lower < 16 ) {
return( FALSE );
}
if ( (Upper - Lower) < 16 ) {
return( FALSE );
}
return( TRUE );
}
VOID
SepAdtInitializeBounds(
VOID
)
/*++
Routine Description:
Queries the registry for the high and low water mark values for the
audit log. If they are not found or are unacceptable, returns without
modifying the current values, which are statically initialized.
Arguments:
None.
Return Value:
None.
--*/
{
HANDLE KeyHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING KeyName;
UNICODE_STRING ValueName;
NTSTATUS Status;
PSEP_AUDIT_BOUNDS AuditBounds;
PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
ULONG Length;
PAGED_CODE();
//
// Get the high and low water marks out of the registry.
//
RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
InitializeObjectAttributes(
&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
Status = NtOpenKey(
&KeyHandle,
KEY_QUERY_VALUE,
&ObjectAttributes
);
if (!NT_SUCCESS( Status )) {
//
// Didn't work, take the defaults
//
return;
}
RtlInitUnicodeString( &ValueName, L"Bounds");
Length = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) - sizeof( UCHAR ) + sizeof( SEP_AUDIT_BOUNDS );
KeyValueInformation = ExAllocatePool( PagedPool, Length );
if ( KeyValueInformation == NULL ) {
NtClose( KeyHandle );
return;
}
Status = NtQueryValueKey(
KeyHandle,
&ValueName,
KeyValuePartialInformation,
(PVOID)KeyValueInformation,
Length,
&Length
);
NtClose( KeyHandle );
if (!NT_SUCCESS( Status )) {
ExFreePool( KeyValueInformation );
return;
}
AuditBounds = (PSEP_AUDIT_BOUNDS) &KeyValueInformation->Data;
//
// Sanity check what we got back
//
if(!SepAdtValidateAuditBounds( AuditBounds->UpperBound, AuditBounds->LowerBound )) {
//
// The values we got back are not to our liking. Use the defaults.
//
ExFreePool( KeyValueInformation );
return;
}
//
// Take what we got from the registry.
//
SepAdtMaxListLength = AuditBounds->UpperBound;
SepAdtMinListLength = AuditBounds->LowerBound;
ExFreePool( KeyValueInformation );
return;
}
NTSTATUS
SepAdtInitializeCrashOnFail(
VOID
)
/*++
Routine Description:
Reads the registry to see if the user has told us to crash if an audit fails.
Arguments:
None.
Return Value:
STATUS_SUCCESS
--*/
{
HANDLE KeyHandle;
NTSTATUS Status;
NTSTATUS TmpStatus;
OBJECT_ATTRIBUTES Obja;
ULONG ResultLength;
UNICODE_STRING KeyName;
UNICODE_STRING ValueName;
CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
PAGED_CODE();
SepCrashOnAuditFail = FALSE;
//
// Check the value of the CrashOnAudit flag in the registry.
//
RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
InitializeObjectAttributes( &Obja,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
Status = NtOpenKey(
&KeyHandle,
KEY_QUERY_VALUE | KEY_SET_VALUE,
&Obja
);
if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
return( STATUS_SUCCESS );
}
RtlInitUnicodeString( &ValueName, CRASH_ON_AUDIT_FAIL_VALUE );
Status = NtQueryValueKey(
KeyHandle,
&ValueName,
KeyValuePartialInformation,
KeyInfo,
sizeof(KeyInfo),
&ResultLength
);
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
//
// If the key isn't there, don't turn on CrashOnFail.
//
if (NT_SUCCESS( Status )) {
pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
if ((UCHAR) *(pKeyInfo->Data) == LSAP_CRASH_ON_AUDIT_FAIL) {
SepCrashOnAuditFail = TRUE;
}
}
return( STATUS_SUCCESS );
}
BOOLEAN
SepAdtInitializePrivilegeAuditing(
VOID
)
/*++
Routine Description:
Checks to see if there is an entry in the registry telling us to do full privilege auditing
(which currently means audit everything we normall audit, plus backup and restore privileges).
Arguments:
None
Return Value:
BOOLEAN - TRUE if Auditing has been initialized correctly, else FALSE.
--*/
{
HANDLE KeyHandle;
NTSTATUS Status;
NTSTATUS TmpStatus;
OBJECT_ATTRIBUTES Obja;
ULONG ResultLength;
UNICODE_STRING KeyName;
UNICODE_STRING ValueName;
CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
BOOLEAN Verbose;
PAGED_CODE();
//
// Query the registry to set up the privilege auditing filter.
//
RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa");
InitializeObjectAttributes( &Obja,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
Status = NtOpenKey(
&KeyHandle,
KEY_QUERY_VALUE | KEY_SET_VALUE,
&Obja
);
if (!NT_SUCCESS( Status )) {
if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
return ( SepInitializePrivilegeFilter( FALSE ));
} else {
return( FALSE );
}
}
RtlInitUnicodeString( &ValueName, FULL_PRIVILEGE_AUDITING );
Status = NtQueryValueKey(
KeyHandle,
&ValueName,
KeyValuePartialInformation,
KeyInfo,
sizeof(KeyInfo),
&ResultLength
);
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
if (!NT_SUCCESS( Status )) {
Verbose = FALSE;
} else {
pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyInfo;
Verbose = (BOOLEAN) *(pKeyInfo->Data);
}
return ( SepInitializePrivilegeFilter( Verbose ));
}
VOID
SepAdtInitializeAuditingOptions(
VOID
)
/*++
Routine Description:
Initialize options that control auditing.
(please refer to note in adtp.h near the def. of SEP_AUDIT_OPTIONS)
Arguments:
None
Return Value:
None
--*/
{
HANDLE KeyHandle;
NTSTATUS Status;
NTSTATUS TmpStatus;
OBJECT_ATTRIBUTES Obja;
ULONG ResultLength;
UNICODE_STRING KeyName;
UNICODE_STRING ValueName;
CHAR KeyInfo[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(BOOLEAN)];
PAGED_CODE();
//
// Query the registry
//
RtlInitUnicodeString( &KeyName, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\AuditingOptions");
InitializeObjectAttributes( &Obja,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
Status = NtOpenKey(
&KeyHandle,
KEY_QUERY_VALUE,
&Obja
);
if (!NT_SUCCESS( Status )) {
goto Cleanup;
}
RtlInitUnicodeString( &ValueName, L"DoNotAuditCloseObjectEvents" );
Status = NtQueryValueKey(
KeyHandle,
&ValueName,
KeyValuePartialInformation,
KeyInfo,
sizeof(KeyInfo),
&ResultLength
);
TmpStatus = NtClose(KeyHandle);
ASSERT(NT_SUCCESS(TmpStatus));
if (NT_SUCCESS( Status )) {
//
// we check for the presence of this value, its value does not matter
//
SepAuditOptions.DoNotAuditCloseObjectEvents = TRUE;
}
Cleanup:
return;
}