windows-nt/Source/XPSP1/NT/net/ipsec/spd/server/audit.c

#include "precomp.h"
//
// Sizes of the two process-wide scratch buffers below, in WCHARs (not bytes).
//
#define MAX_AUDIT_BUFFER 4096
#define MAX_MSG_BUFFER 2048
//
// gszAuditBuffer: PerformAudit overlays an SE_ADT_PARAMETER_ARRAY (header,
// SID copy, UNICODE_STRING table) on this buffer before calling
// LsaIWriteAuditEvent.
// gszAuditMsgBuffer: AuditEvent formats the localized message text here and
// passes it on as the audit's string insert.
//
// Both are shared by every caller; AuditEvent serializes access with
// gcSPDAuditSection, so PerformAudit must only be reached with that lock held.
//
// NOTE(review): gszAuditBuffer is declared as a WCHAR array, which only
// guarantees 2-byte alignment, yet a pointer-bearing struct is overlaid on
// it. This relies on the compiler placing the global at a wider alignment;
// consider DECLSPEC_ALIGN or a union with the struct type to make it explicit.
//
WCHAR gszAuditBuffer[MAX_AUDIT_BUFFER];
WCHAR * gpszAuditBuffer = gszAuditBuffer;
WCHAR gszAuditMsgBuffer[MAX_MSG_BUFFER];
WCHAR * gpszAuditMsgBuffer = gszAuditMsgBuffer;
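DWORD
PerformAudit(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    PSID pSid,
    DWORD dwParamCnt,
    LPWSTR * ppszArgArray,
    BOOL bSuccess,
    BOOL bDoAudit
    )
/*++

Routine Description:

    Assemble an SE_ADT_PARAMETER_ARRAY in the shared gszAuditBuffer and hand
    it to LSA via LsaIWriteAuditEvent. The record carries, in order, the
    subject SID, the fixed module name "IPSec Server" and then each string in
    ppszArgArray. The category is always forced to SE_CATEGID_POLICY_CHANGE.

    Must be called with gcSPDAuditSection held: the record is built in a
    process-wide buffer that this routine does not lock itself.

Arguments:

    dwCategoryId  - ignored; SE_CATEGID_POLICY_CHANGE is always used.
    dwAuditId     - audit id placed in the record.
    pSid          - subject SID, copied into the buffer. Must not be NULL.
    dwParamCnt    - number of strings in ppszArgArray (at most
                    SE_MAX_AUDIT_PARAMETERS - 2, since two slots are used
                    by the SID and the module name).
    ppszArgArray  - NUL-terminated strings referenced, not copied, by the
                    record; each must be non-NULL and stay valid until this
                    routine returns.
    bSuccess      - selects EVENTLOG_AUDIT_SUCCESS or EVENTLOG_AUDIT_FAILURE.
    bDoAudit      - if FALSE the record is built but never written.

Return Value:

    ERROR_SUCCESS on success (or when bDoAudit is FALSE).
    ERROR_INVALID_PARAMETER for a NULL SID, a NULL string, or too many
    parameters.
    ERROR_BUFFER_OVERFLOW if the record does not fit in gszAuditBuffer.
    Otherwise the Win32 mapping of the NTSTATUS from LsaIWriteAuditEvent,
    so a dropped audit is no longer reported as success.

--*/
{
    SE_ADT_PARAMETER_ARRAY * pParArray = NULL;
    UNICODE_STRING * pusStrArray = NULL;
    BYTE * pbyteCurAddr = NULL;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    DWORD dwSidLength = 0;
    DWORD dwStrSize = 0;
    DWORD dwAllocSize = 0;
    DWORD i = 0;
    WCHAR * pszModuleName = L"IPSec Server";

    if (pSid == NULL || (dwParamCnt != 0 && ppszArgArray == NULL)) {
        return (ERROR_INVALID_PARAMETER);
    }
    for (i = 0; i < dwParamCnt; i++) {
        if (ppszArgArray[i] == NULL) {
            return (ERROR_INVALID_PARAMETER);
        }
    }

    //
    // Parameters[] in SE_ADT_PARAMETER_ARRAY is a fixed table of
    // SE_MAX_AUDIT_PARAMETERS entries; the SID and module name take two.
    //
    if (dwParamCnt > SE_MAX_AUDIT_PARAMETERS - 2) {
        return (ERROR_INVALID_PARAMETER);
    }

    //
    // dwCategoryId should be equal to SE_CATEGID_POLICY_CHANGE.
    //
    dwCategoryId = SE_CATEGID_POLICY_CHANGE;

    dwSidLength = RtlLengthSid(pSid);

    for (i = 0; i < dwParamCnt; i++) {
        dwStrSize += (wcslen(ppszArgArray[i]) + 1) * sizeof(WCHAR);
    }
    dwStrSize += (wcslen(pszModuleName) + 1) * sizeof(WCHAR);

    //
    // Buffer layout: array header, the SID copy (pointer aligned), then
    // dwParamCnt + 1 UNICODE_STRINGs (module name plus one per caller
    // string). The string bodies are referenced in place, so dwStrSize is
    // slack; it is kept in Length to preserve the record size LSA has
    // always been handed. The table size is dwParamCnt + 1 entries, not
    // dwParamCnt as previously accounted, and the bound is compared in
    // bytes against the buffer's byte size rather than its WCHAR count.
    //
    dwAllocSize = sizeof(SE_ADT_PARAMETER_ARRAY) +
                  PtrAlignSize(dwSidLength) +
                  (dwParamCnt + 1) * sizeof(UNICODE_STRING) +
                  dwStrSize;
    if (dwAllocSize > sizeof(gszAuditBuffer)) {
        return (ERROR_BUFFER_OVERFLOW);
    }

    pParArray = (SE_ADT_PARAMETER_ARRAY *) gpszAuditBuffer;
    pParArray->CategoryId = dwCategoryId;
    pParArray->AuditId = dwAuditId;
    pParArray->ParameterCount = dwParamCnt + 2;
    pParArray->Length = dwAllocSize;
    pParArray->Flags = 0;
    pParArray->Type = bSuccess ? EVENTLOG_AUDIT_SUCCESS : EVENTLOG_AUDIT_FAILURE;

    //
    // Parameter 0: the subject SID. The SID is copied into the buffer, but
    // Address keeps pointing at the caller's SID as before.
    // NOTE(review): if LSA only reads Address, the copy is redundant;
    // pointing Address at pbyteCurAddr would make the record self-contained.
    //
    pbyteCurAddr = (BYTE *) (pParArray + 1);
    memcpy(pbyteCurAddr, pSid, dwSidLength);
    pParArray->Parameters[0].Type = SeAdtParmTypeSid;
    pParArray->Parameters[0].Length = dwSidLength;
    pParArray->Parameters[0].Data[0] = 0;
    pParArray->Parameters[0].Data[1] = 0;
    pParArray->Parameters[0].Address = pSid;
    pbyteCurAddr += PtrAlignSize(dwSidLength);

    //
    // Parameters 1..dwParamCnt+1: module name, then the caller's strings.
    // UNICODE_STRING lengths are USHORT; the buffer check above bounds every
    // string to a few KB, so the narrowing cast cannot truncate.
    //
    pusStrArray = (UNICODE_STRING *) pbyteCurAddr;
    for (i = 0; i <= dwParamCnt; i++) {
        LPWSTR pszStr = (i == 0) ? pszModuleName : ppszArgArray[i - 1];

        pusStrArray[i].Length = (USHORT) (wcslen(pszStr) * sizeof(WCHAR));
        pusStrArray[i].MaximumLength = (USHORT) (pusStrArray[i].Length + sizeof(WCHAR));
        pusStrArray[i].Buffer = pszStr;

        pParArray->Parameters[i + 1].Type = SeAdtParmTypeString;
        pParArray->Parameters[i + 1].Length = sizeof(UNICODE_STRING) +
                                               pusStrArray[i].MaximumLength;
        pParArray->Parameters[i + 1].Data[0] = 0;
        pParArray->Parameters[i + 1].Data[1] = 0;
        pParArray->Parameters[i + 1].Address = (PVOID) &pusStrArray[i];
    }

    if (!bDoAudit) {
        return (ERROR_SUCCESS);
    }

    //
    // A failed audit write is a security-relevant event in its own right;
    // surface it to the caller instead of unconditionally reporting success.
    //
    ntStatus = LsaIWriteAuditEvent(pParArray, 0);
    if (!NT_SUCCESS(ntStatus)) {
        return (RtlNtStatusToDosError(ntStatus));
    }

    return (ERROR_SUCCESS);
}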
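VOID
AuditEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR * ppszArguments,
    BOOL bSuccess,
    BOOL bDoAudit
    )
/*++

Routine Description:

    Format the message-table string dwStrId from this module with the
    supplied inserts into gszAuditMsgBuffer, then emit it as the single
    string insert of a policy-change audit through PerformAudit.

    Takes gcSPDAuditSection for the whole operation, since both scratch
    buffers are process-wide.

    If the message lookup fails, a fixed marker text naming the event id is
    audited instead. (Previously that fallback text was formatted and then
    discarded, so a missing or broken message entry silently lost the audit.)

Arguments:

    dwCategoryId  - passed through to PerformAudit.
    dwAuditId     - audit id; only SE_AUDITID_IPSEC_POLICY_CHANGED is emitted,
                    any other id is ignored.
    dwStrId       - message-table id in ghIpsecServerModule.
    ppszArguments - insert array for FORMAT_MESSAGE_ARGUMENT_ARRAY. The
                    message for dwStrId must not reference more inserts than
                    this array holds; FormatMessage would read past its end.
    bSuccess      - audit success/failure flag.
    bDoAudit      - if FALSE the record is built but not written.

Return Value:

    None. Failures from PerformAudit are not propagated.

--*/
{
    DWORD dwChars = 0;
    LPWSTR pszArgArray[3];
    DWORD dwParamCnt = 0;

    EnterCriticalSection(&gcSPDAuditSection);

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_FROM_HMODULE |
                  FORMAT_MESSAGE_ARGUMENT_ARRAY,
                  ghIpsecServerModule,
                  dwStrId,
                  LANG_NEUTRAL,
                  gpszAuditMsgBuffer,
                  MAX_MSG_BUFFER,
                  (va_list *) ppszArguments
                  );
    if (dwChars == 0) {
        //
        // The fixed text plus an 8-digit hex id is far below MAX_MSG_BUFFER,
        // so the unbounded wsprintf cannot overrun the buffer here.
        //
        wsprintf(
            gpszAuditMsgBuffer,
            L"IPSec Services encountered an error while auditing event ID 0x%x",
            dwStrId
            );
    }
    gpszAuditMsgBuffer[MAX_MSG_BUFFER - 1] = 0;

    switch (dwAuditId) {

    case SE_AUDITID_IPSEC_POLICY_CHANGED:
        dwParamCnt = 1;
        pszArgArray[0] = gpszAuditMsgBuffer;
        (VOID) PerformAudit(
                   dwCategoryId,
                   dwAuditId,
                   gpIpsecServerSid,
                   dwParamCnt,
                   pszArgArray,
                   bSuccess,
                   bDoAudit
                   );
        break;

    default:
        //
        // No record layout is defined for other audit ids; nothing is written.
        //
        break;
    }

    LeaveCriticalSection(&gcSPDAuditSection);
}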
VOID
AuditOneArgErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
/*++

Routine Description:

    Audit an event whose single message insert is a Win32 error. The system
    message text for dwErrorCode is used when FormatMessage can produce it
    (inserts ignored, so system messages cannot consume arguments); otherwise
    the error is rendered as "0x<hex>" in a local buffer.

Arguments:

    dwCategoryId - passed through to AuditEvent.
    dwAuditId    - passed through to AuditEvent.
    dwStrId      - message-table id of the event text; it should reference
                   exactly one insert.
    dwErrorCode  - Win32 error code to describe.
    bSuccess     - audit success/failure flag.
    bDoAudit     - if FALSE the record is built but not written.

Return Value:

    None.

--*/
{
    LPVOID lpvSystemText = NULL;
    WCHAR szHexCode[MAX_PATH];
    LPWSTR pszInsert = NULL;
    DWORD dwChars = 0;

    szHexCode[0] = L'\0';

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvSystemText,
                  0,
                  NULL
                  );

    if (dwChars != 0) {
        pszInsert = (LPWSTR) lpvSystemText;
    }
    else {
        //
        // "0x" plus at most eight hex digits: well within MAX_PATH.
        //
        wsprintf(szHexCode, L"0x%x", dwErrorCode);
        pszInsert = szHexCode;
    }

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        &pszInsert,
        bSuccess,
        bDoAudit
        );

    //
    // Only the FORMAT_MESSAGE_ALLOCATE_BUFFER path owns heap memory.
    //
    if (lpvSystemText) {
        LocalFree(lpvSystemText);
    }
}
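VOID
AuditIPSecPolicyEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    BOOL bSuccess,
    BOOL bDoAudit
    )
/*++

Routine Description:

    Audit an event whose single message insert is an IPSec policy name.

    The name is copied into a MAX_PATH local buffer with an explicit bound.
    The previous wsprintf(L"%s") copy was unbounded (wsprintf only stops at
    1024 characters), so a policy name of MAX_PATH or more characters
    overran the stack buffer. Names that long are now truncated to
    MAX_PATH - 1 characters in the audit text.

Arguments:

    dwCategoryId  - passed through to AuditEvent.
    dwAuditId     - passed through to AuditEvent.
    dwStrId       - message-table id of the event text; it should reference
                    exactly one insert.
    pszPolicyName - NUL-terminated policy name; may be NULL.
    bSuccess      - audit success/failure flag.
    bDoAudit      - if FALSE the record is built but not written.

Return Value:

    None.

--*/
{
    WCHAR szPolicyName[MAX_PATH];
    LPWSTR pszInsert = szPolicyName;

    if (pszPolicyName == NULL) {
        //
        // Keep the text the old wsprintf("%s", NULL) produced.
        // NOTE(review): confirm callers can actually pass NULL here.
        //
        pszPolicyName = L"(null)";
    }

    wcsncpy(szPolicyName, pszPolicyName, MAX_PATH - 1);
    szPolicyName[MAX_PATH - 1] = L'\0';

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        &pszInsert,
        bSuccess,
        bDoAudit
        );
}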
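VOID
AuditIPSecPolicyErrorEvent(
    DWORD dwCategoryId,
    DWORD dwAuditId,
    DWORD dwStrId,
    LPWSTR pszPolicyName,
    DWORD dwErrorCode,
    BOOL bSuccess,
    BOOL bDoAudit
    )
/*++

Routine Description:

    Audit an event with two message inserts: an IPSec policy name and a
    Win32 error. The error is rendered as the system message text when
    FormatMessage can produce it (inserts ignored), otherwise as "0x<hex>".

    The policy name is copied into a MAX_PATH local buffer with an explicit
    bound. The previous wsprintf(L"%s") copy was unbounded (wsprintf only
    stops at 1024 characters), so a policy name of MAX_PATH or more
    characters overran the stack buffer. Such names are now truncated to
    MAX_PATH - 1 characters in the audit text.

Arguments:

    dwCategoryId  - passed through to AuditEvent.
    dwAuditId     - passed through to AuditEvent.
    dwStrId       - message-table id of the event text; it should reference
                    exactly two inserts (name, then error).
    pszPolicyName - NUL-terminated policy name; may be NULL.
    dwErrorCode   - Win32 error code to describe.
    bSuccess      - audit success/failure flag.
    bDoAudit      - if FALSE the record is built but not written.

Return Value:

    None.

--*/
{
    WCHAR szPolicyName[MAX_PATH];
    WCHAR szHexCode[MAX_PATH];
    LPVOID lpvSystemText = NULL;
    LPWSTR pszArgArray[2];
    DWORD dwChars = 0;

    szHexCode[0] = L'\0';

    if (pszPolicyName == NULL) {
        //
        // Keep the text the old wsprintf("%s", NULL) produced.
        // NOTE(review): confirm callers can actually pass NULL here.
        //
        pszPolicyName = L"(null)";
    }
    wcsncpy(szPolicyName, pszPolicyName, MAX_PATH - 1);
    szPolicyName[MAX_PATH - 1] = L'\0';

    dwChars = FormatMessage(
                  FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  NULL,
                  dwErrorCode,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPWSTR) &lpvSystemText,
                  0,
                  NULL
                  );

    pszArgArray[0] = szPolicyName;
    if (dwChars != 0) {
        pszArgArray[1] = (LPWSTR) lpvSystemText;
    }
    else {
        //
        // "0x" plus at most eight hex digits: well within MAX_PATH.
        //
        wsprintf(szHexCode, L"0x%x", dwErrorCode);
        pszArgArray[1] = szHexCode;
    }

    AuditEvent(
        dwCategoryId,
        dwAuditId,
        dwStrId,
        pszArgArray,
        bSuccess,
        bDoAudit
        );

    //
    // Only the FORMAT_MESSAGE_ALLOCATE_BUFFER path owns heap memory.
    //
    if (lpvSystemText) {
        LocalFree(lpvSystemText);
    }
}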