windows-nt/Source/XPSP1/NT/ds/security/authz/test/audit/adttest.cpp

606 lines
14 KiB
C++
Raw Normal View History

2020-09-26 03:20:57 -05:00
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A D T U T I L . C
//
// Contents: Functions to test generic audit support in LSA
//
//
// History:
// 07-January-2000 kumarp created
//
//------------------------------------------------------------------------
#include "pch.h"
#pragma hdrstop
#include "authz.h"
#include "authzi.h"
#include "adtgen.h"
//
// defining USE_LOCAL_AUDIT causes audits to be processed in proc
// instead of being sent to lsa. This allows much faster debug
// cycle since LSA is not involved. The audit marshal/process code
// is taken directly from LSA. Thus the same code path is exercised
// as that when this is not defined.
//
//#define USE_LOCAL_AUDIT
#ifdef USE_LOCAL_AUDIT
#include "\nt\ds\security\base\lsa\server\cfiles\adtgenp.h"
#endif
// ----------------------------------------------------------------------
//
// forward declarations
//
DWORD
EnableSinglePrivilege(
IN PWCHAR szPrivName
);
// ----------------------------------------------------------------------
EXTERN_C
DWORD
TestEventGen( ULONG NumIter )
{
NTSTATUS Status = STATUS_SUCCESS;
DWORD dwError=NO_ERROR;
HANDLE hAudit = NULL;
AUDIT_PARAMS AuditParams;
AUDIT_PARAM ParamArray[SE_MAX_AUDIT_PARAMETERS];
PSID pUserSid = NULL;
AUTHZ_AUDIT_EVENT_TYPE_LEGACY AuditEventInfoLegacy = { 0 };
//AUDIT_EVENT_INFO AuditEventInfo = { 0 };
AUTHZ_AUDIT_EVENT_TYPE_OLD AuditEventType;
AUTHZ_AUDIT_EVENT_TYPE_HANDLE hEventType = NULL;
BOOL fDone=FALSE;
PWSTR szMsg = NULL;
BOOL fResult;
AUDIT_OBJECT_TYPE Objects[3] =
{
{
{ /* f3548725-0458-11d4-bd96-006008269001 */
0xf3548725,
0x0458,
0x11d4,
{0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
},
0, 0, STANDARD_RIGHTS_ALL
},
{
{ /* f3548726-0458-11d4-bd96-006008269001 */
0xf3548726,
0x0458,
0x11d4,
{0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
},
0, 1, STANDARD_RIGHTS_ALL
},
{
{ /* f3548727-0458-11d4-bd96-006008269001 */
0xf3548727,
0x0458,
0x11d4,
{0xbd, 0x96, 0x00, 0x60, 0x08, 0x26, 0x90, 0x01}
},
0, 2, STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY
},
};
AUDIT_OBJECT_TYPES ObjectTypes =
{
3, 0, Objects
};
AuditParams.Parameters = ParamArray;
wprintf(L"[%03d] begin...\n", GetCurrentThreadId());
// AuditEventInfo.Version = AUDIT_TYPE_LEGACY;
// //AuditEventInfo.u.Legacy = &AuditEventInfoLegacy;
// AuditEventInfo.u.Legacy.CategoryId = SE_CATEGID_OBJECT_ACCESS;
// AuditEventInfo.u.Legacy.AuditId = SE_AUDITID_OBJECT_OPERATION;
// AuditEventInfo.u.Legacy.ParameterCount = 11;
fResult = AuthziInitializeAuditEventType(
0,
SE_CATEGID_OBJECT_ACCESS,
SE_AUDITID_OBJECT_OPERATION,
11,
&hEventType
);
if ( !fResult )
{
szMsg = L"AuthziInitializeAuditEventType";
goto Cleanup;
}
#ifdef USE_LOCAL_AUDIT
Status = LsapRegisterAuditEvent( &AuditEventInfo, &hAudit );
if (!NT_SUCCESS(Status))
{
szMsg = L"LsapRegisterAuditEvent";
goto Cleanup;
}
#else
// fResult = AuthzpRegisterAuditEvent( &AuditEventInfo, &hAudit );
// if (!fResult)
// {
// szMsg = L"AuthzRegisterAuditEvent";
// goto Cleanup;
// }
#endif
//
// initialize the AuditParams structure
//
// fResult = AuthziInitializeAuditParams(
// //
// // flags
// //
// 0,
// &AuditParams,
// //
// // sid of the user generating this audit
// //
// &pUserSid,
// //
// // resource manager name
// //
// L"mysubsystem",
// //
// // generate a success audit
// //
// APF_AuditSuccess,
// //
// // there are 9 params to follow
// //
// 9,
// //
// // operation type
// //
// APT_String, L"test",
// //
// // object type
// //
// APT_String, L"File",
// //
// // object name
// //
// APT_String, L"foo-obj",
// //
// // handle id
// //
// APT_Pointer, 0x123,
// //
// // primary user info
// //
// APT_LogonId | AP_PrimaryLogonId,
// //
// // client user info
// //
// APT_LogonId | AP_ClientLogonId,
// //
// // requested accesses
// // 1 refers to 0 based index of the
// // parameter (object-type) that is
// // passed to this function.
// //
// APT_Ulong | AP_AccessMask,
// STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, 1,
// //
// // object properties
// // 1 refers to 0 based index of the
// // parameter (object-type) that is
// // passed to this function.
// //
// APT_ObjectTypeList, &ObjectTypes, 1,
// //
// // additional info
// //
// APT_String, L"this is not a real obj-opn"
// );
// if (!fResult)
// {
// #ifdef USE_LOCAL_AUDIT
// Status = STATUS_UNSUCCESSFUL;
// wprintf(L"[%03d] AuthzInitAuditParams: %x\n",
// GetCurrentThreadId(), GetLastError());
// #endif
// szMsg = L"AuthzInitAuditParams";
// goto Cleanup;
// }
for (ULONG i=0; i<NumIter; i++)
{
Sleep( 10 );
#ifdef USE_LOCAL_AUDIT
Status = LsapGenAuditEvent( hAudit, 0, &AuditParams, 0 );
if (!NT_SUCCESS(Status))
{
szMsg = L"LsapGenAuditEvent";
goto Cleanup;
}
#else
// fResult = AuthzGenAuditEvent( hAudit, 0, &AuditParams, 0 );
// if (!fResult)
// {
// szMsg = L"AuthzGenAuditEvent";
// goto Cleanup;
// }
#endif
}
Cleanup:
#ifdef USE_LOCAL_AUDIT
if (!NT_SUCCESS(Status))
{
dwError = Status;
}
#else
if (!fResult)
{
dwError = GetLastError();
}
#endif
wprintf(L"[%03d] end: %s %x\n",
GetCurrentThreadId(), szMsg ? szMsg : L"", dwError);
LocalFree( pUserSid );
if ( hAudit )
{
#ifdef USE_LOCAL_AUDIT
Status = LsapUnregisterAuditEvent( &hAudit );
if (!NT_SUCCESS(Status))
{
wprintf (L"LsapUnregisterAuditEvent: %x\n", Status);
}
#else
fResult = AuthziFreeAuditEventType( hEventType );
if (!fResult)
{
dwError = GetLastError();
wprintf (L"AuthziFreeAuditEventType: %x\n", dwError);
}
#endif
}
return dwError;
}
DWORD WINAPI TestEventGenThreadProc( PVOID p )
{
TestEventGen( (ULONG) (ULONG_PTR) p );
return 0;
}
DWORD WaitForTonsOfObjects(
IN DWORD dwNumThreads,
IN HANDLE* phThreads,
IN BOOL fWaitAll,
IN DWORD dwMilliseconds
)
{
LONG dwNumBundles=dwNumThreads / MAXIMUM_WAIT_OBJECTS;
DWORD dwRem = dwNumThreads % MAXIMUM_WAIT_OBJECTS;
DWORD dwError = NO_ERROR;
for (LONG i=0; i<dwNumBundles-1; i++)
{
dwError = WaitForMultipleObjects( MAXIMUM_WAIT_OBJECTS,
&phThreads[i*MAXIMUM_WAIT_OBJECTS],
fWaitAll,
dwMilliseconds );
if ( dwError == WAIT_FAILED )
{
goto Cleanup;
}
}
dwError = WaitForMultipleObjects( dwRem,
&phThreads[i*MAXIMUM_WAIT_OBJECTS],
fWaitAll,
dwMilliseconds );
Cleanup:
return dwError;
}
EXTERN_C
NTSTATUS
TestEventGenMulti(
IN USHORT NumThreads,
IN ULONG NumIter
)
{
NTSTATUS Status = STATUS_SUCCESS;
HANDLE* phThreads = NULL;
DWORD* pdwThreadIds = NULL;
PWSTR szMsg = NULL;
DWORD dwError;
#ifdef USE_LOCAL_AUDIT
Status = LsapAdtInitGenericAudits();
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
#endif
dwError = EnableSinglePrivilege( SE_AUDIT_NAME );
if ( dwError != NO_ERROR )
{
szMsg = L"EnableSinglePrivilege: SeAuditPrivilege";
Status = dwError;
goto Cleanup;
}
phThreads = (HANDLE*) LocalAlloc( LMEM_ZEROINIT,
sizeof(HANDLE) * NumThreads );
if ( !phThreads )
{
Status = STATUS_NO_MEMORY;
szMsg = L"LsapAllocateLsaHeap";
goto Cleanup;
}
wprintf(L"Creating %d threads...\n", NumThreads);
for (int i=0; i<NumThreads; i++)
{
phThreads[i] = CreateThread( NULL, 0,
TestEventGenThreadProc, (PVOID) NumIter,
CREATE_SUSPENDED, NULL );
if (!phThreads[i])
{
szMsg = L"CreateThread";
goto Cleanup;
}
}
wprintf(L"...done\n");
wprintf(L"Waiting for the threads to finish work...\n");
for (int i=0; i<NumThreads; i++)
{
ResumeThread( phThreads[i] );
}
dwError = WaitForTonsOfObjects( NumThreads, phThreads, TRUE, INFINITE );
if ( dwError == WAIT_FAILED )
{
szMsg = L"WaitForMultipleObjects";
Status = STATUS_UNSUCCESSFUL;
goto Cleanup;
}
for (int i=0; i<NumThreads; i++)
{
CloseHandle( phThreads[i] );
}
RtlZeroMemory( phThreads, sizeof(HANDLE) * NumThreads );
Cleanup:
if ( szMsg )
{
wprintf (L"%s: %x\n", szMsg, Status);
}
for (i=0; i<NumThreads; i++)
{
if (phThreads[i])
{
TerminateThread( phThreads[i], 0 );
}
}
LocalFree( phThreads );
//LocalFree( pdwThreadIds );
return Status;
}
EXTERN_C
NTSTATUS
GetSidName(
IN PSID pSid,
OUT PWSTR szName
)
{
NTSTATUS Status = STATUS_SUCCESS;
LSA_OBJECT_ATTRIBUTES ObjectAttrs = { 0 };
PLSA_REFERENCED_DOMAIN_LIST pDomains;
PLSA_TRANSLATED_NAME pNames;
LSA_HANDLE hLsa;
*szName = UNICODE_NULL;
Status = LsaOpenPolicy( NULL, &ObjectAttrs, POLICY_LOOKUP_NAMES, &hLsa );
if (NT_SUCCESS(Status))
{
Status = LsaLookupSids( hLsa, 1, &pSid, &pDomains, &pNames );
if (NT_SUCCESS(Status))
{
if (pDomains->Entries > 0)
{
lstrcpyn( szName, pDomains->Domains[0].Name.Buffer,
pDomains->Domains[0].Name.Length / sizeof(WCHAR) + 1);
lstrcat( szName, L"\\" );
if ( pNames[0].Use == SidTypeUser )
{
lstrcat( szName, pNames[0].Name.Buffer );
}
else
{
lstrcat( szName, L"unknown" );
}
}
}
}
return Status;
}
DWORD
EnableSinglePrivilege(
IN PWCHAR szPrivName
)
{
DWORD dwError=NO_ERROR;
HANDLE hToken;
LUID luidPriv;
TOKEN_PRIVILEGES Privileges;
//LUID_AND_ATTRIBUTES lna[1];
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken))
{
goto GetError;
}
if (!LookupPrivilegeValue(NULL, szPrivName, &Privileges.Privileges[0].Luid))
{
goto GetError;
}
Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
Privileges.PrivilegeCount = 1;
if (!AdjustTokenPrivileges(hToken, FALSE, &Privileges, 0, NULL, 0 ))
{
goto GetError;
}
CloseHandle(hToken);
Cleanup:
return dwError;
GetError:
dwError = GetLastError();
goto Cleanup;
}
EXTERN_C
NTSTATUS
kElfReportEventW (
IN HANDLE LogHandle,
IN USHORT EventType,
IN USHORT EventCategory OPTIONAL,
IN ULONG EventID,
IN PSID UserSid,
IN USHORT NumStrings,
IN ULONG DataSize,
IN PUNICODE_STRING *Strings,
IN PVOID Data,
IN USHORT Flags,
IN OUT PULONG RecordNumber OPTIONAL,
IN OUT PULONG TimeWritten OPTIONAL
)
{
NTSTATUS Status = STATUS_SUCCESS;
PCWSTR szT;
WCHAR szUserName[256];
ASSERT((EventType == EVENTLOG_AUDIT_SUCCESS) ||
(EventType == EVENTLOG_AUDIT_FAILURE));
return Status;
wprintf(L"-----------------------------------------------------------------\n");
if (EventType == EVENTLOG_AUDIT_SUCCESS)
{
szT = L"AUDIT_SUCCESS";
}
else
{
szT = L"AUDIT_FAILURE";
}
wprintf(L"Type\t: %s\n", szT);
wprintf(L"Category: %d\n", EventCategory);
wprintf(L"AuditId\t: %d\n", EventID);
if (STATUS_SUCCESS == GetSidName( UserSid, szUserName ))
{
wprintf(L"UserSid\t: %s\n\n", szUserName);
}
else
{
wprintf(L"UserSid\t: <NA>\n\n");
}
wprintf(L"#strings: %d\n", NumStrings);
for (int i=0; i<NumStrings; i++)
{
wprintf(L"[%02d]\t: %wZ\n", i, Strings[i]);
}
return Status;
}