2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/audit.c
5 * PURPOSE: Audit functions
7 * PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de>
10 /* INCLUDES *******************************************************************/
16 /* PRIVATE FUNCTIONS***********************************************************/
20 SeDetailedAuditingWithToken(IN PTOKEN Token
)
28 SeAuditProcessCreate(IN PEPROCESS Process
)
35 SeAuditProcessExit(IN PEPROCESS Process
)
42 SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject
,
44 OUT POBJECT_NAME_INFORMATION
*AuditInfo
)
46 OBJECT_NAME_INFORMATION LocalNameInfo
;
47 POBJECT_NAME_INFORMATION ObjectNameInfo
= NULL
;
48 ULONG ReturnLength
= 8;
53 /* Check if we should do auditing */
59 /* Now query the name */
60 Status
= ObQueryNameString(FileObject
,
62 sizeof(LocalNameInfo
),
64 if (((Status
== STATUS_BUFFER_OVERFLOW
) ||
65 (Status
== STATUS_BUFFER_TOO_SMALL
) ||
66 (Status
== STATUS_INFO_LENGTH_MISMATCH
)) &&
67 (ReturnLength
!= sizeof(LocalNameInfo
)))
69 /* Allocate required size */
70 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
75 /* Query the name again */
76 Status
= ObQueryNameString(FileObject
,
83 /* Check if we got here due to failure */
84 if ((ObjectNameInfo
) &&
85 (!(NT_SUCCESS(Status
)) || (ReturnLength
== sizeof(LocalNameInfo
))))
87 /* First, free any buffer we might've allocated */
89 if (ObjectNameInfo
) ExFreePool(ObjectNameInfo
);
91 /* Now allocate a temporary one */
92 ReturnLength
= sizeof(OBJECT_NAME_INFORMATION
);
93 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
94 sizeof(OBJECT_NAME_INFORMATION
),
99 RtlZeroMemory(ObjectNameInfo
, ReturnLength
);
100 Status
= STATUS_SUCCESS
;
104 /* Check if memory allocation failed */
105 if (!ObjectNameInfo
) Status
= STATUS_NO_MEMORY
;
107 /* Return the audit name */
108 *AuditInfo
= ObjectNameInfo
;
116 SeLocateProcessImageName(IN PEPROCESS Process
,
117 OUT PUNICODE_STRING
*ProcessImageName
)
119 POBJECT_NAME_INFORMATION AuditName
;
120 PUNICODE_STRING ImageName
;
121 PFILE_OBJECT FileObject
;
122 NTSTATUS Status
= STATUS_SUCCESS
;
126 *ProcessImageName
= NULL
;
128 /* Check if we have audit info */
129 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
132 /* Get the file object */
133 Status
= PsReferenceProcessFilePointer(Process
, &FileObject
);
134 if (!NT_SUCCESS(Status
)) return Status
;
136 /* Initialize the audit structure */
137 Status
= SeInitializeProcessAuditName(FileObject
, TRUE
, &AuditName
);
138 if (NT_SUCCESS(Status
))
141 if (InterlockedCompareExchangePointer((PVOID
*)&Process
->
142 SeAuditProcessCreationInfo
.ImageFileName
,
146 /* Someone beat us to it, deallocate our copy */
147 ExFreePool(AuditName
);
151 /* Dereference the file object */
152 ObDereferenceObject(FileObject
);
153 if (!NT_SUCCESS(Status
)) return Status
;
156 /* Get audit info again, now we have it for sure */
157 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
159 /* Allocate the output string */
160 ImageName
= ExAllocatePoolWithTag(NonPagedPool
,
161 AuditName
->Name
.MaximumLength
+
162 sizeof(UNICODE_STRING
),
164 if (!ImageName
) return STATUS_NO_MEMORY
;
166 /* Make a copy of it */
167 RtlCopyMemory(ImageName
,
169 AuditName
->Name
.MaximumLength
+ sizeof(UNICODE_STRING
));
171 /* Fix up the buffer */
172 ImageName
->Buffer
= (PWSTR
)(ImageName
+ 1);
175 *ProcessImageName
= ImageName
;
181 /* PUBLIC FUNCTIONS ***********************************************************/
188 SeAuditHardLinkCreation(IN PUNICODE_STRING FileName
,
189 IN PUNICODE_STRING LinkName
,
200 SeAuditingFileEvents(IN BOOLEAN AccessGranted
,
201 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
212 SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted
,
213 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
214 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
225 SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted
,
226 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
237 SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted
,
238 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
239 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
250 SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted
,
251 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
252 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)
263 SeCloseObjectAuditAlarm(
266 IN BOOLEAN PerformAction
276 SeDeleteObjectAuditAlarm(IN PVOID Object
,
287 SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
288 IN PVOID Object OPTIONAL
,
289 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
290 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
291 IN PACCESS_STATE AccessState
,
292 IN BOOLEAN ObjectCreated
,
293 IN BOOLEAN AccessGranted
,
294 IN KPROCESSOR_MODE AccessMode
,
295 OUT PBOOLEAN GenerateOnClose
)
299 /* Audits aren't done on kernel-mode access */
300 if (AccessMode
== KernelMode
) return;
302 /* Otherwise, unimplemented! */
311 SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
312 IN PVOID Object OPTIONAL
,
313 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
314 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
315 IN PACCESS_STATE AccessState
,
316 IN BOOLEAN ObjectCreated
,
317 IN BOOLEAN AccessGranted
,
318 IN KPROCESSOR_MODE AccessMode
,
319 OUT PBOOLEAN GenerateOnClose
)
329 SePrivilegeObjectAuditAlarm(IN HANDLE Handle
,
330 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
331 IN ACCESS_MASK DesiredAccess
,
332 IN PPRIVILEGE_SET Privileges
,
333 IN BOOLEAN AccessGranted
,
334 IN KPROCESSOR_MODE CurrentMode
)
339 /* SYSTEM CALLS ***************************************************************/
343 NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
345 IN PUNICODE_STRING ObjectTypeName
,
346 IN PUNICODE_STRING ObjectName
,
347 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
348 IN ACCESS_MASK DesiredAccess
,
349 IN PGENERIC_MAPPING GenericMapping
,
350 IN BOOLEAN ObjectCreation
,
351 OUT PACCESS_MASK GrantedAccess
,
352 OUT PNTSTATUS AccessStatus
,
353 OUT PBOOLEAN GenerateOnClose
)
356 return STATUS_NOT_IMPLEMENTED
;
361 NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
363 IN BOOLEAN GenerateOnClose
)
366 return(STATUS_NOT_IMPLEMENTED
);
371 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
373 IN BOOLEAN GenerateOnClose
)
376 return(STATUS_NOT_IMPLEMENTED
);
381 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
383 IN PUNICODE_STRING ObjectTypeName
,
384 IN PUNICODE_STRING ObjectName
,
385 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
386 IN HANDLE ClientToken
,
387 IN ULONG DesiredAccess
,
388 IN ULONG GrantedAccess
,
389 IN PPRIVILEGE_SET Privileges
,
390 IN BOOLEAN ObjectCreation
,
391 IN BOOLEAN AccessGranted
,
392 OUT PBOOLEAN GenerateOnClose
)
395 return(STATUS_NOT_IMPLEMENTED
);
400 NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName
,
401 IN PUNICODE_STRING ServiceName
,
402 IN HANDLE ClientToken
,
403 IN PPRIVILEGE_SET Privileges
,
404 IN BOOLEAN AccessGranted
)
407 return(STATUS_NOT_IMPLEMENTED
);
412 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
414 IN HANDLE ClientToken
,
415 IN ULONG DesiredAccess
,
416 IN PPRIVILEGE_SET Privileges
,
417 IN BOOLEAN AccessGranted
)
420 return(STATUS_NOT_IMPLEMENTED
);