2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/audit.c
5 * PURPOSE: Audit functions
7 * PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de>
10 /* INCLUDES *******************************************************************/
16 /* PRIVATE FUNCTIONS***********************************************************/
20 SeDetailedAuditingWithToken(IN PTOKEN Token
)
28 SeAuditProcessCreate(IN PEPROCESS Process
)
35 SeAuditProcessExit(IN PEPROCESS Process
)
42 SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject
,
44 OUT POBJECT_NAME_INFORMATION
*AuditInfo
)
46 OBJECT_NAME_INFORMATION LocalNameInfo
;
47 POBJECT_NAME_INFORMATION ObjectNameInfo
= NULL
;
48 ULONG ReturnLength
= 8;
53 /* Check if we should do auditing */
59 /* Now query the name */
60 Status
= ObQueryNameString(FileObject
,
62 sizeof(LocalNameInfo
),
64 if (((Status
== STATUS_BUFFER_OVERFLOW
) ||
65 (Status
== STATUS_BUFFER_TOO_SMALL
) ||
66 (Status
== STATUS_INFO_LENGTH_MISMATCH
)) &&
67 (ReturnLength
!= sizeof(LocalNameInfo
)))
69 /* Allocate required size */
70 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
75 /* Query the name again */
76 Status
= ObQueryNameString(FileObject
,
83 /* Check if we got here due to failure */
84 if ((ObjectNameInfo
) &&
85 (!(NT_SUCCESS(Status
)) || (ReturnLength
== sizeof(LocalNameInfo
))))
87 /* First, free any buffer we might've allocated */
89 if (ObjectNameInfo
) ExFreePool(ObjectNameInfo
);
91 /* Now allocate a temporary one */
92 ReturnLength
= sizeof(OBJECT_NAME_INFORMATION
);
93 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
94 sizeof(OBJECT_NAME_INFORMATION
),
99 RtlZeroMemory(ObjectNameInfo
, ReturnLength
);
100 Status
= STATUS_SUCCESS
;
104 /* Check if memory allocation failed */
105 if (!ObjectNameInfo
) Status
= STATUS_NO_MEMORY
;
107 /* Return the audit name */
108 *AuditInfo
= ObjectNameInfo
;
116 SeLocateProcessImageName(IN PEPROCESS Process
,
117 OUT PUNICODE_STRING
*ProcessImageName
)
119 POBJECT_NAME_INFORMATION AuditName
;
120 PUNICODE_STRING ImageName
;
121 PFILE_OBJECT FileObject
;
122 NTSTATUS Status
= STATUS_SUCCESS
;
126 *ProcessImageName
= NULL
;
128 /* Check if we have audit info */
129 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
132 /* Get the file object */
133 Status
= PsReferenceProcessFilePointer(Process
, &FileObject
);
134 if (!NT_SUCCESS(Status
)) return Status
;
136 /* Initialize the audit structure */
137 Status
= SeInitializeProcessAuditName(FileObject
, TRUE
, &AuditName
);
138 if (NT_SUCCESS(Status
))
141 if (InterlockedCompareExchangePointer(&Process
->
142 SeAuditProcessCreationInfo
,
146 /* Someone beat us to it, deallocate our copy */
147 ExFreePool(AuditName
);
151 /* Dereference the file object */
152 ObDereferenceObject(FileObject
);
153 if (!NT_SUCCESS(Status
)) return Status
;
156 /* Allocate the output string */
157 ImageName
= ExAllocatePoolWithTag(NonPagedPool
,
158 AuditName
->Name
.MaximumLength
+
159 sizeof(UNICODE_STRING
),
163 /* Make a copy of it */
164 RtlCopyMemory(ImageName
,
166 AuditName
->Name
.MaximumLength
+ sizeof(UNICODE_STRING
));
168 /* Fix up the buffer */
169 ImageName
->Buffer
= (PWSTR
)(ImageName
+ 1);
172 *ProcessImageName
= ImageName
;
176 /* Otherwise, fail */
177 Status
= STATUS_NO_MEMORY
;
184 /* PUBLIC FUNCTIONS ***********************************************************/
191 SeAuditHardLinkCreation(IN PUNICODE_STRING FileName
,
192 IN PUNICODE_STRING LinkName
,
203 SeAuditingFileEvents(IN BOOLEAN AccessGranted
,
204 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
215 SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted
,
216 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
217 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
228 SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted
,
229 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
240 SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted
,
241 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
242 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
253 SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted
,
254 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
255 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)
266 SeCloseObjectAuditAlarm(
269 IN BOOLEAN PerformAction
279 SeDeleteObjectAuditAlarm(IN PVOID Object
,
290 SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
291 IN PVOID Object OPTIONAL
,
292 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
293 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
294 IN PACCESS_STATE AccessState
,
295 IN BOOLEAN ObjectCreated
,
296 IN BOOLEAN AccessGranted
,
297 IN KPROCESSOR_MODE AccessMode
,
298 OUT PBOOLEAN GenerateOnClose
)
302 /* Audits aren't done on kernel-mode access */
303 if (AccessMode
== KernelMode
) return;
305 /* Otherwise, unimplemented! */
314 SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
315 IN PVOID Object OPTIONAL
,
316 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
317 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
318 IN PACCESS_STATE AccessState
,
319 IN BOOLEAN ObjectCreated
,
320 IN BOOLEAN AccessGranted
,
321 IN KPROCESSOR_MODE AccessMode
,
322 OUT PBOOLEAN GenerateOnClose
)
332 SePrivilegeObjectAuditAlarm(IN HANDLE Handle
,
333 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
334 IN ACCESS_MASK DesiredAccess
,
335 IN PPRIVILEGE_SET Privileges
,
336 IN BOOLEAN AccessGranted
,
337 IN KPROCESSOR_MODE CurrentMode
)
342 /* SYSTEM CALLS ***************************************************************/
346 NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
348 IN PUNICODE_STRING ObjectTypeName
,
349 IN PUNICODE_STRING ObjectName
,
350 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
351 IN ACCESS_MASK DesiredAccess
,
352 IN PGENERIC_MAPPING GenericMapping
,
353 IN BOOLEAN ObjectCreation
,
354 OUT PACCESS_MASK GrantedAccess
,
355 OUT PNTSTATUS AccessStatus
,
356 OUT PBOOLEAN GenerateOnClose
)
359 return STATUS_NOT_IMPLEMENTED
;
364 NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
366 IN BOOLEAN GenerateOnClose
)
369 return(STATUS_NOT_IMPLEMENTED
);
374 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
376 IN BOOLEAN GenerateOnClose
)
379 return(STATUS_NOT_IMPLEMENTED
);
384 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
386 IN PUNICODE_STRING ObjectTypeName
,
387 IN PUNICODE_STRING ObjectName
,
388 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
389 IN HANDLE ClientToken
,
390 IN ULONG DesiredAccess
,
391 IN ULONG GrantedAccess
,
392 IN PPRIVILEGE_SET Privileges
,
393 IN BOOLEAN ObjectCreation
,
394 IN BOOLEAN AccessGranted
,
395 OUT PBOOLEAN GenerateOnClose
)
398 return(STATUS_NOT_IMPLEMENTED
);
403 NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName
,
404 IN PUNICODE_STRING ServiceName
,
405 IN HANDLE ClientToken
,
406 IN PPRIVILEGE_SET Privileges
,
407 IN BOOLEAN AccessGranted
)
410 return(STATUS_NOT_IMPLEMENTED
);
415 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
417 IN HANDLE ClientToken
,
418 IN ULONG DesiredAccess
,
419 IN PPRIVILEGE_SET Privileges
,
420 IN BOOLEAN AccessGranted
)
423 return(STATUS_NOT_IMPLEMENTED
);