2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/audit.c
5 * PURPOSE: Audit functions
7 * PROGRAMMERS: Eric Kohl
10 /* INCLUDES *******************************************************************/
16 /* PRIVATE FUNCTIONS***********************************************************/
/*
 * SeDetailedAuditingWithToken: presumably answers whether detailed auditing
 * applies for Token. Only the parameter list survived extraction here; the
 * return type and the body are not visible in this excerpt — confirm against
 * the full file before relying on its semantics.
 */
20 SeDetailedAuditingWithToken(IN PTOKEN Token
)
/*
 * SeAuditProcessCreate: hook called for a new Process (name suggests a
 * process-creation audit record). Return type and body are not visible in
 * this excerpt — TODO confirm whether it emits anything yet.
 */
28 SeAuditProcessCreate(IN PEPROCESS Process
)
/*
 * SeAuditProcessExit: counterpart of SeAuditProcessCreate for a terminating
 * Process. Return type and body are not visible in this excerpt — TODO
 * confirm whether it emits anything yet.
 */
35 SeAuditProcessExit(IN PEPROCESS Process
)
/*
 * SeInitializeProcessAuditName: resolves the object name of FileObject with
 * ObQueryNameString into a freshly allocated OBJECT_NAME_INFORMATION block
 * and hands it back through *AuditInfo. The caller owns that block and
 * releases it with ExFreePool (SeLocateProcessImageName does so on the
 * lost-race path). Return type, braces, one parameter line and several
 * statements (second ObQueryNameString argument list, pool tag, the
 * allocation guards) were dropped by extraction and are not visible here.
 */
42 SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject
,
44 OUT POBJECT_NAME_INFORMATION
*AuditInfo
)
/* Header-only stack buffer used for the first, sizing, query. */
46 OBJECT_NAME_INFORMATION LocalNameInfo
;
/* Stays NULL unless a pool allocation below succeeds; doubles as the "we allocated" flag. */
47 POBJECT_NAME_INFORMATION ObjectNameInfo
= NULL
;
/* Initial value is only a placeholder; the first query overwrites it. */
48 ULONG ReturnLength
= 8;
54 /* Check if we should do auditing */
/* The body of this check is not visible in this excerpt. */
60 /* Now query the name */
/* First pass with the header-only buffer: a real name is expected to be reported as a buffer-size failure, which the condition below turns into a retry. */
61 Status
= ObQueryNameString(FileObject
,
63 sizeof(LocalNameInfo
),
/* Retry only when the failure is a size mismatch AND the object actually has a name (ReturnLength larger than the bare header). */
65 if (((Status
== STATUS_BUFFER_OVERFLOW
) ||
66 (Status
== STATUS_BUFFER_TOO_SMALL
) ||
67 (Status
== STATUS_INFO_LENGTH_MISMATCH
)) &&
68 (ReturnLength
!= sizeof(LocalNameInfo
)))
70 /* Allocate required size */
/* Presumably sized from ReturnLength; the size and tag arguments are not visible here. */
71 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
76 /* Query the name again */
77 Status
= ObQueryNameString(FileObject
,
84 /* Check if we got here due to failure */
/*
 * NOTE(review): the guard on ObjectNameInfo means this fallback only runs
 * when a retry allocation exists. From the visible lines, a first query
 * that succeeds outright (nameless object, ReturnLength equal to the
 * header size) leaves ObjectNameInfo NULL and is reported as
 * STATUS_NO_MEMORY further down, which is a misleading status for that
 * case — confirm against the omitted lines.
 */
85 if ((ObjectNameInfo
) &&
86 (!(NT_SUCCESS(Status
)) || (ReturnLength
== sizeof(LocalNameInfo
))))
88 /* First, free any buffer we might've allocated */
/* The NULL test is redundant with the enclosing condition; harmless. */
90 if (ObjectNameInfo
) ExFreePool(ObjectNameInfo
);
92 /* Now allocate a temporary one */
/* Substitute an empty, zeroed name block so callers always get a usable structure (Length/MaximumLength 0, Buffer NULL). */
93 ReturnLength
= sizeof(OBJECT_NAME_INFORMATION
);
94 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
95 sizeof(OBJECT_NAME_INFORMATION
),
/* Query failure is masked here: the caller sees STATUS_SUCCESS with an empty name, so audit records may carry no image name rather than an error. */
100 RtlZeroMemory(ObjectNameInfo
, ReturnLength
);
101 Status
= STATUS_SUCCESS
;
105 /* Check if memory allocation failed */
106 if (!ObjectNameInfo
) Status
= STATUS_NO_MEMORY
;
108 /* Return the audit name */
/* On failure this publishes NULL, so *AuditInfo is always written. */
109 *AuditInfo
= ObjectNameInfo
;
/*
 * SeLocateProcessImageName: returns, through *ProcessImageName, a newly
 * allocated copy of the image name cached in
 * Process->SeAuditProcessCreationInfo.ImageFileName, populating that cache
 * on first use. The copy is a single pool block holding the UNICODE_STRING
 * header immediately followed by its characters, so the caller frees it
 * with one ExFreePool. *ProcessImageName is NULL on every failure path.
 * Return type, braces and a few statements (the test around the lazy
 * initialization, the exchange operands, the copy source) are not visible
 * in this excerpt.
 */
117 SeLocateProcessImageName(IN PEPROCESS Process
,
118 OUT PUNICODE_STRING
*ProcessImageName
)
120 POBJECT_NAME_INFORMATION AuditName
;
121 PUNICODE_STRING ImageName
;
122 PFILE_OBJECT FileObject
;
123 NTSTATUS Status
= STATUS_SUCCESS
;
/* Set the output first so early returns never leave it uninitialized. */
128 *ProcessImageName
= NULL
;
130 /* Check if we have audit info */
/* The condition that decides whether the lazy initialization below runs is not visible here. */
131 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
134 /* Get the file object */
/* Takes a reference on the process image file object; released below. */
135 Status
= PsReferenceProcessFilePointer(Process
, &FileObject
);
136 if (!NT_SUCCESS(Status
)) return Status
;
138 /* Initialize the audit structure */
/* The meaning of the TRUE argument is defined on a parameter line not visible in this excerpt. */
139 Status
= SeInitializeProcessAuditName(FileObject
, TRUE
, &AuditName
);
140 if (NT_SUCCESS(Status
))
/* Publish the block only if no other thread installed one first; the exchange's comparand/new-value operands are not visible here. */
143 if (InterlockedCompareExchangePointer((PVOID
*)&Process
->
144 SeAuditProcessCreationInfo
.ImageFileName
,
148 /* Someone beat us to it, deallocate our copy */
/* AuditName is dangling after this free; it is reloaded from the process below before any use. */
149 ExFreePool(AuditName
);
153 /* Dereference the file object */
/* Dereferenced before the status check so the error path does not leak the reference. */
154 ObDereferenceObject(FileObject
);
155 if (!NT_SUCCESS(Status
)) return Status
;
158 /* Get audit info again, now we have it for sure */
159 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
161 /* Allocate the output string */
/* One block for header plus characters; MaximumLength is a USHORT so the sum cannot overflow a ULONG. */
162 ImageName
= ExAllocatePoolWithTag(NonPagedPool
,
163 AuditName
->Name
.MaximumLength
+
164 sizeof(UNICODE_STRING
),
166 if (!ImageName
) return STATUS_NO_MEMORY
;
168 /* Make a copy of it */
/* Assumes the characters sit directly after the Name header in the audit block (the copy source line is not visible) — TODO confirm. */
169 RtlCopyMemory(ImageName
,
171 AuditName
->Name
.MaximumLength
+ sizeof(UNICODE_STRING
));
173 /* Fix up the buffer */
/* Rebind Buffer into the new block so the copy does not alias the shared per-process allocation. */
174 ImageName
->Buffer
= (PWSTR
)(ImageName
+ 1);
177 *ProcessImageName
= ImageName
;
183 /* PUBLIC FUNCTIONS ***********************************************************/
/*
 * SeAuditHardLinkCreation: public audit entry for hard-link creation
 * (FileName, LinkName). The remaining parameters, the return type and the
 * body are not visible in this excerpt.
 */
190 SeAuditHardLinkCreation(IN PUNICODE_STRING FileName
,
191 IN PUNICODE_STRING LinkName
,
/*
 * SeAuditingFileEvents: presumably tells drivers whether file events with
 * this outcome/descriptor should be audited. Return type and body are not
 * visible in this excerpt — confirm what it reports.
 */
202 SeAuditingFileEvents(IN BOOLEAN AccessGranted
,
203 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
/*
 * SeAuditingFileEventsWithContext: SeAuditingFileEvents variant taking an
 * optional subject context. Return type and body are not visible in this
 * excerpt.
 */
214 SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted
,
215 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
216 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
/*
 * SeAuditingHardLinkEvents: hard-link counterpart of SeAuditingFileEvents.
 * Return type and body are not visible in this excerpt.
 */
227 SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted
,
228 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
/*
 * SeAuditingHardLinkEventsWithContext: SeAuditingHardLinkEvents variant
 * taking an optional subject context. Return type and body are not visible
 * in this excerpt.
 */
239 SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted
,
240 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
241 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
/*
 * SeAuditingFileOrGlobalEvents: like SeAuditingFileEventsWithContext but the
 * subject context is not marked OPTIONAL here. Return type and body are not
 * visible in this excerpt.
 */
252 SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted
,
253 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
254 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)
/*
 * SeCloseObjectAuditAlarm: audit hook for handle close on Object. One
 * parameter line, the return type and the body are not visible in this
 * excerpt.
 */
265 SeCloseObjectAuditAlarm(IN PVOID Object
,
267 IN BOOLEAN PerformAction
)
/*
 * SeDeleteObjectAuditAlarm: audit hook for object deletion. The remaining
 * parameters, the return type and the body are not visible in this excerpt.
 */
276 SeDeleteObjectAuditAlarm(IN PVOID Object
,
/*
 * SeOpenObjectAuditAlarm: audit hook for an object open. In the visible
 * lines the only action is an early return for kernel-mode callers; the
 * user-mode path is marked unimplemented. The return type, braces and the
 * statements following the "unimplemented" comment are not visible here.
 *
 * NOTE(review): on the kernel-mode return, *GenerateOnClose is not written
 * by any visible line, so callers must initialize it themselves unless the
 * omitted lines do so — confirm against the full file.
 */
287 SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
288 IN PVOID Object OPTIONAL
,
289 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
290 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
291 IN PACCESS_STATE AccessState
,
292 IN BOOLEAN ObjectCreated
,
293 IN BOOLEAN AccessGranted
,
294 IN KPROCESSOR_MODE AccessMode
,
295 OUT PBOOLEAN GenerateOnClose
)
299 /* Audits aren't done on kernel-mode access */
300 if (AccessMode
== KernelMode
) return;
302 /* Otherwise, unimplemented! */
/*
 * SeOpenObjectForDeleteAuditAlarm: same parameter list as
 * SeOpenObjectAuditAlarm, for opens that request delete access. Return type
 * and body are not visible in this excerpt — confirm whether it mirrors the
 * kernel-mode early return of its sibling.
 */
311 SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
312 IN PVOID Object OPTIONAL
,
313 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
314 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
315 IN PACCESS_STATE AccessState
,
316 IN BOOLEAN ObjectCreated
,
317 IN BOOLEAN AccessGranted
,
318 IN KPROCESSOR_MODE AccessMode
,
319 OUT PBOOLEAN GenerateOnClose
)
/*
 * SePrivilegeObjectAuditAlarm: audit hook for privileged access to the
 * object behind Handle. Return type and body are not visible in this
 * excerpt.
 */
329 SePrivilegeObjectAuditAlarm(IN HANDLE Handle
,
330 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
331 IN ACCESS_MASK DesiredAccess
,
332 IN PPRIVILEGE_SET Privileges
,
333 IN BOOLEAN AccessGranted
,
334 IN KPROCESSOR_MODE CurrentMode
)
339 /* SYSTEM CALLS ***************************************************************/
/*
 * NtAccessCheckAndAuditAlarm: system-call stub. Every visible statement is
 * the STATUS_NOT_IMPLEMENTED return, so no caller-supplied pointer is
 * probed or read and none of the OUT parameters (GrantedAccess,
 * AccessStatus, GenerateOnClose) is written — user-mode callers must not
 * rely on them. One parameter line, the return type and the lines between
 * the signature and the return are not visible in this excerpt.
 */
343 NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
345 IN PUNICODE_STRING ObjectTypeName
,
346 IN PUNICODE_STRING ObjectName
,
347 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
348 IN ACCESS_MASK DesiredAccess
,
349 IN PGENERIC_MAPPING GenericMapping
,
350 IN BOOLEAN ObjectCreation
,
351 OUT PACCESS_MASK GrantedAccess
,
352 OUT PNTSTATUS AccessStatus
,
353 OUT PBOOLEAN GenerateOnClose
)
356 return STATUS_NOT_IMPLEMENTED
;
/*
 * NtCloseObjectAuditAlarm: system-call stub returning STATUS_NOT_IMPLEMENTED;
 * no parameter is touched in the visible lines. One parameter line, the
 * return type and the lines before the return are not visible here.
 */
361 NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
363 IN BOOLEAN GenerateOnClose
)
366 return STATUS_NOT_IMPLEMENTED
;
/*
 * NtDeleteObjectAuditAlarm: system-call stub returning
 * STATUS_NOT_IMPLEMENTED; no parameter is touched in the visible lines. One
 * parameter line, the return type and the lines before the return are not
 * visible here.
 */
371 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
373 IN BOOLEAN GenerateOnClose
)
376 return STATUS_NOT_IMPLEMENTED
;
/*
 * NtOpenObjectAuditAlarm: system-call stub returning STATUS_NOT_IMPLEMENTED.
 * In the visible lines ClientToken is never referenced and *GenerateOnClose
 * is never written, so callers must not rely on the OUT value. One parameter
 * line, the return type and the lines before the return are not visible
 * here.
 */
381 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
383 IN PUNICODE_STRING ObjectTypeName
,
384 IN PUNICODE_STRING ObjectName
,
385 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
386 IN HANDLE ClientToken
,
387 IN ULONG DesiredAccess
,
388 IN ULONG GrantedAccess
,
389 IN PPRIVILEGE_SET Privileges
,
390 IN BOOLEAN ObjectCreation
,
391 IN BOOLEAN AccessGranted
,
392 OUT PBOOLEAN GenerateOnClose
)
395 return STATUS_NOT_IMPLEMENTED
;
/*
 * NtPrivilegedServiceAuditAlarm: system-call stub returning
 * STATUS_NOT_IMPLEMENTED; ClientToken and Privileges are never referenced in
 * the visible lines. The return type and the lines before the return are
 * not visible here.
 */
400 NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName
,
401 IN PUNICODE_STRING ServiceName
,
402 IN HANDLE ClientToken
,
403 IN PPRIVILEGE_SET Privileges
,
404 IN BOOLEAN AccessGranted
)
407 return STATUS_NOT_IMPLEMENTED
;
/*
 * NtPrivilegeObjectAuditAlarm: system-call stub returning
 * STATUS_NOT_IMPLEMENTED; no parameter is touched in the visible lines. One
 * parameter line, the return type and the lines before the return are not
 * visible here.
 */
412 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
414 IN HANDLE ClientToken
,
415 IN ULONG DesiredAccess
,
416 IN PPRIVILEGE_SET Privileges
,
417 IN BOOLEAN AccessGranted
)
420 return STATUS_NOT_IMPLEMENTED
;