/**
 * Resolve a SID to a "NETBIOSDOMAIN\samAccountName" wide string via LSASS.
 *
 * @param hLsa       Open LSASS connection handle, passed through to LsaFindObjects.
 * @param pSid       SID to look up; it is first rendered as a C string for the query.
 * @param ppwszName  Out: on success receives a newly allocated wide string that the
 *                   caller owns; set to NULL on every failure path.
 * @return 0 on success, otherwise a Win32-style error code. LW_ERROR_NO_SUCH_OBJECT
 *         is returned when LSASS finds no object for the SID.
 */
static
DWORD
MapSidToName(
    HANDLE hLsa,
    PSID pSid,
    PWSTR* ppwszName
    )
{
    DWORD dwError = 0;
    PSTR pszSid = NULL;
    LSA_QUERY_LIST QueryList;
    PLSA_SECURITY_OBJECT* ppObjects = NULL;

    // NTSTATUS from the RTL layer is translated into the Win32 error space used here.
    dwError = LwNtStatusToWin32Error(
        RtlAllocateCStringFromSid(&pszSid, pSid));
    BAIL_ON_LTNET_ERROR(dwError);

    // The query "list" is a one-element array: the address of the single SID string
    // (matches the count of 1 passed below).
    QueryList.ppszStrings = (PCSTR*) &pszSid;

    dwError = LsaFindObjects(
        hLsa,
        NULL,
        0,
        LSA_OBJECT_TYPE_UNDEFINED,
        LSA_QUERY_TYPE_BY_SID,
        1,
        QueryList,
        &ppObjects);
    BAIL_ON_LTNET_ERROR(dwError);

    // A successful lookup with no match yields a NULL entry rather than an error.
    if (ppObjects[0] == NULL)
    {
        dwError = LW_ERROR_NO_SUCH_OBJECT;
        BAIL_ON_LTNET_ERROR(dwError);
    }

    // NOTE(review): assumes both pszNetbiosDomainName and pszSamAccountName are
    // non-NULL for a found object; a NULL field would reach %s unguarded — confirm.
    dwError = LwAllocateWc16sPrintfW(
        ppwszName,
        L"%s\\%s",
        ppObjects[0]->pszNetbiosDomainName,
        ppObjects[0]->pszSamAccountName);
    BAIL_ON_LTNET_ERROR(dwError);

cleanup:

    // Reached with ppObjects still NULL when an early bail fires; assumes
    // LsaFreeSecurityObjectList tolerates a NULL list — TODO confirm.
    LsaFreeSecurityObjectList(1, ppObjects);

    LTNET_SAFE_FREE_STRING(pszSid);

    return dwError;

error:

    // Guarantee the out-parameter is never left dangling on failure.
    *ppwszName = NULL;

    goto cleanup;
}
/**
 * Write one "user added / changed / deleted" record to the eventlog.
 *
 * Which operation is reported depends on the two entry pointers: pOld only
 * means "deleted", pNew only means "added", both present means "changed".
 * Both NULL is rejected with ERROR_INVALID_PARAMETER.
 *
 * @param pEventlog    Open eventlog connection handed to LwEvtWriteRecords.
 * @param PreviousRun  Timestamp of the previous monitor pass, or 0 when unknown.
 *                     0 also selects the "Success Audit" event type rather than
 *                     "Information".
 * @param pOld         Previously recorded entry for the user, or NULL if it is new.
 * @param Now          Timestamp of this pass; stored as EventDateTime and as
 *                     NewValue.LastUpdated.
 * @param pNew         Current passwd entry for the user, or NULL if it is gone.
 * @return 0 on success, otherwise the error of the first failing call. Every
 *         heap string placed in the record is released before returning,
 *         on success and failure alike.
 */
static
DWORD
UmnSrvWriteUserEvent(
    PLW_EVENTLOG_CONNECTION pEventlog,
    long long PreviousRun,
    PUSER_MONITOR_PASSWD pOld,
    long long Now,
    struct passwd *pNew
    )
{
    DWORD dwError = 0;
    // Do not free. The field values are borrowed from other structures.
    USER_CHANGE change = { { 0 } };
    LW_EVENTLOG_RECORD record = { 0 };
    char oldTimeBuf[128] = { 0 };
    char newTimeBuf[128] = { 0 };
    struct tm oldTmBuf = { 0 };
    struct tm newTmBuf = { 0 };
    time_t temp = 0;
    PCSTR pOperation = NULL;

    // Render the previous-run time, or "unknown" when there was no previous run.
    // localtime_r's result is not checked; on failure the zeroed tm is formatted as-is.
    if (PreviousRun)
    {
        temp = PreviousRun;
        localtime_r(&temp, &oldTmBuf);
        strftime(
                oldTimeBuf,
                sizeof(oldTimeBuf),
                "%Y/%m/%d %H:%M:%S",
                &oldTmBuf);
    }
    else
    {
        strcpy(oldTimeBuf, "unknown");
    }
    temp = Now;
    localtime_r(&temp, &newTmBuf);

    strftime(
            newTimeBuf,
            sizeof(newTimeBuf),
            "%Y/%m/%d %H:%M:%S",
            &newTmBuf);

    // NOTE(review): copies sizeof(change.OldValue) bytes out of *pOld — presumably
    // PUSER_MONITOR_PASSWD points at the same type as OldValue; verify.
    if (pOld)
    {
        memcpy(&change.OldValue, pOld, sizeof(change.OldValue));
    }

    // NewValue keeps pointers into *pNew (borrowed, see the note on `change`).
    if (pNew)
    {
        change.NewValue.pw_name = pNew->pw_name;
        change.NewValue.pw_passwd = pNew->pw_passwd;
        change.NewValue.pw_uid = pNew->pw_uid;
        change.NewValue.pw_gid = pNew->pw_gid;
        change.NewValue.pw_gecos = pNew->pw_gecos;
        change.NewValue.pw_dir = pNew->pw_dir;
        change.NewValue.pw_shell = pNew->pw_shell;
        change.NewValue.LastUpdated = Now;
    }

    dwError = LwMbsToWc16s(
                    "Application",
                    &record.pLogname);
    BAIL_ON_UMN_ERROR(dwError);

    // First pass (no previous run) is classified as an audit event.
    if (!PreviousRun)
    {
        dwError = LwMbsToWc16s(
                        "Success Audit",
                        &record.pEventType);
    }
    else
    {
        dwError = LwMbsToWc16s(
                        "Information",
                        &record.pEventType);
    }
    BAIL_ON_UMN_ERROR(dwError);

    record.EventDateTime = Now;

    dwError = LwMbsToWc16s(
                    "User Monitor",
                    &record.pEventSource);
    BAIL_ON_UMN_ERROR(dwError);

    // Derive the operation word from which of the two entries is present.
    if (pOld != NULL && pNew != NULL)
    {
        pOperation = "changed";
    }
    else if (pOld != NULL && pNew == NULL)
    {
        pOperation = "deleted";
    }
    else if (pOld == NULL && pNew != NULL)
    {
        pOperation = "added";
    }
    else
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_UMN_ERROR(dwError);
    }

    // %hhs is this project's wide-printf conversion for a narrow C string.
    dwError = LwAllocateWc16sPrintfW(
                    &record.pEventCategory,
                    L"User %hhs",
                    pOperation);
    BAIL_ON_UMN_ERROR(dwError);

    // Prefer the current entry for the record's user/uid; fall back to the old one
    // (at least one is non-NULL here, guaranteed by the check above).
    if (pNew != NULL)
    {
        record.EventSourceId = pNew->pw_uid;

        dwError = LwMbsToWc16s(
                        pNew->pw_name,
                        &record.pUser);
        BAIL_ON_UMN_ERROR(dwError);
    }
    else
    {
        record.EventSourceId = pOld->pw_uid;

        dwError = LwMbsToWc16s(
                        pOld->pw_name,
                        &record.pUser);
        BAIL_ON_UMN_ERROR(dwError);
    }

    // Leave computer NULL so it is filled in by the eventlog

    // NOTE(review): the description embeds pw_passwd for both old and new values.
    // Where that field is not a shadow placeholder ("x"/"*") this writes credential
    // hashes into the event log; consider logging only whether it changed.
    // NOTE(review): `pOld ? pOld->pw_uid : -1` takes the conditional's type
    // (uid_t, typically unsigned) while the format uses %d — confirm uid_t is
    // int-sized on every target so the vararg is read correctly.
    dwError = LwAllocateWc16sPrintfW(
                    &record.pDescription,
                    L"Between %hhs and %hhs, user '%hhs' was %hhs.\n"
                    L"Passwd (from passwd struct)\n"
                    L"\tOld: %hhs\n"
                    L"\tNew: %hhs\n"
                    L"Uid\n"
                    L"\tOld: %d\n"
                    L"\tNew: %d\n"
                    L"Primary group id\n"
                    L"\tOld: %d\n"
                    L"\tNew: %d\n"
                    L"Gecos\n"
                    L"\tOld: %hhs\n"
                    L"\tNew: %hhs\n"
                    L"Home directory\n"
                    L"\tOld: %hhs\n"
                    L"\tNew: %hhs\n"
                    L"Shell\n"
                    L"\tOld: %hhs\n"
                    L"\tNew: %hhs",
                    oldTimeBuf,
                    newTimeBuf,
                    pOld ? pOld->pw_name : pNew->pw_name,
                    pOperation,
                    pOld ? pOld->pw_passwd : "",
                    pNew ? pNew->pw_passwd : "",
                    pOld ? pOld->pw_uid : -1,
                    pNew ? pNew->pw_uid : -1,
                    pOld ? pOld->pw_gid : -1,
                    pNew ? pNew->pw_gid : -1,
                    pOld ? pOld->pw_gecos : "",
                    pNew ? pNew->pw_gecos : "",
                    pOld ? pOld->pw_dir : "",
                    pNew ? pNew->pw_dir : "",
                    pOld ? pOld->pw_shell : "",
                    pNew ? pNew->pw_shell : "");
    BAIL_ON_UMN_ERROR(dwError);

    // Serialized copy of the change travels as the record's binary payload;
    // record.pData is owned by the record and freed in cleanup.
    dwError = EncodeUserChange(
                    &change,
                    &record.DataLen,
                    (PVOID*)&record.pData);
    BAIL_ON_UMN_ERROR(dwError);

    dwError = LwEvtWriteRecords(
                    pEventlog,
                    1,
                    &record);
    BAIL_ON_UMN_ERROR(dwError);

cleanup:
    // All record strings were allocated above; the SAFE_FREE macros handle the
    // NULL ones left by an early bail.
    LW_SAFE_FREE_MEMORY(record.pLogname);
    LW_SAFE_FREE_MEMORY(record.pEventType);
    LW_SAFE_FREE_MEMORY(record.pEventSource);
    LW_SAFE_FREE_MEMORY(record.pEventCategory);
    LW_SAFE_FREE_MEMORY(record.pUser);
    LW_SAFE_FREE_MEMORY(record.pDescription);
    LW_SAFE_FREE_MEMORY(record.pData);
    return dwError;

error:
    goto cleanup;
}
/**
 * Write one "AD group added / changed / deleted" record to the eventlog.
 *
 * Which operation is reported depends on the two entry pointers: pOld only
 * means "deleted", pNew only means "added", both present means "changed".
 * Both NULL is rejected with ERROR_INVALID_PARAMETER.
 *
 * @param pEventlog    Open eventlog connection handed to LwEvtWriteRecords.
 * @param PreviousRun  Timestamp of the previous monitor pass, or 0 when unknown.
 *                     0 also selects the "Success Audit" event type rather than
 *                     "Information".
 * @param pOld         Previously recorded group entry, or NULL if the group is new.
 * @param Now          Timestamp of this pass; stored as EventDateTime and as
 *                     NewValue.LastUpdated.
 * @param pNew         Current LSASS security object for the group, or NULL if gone.
 * @return 0 on success, otherwise the error of the first failing call. Every
 *         heap string placed in the record is released before returning,
 *         on success and failure alike; record.pComputer is borrowed and not freed.
 */
DWORD
UmnSrvWriteADGroupEvent(
    PLW_EVENTLOG_CONNECTION pEventlog,
    long long PreviousRun,
    PUSER_MONITOR_GROUP pOld,
    long long Now,
    PLSA_SECURITY_OBJECT pNew
    )
{
    DWORD dwError = 0;
    // Do not free. The field values are borrowed from other structures.
    GROUP_CHANGE change = { { 0 } };
    LW_EVENTLOG_RECORD record = { 0 };
    char oldTimeBuf[128] = { 0 };
    char newTimeBuf[128] = { 0 };
    struct tm oldTmBuf = { 0 };
    struct tm newTmBuf = { 0 };
    time_t temp = 0;
    PCSTR pOperation = NULL;

    // Render the previous-run time, or "unknown" when there was no previous run.
    // localtime_r's result is not checked; on failure the zeroed tm is formatted as-is.
    if (PreviousRun)
    {
        temp = PreviousRun;
        localtime_r(&temp, &oldTmBuf);
        strftime(
                oldTimeBuf,
                sizeof(oldTimeBuf),
                "%Y/%m/%d %H:%M:%S",
                &oldTmBuf);
    }
    else
    {
        strcpy(oldTimeBuf, "unknown");
    }
    temp = Now;
    localtime_r(&temp, &newTmBuf);

    strftime(
            newTimeBuf,
            sizeof(newTimeBuf),
            "%Y/%m/%d %H:%M:%S",
            &newTmBuf);

    // NOTE(review): copies sizeof(change.OldValue) bytes out of *pOld — presumably
    // PUSER_MONITOR_GROUP points at the same type as OldValue; verify.
    if (pOld)
    {
        memcpy(&change.OldValue, pOld, sizeof(change.OldValue));
    }

    // NewValue keeps pointers into *pNew (borrowed, see the note on `change`).
    // A missing group password is normalised to the "x" shadow placeholder.
    if (pNew)
    {
        change.NewValue.gr_name = pNew->groupInfo.pszUnixName;
        change.NewValue.gr_passwd = pNew->groupInfo.pszPasswd ?
                                        pNew->groupInfo.pszPasswd : "x";
        change.NewValue.gr_gid = pNew->groupInfo.gid;
        change.NewValue.LastUpdated = Now;
    }

    dwError = LwMbsToWc16s(
                    "Application",
                    &record.pLogname);
    BAIL_ON_UMN_ERROR(dwError);

    // First pass (no previous run) is classified as an audit event.
    if (!PreviousRun)
    {
        dwError = LwMbsToWc16s(
                        "Success Audit",
                        &record.pEventType);
    }
    else
    {
        dwError = LwMbsToWc16s(
                        "Information",
                        &record.pEventType);
    }
    BAIL_ON_UMN_ERROR(dwError);

    record.EventDateTime = Now;

    dwError = LwMbsToWc16s(
                    "User Monitor",
                    &record.pEventSource);
    BAIL_ON_UMN_ERROR(dwError);

    // Derive the operation word from which of the two entries is present.
    if (pOld != NULL && pNew != NULL)
    {
        pOperation = "changed";
    }
    else if (pOld != NULL && pNew == NULL)
    {
        pOperation = "deleted";
    }
    else if (pOld == NULL && pNew != NULL)
    {
        pOperation = "added";
    }
    else
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_UMN_ERROR(dwError);
    }

    // %hhs is this project's wide-printf conversion for a narrow C string.
    dwError = LwAllocateWc16sPrintfW(
                    &record.pEventCategory,
                    L"AD Group %hhs",
                    pOperation);
    BAIL_ON_UMN_ERROR(dwError);

    // Prefer the current entry for the record's name/gid; fall back to the old one
    // (at least one is non-NULL here, guaranteed by the check above).
    if (pNew != NULL)
    {
        record.EventSourceId = pNew->groupInfo.gid;

        dwError = LwMbsToWc16s(
                        pNew->groupInfo.pszUnixName,
                        &record.pUser);
        BAIL_ON_UMN_ERROR(dwError);
    }
    else
    {
        record.EventSourceId = pOld->gr_gid;

        dwError = LwMbsToWc16s(
                        pOld->gr_name,
                        &record.pUser);
        BAIL_ON_UMN_ERROR(dwError);
    }

    // Do not free. This value is borrowed from other structures.
    record.pComputer = (PWSTR)UmnEvtGetEventComputerName();

    // NOTE(review): the description embeds the group password field for both old
    // and new values; where it is not a shadow placeholder this writes a credential
    // hash into the event log — consider logging only whether it changed.
    // NOTE(review): `pOld ? pOld->gr_gid : -1` takes the conditional's type
    // (gid_t, typically unsigned) while the format uses %d — confirm gid_t is
    // int-sized on every target so the vararg is read correctly.
    dwError = LwAllocateWc16sPrintfW(
                    &record.pDescription,
                    L"Between %hhs and %hhs, group '%hhs' was %hhs.\n"
                    L"Passwd (from group struct)\n"
                    L"\tOld: %hhs\n"
                    L"\tNew: %hhs\n"
                    L"Gid\n"
                    L"\tOld: %d\n"
                    L"\tNew: %d",
                    oldTimeBuf,
                    newTimeBuf,
                    pOld ? pOld->gr_name : pNew->groupInfo.pszUnixName,
                    pOperation,
                    pOld ? pOld->gr_passwd : "",
                    pNew ? (pNew->groupInfo.pszPasswd ?
                                pNew->groupInfo.pszPasswd : "x") : "",
                    pOld ? pOld->gr_gid : -1,
                    pNew ? pNew->groupInfo.gid : -1);
    BAIL_ON_UMN_ERROR(dwError);

    // Serialized copy of the change travels as the record's binary payload;
    // record.pData is owned by the record and freed in cleanup.
    dwError = EncodeGroupChange(
                    &change,
                    &record.DataLen,
                    (PVOID*)&record.pData);
    BAIL_ON_UMN_ERROR(dwError);

    dwError = LwEvtWriteRecords(
                    pEventlog,
                    1,
                    &record);
    BAIL_ON_UMN_ERROR(dwError);

cleanup:
    // All record strings were allocated above (pComputer is borrowed and skipped);
    // the SAFE_FREE macros handle the NULL ones left by an early bail.
    LW_SAFE_FREE_MEMORY(record.pLogname);
    LW_SAFE_FREE_MEMORY(record.pEventType);
    LW_SAFE_FREE_MEMORY(record.pEventSource);
    LW_SAFE_FREE_MEMORY(record.pEventCategory);
    LW_SAFE_FREE_MEMORY(record.pUser);
    LW_SAFE_FREE_MEMORY(record.pDescription);
    LW_SAFE_FREE_MEMORY(record.pData);
    return dwError;

error:
    goto cleanup;
}