/*
 * @implemented
 *
 * Client-side wrapper around the LsarSetInformationPolicy RPC call.  The
 * caller's handle and buffer are passed through to the server unchanged;
 * an RPC exception raised by the call itself is converted into an NTSTATUS
 * so that callers always receive a status code rather than an exception.
 *
 * PolicyHandle     - LSA policy handle supplied by the caller.
 * InformationClass - POLICY_INFORMATION_CLASS describing what Buffer holds.
 * Buffer           - Caller-supplied policy information; its layout is
 *                    interpreted by the server according to InformationClass.
 *
 * Returns the NTSTATUS produced by the server, or the status mapped from the
 * RPC exception code when the call could not be completed.
 */
NTSTATUS
WINAPI
LsaSetInformationPolicy(IN LSA_HANDLE PolicyHandle,
                        IN POLICY_INFORMATION_CLASS InformationClass,
                        IN PVOID Buffer)
{
    LSAPR_HANDLE RpcHandle = (LSAPR_HANDLE)PolicyHandle;
    PLSAPR_POLICY_INFORMATION PolicyInfo = (PLSAPR_POLICY_INFORMATION)Buffer;
    NTSTATUS Result;

    TRACE("(%p,0x%08x,%p)\n", PolicyHandle, InformationClass, Buffer);

    RpcTryExcept
    {
        /* Normal path: the server's own status is what we hand back. */
        Result = LsarSetInformationPolicy(RpcHandle, InformationClass, PolicyInfo);
    }
    RpcExcept(EXCEPTION_EXECUTE_HANDLER)
    {
        /* Transport or marshalling failure: surface it as an NTSTATUS. */
        Result = I_RpcMapWin32Status(RpcExceptionCode());
    }
    RpcEndExcept;

    return Result;
}
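NTSTATUS
LsapAdtInitialize(
    IN ULONG Pass
    )

/*++

Routine Description:

    This function performs initialization of auditing within the LSA, and
    it also issues commands to the Reference Monitor to enable it to
    complete any initialization of auditing variables that is dependent
    on the content of the LSA Database.  At time of call, the main
    System Init thread is in the Reference Monitor awaiting completion
    of all LSA initialization, and the Reference Monitor Command
    Server thread is waiting for commands.

    The following steps are performed:

    o Read the Audit Event and Audit Log information from the LSA
      Database.
    o Call the Event Logging function to open the Audit Log
    o Issue a Reference Monitor command to write the Audit Event Info
      to the Reference-Monitor's in-memory database.

Arguments:

    Pass - Specifies the stage of initialization to be performed.

         Pass 1 - Initialization required before Audit Records can
             be written to the Audit Log.  Any Audit Records received
             during this time will be "cached" by the LSA and will
             be written out at Pass 2.

         Pass 2 - Write out Audit Records cached during Pass 1.

         Any other value performs no work and returns STATUS_SUCCESS.

Return Value:

    NTSTATUS - Standard Nt Result Code.

        All Result Codes are generated by called routines.

        When an initialization step fails, auditing is disabled in the
        policy database and the status of that policy update is returned;
        the status of the failed step is only reported via LsapLogError.
--*/

{
    NTSTATUS Status = STATUS_SUCCESS;
    ULONG AuditLogInfoLength = sizeof (POLICY_AUDIT_LOG_INFO);
    ULONG AuditEventInfoLength = sizeof (LSARM_POLICY_AUDIT_EVENTS_INFO);
    BOOLEAN AcquiredLock = FALSE;
    LSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo;

    //
    // Global subsystem name; set on every call, before the pass is
    // examined.
    //

    RtlInitUnicodeString( &LsapSubsystemName, L"Security" );

    if (Pass == 1) {

        Status = LsapAdtInitializeLogQueue();

        if (!NT_SUCCESS(Status)) {

            goto AuditInitError;
        }

        //
        // Acquire the LSA Database Lock.  AcquiredLock records that it
        // must be released on every exit path, including the error path.
        //

        Status = LsapDbAcquireLock();

        if (!NT_SUCCESS(Status)) {

             goto AuditInitError;
        }

        AcquiredLock = TRUE;

        //
        // Read the Audit Log Information from the PolAdtLg attribute of the Lsa
        // Database object.
        //

        Status = LsapDbReadAttributeObject(
                     LsapDbHandle,
                     &LsapDbNames[PolAdtLg],
                     &LsapAdtLogInformation,
                     &AuditLogInfoLength
                     );

        if (!NT_SUCCESS(Status)) {

            LsapLogError(
                "LsapAdtInitialize: Read Audit Log Info returned 0x%lx\n",
                Status
                );

            goto AuditInitError;
        }

        //
        // Query the Audit Log Full Information in the LSA Database.  Note
        // that it is too early to update a log full condition, so don't
        // try to write to the Audit Log.
        //

        Status = LsapAdtQueryAuditLogFullInfo(
                     LsapDbHandle,
                     (ULONG) 0,
                     &LsapAdtLogFullInformation
                     );

        if (!NT_SUCCESS(Status)) {

            LsapLogError(
                "LsapAdtInitialize: Update Audit Log Full Info returned 0x%lx\n",
                Status
                );

            goto AuditInitError;
        }

        //
        // Read the Audit Event Information from the AdtEvent attribute of the Lsa
        // Database object.  The information consists of the Auditing Mode and
        // the Auditing Options for each Audit Event Type.
        //

        Status = LsapDbReadAttributeObject(
                     LsapDbHandle,
                     &LsapDbNames[PolAdtEv],
                     &AuditEventsInfo,
                     &AuditEventInfoLength
                     );

        if (!NT_SUCCESS(Status)) {

            //
            // This section of code is temporary and allows an old
            // Policy Database to work with the new Audit Event Categories
            // without the need to re-install.  The Audit Event Information
            // is overwritten with the new format and all auditing is turned
            // off.
            //

            if (Status == STATUS_BUFFER_OVERFLOW) {

                KdPrint(("LsapAdtInitialize: Old Audit Event Info detected\n"
                        "Replacing with new format, all auditing disabled\n"));

                //
                // Initialize Default Event Auditing Options.  No auditing is specified
                // for any event type.
                //

                Status = LsapAdtInitializeDefaultAuditing(
                             LSAP_DB_UPDATE_POLICY_DATABASE,
                             &AuditEventsInfo
                             );

                if (!NT_SUCCESS(Status)) {

                    goto AuditInitError;
                }

            } else {

                LsapLogError(
                    "LsapAdtInitialize: Read Audit Event Info returned 0x%lx\n",
                    Status
                    );
                goto AuditInitError;
            }
        }

        //
        // Set global flags to tell us if we're supposed to be auditing
        // successful logons, failed logons, or both
        //

        LsapAdtAuditingLogon( &AuditEventsInfo );

        //
        // During system initialization, we are effectively logged on as
        // system.
        //

        LsapAdtSystemRestart( &AuditEventsInfo );

        //
        // Failure to set up crash-on-audit-fail is deliberately ignored here.
        //

        (VOID) LsapAdtInitializeCrashOnFail();

        //
        // Send a command to the Reference Monitor to write the Auditing
        // State to its in-memory data.
        //

        Status = LsapCallRm(
                     RmAuditSetCommand,
                     &AuditEventsInfo,
                     sizeof (LSARM_POLICY_AUDIT_EVENTS_INFO),
                     NULL,
                     0
                     );

        if (!NT_SUCCESS(Status)) {

            LsapLogError("LsapAdtInitialize: LsapCallRm returned 0x%lx\n", Status);
            goto AuditInitError;
        }

        //
        // Only now that the Reference Monitor has accepted the state is the
        // global copy updated, so the global never holds a state the RM has
        // not seen.
        //

        RtlCopyMemory(
            &LsapAdtEventsInformation,
            &AuditEventsInfo,
            sizeof(LSARM_POLICY_AUDIT_EVENTS_INFO)
            );


        LsapAdtInitializeDriveLetters();

        //
        // Initialize privilege values we need
        //

        ChangeNotifyPrivilege       = RtlConvertLongToLuid( SE_CHANGE_NOTIFY_PRIVILEGE      );
        AuditPrivilege              = RtlConvertLongToLuid( SE_AUDIT_PRIVILEGE              );
        CreateTokenPrivilege        = RtlConvertLongToLuid( SE_CREATE_TOKEN_PRIVILEGE       );
        AssignPrimaryTokenPrivilege = RtlConvertLongToLuid( SE_ASSIGNPRIMARYTOKEN_PRIVILEGE );
        BackupPrivilege             = RtlConvertLongToLuid( SE_BACKUP_PRIVILEGE             );
        RestorePrivilege            = RtlConvertLongToLuid( SE_RESTORE_PRIVILEGE            );
        DebugPrivilege              = RtlConvertLongToLuid( SE_DEBUG_PRIVILEGE              );

        //
        // Tell base/wincon how to shut us down.
        // First, tell base to shut us down as late in the game as possible.
        //

        SetProcessShutdownParameters(LSAP_SHUTDOWN_LEVEL, SHUTDOWN_NORETRY);

        // And, tell them what function to call when we are being shutdown:

        SetConsoleCtrlHandler(LsapShutdownNotification, TRUE);


    } else if (Pass == 2) {

        //
        // Write out any Audit Records that were cached during the
        // first stage of initialization.  The Audit Log will be opened
        // on the first write if necessary.
        //

        //
        // BUGBUG - ScottBi 8/6/92 - This action cannot be taken here
        // unless we know that the EventLog service is running.  For now,
        // an attempt is made to open the log each time an Audit Record
        // is generated, and the cache grows until a limit is reached,
        // at which point auditing is turned off and subsequent records
        // are discarded.
        //

        /*
        Status = LsapAdtWriteLog( NULL, (ULONG) 0);

        if (!NT_SUCCESS(Status)) {

            goto AuditInitError;
        }
        */
    }

AuditInitFinish:

    if (AcquiredLock) {

        LsapDbReleaseLock();
    }

    return(Status);

AuditInitError:

    //
    // If the Audit Log is full, signal the Log Full condition.  Its result
    // is not used: the status reported below is that of the failed step.
    //

    if (Status == STATUS_LOG_FILE_FULL) {

        (VOID) LsapAdtSignalLogFull();
    }

    //
    // If auditing failed to initialize, output warning and disable
    // auditing.
    //

    if (Pass == 1) {

        LsapLogError(
            "LSA: Warning - Audit Initialization Pass 1 Returned 0x%lx\n"
            "     Auditing has been disabled\n",
            Status
            );

    } else {

        LsapLogError(
            "LSA: Warning - Audit Initialization Pass 2 Returned 0x%lx\n"
            "     Auditing has been disabled\n",
            Status
            );
    }

    //
    // The system continues with auditing switched off rather than failing
    // initialization.  Status is deliberately replaced by the result of the
    // policy write, so the caller sees success whenever disabling auditing
    // succeeded; the original failure is recorded only by the log line above.
    // In Pass 1 the database lock may still be held here (AcquiredLock);
    // whether LsarSetInformationPolicy tolerates that is not visible in this
    // routine.
    //

    LsapAdtEventsInformation.AuditingMode = FALSE;

    Status = LsarSetInformationPolicy(
                 LsapDbHandle,
                 PolicyAuditEventsInformation,
                 (PLSAPR_POLICY_INFORMATION) &LsapAdtEventsInformation
                 );

    goto AuditInitFinish;
}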