https://git.reactos.org/?p=reactos.git;a=commitdiff;h=9011382e28567c85569a8…
commit 9011382e28567c85569a8e9c86b68c01ae6ef113
Author: Eric Kohl <eric.kohl(a)reactos.org>
AuthorDate: Sun Jan 17 11:46:34 2021 +0100
Commit: Eric Kohl <eric.kohl(a)reactos.org>
CommitDate: Sun Jan 17 11:46:34 2021 +0100
[SYSSETUP][INF] Add audit events setup
---
dll/win32/syssetup/security.c | 142 ++++++++++++++++++++++++++++++++++++++++++
media/inf/defltwk.inf | 10 +++
2 files changed, 152 insertions(+)
diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c
index 2ac2c3a4917..ff2c329dc2e 100644
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@@ -756,6 +756,146 @@ ApplyEventlogSettings(
}
+static
+VOID
+ApplyAuditEvents(
+ _In_ HINF hSecurityInf)
+{
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ INFCONTEXT InfContext;
+ WCHAR szOptionName[256];
+ INT nValue;
+ LSA_HANDLE PolicyHandle = NULL;
+ POLICY_AUDIT_EVENTS_INFO AuditInfo;
+ PULONG AuditOptions = NULL;
+ NTSTATUS Status;
+
+ DPRINT("ApplyAuditEvents(%p)\n", hSecurityInf);
+
+ if (!SetupFindFirstLineW(hSecurityInf,
+ L"Event Audit",
+ NULL,
+ &InfContext))
+ {
+ DPRINT1("SetupFindFirstLineW failed\n");
+ return;
+ }
+
+ ZeroMemory(&ObjectAttributes, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_SET_AUDIT_REQUIREMENTS,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ return;
+ }
+
+ AuditOptions = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
+ (AuditCategoryAccountLogon + 1) * sizeof(ULONG));
+ if (AuditOptions == NULL)
+ {
+ DPRINT1("Failed to allocate the auditiing options array!\n");
+ goto done;
+ }
+
+ AuditInfo.AuditingMode = TRUE;
+ AuditInfo.EventAuditingOptions = AuditOptions;
+ AuditInfo.MaximumAuditEventCount = AuditCategoryAccountLogon + 1;
+
+ do
+ {
+ /* Retrieve the group name */
+ if (!SetupGetStringFieldW(&InfContext,
+ 0,
+ szOptionName,
+ ARRAYSIZE(szOptionName),
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ continue;
+ }
+
+ DPRINT("Option: '%S'\n", szOptionName);
+
+ if (!SetupGetIntField(&InfContext,
+ 1,
+ &nValue))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ continue;
+ }
+
+ DPRINT("Value: %d\n", nValue);
+
+ if ((nValue < POLICY_AUDIT_EVENT_UNCHANGED) || (nValue >
POLICY_AUDIT_EVENT_NONE))
+ {
+ DPRINT1("Invalid audit option!\n");
+ continue;
+ }
+
+ if (_wcsicmp(szOptionName, L"AuditSystemEvents") == 0)
+ {
+ AuditOptions[AuditCategorySystem] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditLogonEvents") == 0)
+ {
+ AuditOptions[AuditCategoryLogon] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditObjectAccess") == 0)
+ {
+ AuditOptions[AuditCategoryObjectAccess] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditPrivilegeUse") == 0)
+ {
+ AuditOptions[AuditCategoryPrivilegeUse] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditProcessTracking") == 0)
+ {
+ AuditOptions[AuditCategoryDetailedTracking] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditPolicyChange") == 0)
+ {
+ AuditOptions[AuditCategoryPolicyChange] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditAccountManage") == 0)
+ {
+ AuditOptions[AuditCategoryAccountManagement] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditDSAccess") == 0)
+ {
+ AuditOptions[AuditCategoryDirectoryServiceAccess] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditAccountLogon") == 0)
+ {
+ AuditOptions[AuditCategoryAccountLogon] = (ULONG)nValue;
+ }
+ else
+ {
+ DPRINT1("Invalid auditing option '%S'\n", szOptionName);
+ }
+ }
+ while (SetupFindNextLine(&InfContext, &InfContext));
+
+ Status = LsaSetInformationPolicy(PolicyHandle,
+ PolicyAuditEventsInformation,
+ (PVOID)&AuditInfo);
+ if (Status != STATUS_SUCCESS)
+ {
+ DPRINT1("LsaSetInformationPolicy() failed (Status 0x%08lx)\n",
Status);
+ }
+
+done:
+ if (AuditOptions != NULL)
+ HeapFree(GetProcessHeap(), 0, AuditOptions);
+
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+}
+
+
VOID
InstallSecurity(VOID)
{
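Review bot: The failure branch after the `SetupGetIntField` call logs `SetupGetStringFieldW() failed`, copied from the branch above it, so an unparsable value and an unparsable key produce the same message; it should read `DPRINT1("SetupGetIntField() failed\n");`, and the allocation-failure message a few checks earlier has a typo (`auditiing`). The final status check uses `Status != STATUS_SUCCESS` while the `LsaOpenPolicy` check in the same function uses `!NT_SUCCESS(Status)`; the two should agree. Since `MaximumAuditEventCount` is the fixed `AuditCategoryAccountLogon + 1`, `AuditOptions` could be a zero-initialised local array (`ULONG AuditOptions[AuditCategoryAccountLogon + 1] = {0};`), which removes the HeapAlloc/HeapFree pair and the `done:` path. Note also that the policy is written with `AuditingMode = TRUE` even when every line of the section hit a `continue`, so a malformed section still turns auditing mode on with all categories left unchanged; consider skipping `LsaSetInformationPolicy` when no option was accepted.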
@@ -782,6 +922,8 @@ InstallSecurity(VOID)
ApplyEventlogSettings(hSecurityInf, L"Security Log",
L"Security");
ApplyEventlogSettings(hSecurityInf, L"System Log",
L"System");
+ ApplyAuditEvents(hSecurityInf);
+
SetupCloseInfFile(hSecurityInf);
}
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf
index 6675540e95a..540edd39416 100644
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
@@ -22,6 +22,16 @@ AuditLogRetentionPeriod = 1
RetentionDays = 7
RestrictGuestAccess = 1
+[Event Audit]
+AuditSystemEvents = 0;
+AuditObjectAccess = 0;
+AuditPrivilegeUse = 0;
+AuditPolicyChange = 0;
+AuditAccountManage = 0;
+AuditProcessTracking = 0;
+AuditAccountLogon = 0;
+AuditLogonEvents = 0;
+
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
SeAuditPrivilege = *S-1-5-19, *S-1-5-20
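Review bot: Each value in the new `[Event Audit]` section ends in a `;`, which the INF parser treats as the start of a comment, so `AuditSystemEvents = 0;` is read as `0` followed by an empty comment; the neighbouring keys in this file carry no semicolon, so `AuditSystemEvents = 0` would match them. From the syssetup side of this commit, `0` is POLICY_AUDIT_EVENT_UNCHANGED, so as shipped this section changes no category while the code still sets AuditingMode on; if that is the intended workstation default, a `; 0 = unchanged, 1 = success, 2 = failure, 3 = both, 4 = none` comment under the header would save the next reader a trip to security.c. `AuditDSAccess` is handled by the parser but has no line here, which is consistent with it defaulting to unchanged.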