#include <ntoskrnl.h>#include <debug.h>
Include dependency graph for audit.c:
Go to the source code of this file.
Macros | |
| #define | NDEBUG |
| #define | SEP_PRIVILEGE_SET_MAX_COUNT 60 |
Variables | |
| UNICODE_STRING | SeSubsystemName = RTL_CONSTANT_STRING(L"Security") |
Macro Definition Documentation
◆ NDEBUG
◆ SEP_PRIVILEGE_SET_MAX_COUNT
Function Documentation
◆ NtAccessCheckAndAuditAlarm()
| _Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ PGENERIC_MAPPING | GenericMapping, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _Out_ PACCESS_MASK | GrantedAccess, | ||
| _Out_ PNTSTATUS | AccessStatus, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID that is used as identification instance for auditing. [in] ObjectTypeName The name of the object type. [in] ObjectName The object name. [in] SecurityDescriptor A security descriptor. [in] DesiredAccess The desired access rights masks requested by the caller. [in] GenericMapping The generic mapping of access mask rights. [in] ObjectCreation Set this to TRUE if the object has just been created. [out] GrantedAccess Returns the granted access rights. [out] AccessStatus Returns a NTSTATUS status code indicating whether access check can be granted or not. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
- Returns
- See SepAccessCheckAndAuditAlarm.
Definition at line 2125 of file audit.c.
2137{
2138 /* Call the internal function */
2140 HandleId,
2141 NULL,
2142 ObjectTypeName,
2143 ObjectName,
2144 SecurityDescriptor,
2145 NULL,
2146 DesiredAccess,
2147 AuditEventObjectAccess,
2148 0,
2149 NULL,
2150 0,
2151 GenericMapping,
2152 GrantedAccess,
2153 AccessStatus,
2154 GenerateOnClose,
2155 FALSE);
2156}
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:79
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:614
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2664
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:64
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:422
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
Referenced by AccessCheckAndAuditAlarmA(), and AccessCheckAndAuditAlarmW().
◆ NtAccessCheckByTypeAndAuditAlarm()
| _Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSID | PrincipalSelfSid, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ AUDIT_EVENT_TYPE | AuditType, | ||
| _In_ ULONG | Flags, | ||
| _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST | ObjectTypeList, | ||
| _In_ ULONG | ObjectTypeLength, | ||
| _In_ PGENERIC_MAPPING | GenericMapping, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _Out_ PACCESS_MASK | GrantedAccess, | ||
| _Out_ PNTSTATUS | AccessStatus, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by type.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID that is used as identification instance for auditing. [in] ObjectTypeName The name of the object type. [in] ObjectName The object name. [in] SecurityDescriptor A security descriptor. [in] PrincipalSelfSid A principal self user SID. [in] DesiredAccess The desired access rights masks requested by the caller. [in] AuditType Type of audit to start, influencing how the audit should be done. [in] Flags Flag bitmask, used to check if auditing can be done without privileges. [in] ObjectTypeList A list of object types. [in] ObjectTypeLength The length size of the list. [in] GenericMapping The generic mapping of access mask rights. [in] ObjectCreation Set this to TRUE if the object has just been created. [out] GrantedAccess Returns the granted access rights. [out] AccessStatus Returns a NTSTATUS status code indicating whether access check can be granted or not. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
- Returns
- See SepAccessCheckAndAuditAlarm.
Definition at line 2222 of file audit.c.
2239{
2240 /* Call the internal function */
2242 HandleId,
2243 NULL,
2244 ObjectTypeName,
2245 ObjectName,
2246 SecurityDescriptor,
2247 PrincipalSelfSid,
2248 DesiredAccess,
2249 AuditType,
2250 Flags,
2251 ObjectTypeList,
2252 ObjectTypeLength,
2253 GenericMapping,
2254 GrantedAccess,
2255 AccessStatus,
2256 GenerateOnClose,
2257 FALSE);
2258}
◆ NtAccessCheckByTypeResultListAndAuditAlarm()
| _Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSID | PrincipalSelfSid, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ AUDIT_EVENT_TYPE | AuditType, | ||
| _In_ ULONG | Flags, | ||
| _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST | ObjectTypeList, | ||
| _In_ ULONG | ObjectTypeListLength, | ||
| _In_ PGENERIC_MAPPING | GenericMapping, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _Out_writes_(ObjectTypeListLength) PACCESS_MASK | GrantedAccessList, | ||
| _Out_writes_(ObjectTypeListLength) PNTSTATUS | AccessStatusList, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID that is used as identification instance for auditing. [in] ObjectTypeName The name of the object type. [in] ObjectName The object name. [in] SecurityDescriptor A security descriptor. [in] PrincipalSelfSid A principal self user SID. [in] DesiredAccess The desired access rights masks requested by the caller. [in] AuditType Type of audit to start, influencing how the audit should be done. [in] Flags Flag bitmask, used to check if auditing can be done without privileges. [in] ObjectTypeList A list of object types. [in] ObjectTypeLength The length size of the list. [in] GenericMapping The generic mapping of access mask rights. [in] ObjectCreation Set this to TRUE if the object has just been created. [out] GrantedAccessList Returns the granted access rights. [out] AccessStatusList Returns a NTSTATUS status code indicating whether access check can be granted or not. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
- Returns
- See SepAccessCheckAndAuditAlarm.
Definition at line 2324 of file audit.c.
2341{
2342 /* Call the internal function */
2344 HandleId,
2345 NULL,
2346 ObjectTypeName,
2347 ObjectName,
2348 SecurityDescriptor,
2349 PrincipalSelfSid,
2350 DesiredAccess,
2351 AuditType,
2352 Flags,
2353 ObjectTypeList,
2354 ObjectTypeListLength,
2355 GenericMapping,
2356 GrantedAccessList,
2357 AccessStatusList,
2358 GenerateOnClose,
2359 TRUE);
2360}
◆ NtAccessCheckByTypeResultListAndAuditAlarmByHandle()
| _Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ HANDLE | ClientToken, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSID | PrincipalSelfSid, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ AUDIT_EVENT_TYPE | AuditType, | ||
| _In_ ULONG | Flags, | ||
| _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST | ObjectTypeList, | ||
| _In_ ULONG | ObjectTypeListLength, | ||
| _In_ PGENERIC_MAPPING | GenericMapping, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _Out_writes_(ObjectTypeListLength) PACCESS_MASK | GrantedAccessList, | ||
| _Out_writes_(ObjectTypeListLength) PNTSTATUS | AccessStatusList, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result and a token handle.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID that is used as identification instance for auditing. [in] ClientToken A handle to a client access token. [in] ObjectTypeName The name of the object type. [in] ObjectName The object name. [in] SecurityDescriptor A security descriptor. [in] PrincipalSelfSid A principal self user SID. [in] DesiredAccess The desired access rights masks requested by the caller. [in] AuditType Type of audit to start, influencing how the audit should be done. [in] Flags Flag bitmask, used to check if auditing can be done without privileges. [in] ObjectTypeList A list of object types. [in] ObjectTypeLength The length size of the list. [in] GenericMapping The generic mapping of access mask rights. [in] ObjectCreation Set this to TRUE if the object has just been created. [out] GrantedAccessList Returns the granted access rights. [out] AccessStatusList Returns a NTSTATUS status code indicating whether access check can be granted or not. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
- Returns
- See SepAccessCheckAndAuditAlarm.
Definition at line 2430 of file audit.c.
2448{
2449 UNREFERENCED_PARAMETER(ObjectCreation);
2450
2451 /* Call the internal function */
2453 HandleId,
2454 &ClientToken,
2455 ObjectTypeName,
2456 ObjectName,
2457 SecurityDescriptor,
2458 PrincipalSelfSid,
2459 DesiredAccess,
2460 AuditType,
2461 Flags,
2462 ObjectTypeList,
2463 ObjectTypeListLength,
2464 GenericMapping,
2465 GrantedAccessList,
2466 AccessStatusList,
2467 GenerateOnClose,
2468 TRUE);
2469}
◆ NtCloseObjectAuditAlarm()
| NTSTATUS NTAPI NtCloseObjectAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_ PVOID | HandleId, | ||
| _In_ BOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when an object is about to be closed.
- Parameters
-
[in] SubsystemName A Unicode string that points to the name of the subsystem. [in] HandleId A handle of an ID used for identification instance for auditing. [in] GenerateOnClose A boolean value previously created by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
- Returns
- Returns STATUS_SUCCESS if all the operations have completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the security subject context does not have the audit privilege to actually begin auditing procedures in the first place.
Definition at line 1358 of file audit.c.
1362{
1364 UNICODE_STRING CapturedSubsystemName;
1366 BOOLEAN UseImpersonationToken;
1367 PETHREAD CurrentThread;
1372 PAGED_CODE();
1373
1374 /* Get the previous mode (only user mode is supported!) */
1377
1378 /* Do we even need to do anything? */
1380 {
1381 /* Nothing to do, return success */
1383 }
1384
1385 /* Capture the security subject context */
1387
1388 /* Check for audit privilege */
1390 {
1394 }
1395
1396 /* Probe and capture the subsystem name */
1398 PreviousMode,
1399 SubsystemName);
1401 {
1404 }
1405
1406 /* Get the current thread and check if it's impersonating */
1407 CurrentThread = PsGetCurrentThread();
1409 {
1410 /* Get the impersonation token */
1412 &CopyOnOpen,
1413 &EffectiveOnly,
1414 &ImpersonationLevel);
1415 UseImpersonationToken = TRUE;
1416 }
1417 else
1418 {
1419 /* Get the primary token */
1421 UseImpersonationToken = FALSE;
1422 }
1423
1424 /* Call the internal function */
1425 SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1426 HandleId,
1427 Token->UserAndGroups->Sid);
1428
1429 /* Release the captured subsystem name */
1431
1432 /* Check what token we used */
1433 if (UseImpersonationToken)
1434 {
1435 /* Release impersonation token */
1437 }
1438 else
1439 {
1440 /* Release primary token */
1442 }
1443
1445
1446Cleanup:
1447
1448 /* Release the security subject context */
1450
1452}
_In_ PVOID _In_ ULONG _Out_ PVOID _In_ ULONG _Inout_ PULONG _In_ KPROCESSOR_MODE PreviousMode
Definition: KdSystemDebugControl.c:35
Definition: tokenizer.hpp:28
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:360
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:871
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
Definition: pstypes.h:1191
Definition: setypes.h:217
Definition: setypes.h:216
Definition: env_spec_w32.h:368
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:157
Referenced by ObjectCloseAuditAlarmA(), and ObjectCloseAuditAlarmW().
◆ NtDeleteObjectAuditAlarm()
| NTSTATUS NTAPI NtDeleteObjectAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_ PVOID | HandleId, | ||
| _In_ BOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when an object is about to be deleted.
@unimplemented
- Parameters
-
[in] SubsystemName A Unicode string that points to the name of the subsystem. [in] HandleId A handle of an ID used for identification instance for auditing. [in] GenerateOnClose A boolean value previously created by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
- Returns
- To be added...
Definition at line 1475 of file audit.c.
Referenced by ObjectDeleteAuditAlarmA(), and ObjectDeleteAuditAlarmW().
◆ NtOpenObjectAuditAlarm()
| __kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_opt_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ HANDLE | ClientTokenHandle, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ ACCESS_MASK | GrantedAccess, | ||
| _In_opt_ PPRIVILEGE_SET | PrivilegeSet, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _In_ BOOLEAN | AccessGranted, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when an object is about to be opened.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID used for identification instance for auditing. [in] ObjectTypeName A Unicode string that points to an object type name. [in] ObjectName The name of the object. [in] SecurityDescriptor A security descriptor. [in] ClientTokenHandle A handle to a client access token. [in] DesiredAccess The desired access rights masks requested by the caller. [in] GrantedAccess The granted access mask rights. [in] PrivilegeSet If specified, the function will use this set of privileges to audit. [in] ObjectCreation Set this to TRUE if the object has just been created. [in] AccessGranted Set this to TRUE if the access attempt was deemed as granted. [out] GenerateOnClose A boolean flag returned to the caller once audit generation procedure finishes.
- Returns
- Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the required audit privilege to actually begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is not on par with the impersonation level that alllows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus set of privileges as such array set exceeds the maximum count of privileges that the kernel can accept. A failure NTSTATUS code is returned otherwise.
Definition at line 1622 of file audit.c.
1635{
1636 PTOKEN ClientToken;
1637 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1638 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639 ULONG PrivilegeCount, PrivilegeSetSize;
1641 BOOLEAN LocalGenerateOnClose;
1642 PVOID CapturedHandleId;
1645 PAGED_CODE();
1646
1647 /* Only user mode is supported! */
1649
1650 /* Start clean */
1651 ClientToken = NULL;
1652 CapturedSecurityDescriptor = NULL;
1653 CapturedPrivilegeSet = NULL;
1657
1658 /* Reference the client token */
1660 TOKEN_QUERY,
1661 SeTokenObjectType,
1662 UserMode,
1663 (PVOID*)&ClientToken,
1664 NULL);
1666 {
1668 ClientTokenHandle, Status);
1670 }
1671
1672 /* Capture the security subject context */
1674
1675 /* Validate the token's impersonation level */
1678 {
1682 }
1683
1684 /* Check for audit privilege */
1686 {
1690 }
1691
1692 /* Check for NULL SecurityDescriptor */
1694 {
1695 /* Nothing to do */
1698 }
1699
1700 /* Capture the security descriptor */
1702 UserMode,
1703 PagedPool,
1704 FALSE,
1705 &CapturedSecurityDescriptor);
1707 {
1710 }
1711
1712 _SEH2_TRY
1713 {
1714 /* Check if we have a privilege set */
1716 {
1717 /* Probe the basic privilege set structure */
1719
1720 /* Validate privilege count */
1721 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1723 {
1726 }
1727
1728 /* Calculate the size of the PrivilegeSet structure */
1730
1731 /* Probe the whole structure */
1733
1734 /* Allocate a temp buffer */
1736 PrivilegeSetSize,
1737 TAG_PRIVILEGE_SET);
1739 {
1743 }
1744
1745 /* Copy the privileges */
1746 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1747 }
1748
1750 {
1752 CapturedHandleId = *(PVOID*)HandleId;
1753 }
1754
1756 }
1758 {
1762 }
1763 _SEH2_END;
1764
1765 /* Probe and capture the subsystem name */
1767 UserMode,
1768 SubsystemName);
1770 {
1773 }
1774
1775 /* Probe and capture the object type name */
1777 UserMode,
1778 ObjectTypeName);
1780 {
1783 }
1784
1785 /* Probe and capture the object name */
1787 UserMode,
1788 ObjectName);
1790 {
1793 }
1794
1795 /* Call the internal function */
1797 &CapturedSubsystemName,
1798 CapturedHandleId,
1799 &CapturedObjectTypeName,
1800 &CapturedObjectName,
1801 CapturedSecurityDescriptor,
1802 ClientToken,
1803 DesiredAccess,
1804 GrantedAccess,
1805 CapturedPrivilegeSet,
1806 ObjectCreation,
1807 AccessGranted,
1808 &LocalGenerateOnClose);
1809
1811
1812 /* Enter SEH to copy the data back to user mode */
1813 _SEH2_TRY
1814 {
1815 *GenerateOnClose = LocalGenerateOnClose;
1816 }
1818 {
1821 }
1822 _SEH2_END;
1823
1824Cleanup:
1825
1828
1831
1834
1837
1840
1841 /* Release the security subject context */
1843
1844 ObDereferenceObject(ClientToken);
1845
1847}
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
Definition: nsiface.idl:2307
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1535
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:386
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
Definition: setypes.h:85
Definition: ms-dtyp.idl:301
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:419
Referenced by ObjectOpenAuditAlarmA(), and ObjectOpenAuditAlarmW().
◆ NtPrivilegedServiceAuditAlarm()
| __kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm | ( | _In_opt_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PUNICODE_STRING | ServiceName, | ||
| _In_ HANDLE | ClientTokenHandle, | ||
| _In_ PPRIVILEGE_SET | Privileges, | ||
| _In_ BOOLEAN | AccessGranted | ||
| ) |
Raises an alarm audit message when a caller attempts to request a privileged service call.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] ServiceName A Unicode string that points to a name of the privileged service. [in] ClientTokenHandle A handle to a client access token. [in] Privileges An array set of privileges. [in] AccessGranted Set this to TRUE if the access attempt was deemed as granted.
- Returns
- Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the required audit privilege to actually begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is not on par with the impersonation level that alllows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus set of privileges as such array set exceeds the maximum count of privileges that the kernel can accept. A failure NTSTATUS code is returned otherwise.
Definition at line 1883 of file audit.c.
1889{
1891 PTOKEN ClientToken;
1893 UNICODE_STRING CapturedSubsystemName;
1894 UNICODE_STRING CapturedServiceName;
1895 ULONG PrivilegeCount, PrivilegesSize;
1898 PAGED_CODE();
1899
1900 /* Get the previous mode (only user mode is supported!) */
1903
1906
1907 /* Reference the client token */
1909 TOKEN_QUERY,
1910 SeTokenObjectType,
1911 PreviousMode,
1912 (PVOID*)&ClientToken,
1913 NULL);
1915 {
1918 }
1919
1920 /* Validate the token's impersonation level */
1923 {
1925 ObDereferenceObject(ClientToken);
1927 }
1928
1929 /* Capture the security subject context */
1931
1932 /* Check for audit privilege */
1934 {
1938 }
1939
1940 /* Do we have a subsystem name? */
1942 {
1943 /* Probe and capture the subsystem name */
1945 PreviousMode,
1946 SubsystemName);
1948 {
1951 }
1952 }
1953
1954 /* Do we have a service name? */
1956 {
1957 /* Probe and capture the service name */
1959 PreviousMode,
1960 ServiceName);
1962 {
1965 }
1966 }
1967
1968 _SEH2_TRY
1969 {
1970 /* Probe the basic privilege set structure */
1972
1973 /* Validate privilege count */
1974 PrivilegeCount = Privileges->PrivilegeCount;
1976 {
1979 }
1980
1981 /* Calculate the size of the Privileges structure */
1983
1984 /* Probe the whole structure */
1986
1987 /* Allocate a temp buffer */
1989 PrivilegesSize,
1990 TAG_PRIVILEGE_SET);
1992 {
1996 }
1997
1998 /* Copy the privileges */
2000 }
2002 {
2006 }
2007 _SEH2_END;
2008
2009 /* Call the internal function */
2011 SubsystemName ? &CapturedSubsystemName : NULL,
2013 ClientToken,
2014 SubjectContext.PrimaryToken,
2015 CapturedPrivileges,
2016 AccessGranted);
2017
2019
2020Cleanup:
2021 /* Cleanup resources */
2024
2027
2030
2031 /* Release the security subject context */
2033
2034 ObDereferenceObject(ClientToken);
2035
2037}
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:17
Referenced by PrivilegedServiceAuditAlarmA(), and PrivilegedServiceAuditAlarmW().
◆ NtPrivilegeObjectAuditAlarm()
| NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_ PVOID | HandleId, | ||
| _In_ HANDLE | ClientToken, | ||
| _In_ ULONG | DesiredAccess, | ||
| _In_ PPRIVILEGE_SET | Privileges, | ||
| _In_ BOOLEAN | AccessGranted | ||
| ) |
Raises an alarm audit message when a caller attempts to access a privileged object.
- Parameters
-
[in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID that is used as identification instance for auditing. [in] ClientToken A handle to a client access token. [in] DesiredAccess A handle to a client access token. [in] Privileges An array set of privileges. [in] AccessGranted Set this to TRUE if the access attempt was deemed as granted.
- Returns
- To be added...
Definition at line 2066 of file audit.c.
Referenced by ObjectPrivilegeAuditAlarmA(), and ObjectPrivilegeAuditAlarmW().
◆ SeAuditHardLinkCreation()
| VOID NTAPI SeAuditHardLinkCreation | ( | _In_ PUNICODE_STRING | FileName, |
| _In_ PUNICODE_STRING | LinkName, | ||
| _In_ BOOLEAN | bSuccess | ||
| ) |
Performs an audit against a hard link creation.
@unimplemented
- Parameters
-
[in] FileName A Unicode string that points to the name of the file. [in] LinkName A Unicode string that points to a link. [out] bSuccess If TRUE, the function has successfully audited the hard link and security access can be granted, FALSE otherwise.
- Returns
- Nothing.
◆ SeAuditingFileEvents()
| BOOLEAN NTAPI SeAuditingFileEvents | ( | _In_ BOOLEAN | AccessGranted, |
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor | ||
| ) |
Determines whether auditing against file events is being done or not.
@unimplemented
- Parameters
-
[in] AccessGranted If set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE. [in] SecurityDescriptor A security descriptor.
- Returns
- Returns TRUE if auditing is being currently done, FALSE otherwise.
◆ SeAuditingFileEventsWithContext()
| BOOLEAN NTAPI SeAuditingFileEventsWithContext | ( | _In_ BOOLEAN | AccessGranted, |
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSECURITY_SUBJECT_CONTEXT | SubjectSecurityContext | ||
| ) |
Determines whether auditing against file events with subject context is being done or not.
@unimplemented
- Parameters
-
[in] AccessGranted If set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE. [in] SecurityDescriptor A security descriptor. [in] SubjectSecurityContext If specified, the function will check if security auditing is currently being done with this context.
- Returns
- Returns TRUE if auditing is being currently done, FALSE otherwise.
◆ SeAuditingFileOrGlobalEvents()
| BOOLEAN NTAPI SeAuditingFileOrGlobalEvents | ( | _In_ BOOLEAN | AccessGranted, |
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ PSECURITY_SUBJECT_CONTEXT | SubjectSecurityContext | ||
| ) |
Determines whether auditing against files or global events with subject context is being done or not.
@unimplemented
- Parameters
-
[in] AccessGranted If set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE. [in] SecurityDescriptor A security descriptor. [in] SubjectSecurityContext If specified, the function will check if security auditing is currently being done with this context.
- Returns
- Returns TRUE if auditing is being currently done, FALSE otherwise.
◆ SeAuditingHardLinkEvents()
| BOOLEAN NTAPI SeAuditingHardLinkEvents | ( | _In_ BOOLEAN | AccessGranted, |
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor | ||
| ) |
Determines whether auditing against hard links events is being done or not.
@unimplemented
- Parameters
-
[in] AccessGranted If set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE. [in] SecurityDescriptor A security descriptor.
- Returns
- Returns TRUE if auditing is being currently done, FALSE otherwise.
◆ SeAuditingHardLinkEventsWithContext()
| BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext | ( | _In_ BOOLEAN | AccessGranted, |
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSECURITY_SUBJECT_CONTEXT | SubjectSecurityContext | ||
| ) |
Determines whether auditing against hard links events with subject context is being done or not.
@unimplemented
- Parameters
-
[in] AccessGranted If set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE. [in] SecurityDescriptor A security descriptor. [in] SubjectSecurityContext If specified, the function will check if security auditing is currently being done with this context.
- Returns
- Returns TRUE if auditing is being currently done, FALSE otherwise.
◆ SeAuditProcessCreate()
Peforms a security auditing against a process that is about to be created.
@unimplemented
- Parameters
-
[in] Process An object that points to a process which is in process of creation.
- Returns
- Nothing.
Definition at line 56 of file audit.c.
58{
59 /* FIXME */
60}
Referenced by PspCreateProcess().
◆ SeAuditProcessExit()
Peforms a security auditing against a process that is about to be terminated.
@unimplemented
- Parameters
-
[in] Process An object that points to a process which is in process of termination.
- Returns
- Nothing.
Definition at line 77 of file audit.c.
79{
80 /* FIXME */
81}
Referenced by PspExitThread().
◆ SeCloseObjectAuditAlarm()
| VOID NTAPI SeCloseObjectAuditAlarm | ( | _In_ PVOID | Object, |
| _In_ HANDLE | Handle, | ||
| _In_ BOOLEAN | PerformAction | ||
| ) |
Closes an alarm audit of an object.
@unimplemented
- Parameters
-
[in] Object An arbitrary pointer data that points to the object. [in] Handle A handle of the said object. [in] PerformAction Set this to TRUE to perform any auxiliary action, otherwise set to FALSE.
- Returns
- Nothing.
◆ SeDeleteObjectAuditAlarm()
Deletes an alarm audit of an object.
@unimplemented
- Parameters
-
[in] Object An arbitrary pointer data that points to the object. [in] Handle A handle of the said object.
- Returns
- Nothing.
◆ SeDetailedAuditingWithToken()
Peforms a detailed security auditing with an access token.
@unimplemented
- Returns
- To be added...
Definition at line 34 of file audit.c.
Referenced by ObInitProcess(), PspCreateProcess(), and PspExitThread().
◆ SeInitializeProcessAuditName()
| NTSTATUS NTAPI SeInitializeProcessAuditName | ( | _In_ PFILE_OBJECT | FileObject, |
| _In_ BOOLEAN | DoAudit, | ||
| _Out_ POBJECT_NAME_INFORMATION * | AuditInfo | ||
| ) |
Initializes a process audit name and returns it to the caller.
- Parameters
-
[in] FileObject File object that points to a name to be queried. [in] DoAudit If set to TRUE, the function will perform various security auditing onto the audit name. [out] AuditInfo The returned audit info data.
- Returns
- Returns STATUS_SUCCESS if process audit name initialization has completed successfully. STATUS_NO_MEMORY is returned if pool allocation for object name info has failed. A failure NTSTATUS code is returned otherwise.
Definition at line 105 of file audit.c.
109{
110 OBJECT_NAME_INFORMATION LocalNameInfo;
114
115 PAGED_CODE();
116 ASSERT(AuditInfo);
117
118 /* Check if we should do auditing */
119 if (DoAudit)
120 {
121 /* FIXME: TODO */
122 }
123
124 /* Now query the name */
126 &LocalNameInfo,
127 sizeof(LocalNameInfo),
128 &ReturnLength);
133 {
134 /* Allocate required size */
136 ReturnLength,
137 TAG_SEPA);
138 if (ObjectNameInfo)
139 {
140 /* Query the name again */
142 ObjectNameInfo,
143 ReturnLength,
144 &ReturnLength);
145 }
146 }
147
148 /* Check if we got here due to failure */
149 if ((ObjectNameInfo) &&
151 {
152 /* First, free any buffer we might've allocated */
155
156 /* Now allocate a temporary one */
160 TAG_SEPA);
161 if (ObjectNameInfo)
162 {
163 /* Clear it */
166 }
167 }
168
169 /* Check if memory allocation failed */
171
172 /* Return the audit name */
173 *AuditInfo = ObjectNameInfo;
174
175 /* Return status */
177}
_In_ PVOID _In_ ULONG _Out_ PVOID _In_ ULONG _Inout_ PULONG ReturnLength
Definition: KdSystemDebugControl.c:34
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1207
Definition: nt_native.h:1272
Referenced by MmInitializeProcessAddressSpace(), and SeLocateProcessImageName().
◆ SeLocateProcessImageName()
| NTSTATUS NTAPI SeLocateProcessImageName | ( | _In_ PEPROCESS | Process, |
| _Out_ PUNICODE_STRING * | ProcessImageName | ||
| ) |
Finds the process image name of a specific process.
- Parameters
-
[in] Process Process object submitted by the caller, where the image name is to be located. [out] ProcessImageName An output Unicode string structure with the located process image name.
- Returns
- Returns STATUS_SUCCESS if process image name has been located successfully. STATUS_NO_MEMORY is returned if pool allocation for the image name has failed. A failure NTSTATUS code is returned otherwise.
Definition at line 199 of file audit.c.
202{
203 POBJECT_NAME_INFORMATION AuditName;
207
208 PAGED_CODE();
209
210 /* Assume failure */
211 *ProcessImageName = NULL;
212
213 /* Check if we have audit info */
214 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215 if (!AuditName)
216 {
217 /* Get the file object */
220
221 /* Initialize the audit structure */
224 {
225 /* Set it */
227 SeAuditProcessCreationInfo.ImageFileName,
228 AuditName,
229 NULL))
230 {
231 /* Someone beat us to it, deallocate our copy */
232 ExFreePool(AuditName);
233 }
234 }
235
236 /* Dereference the file object */
239 }
240
241 /* Get audit info again, now we have it for sure */
242 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243
244 /* Allocate the output string */
248 TAG_SEPA);
250
251 /* Make a copy of it */
253 &AuditName->Name,
255
256 /* Fix up the buffer */
258
259 /* Return it */
260 *ProcessImageName = ImageName;
261
262 /* Return status */
264}
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
#define InterlockedCompareExchangePointer
Definition: interlocked.h:144
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
NTSTATUS NTAPI PsReferenceProcessFilePointer(_In_ PEPROCESS Process, _Outptr_ PFILE_OBJECT *FileObject)
Definition: query.c:24
Referenced by NtQueryInformationProcess(), and QSI_DEF().
◆ SeOpenObjectAuditAlarm()
| VOID NTAPI SeOpenObjectAuditAlarm | ( | _In_ PUNICODE_STRING | ObjectTypeName, |
| _In_opt_ PVOID | Object, | ||
| _In_opt_ PUNICODE_STRING | AbsoluteObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ PACCESS_STATE | AccessState, | ||
| _In_ BOOLEAN | ObjectCreated, | ||
| _In_ BOOLEAN | AccessGranted, | ||
| _In_ KPROCESSOR_MODE | AccessMode, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Creates an audit with alarm notification of an object that is being opened.
@unimplemented
- Parameters
-
[in] ObjectTypeName A Unicode string that points to the object type name. [in] Object If specified, the function will use this parameter to directly open the object. [in] AbsoluteObjectName If specified, the function will use this parameter to directly open the object through the absolute name of the object. [in] SecurityDescriptor A security descriptor. [in] AccessState An access state right mask when opening the object. [in] ObjectCreated Set this to TRUE if the object has been fully created, FALSE otherwise. [in] AccessGranted Set this to TRUE if access was deemed as granted. [in] AccessMode Processor level access mode. [out] GenerateOnClose A boolean flag returned to the caller once audit generation procedure finishes.
- Returns
- Nothing.
Definition at line 1213 of file audit.c.
1223{
1224 PAGED_CODE();
1225
1226 /* Audits aren't done on kernel-mode access */
1228
1229 /* Otherwise, unimplemented! */
1230 //UNIMPLEMENTED;
1231 return;
1232}
Referenced by IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), and ObCheckObjectAccess().
◆ SeOpenObjectForDeleteAuditAlarm()
| VOID NTAPI SeOpenObjectForDeleteAuditAlarm | ( | _In_ PUNICODE_STRING | ObjectTypeName, |
| _In_opt_ PVOID | Object, | ||
| _In_opt_ PUNICODE_STRING | AbsoluteObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ PACCESS_STATE | AccessState, | ||
| _In_ BOOLEAN | ObjectCreated, | ||
| _In_ BOOLEAN | AccessGranted, | ||
| _In_ KPROCESSOR_MODE | AccessMode, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Creates an audit with alarm notification of an object that is being opened for deletion.
@unimplemented
- Parameters
-
[in] ObjectTypeName A Unicode string that points to the object type name. [in] Object If specified, the function will use this parameter to directly open the object. [in] AbsoluteObjectName If specified, the function will use this parameter to directly open the object through the absolute name of the object. [in] SecurityDescriptor A security descriptor. [in] AccessState An access state right mask when opening the object. [in] ObjectCreated Set this to TRUE if the object has been fully created, FALSE otherwise. [in] AccessGranted Set this to TRUE if access was deemed as granted. [in] AccessMode Processor level access mode. [out] GenerateOnClose A boolean flag returned to the caller once audit generation procedure finishes.
- Returns
- Nothing.
◆ SepAccessCheckAndAuditAlarm()
| _Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_opt_ PVOID | HandleId, | ||
| _In_ PHANDLE | ClientTokenHandle, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_opt_ PSID | PrincipalSelfSid, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ AUDIT_EVENT_TYPE | AuditType, | ||
| _In_ ULONG | Flags, | ||
| _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST | ObjectTypeList, | ||
| _In_ ULONG | ObjectTypeListLength, | ||
| _In_ PGENERIC_MAPPING | GenericMapping, | ||
| _Out_writes_(ObjectTypeListLength) PACCESS_MASK | GrantedAccessList, | ||
| _Out_writes_(ObjectTypeListLength) PNTSTATUS | AccessStatusList, | ||
| _Out_ PBOOLEAN | GenerateOnClose, | ||
| _In_ BOOLEAN | UseResultList | ||
| ) |
Performs security auditing, if the specific object can be granted security access or not.
- Parameters
-
[in] SubsystemName A Unicode string that represents the name of a subsystem that actuates the auditing process. [in] HandleId A handle to an ID used to identify an object where auditing is to be done. [in] SubjectContext Security subject context. [in] ObjectTypeName A Unicode string that represents the name of an object type. [in] ObjectName The name of the object. [in] SecurityDescriptor A security descriptor with internal security information details for audit. [in] PrincipalSelfSid A principal self user SID. [in] DesiredAccess The desired access rights masks requested by the caller. [in] AuditType Type of audit to start. This parameter influences how an audit should be done. [in] Flags Flag bitmask parameter. [in] HaveAuditPrivilege If set to TRUE, the security subject context has the audit privilege thus it is allowed the ability to perform the audit. [in] ObjectTypeList A list of object types. [in] ObjectTypeListLength The length size of the list. [in] GenericMapping The generic mapping table of access rights used whilst performing auditing sequence procedure. [out] GrantedAccessList This parameter is used to return to the caller a list of actual granted access rights masks that the audited object has. [out] AccessStatusList This parameter is used to return to the caller a list of status return codes. The function may actually return a single NTSTATUS code if the calling thread sets UseResultList parameter to FALSE. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise. [in] UseResultList If set to TRUE, the caller wants that the function should only return a single NTSTATUS code.
- Returns
- Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure mechanism with success. STATUS_INVALID_PARAMETER is returned if one of the parameters do not satisfy the general requirements by the function. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation has failed. STATUS_PRIVILEGE_NOT_HELD is returned if the current security subject context does not have the required audit privilege to actually perform auditing in the first place. STATUS_INVALID_SECURITY_DESCR is returned if the security descriptor provided by the caller is not valid, that is, such descriptor doesn't belong to the main user (owner) and current group. STATUS_GENERIC_NOT_MAPPED is returned if the access rights masks aren't actually mapped. A failure NTSTATUS code is returned otherwise.
Definition at line 614 of file audit.c.
632{
634 ULONG ResultListLength;
635 GENERIC_MAPPING LocalGenericMapping;
636 PTOKEN SubjectContextToken, ClientToken;
637 BOOLEAN AllocatedResultLists;
638 BOOLEAN HaveAuditPrivilege;
639 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
640 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
643 PSID CapturedPrincipalSelfSid;
644 POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList;
646 BOOLEAN LocalGenerateOnClose;
648 PAGED_CODE();
649
650 /* Only user mode is supported! */
652
653 /* Start clean */
654 AllocatedResultLists = FALSE;
655 ClientToken = NULL;
656 CapturedSecurityDescriptor = NULL;
660 CapturedPrincipalSelfSid = NULL;
661 CapturedObjectTypeList = NULL;
662
663 /* Validate AuditType */
665 (AuditType != AuditEventDirectoryServiceAccess))
666 {
669 }
670
671 /* Capture the security subject context */
673
674 /* Did the caller pass a token handle? */
676 {
677 /* Check if we have a token in the subject context */
679 {
683 }
684
685 /* Check if we have a valid impersonation level */
687 {
690 SubjectContext.ImpersonationLevel);
692 }
693 }
694
695 /* Are we using a result list? */
696 if (UseResultList)
697 {
698 /* The list length equals the object type list length */
699 ResultListLength = ObjectTypeListLength;
700 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
701 {
705 }
706
707 /* Allocate a safe buffer from paged pool */
710 TAG_SEPA);
712 {
716 }
717
718 SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719 AllocatedResultLists = TRUE;
720 }
721 else
722 {
723 /* List length is 1 */
724 ResultListLength = 1;
725 SafeGrantedAccessList = &GrantedAccess;
726 SafeAccessStatusList = &AccessStatus;
727 }
728
729 _SEH2_TRY
730 {
731 /* Probe output buffers */
732 ProbeForWrite(AccessStatusList,
733 ResultListLength * sizeof(*AccessStatusList),
734 sizeof(*AccessStatusList));
735 ProbeForWrite(GrantedAccessList,
736 ResultListLength * sizeof(*GrantedAccessList),
737 sizeof(*GrantedAccessList));
738
739 /* Probe generic mapping and make a local copy */
741 LocalGenericMapping = * GenericMapping;
742 }
744 {
748 }
749 _SEH2_END;
750
751 /* Do we have a client token? */
753 {
754 /* Reference the client token */
756 TOKEN_QUERY,
757 SeTokenObjectType,
758 UserMode,
759 (PVOID*)&ClientToken,
760 NULL);
762 {
764 *ClientTokenHandle, Status);
766 }
767
768 SubjectContextToken = SubjectContext.ClientToken;
769 SubjectContext.ClientToken = ClientToken;
770 }
771
772 /* Check for audit privilege */
775 {
779 }
780
781 /* Generic access must already be mapped to non-generic access types! */
783 {
787 }
788
789 /* Capture the security descriptor */
791 UserMode,
792 PagedPool,
793 FALSE,
794 &CapturedSecurityDescriptor);
796 {
799 }
800
801 /* Validate the Security descriptor */
804 {
808 }
809
810 /* Probe and capture the subsystem name */
812 UserMode,
813 SubsystemName);
815 {
818 }
819
820 /* Probe and capture the object type name */
822 UserMode,
823 ObjectTypeName);
825 {
828 }
829
830 /* Probe and capture the object name */
832 UserMode,
833 ObjectName);
835 {
838 }
839
840 /* Check if we have a PrincipalSelfSid */
842 {
843 /* Capture it */
845 UserMode,
846 PagedPool,
847 FALSE,
848 &CapturedPrincipalSelfSid);
850 {
853 }
854 }
855
856 /* Capture the object type list */
858 ObjectTypeListLength,
859 UserMode,
860 &CapturedObjectTypeList);
862 {
865 }
866
867 /* Call the worker routine with the captured buffers */
869 HandleId,
870 &SubjectContext,
871 &CapturedObjectTypeName,
872 &CapturedObjectName,
873 CapturedSecurityDescriptor,
874 CapturedPrincipalSelfSid,
875 DesiredAccess,
876 AuditType,
877 HaveAuditPrivilege,
878 CapturedObjectTypeList,
879 ObjectTypeListLength,
880 &LocalGenericMapping,
881 SafeGrantedAccessList,
882 SafeAccessStatusList,
883 &LocalGenerateOnClose,
884 UseResultList);
887
888 /* Enter SEH to copy the data back to user mode */
889 _SEH2_TRY
890 {
891 /* Loop all result entries (only 1 when no list was requested) */
892 ASSERT(UseResultList || (ResultListLength == 1));
894 {
897 }
898
899 *GenerateOnClose = LocalGenerateOnClose;
900 }
902 {
905 }
906 _SEH2_END;
907
908Cleanup:
909
912
915
918
921
924
927
929 {
930 ObDereferenceObject(ClientToken);
931 SubjectContext.ClientToken = SubjectContextToken;
932 }
933
934 if (AllocatedResultLists)
936
937 /* Release the security subject context */
939
941}
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: objtype.c:378
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
Captures a list of object types and converts it to an internal form for use by the kernel....
Definition: objtype.c:282
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:109
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:89
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:489
Definition: nt_native.h:564
Definition: se.h:52
Definition: ms-dtyp.idl:198
Referenced by NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), and NtAccessCheckByTypeResultListAndAuditAlarmByHandle().
◆ SepAccessCheckAndAuditAlarmWorker()
|
static |
Worker function that serves as the main heart and brain of the whole concept and implementation of auditing in the kernel.
@unimplemented
- Parameters
-
[in] SubsystemName A Unicode string that represents the name of a subsystem that actuates the auditing process. [in] HandleId A handle to an ID used to identify an object where auditing is to be done. [in] SubjectContext Security subject context. [in] ObjectTypeName A Unicode string that represents the name of an object type. [in] ObjectName The name of the object. [in] SecurityDescriptor A security descriptor with internal security information details for audit. [in] PrincipalSelfSid A principal self user SID. [in] DesiredAccess The desired access rights masks requested by the caller. [in] AuditType Type of audit to start. This parameter influences how an audit should be done. [in] HaveAuditPrivilege If set to TRUE, the security subject context has the audit privilege thus it is allowed the ability to perform the audit. [in] ObjectTypeList A list of object types. [in] ObjectTypeListLength The length size of the list. [in] GenericMapping The generic mapping table of access rights used whilst performing auditing sequence procedure. [out] GrantedAccessList This parameter is used to return to the caller a list of actual granted access rights masks that the audited object has. [out] AccessStatusList This parameter is used to return to the caller a list of status return codes. The function may actually return a single NTSTATUS code if the calling thread sets UseResultList parameter to FALSE. [out] GenerateOnClose Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise. [in] UseResultList If set to TRUE, the caller wants that the function should only return a single NTSTATUS code.
- Returns
- Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure mechanism with success.
FIXME: we should do some real work here...
HACK: we just pretend all access is granted!
Definition at line 489 of file audit.c.
507{
509
510 /* Get the length of the result list */
511 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
512
514 UNIMPLEMENTED;
515
518 {
521 }
522
524
526}
Referenced by SepAccessCheckAndAuditAlarm().
◆ SepAdtCloseObjectAuditAlarm()
| VOID NTAPI SepAdtCloseObjectAuditAlarm | ( | _In_ PUNICODE_STRING | SubsystemName, |
| _In_ PVOID | HandleId, | ||
| _In_ PSID | Sid | ||
| ) |
Closes an audit alarm event of an object.
- Parameters
-
[in] SubsystemName A Unicode string pointing to the name of the subsystem where auditing alarm event has to be closed. [in] HandleId A handle to an ID where such ID represents the identification of the object where audit alarm is to be closed. [in] Sid A SID that represents the user who attempted to close the audit alarm.
- Returns
- Nothing.
Definition at line 287 of file audit.c.
Referenced by NtCloseObjectAuditAlarm().
◆ SepAdtPrivilegedServiceAuditAlarm()
| VOID NTAPI SepAdtPrivilegedServiceAuditAlarm | ( | _In_ PSECURITY_SUBJECT_CONTEXT | SubjectContext, |
| _In_opt_ PUNICODE_STRING | SubsystemName, | ||
| _In_opt_ PUNICODE_STRING | ServiceName, | ||
| _In_ PTOKEN | Token, | ||
| _In_ PTOKEN | PrimaryToken, | ||
| _In_ PPRIVILEGE_SET | Privileges, | ||
| _In_ BOOLEAN | AccessGranted | ||
| ) |
Performs an audit alarm to a privileged service request. This is a worker function.
- Parameters
-
[in] SubjectContext A security subject context used for the auditing process. [in] SubsystemName A Unicode string that represents the name of a subsystem that actuated the procedure of alarm auditing of a privileged service. [in] ServiceName A Unicode string that represents the name of a privileged service request for auditing. [in] Token An access token. [in] PrimaryToken A primary access token. [in] Privileges An array set of privileges used to check if the privileged service does actually have all the required set of privileges for security access. [in] AccessGranted When auditing is done, the function will return TRUE to the caller if access is granted, FALSE otherwise.
- Returns
- Nothing.
Definition at line 332 of file audit.c.
340{
342}
Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm().
◆ SepOpenObjectAuditAlarm()
| VOID NTAPI SepOpenObjectAuditAlarm | ( | _In_ PSECURITY_SUBJECT_CONTEXT | SubjectContext, |
| _In_ PUNICODE_STRING | SubsystemName, | ||
| _In_opt_ PVOID | HandleId, | ||
| _In_ PUNICODE_STRING | ObjectTypeName, | ||
| _In_ PUNICODE_STRING | ObjectName, | ||
| _In_opt_ PSECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ PTOKEN | ClientToken, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ ACCESS_MASK | GrantedAccess, | ||
| _In_opt_ PPRIVILEGE_SET | Privileges, | ||
| _In_ BOOLEAN | ObjectCreation, | ||
| _In_ BOOLEAN | AccessGranted, | ||
| _Out_ PBOOLEAN | GenerateOnClose | ||
| ) |
Raises an alarm audit message when an object is about to be opened.
@unimplemented
- Parameters
-
[in] SubjectContext A security subject context for auditing. [in] SubsystemName A Unicode string that points to a name of the subsystem. [in] HandleId A handle to an ID used for identification instance for auditing. [in] ObjectTypeName A Unicode string that points to an object type name. [in] ObjectName The name of the object. [in] SecurityDescriptor A security descriptor. [in] ClientToken A client access token, representing the client we want to impersonate. [in] DesiredAccess The desired access rights masks requested by the caller. [in] GrantedAccess The granted access mask rights. [in] Privileges If specified, the function will use this set of privileges to audit. [in] ObjectCreation Set this to TRUE if the object has just been created. [in] AccessGranted Set this to TRUE if the access attempt was deemed as granted. [out] GenerateOnClose A boolean flag returned to the caller once audit generation procedure finishes.
- Returns
- Nothing.
Definition at line 1535 of file audit.c.
1549{
1551 DBG_UNREFERENCED_PARAMETER(SubsystemName);
1552 DBG_UNREFERENCED_PARAMETER(HandleId);
1556 DBG_UNREFERENCED_PARAMETER(ClientToken);
1560 DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1562 UNIMPLEMENTED;
1564}
Referenced by NtOpenObjectAuditAlarm().
◆ SePrivilegedServiceAuditAlarm()
| VOID NTAPI SePrivilegedServiceAuditAlarm | ( | _In_opt_ PUNICODE_STRING | ServiceName, |
| _In_ PSECURITY_SUBJECT_CONTEXT | SubjectContext, | ||
| _In_ PPRIVILEGE_SET | PrivilegeSet, | ||
| _In_ BOOLEAN | AccessGranted | ||
| ) |
Performs an audit alarm to a privileged service request.
- Parameters
-
[in] ServiceName A Unicode string that represents the name of a privileged service request for auditing. [in] SubjectContext A security subject context used for the auditing process. [in] PrivilegeSet An array set of privileges used to check if the privileged service does actually have all the required set of privileges for security access. [in] AccessGranted When auditing is done, the function will return TRUE to the caller if access is granted, FALSE otherwise.
- Returns
- Nothing.
Definition at line 369 of file audit.c.
374{
375 PTOKEN EffectiveToken;
376 PSID UserSid;
377 PAGED_CODE();
378
379 /* Get the effective token */
381 EffectiveToken = SubjectContext->ClientToken;
382 else
383 EffectiveToken = SubjectContext->PrimaryToken;
384
385 /* Get the user SID */
387
388 /* Check if this is the local system SID */
390 {
391 /* Nothing to do */
392 return;
393 }
394
395 /* Check if this is the network service or local service SID */
398 {
399 // FIXME: should continue for a certain set of privileges
400 return;
401 }
402
403 /* Call the worker function */
405 &SeSubsystemName,
406 ServiceName,
407 SubjectContext->ClientToken,
408 SubjectContext->PrimaryToken,
409 PrivilegeSet,
410 AccessGranted);
411
412}
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
Referenced by SeCheckAuditPrivilege(), and SeSinglePrivilegeCheck().
◆ SePrivilegeObjectAuditAlarm()
| VOID NTAPI SePrivilegeObjectAuditAlarm | ( | _In_ HANDLE | Handle, |
| _In_ PSECURITY_SUBJECT_CONTEXT | SubjectContext, | ||
| _In_ ACCESS_MASK | DesiredAccess, | ||
| _In_ PPRIVILEGE_SET | Privileges, | ||
| _In_ BOOLEAN | AccessGranted, | ||
| _In_ KPROCESSOR_MODE | CurrentMode | ||
| ) |
Raises an audit with alarm notification message when an object tries to acquire this privilege.
@unimplemented
- Parameters
-
[in] Handle A handle to an object. [in] SubjectContext The security subject context for auditing. [in] DesiredAccess The desired right access masks requested by the caller. [in] Privileges An array set of privileges for auditing. [out] AccessGranted When the auditing procedure routine ends, it returns TRUE to the caller if the object has the required privileges for access, FALSE otherwise. [in] CurrentMode Processor level access mode.
- Returns
- Nothing.
Definition at line 1321 of file audit.c.
Referenced by HasPrivilege(), ObpCreateHandle(), and SeCheckPrivilegedObject().
Variable Documentation
◆ SeSubsystemName
| UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security") |
Definition at line 17 of file audit.c.
Referenced by SePrivilegedServiceAuditAlarm().
