/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* log.h
*
* Abstract:
*
* This module defines various macros used for logging.
*
* Author:
*
* Eugene Tsyrklevich 17-Mar-2004
*
* Revision History:
*
* None.
*/
#ifndef __LOG_H__
#define __LOG_H__
#include <NTDDK.h>
#include "ntproto.h"
#include "misc.h"
/* maximum number of alerts the kernel will queue */
/* Upper bound on SECURITY_ALERT records kept in LogList; NumberOfAlerts
 * (USHORT, declared below) counts them.  NOTE(review): what happens when the
 * bound is hit (drop newest, drop oldest, block) is not visible in this
 * header - confirm in log.c. */
#define MAXIMUM_OUTSTANDING_ALERTS 1000
/* Named event presumably used to wake the user-mode alert consumer.  It is
 * created in the global \BaseNamedObjects directory, so any user-mode caller
 * allowed by the object's DACL can open and signal it; the consumer should
 * treat a signal as a wake-up hint, not as proof that an alert is queued. */
#define LOG_USER_EVENT_NAME L"\\BaseNamedObjects\\OzoneLogEvent"
/*
 * Logging SubSystems
 *
 * Bit flags naming the driver component that emits a debug message.  LOG()
 * consults them only for messages at MINIMUM_LOGGING_PRIORITY, via the
 * LOG_SUBSYSTEMS mask; combine with '|'.  They gate DbgPrint/KdPrint output
 * only and are unrelated to the ALERT_SS_* indices further down, which
 * classify queued SECURITY_ALERT records.
 */
#define LOG_SS_DRIVER_INTERNAL (1 << 0)
#define LOG_SS_POLICY (1 << 1)
#define LOG_SS_POLICY_PARSER (1 << 2)
#define LOG_SS_FILE (1 << 3)
#define LOG_SS_DIRECTORY (1 << 3) // same as LOG_SS_FILE, used in HookedNtCreateFile
#define LOG_SS_SEMAPHORE (1 << 4)
#define LOG_SS_EVENT (1 << 5)
#define LOG_SS_SECTION (1 << 6)
#define LOG_SS_REGISTRY (1 << 7)
#define LOG_SS_PROCESS (1 << 8)
#define LOG_SS_HOOKPROC (1 << 9)
#define LOG_SS_LEARN (1 << 10)
#define LOG_SS_PATHPROC (1 << 11)
#define LOG_SS_NETWORK (1 << 12)
#define LOG_SS_TIME (1 << 13)
#define LOG_SS_SYSINFO (1 << 14)
#define LOG_SS_JOB (1 << 15)
#define LOG_SS_MUTANT (1 << 16)
#define LOG_SS_PORT (1 << 17)
#define LOG_SS_SYMLINK (1 << 18)
#define LOG_SS_TIMER (1 << 19)
#define LOG_SS_TOKEN (1 << 20)
#define LOG_SS_NAMEDPIPE (1 << 21)
#define LOG_SS_MAILSLOT (1 << 22)
#define LOG_SS_DRIVER (1 << 23)
#define LOG_SS_DIROBJ (1 << 24)
#define LOG_SS_ATOM (1 << 25)
#define LOG_SS_VDM (1 << 26)
#define LOG_SS_DEBUG (1 << 27)
#define LOG_SS_DRIVE (1 << 28)
/* highest bit in use is 29, so the whole set still fits a 32-bit int */
#define LOG_SS_MISC (1 << 29)
/* log the following subsytems */
/* Compile-time mask of LOG_SS_* bits whose MINIMUM_LOGGING_PRIORITY messages
 * LOG() prints.  Currently every subsystem is enabled (LOG_SS_DIRECTORY is
 * absent from the list but shares its bit with LOG_SS_FILE, so it is covered).
 * Remove entries here to silence a noisy subsystem at build time. */
#define LOG_SUBSYSTEMS (LOG_SS_ATOM | \
    LOG_SS_DIROBJ | \
    LOG_SS_DRIVER | \
    LOG_SS_DRIVER_INTERNAL | \
    LOG_SS_EVENT | \
    LOG_SS_FILE | \
    LOG_SS_HOOKPROC | \
    LOG_SS_JOB | \
    LOG_SS_LEARN | \
    LOG_SS_MAILSLOT | \
    LOG_SS_MISC | \
    LOG_SS_MUTANT | \
    LOG_SS_NAMEDPIPE | \
    LOG_SS_NETWORK | \
    LOG_SS_PATHPROC | \
    LOG_SS_POLICY | \
    LOG_SS_POLICY_PARSER | \
    LOG_SS_PORT | \
    LOG_SS_PROCESS | \
    LOG_SS_REGISTRY | \
    LOG_SS_SECTION | \
    LOG_SS_SEMAPHORE | \
    LOG_SS_SYMLINK | \
    LOG_SS_SYSINFO | \
    LOG_SS_TIME | \
    LOG_SS_TIMER | \
    LOG_SS_TOKEN | \
    LOG_SS_VDM | \
    LOG_SS_DRIVE | \
    LOG_SS_DEBUG)
/*
 * Debug-print priorities consumed by LOG().  These are independent of the
 * ALERT_PRIORITY enum (policy.h) stored in SECURITY_ALERT.Priority; do not mix
 * the two.  With MINIMUM_LOGGING_PRIORITY == LOG_PRIORITY_DEBUG, VERBOSE
 * messages are never printed by LOG(), DEBUG messages are printed only for
 * subsystems enabled in LOG_SUBSYSTEMS, and WARNING and above are always
 * printed.
 */
#define LOG_PRIORITY_VERBOSE 1
#define LOG_PRIORITY_DEBUG 2
#define LOG_PRIORITY_WARNING 3
#define LOG_PRIORITY_ERROR 4
#define LOG_PRIORITY_CRITICAL 5
/* lowest priority LOG() will consider for subsystem-gated output */
#define MINIMUM_LOGGING_PRIORITY LOG_PRIORITY_DEBUG
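/*
 * LOG(subsystem, priority, msg) - conditional kernel debug print.
 *
 * subsystem: one or more LOG_SS_* bits (may be OR-ed together).
 * priority:  a LOG_PRIORITY_* value.
 * msg:       the complete DbgPrint argument list INCLUDING its parentheses,
 *            e.g. LOG(LOG_SS_FILE, LOG_PRIORITY_DEBUG, ("open %wZ\n", &name));
 *            The first element of msg must be a string literal; pass object,
 *            process or policy names only as %s/%wZ arguments, never as the
 *            format string itself.
 *
 * Behaviour:
 *   - priority >= LOG_PRIORITY_WARNING: DbgPrint, unconditionally.
 *   - MINIMUM_LOGGING_PRIORITY < priority < LOG_PRIORITY_WARNING: KdPrint,
 *     regardless of subsystem.  With the current constants (DEBUG == 2,
 *     WARNING == 3) this range is empty and the branch is never taken.
 *   - priority == MINIMUM_LOGGING_PRIORITY: KdPrint only when at least one of
 *     the given subsystem bits is set in LOG_SUBSYSTEMS.
 *   - anything lower (LOG_PRIORITY_VERBOSE) is discarded.
 *   In the WDK, KdPrint expands to nothing unless DBG is defined, so only the
 *   DbgPrint branch survives into a free (release) build.
 *
 * subsystem and priority are expanded more than once and are therefore
 * parenthesised: without that, LOG(LOG_SS_FILE | LOG_SS_REGISTRY, ...) would
 * parse the mask test as LOG_SS_FILE | (LOG_SS_REGISTRY & LOG_SUBSYSTEMS),
 * which is true whenever LOG_SS_FILE is non-zero.
 */
#define LOG(subsystem, priority, msg) \
    do { \
        if ((priority) >= LOG_PRIORITY_WARNING) { \
            DbgPrint msg; \
        } else if ((priority) > MINIMUM_LOGGING_PRIORITY) { \
            KdPrint(msg); \
        } else if (((subsystem) & LOG_SUBSYSTEMS) && \
                   (priority) == MINIMUM_LOGGING_PRIORITY) { \
            KdPrint(msg); \
        } \
    } while (0)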
/*
 * Alert SubSystems (sorted in the same order as RULEs in policy.h)
 *
 * We have an alert subsystem for each category of alert that Ozone generates.
 * (These are mostly the same as RuleTypes plus several extra ones)
 *
 * These are small sequential indices (0..25), not bit flags, and are stored
 * in SECURITY_ALERT.AlertSubsystem (UCHAR).  Do not confuse them with the
 * LOG_SS_* debug-print bits above.  Consumers should range-check the value
 * before using it as a table index.
 */
#define ALERT_SS_FILE 0
#define ALERT_SS_DIRECTORY 1
#define ALERT_SS_MAILSLOT 2
#define ALERT_SS_NAMEDPIPE 3
#define ALERT_SS_REGISTRY 4
#define ALERT_SS_SECTION 5
#define ALERT_SS_DLL 6
#define ALERT_SS_EVENT 7
#define ALERT_SS_SEMAPHORE 8
#define ALERT_SS_JOB 9
#define ALERT_SS_MUTANT 10
#define ALERT_SS_PORT 11
#define ALERT_SS_SYMLINK 12
#define ALERT_SS_TIMER 13
#define ALERT_SS_PROCESS 14
#define ALERT_SS_DRIVER 15
#define ALERT_SS_DIROBJ 16
#define ALERT_SS_ATOM 17
#define ALERT_SS_NETWORK 18
#define ALERT_SS_SERVICE 19
#define ALERT_SS_TIME 20
#define ALERT_SS_TOKEN 21
#define ALERT_SS_SYSCALL 22
#define ALERT_SS_VDM 23
#define ALERT_SS_DEBUG 24
#define ALERT_SS_BOPROT 25
/*
 * Alert Rules
 *
 * Values for SECURITY_ALERT.AlertRuleNumber.  The numbers appear to be scoped
 * per alert subsystem (ALERT_RULE_BOPROT_INVALIDCALL reuses 1, the same value
 * as ALERT_RULE_PROCESS_EXEC_2EXTS), so a consumer must always interpret
 * AlertRuleNumber together with AlertSubsystem.
 */
#define ALERT_RULE_NONE 0
#define ALERT_RULE_PROCESS_EXEC_2EXTS 1 // Executing a binary with more than one extension
#define ALERT_RULE_PROCESS_EXEC_UNKNOWN 2 // Executing a binary with an unknown extension
#define ALERT_RULE_PROCESS_EXEC_NOEXT 3 // Executing binary without an extension
#define ALERT_RULE_BOPROT_INVALIDCALL 1 // System call originating directly from user code
/* defined in policy.h */
/* Local declarations so this header compiles without policy.h.  ACTION_TYPE
 * is a full typedef and must stay identical to the one in policy.h (C allows
 * a repeated typedef only if the types match).  The enum forward
 * declaration is a Microsoft extension, not ISO C. */
typedef unsigned char ACTION_TYPE;
typedef struct _POLICY_RULE POLICY_RULE, *PPOLICY_RULE;
typedef enum _AlertPriority ALERT_PRIORITY;
#pragma pack(push, 1)
/*
 * One queued alert record.  Packed to 1 byte, presumably because the same
 * layout is read by a user-mode consumer.
 *
 * NOTE(review): Next is a kernel-mode pointer.  If records are handed to user
 * mode as-is, it discloses a kernel address - confirm that the copy-out path
 * clears or skips this field.
 */
typedef struct _SECURITY_ALERT
{
    struct _SECURITY_ALERT *Next;
    /* size of the entire alert = sizeof(SECURITY_ALERT) + strlen(ObjectName) + sizeof(SID) */
    /* NOTE(review): the formula above omits ProcessName and PolicyName and
     * uses strlen on a WCHAR string.  Readers should treat Size as the
     * authoritative byte count and check it against the three *Length fields
     * before walking the variable-length tail. */
    USHORT Size;
    UCHAR AlertSubsystem;           /* ALERT_SS_* index */
    UCHAR AlertType;                /* operation type; presumably a RULE type from policy.h */
    UCHAR AlertRuleNumber;          /* ALERT_RULE_*; meaning depends on AlertSubsystem */
    UCHAR/*ALERT_PRIORITY*/ Priority;
    UCHAR/*ACTION_TYPE*/ Action; /* UINT8 Action that was taken (denied, logged) */
    ULONG ProcessId;
    /* NOTE(review): whether these lengths count bytes or WCHARs, and whether
     * they include the terminator, is not stated here - confirm in log.c */
    USHORT ObjectNameLength;
    USHORT ProcessNameLength;
    USHORT PolicyNameLength;
    USHORT PolicyLineNumber;
    /* space for ObjectName, ProcessName, PolicyName and SID are dynamically allocated */
    WCHAR ObjectName[ANYSIZE_ARRAY];
    /* ProcessName follows the zero-terminated ObjectName */
    // WCHAR ProcessName[ANYSIZE_ARRAY];
    /* PolicyName follows the zero-terminated ProcessName */
    // WCHAR PolicyName[ANYSIZE_ARRAY];
    /* SID follows the zero-terminated PolicyName */
    // SID_AND_ATTRIBUTES UserInfo;
} SECURITY_ALERT, *PSECURITY_ALERT;
#pragma pack(pop)
/* Shared alert-queue state, defined in the log implementation.
 * NOTE(review): gLogSpinLock presumably guards LogList, LastAlert and
 * NumberOfAlerts - confirm, and acquire it before touching any of them. */
extern KSPIN_LOCK gLogSpinLock;
extern PSECURITY_ALERT LogList;      /* head of the singly linked alert list */
extern PSECURITY_ALERT LastAlert;    /* tail, for O(1) append */
/* USHORT is wide enough: MAXIMUM_OUTSTANDING_ALERTS is 1000 */
extern USHORT NumberOfAlerts;
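/*
 * Log module interface.  Functions taking no arguments are declared with
 * (void) so that call sites are type-checked; an empty parameter list in C
 * declares an unprototyped function and disables that checking.
 */

/* Initialises the log module; presumably returns FALSE on failure. */
BOOLEAN InitLog(void);

/* Tears down the log module; presumably frees any queued alerts. */
VOID ShutdownLog(void);

/*
 * Builds and queues a SECURITY_ALERT for the given subsystem/operation/rule.
 * NOTE(review): ObjectName is a PCHAR while SECURITY_ALERT stores a WCHAR
 * ObjectName, so a conversion must happen inside; the record's *Length
 * fields are USHORT, so the implementation has to reject or truncate names
 * that do not fit - confirm in log.c.
 */
VOID LogAlert(UCHAR AlertSubSystem, UCHAR OperationType, UCHAR AlertRuleNumber,
              ACTION_TYPE ActionTaken, ALERT_PRIORITY AlertPriority,
              PWSTR PolicyFilename, USHORT PolicyLineNumber, PCHAR ObjectName);

/* Maps a subsystem/operation/action triple to the ALERT_PRIORITY to record. */
ALERT_PRIORITY GetObjectAccessAlertPriority(UCHAR AlertSubSystem, UCHAR Operation, ACTION_TYPE ActionTaken);

/* Post-boot initialisation step; presumably returns FALSE on failure. */
BOOLEAN LogPostBootup(void);

/* Normalises an object name before it is logged.  NOTE(review): whether the
 * returned pointer is the input, a static buffer or a fresh allocation (and
 * who frees it) is not documented here - confirm in log.c. */
PCHAR FilterObjectName(PCHAR ObjectName);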
#endif /* __LOG_H__ */