source3/utils/net_rpc_audit.c

   1 /*
   2    Samba Unix/Linux SMB client library
   3    Distributed SMB/CIFS Server Management Utility
   4    Copyright (C) 2006,2008 Guenther Deschner
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
  18
  19 #include "includes.h"
  20 #include "utils/net.h"
  21
  22 /********************************************************************
  23 ********************************************************************/
  24
  25 static int net_help_audit(struct net_context *c, int argc, const char **argv)
  26 {
  27         d_printf("net rpc audit list                       View configured Auditing policies\n");
  28         d_printf("net rpc audit enable                     Enable Auditing\n");
  29         d_printf("net rpc audit disable                    Disable Auditing\n");
  30         d_printf("net rpc audit get <category>             View configured Auditing policy setting\n");
  31         d_printf("net rpc audit set <category> <policy>    Set Auditing policies\n\n");
  32         d_printf("\tcategory can be one of: SYSTEM, LOGON, OBJECT, PRIVILEGE, PROCESS, POLICY, SAM, DIRECTORY or ACCOUNT\n");
  33         d_printf("\tpolicy can be one of: SUCCESS, FAILURE, ALL or NONE\n\n");
  34
  35         return -1;
  36 }
  37
  38 /********************************************************************
  39 ********************************************************************/
  40
  41 static void print_auditing_category(const char *policy, const char *value)
  42 {
  43         fstring padding;
  44         int pad_len, col_len = 30;
  45
  46         if (policy == NULL) {
  47                 policy = "Unknown";
  48         }
  49         if (value == NULL) {
  50                 value = "Invalid";
  51         }
  52
  53         /* calculate padding space for d_printf to look nicer */
  54         pad_len = col_len - strlen(policy);
  55         padding[pad_len] = 0;
  56         do padding[--pad_len] = ' '; while (pad_len > 0);
  57
  58         d_printf("\t%s%s%s\n", policy, padding, value);
  59 }
  60
  61 /********************************************************************
  62 ********************************************************************/
  63
  64 static NTSTATUS rpc_audit_get_internal(struct net_context *c,
  65                                        const DOM_SID *domain_sid,
  66                                        const char *domain_name,
  67                                        struct cli_state *cli,
  68                                        struct rpc_pipe_client *pipe_hnd,
  69                                        TALLOC_CTX *mem_ctx,
  70                                        int argc,
  71                                        const char **argv)
  72 {
  73         POLICY_HND pol;
  74         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
  75         union lsa_PolicyInformation *info = NULL;
  76         int i;
  77         uint32_t audit_category;
  78
  79         if (argc < 1 || argc > 2) {
  80                 d_printf("insufficient arguments\n");
  81                 net_help_audit(c, argc, argv);
  82                 return NT_STATUS_INVALID_PARAMETER;
  83         }
  84
  85         if (!get_audit_category_from_param(argv[0], &audit_category)) {
  86                 d_printf("invalid auditing category: %s\n", argv[0]);
  87                 return NT_STATUS_INVALID_PARAMETER;
  88         }
  89
  90         result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
  91                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
  92                                         &pol);
  93
  94         if (!NT_STATUS_IS_OK(result)) {
  95                 goto done;
  96         }
  97
  98         result = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
  99                                             &pol,
 100                                             LSA_POLICY_INFO_AUDIT_EVENTS,
 101                                             &info);
 102
 103         if (!NT_STATUS_IS_OK(result)) {
 104                 goto done;
 105         }
 106
 107         for (i=0; i < info->audit_events.count; i++) {
 108
 109                 const char *val = NULL, *policy = NULL;
 110
 111                 if (i != audit_category) {
 112                         continue;
 113                 }
 114
 115                 val = audit_policy_str(mem_ctx, info->audit_events.settings[i]);
 116                 policy = audit_description_str(i);
 117                 print_auditing_category(policy, val);
 118         }
 119
 120  done:
 121         if (!NT_STATUS_IS_OK(result)) {
 122                 d_printf("failed to get auditing policy: %s\n",
 123                         nt_errstr(result));
 124         }
 125
 126         return result;
 127 }
 128
 129 /********************************************************************
 130 ********************************************************************/
 131
 132 static NTSTATUS rpc_audit_set_internal(struct net_context *c,
 133                                        const DOM_SID *domain_sid,
 134                                        const char *domain_name,
 135                                        struct cli_state *cli,
 136                                        struct rpc_pipe_client *pipe_hnd,
 137                                        TALLOC_CTX *mem_ctx,
 138                                        int argc,
 139                                        const char **argv)
 140 {
 141         POLICY_HND pol;
 142         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 143         union lsa_PolicyInformation *info = NULL;
 144         uint32_t audit_policy, audit_category;
 145
 146         if (argc < 2 || argc > 3) {
 147                 d_printf("insufficient arguments\n");
 148                 net_help_audit(c, argc, argv);
 149                 return NT_STATUS_INVALID_PARAMETER;
 150         }
 151
 152         if (!get_audit_category_from_param(argv[0], &audit_category)) {
 153                 d_printf("invalid auditing category: %s\n", argv[0]);
 154                 return NT_STATUS_INVALID_PARAMETER;
 155         }
 156
 157         audit_policy = LSA_AUDIT_POLICY_CLEAR;
 158
 159         if (strequal(argv[1], "Success")) {
 160                 audit_policy |= LSA_AUDIT_POLICY_SUCCESS;
 161         } else if (strequal(argv[1], "Failure")) {
 162                 audit_policy |= LSA_AUDIT_POLICY_FAILURE;
 163         } else if (strequal(argv[1], "All")) {
 164                 audit_policy |= LSA_AUDIT_POLICY_ALL;
 165         } else if (strequal(argv[1], "None")) {
 166                 audit_policy = LSA_AUDIT_POLICY_CLEAR;
 167         } else {
 168                 d_printf("invalid auditing policy: %s\n", argv[1]);
 169                 return NT_STATUS_INVALID_PARAMETER;
 170         }
 171
 172         result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
 173                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
 174                                         &pol);
 175
 176         if (!NT_STATUS_IS_OK(result)) {
 177                 goto done;
 178         }
 179
 180         result = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
 181                                             &pol,
 182                                             LSA_POLICY_INFO_AUDIT_EVENTS,
 183                                             &info);
 184
 185         if (!NT_STATUS_IS_OK(result)) {
 186                 goto done;
 187         }
 188
 189         info->audit_events.settings[audit_category] = audit_policy;
 190
 191         result = rpccli_lsa_SetInfoPolicy(pipe_hnd, mem_ctx,
 192                                           &pol,
 193                                           LSA_POLICY_INFO_AUDIT_EVENTS,
 194                                           info);
 195
 196         if (!NT_STATUS_IS_OK(result)) {
 197                 goto done;
 198         }
 199
 200         result = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
 201                                             &pol,
 202                                             LSA_POLICY_INFO_AUDIT_EVENTS,
 203                                             &info);
 204         {
 205                 const char *val = audit_policy_str(mem_ctx, info->audit_events.settings[audit_category]);
 206                 const char *policy = audit_description_str(audit_category);
 207                 print_auditing_category(policy, val);
 208         }
 209
 210  done:
 211         if (!NT_STATUS_IS_OK(result)) {
 212                 d_printf("failed to set audit policy: %s\n", nt_errstr(result));
 213         }
 214
 215         return result;
 216 }
 217
 218 /********************************************************************
 219 ********************************************************************/
 220
 221 static NTSTATUS rpc_audit_enable_internal_ext(struct rpc_pipe_client *pipe_hnd,
 222                                               TALLOC_CTX *mem_ctx,
 223                                               int argc,
 224                                               const char **argv,
 225                                               bool enable)
 226 {
 227         POLICY_HND pol;
 228         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 229         union lsa_PolicyInformation *info = NULL;
 230
 231         result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
 232                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
 233                                         &pol);
 234
 235         if (!NT_STATUS_IS_OK(result)) {
 236                 goto done;
 237         }
 238
 239         result = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
 240                                             &pol,
 241                                             LSA_POLICY_INFO_AUDIT_EVENTS,
 242                                             &info);
 243         if (!NT_STATUS_IS_OK(result)) {
 244                 goto done;
 245         }
 246
 247         info->audit_events.auditing_mode = enable;
 248
 249         result = rpccli_lsa_SetInfoPolicy(pipe_hnd, mem_ctx,
 250                                           &pol,
 251                                           LSA_POLICY_INFO_AUDIT_EVENTS,
 252                                           info);
 253
 254         if (!NT_STATUS_IS_OK(result)) {
 255                 goto done;
 256         }
 257
 258  done:
 259         if (!NT_STATUS_IS_OK(result)) {
 260                 d_printf("failed to %s audit policy: %s\n",
 261                         enable ? "enable":"disable", nt_errstr(result));
 262         }
 263
 264         return result;
 265 }
 266
 267 /********************************************************************
 268 ********************************************************************/
 269
 270 static NTSTATUS rpc_audit_disable_internal(struct net_context *c,
 271                                            const DOM_SID *domain_sid,
 272                                            const char *domain_name,
 273                                            struct cli_state *cli,
 274                                            struct rpc_pipe_client *pipe_hnd,
 275                                            TALLOC_CTX *mem_ctx,
 276                                            int argc,
 277                                            const char **argv)
 278 {
 279         return rpc_audit_enable_internal_ext(pipe_hnd, mem_ctx, argc, argv,
 280                                              false);
 281 }
 282
 283 /********************************************************************
 284 ********************************************************************/
 285
 286 static NTSTATUS rpc_audit_enable_internal(struct net_context *c,
 287                                           const DOM_SID *domain_sid,
 288                                           const char *domain_name,
 289                                           struct cli_state *cli,
 290                                           struct rpc_pipe_client *pipe_hnd,
 291                                           TALLOC_CTX *mem_ctx,
 292                                           int argc,
 293                                           const char **argv)
 294 {
 295         return rpc_audit_enable_internal_ext(pipe_hnd, mem_ctx, argc, argv,
 296                                              true);
 297 }
 298
 299 /********************************************************************
 300 ********************************************************************/
 301
 302 static NTSTATUS rpc_audit_list_internal(struct net_context *c,
 303                                         const DOM_SID *domain_sid,
 304                                         const char *domain_name,
 305                                         struct cli_state *cli,
 306                                         struct rpc_pipe_client *pipe_hnd,
 307                                         TALLOC_CTX *mem_ctx,
 308                                         int argc,
 309                                         const char **argv)
 310 {
 311         POLICY_HND pol;
 312         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 313         union lsa_PolicyInformation *info = NULL;
 314         int i;
 315
 316         result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
 317                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
 318                                         &pol);
 319
 320         if (!NT_STATUS_IS_OK(result)) {
 321                 goto done;
 322         }
 323
 324         result = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
 325                                             &pol,
 326                                             LSA_POLICY_INFO_AUDIT_EVENTS,
 327                                             &info);
 328         if (!NT_STATUS_IS_OK(result)) {
 329                 goto done;
 330         }
 331
 332         printf("Auditing:\t\t");
 333         switch (info->audit_events.auditing_mode) {
 334                 case true:
 335                         printf("Enabled");
 336                         break;
 337                 case false:
 338                         printf("Disabled");
 339                         break;
 340                 default:
 341                         printf("unknown (%d)", info->audit_events.auditing_mode);
 342                         break;
 343         }
 344         printf("\n");
 345
 346         printf("Auditing categories:\t%d\n", info->audit_events.count);
 347         printf("Auditing settings:\n");
 348
 349         for (i=0; i < info->audit_events.count; i++) {
 350                 const char *val = audit_policy_str(mem_ctx, info->audit_events.settings[i]);
 351                 const char *policy = audit_description_str(i);
 352                 print_auditing_category(policy, val);
 353         }
 354
 355  done:
 356         if (!NT_STATUS_IS_OK(result)) {
 357                 d_printf("failed to list auditing policies: %s\n",
 358                         nt_errstr(result));
 359         }
 360
 361         return result;
 362 }
 363
 364 /********************************************************************
 365 ********************************************************************/
 366
 367 static int rpc_audit_get(struct net_context *c, int argc, const char **argv)
 368 {
 369         return run_rpc_command(c, NULL, PI_LSARPC, 0,
 370                 rpc_audit_get_internal, argc, argv);
 371 }
 372
 373 /********************************************************************
 374 ********************************************************************/
 375
 376 static int rpc_audit_set(struct net_context *c, int argc, const char **argv)
 377 {
 378         return run_rpc_command(c, NULL, PI_LSARPC, 0,
 379                 rpc_audit_set_internal, argc, argv);
 380 }
 381
 382 /********************************************************************
 383 ********************************************************************/
 384
 385 static int rpc_audit_enable(struct net_context *c, int argc, const char **argv)
 386 {
 387         return run_rpc_command(c, NULL, PI_LSARPC, 0,
 388                 rpc_audit_enable_internal, argc, argv);
 389 }
 390
 391 /********************************************************************
 392 ********************************************************************/
 393
 394 static int rpc_audit_disable(struct net_context *c, int argc, const char **argv)
 395 {
 396         return run_rpc_command(c, NULL, PI_LSARPC, 0,
 397                 rpc_audit_disable_internal, argc, argv);
 398 }
 399
 400 /********************************************************************
 401 ********************************************************************/
 402
 403 static int rpc_audit_list(struct net_context *c, int argc, const char **argv)
 404 {
 405         return run_rpc_command(c, NULL, PI_LSARPC, 0,
 406                 rpc_audit_list_internal, argc, argv);
 407 }
 408
 409 /********************************************************************
 410 ********************************************************************/
 411
 412 int net_rpc_audit(struct net_context *c, int argc, const char **argv)
 413 {
 414         struct functable func[] = {
 415                 {"get", rpc_audit_get},
 416                 {"set", rpc_audit_set},
 417                 {"enable", rpc_audit_enable},
 418                 {"disable", rpc_audit_disable},
 419                 {"list", rpc_audit_list},
 420                 {NULL, NULL}
 421         };
 422
 423         if (argc)
 424                 return net_run_function(c, argc, argv, func, net_help_audit);
 425
 426         return net_help_audit(c, argc, argv);
 427 }