From 9011382e28567c85569a8e9c86b68c01ae6ef113 Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Sun, 17 Jan 2021 11:46:34 +0100
Subject: [PATCH] [SYSSETUP][INF] Add audit events setup
---
 dll/win32/syssetup/security.c | 142 ++++++++++++++++++++++++++++++++++
 media/inf/defltwk.inf | 10 +++
 2 files changed, 152 insertions(+)
diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c
index 2ac2c3a4917..ff2c329dc2e 100644
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@@ -756,6 +756,146 @@ ApplyEventlogSettings(
 }
+static
+VOID
+ApplyAuditEvents(
+ _In_ HINF hSecurityInf)
+{
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ INFCONTEXT InfContext;
+ WCHAR szOptionName[256];
+ INT nValue;
+ LSA_HANDLE PolicyHandle = NULL;
+ POLICY_AUDIT_EVENTS_INFO AuditInfo;
+ PULONG AuditOptions = NULL;
+ NTSTATUS Status;
+
+ DPRINT("ApplyAuditEvents(%p)\n", hSecurityInf);
+
+ if (!SetupFindFirstLineW(hSecurityInf,
+ L"Event Audit",
+ NULL,
+ &InfContext))
+ {
+ DPRINT1("SetupFindFirstLineW failed\n");
+ return;
+ }
+
+ ZeroMemory(&ObjectAttributes, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_SET_AUDIT_REQUIREMENTS,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ return;
+ }
+
+ AuditOptions = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
+ (AuditCategoryAccountLogon + 1) * sizeof(ULONG));
+ if (AuditOptions == NULL)
+ {
+ DPRINT1("Failed to allocate the auditiing options array!\n");
+ goto done;
+ }
+
+ AuditInfo.AuditingMode = TRUE;
+ AuditInfo.EventAuditingOptions = AuditOptions;
+ AuditInfo.MaximumAuditEventCount = AuditCategoryAccountLogon + 1;
+
+ do
+ {
+ /* Retrieve the group name */
+ if (!SetupGetStringFieldW(&InfContext,
+ 0,
+ szOptionName,
+ ARRAYSIZE(szOptionName),
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ continue;
+ }
+
+ DPRINT("Option: '%S'\n", szOptionName);
+
+ if (!SetupGetIntField(&InfContext,
+ 1,
+ &nValue))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ continue;
+ }
+
+ DPRINT("Value: %d\n", nValue);
+
+ if ((nValue < POLICY_AUDIT_EVENT_UNCHANGED) || (nValue > POLICY_AUDIT_EVENT_NONE))
+ {
+ DPRINT1("Invalid audit option!\n");
+ continue;
+ }
+
+ if (_wcsicmp(szOptionName, L"AuditSystemEvents") == 0)
+ {
+ AuditOptions[AuditCategorySystem] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditLogonEvents") == 0)
+ {
+ AuditOptions[AuditCategoryLogon] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditObjectAccess") == 0)
+ {
+ AuditOptions[AuditCategoryObjectAccess] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditPrivilegeUse") == 0)
+ {
+ AuditOptions[AuditCategoryPrivilegeUse] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditProcessTracking") == 0)
+ {
+ AuditOptions[AuditCategoryDetailedTracking] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditPolicyChange") == 0)
+ {
+ AuditOptions[AuditCategoryPolicyChange] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditAccountManage") == 0)
+ {
+ AuditOptions[AuditCategoryAccountManagement] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditDSAccess") == 0)
+ {
+ AuditOptions[AuditCategoryDirectoryServiceAccess] = (ULONG)nValue;
+ }
+ else if (_wcsicmp(szOptionName, L"AuditAccountLogon") == 0)
+ {
+ AuditOptions[AuditCategoryAccountLogon] = (ULONG)nValue;
+ }
+ else
+ {
+ DPRINT1("Invalid auditing option '%S'\n", szOptionName);
+ }
+ }
+ while (SetupFindNextLine(&InfContext, &InfContext));
+
+ Status = LsaSetInformationPolicy(PolicyHandle,
+ PolicyAuditEventsInformation,
+ (PVOID)&AuditInfo);
+ if (Status != STATUS_SUCCESS)
+ {
+ DPRINT1("LsaSetInformationPolicy() failed (Status 0x%08lx)\n", Status);
+ }
+
+done:
+ if (AuditOptions != NULL)
+ HeapFree(GetProcessHeap(), 0, AuditOptions);
+
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+}
+
+
 VOID
 InstallSecurity(VOID)
 {
@@ -782,6 +922,8 @@ InstallSecurity(VOID)
 ApplyEventlogSettings(hSecurityInf, L"Security Log", L"Security");
 ApplyEventlogSettings(hSecurityInf, L"System Log", L"System");
+ ApplyAuditEvents(hSecurityInf);
+
 SetupCloseInfFile(hSecurityInf);
 }
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf
index 6675540e95a..540edd39416 100644
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
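Review bot: The parsed INF value is stored into EventAuditingOptions unchanged, so a template entry of `0` reaches LSA as POLICY_AUDIT_EVENT_UNCHANGED (0) rather than POLICY_AUDIT_EVENT_NONE (4); if the [Event Audit] values are meant to follow the secedit template convention (0 = no auditing, 1 = success, 2 = failure, 3 = both), an explicit `0` can never switch off a category that is already being audited, and the only way to express "none" would be the non-template value 4. A mapping such as `if (nValue == 0) nValue = POLICY_AUDIT_EVENT_NONE;` placed after the range check would give the template the meaning its values suggest, while categories the INF does not name would still stay at UNCHANGED thanks to the HEAP_ZERO_MEMORY allocation. Two smaller points in the same hunk: the DPRINT1 after the SetupGetIntField call reports `SetupGetStringFieldW() failed` and should read `SetupGetIntField() failed`, and the LsaSetInformationPolicy result is tested with `Status != STATUS_SUCCESS` while LsaOpenPolicy above uses `!NT_SUCCESS(Status)`; the latter is the usual idiom and does not treat informational or warning statuses as failures.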
@@ -22,6 +22,16 @@ AuditLogRetentionPeriod = 1
 RetentionDays = 7
 RestrictGuestAccess = 1
+[Event Audit]
+AuditSystemEvents = 0;
+AuditObjectAccess = 0;
+AuditPrivilegeUse = 0;
+AuditPolicyChange = 0;
+AuditAccountManage = 0;
+AuditProcessTracking = 0;
+AuditAccountLogon = 0;
+AuditLogonEvents = 0;
+
 [Privilege Rights]
 SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
 SeAuditPrivilege = *S-1-5-19, *S-1-5-20
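Review bot: Every entry in the new [Event Audit] section ends in a `;`, which INF syntax treats as the start of a comment, so the values should still parse as `0` but the semicolons read like C statements and are inconsistent with the neighbouring keys (`RetentionDays = 7`, `RestrictGuestAccess = 1` carry none); drop them, e.g. `AuditSystemEvents = 0`. With all eight categories at 0 the default workstation template requests auditing for no category at all, and nothing on the page records what the numbers mean; a one-line comment at the top of the section such as `; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure` would make both the value convention and the deliberately minimal default visible to whoever edits the template next.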