在 IRP_MJ_CREATE 上添加审核
文件系统中安全检查的另一个重要方面是根据需要) 添加审核 (。 通常,这是作为执行安全决策的同一组例程的一部分完成的,因为审核的目的是记录系统做出的安全决策。 例如,以下代码可用于在完成访问检查后在文件系统中实现审核:
{
UNICODE_STRING FileAuditObjectName;
RtlInitUnicodeString(&FileAuditObjectName, L"File");
if ( SeAuditingFileOrGlobalEvents (AccessGranted,
&Fcb->SecurityDescriptor,
&AccessState->SubjectSecurityContext)) {
//
// Must pass complete Windows path name, including device name.
//
ConstructAuditFileName(Irp, Fcb, &AuditName);
if (IrpSp->Parameters.Create.SecurityContext->FullCreateOptions
& FILE_DELETE_ON_CLOSE) {
SeOpenObjectForDeleteAuditAlarm(&FileAuditObjectName,
NULL,
&AuditName,
&Fcb->SecurityDescriptor,
AccessState,
FALSE, // Object not created.
// Was it successful?
// Based on SeAccessCheck
SeAccessCheckAccessGranted,
// UserMode or KernelMode
EffectiveMode,
&AccessState->GenerateOnClose
);
} else {
SeOpenObjectAuditAlarm(&FileAuditObjectName,
NULL,
&AuditName,
&Fcb->SecurityDescriptor,
AccessState,
FALSE, // object not created
// Was it successful?
// Based on SeAccessCheck
AccessGranted,
// UserMode or KernelMode
EffectiveMode,
&AccessState->GenerateOnClose
);
}
//
// Free file name here if needed.
//
}