
adtp.h

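/*++

Copyright (c) 1991 Microsoft Corporation

Module Name:

    adtp.h

Abstract:

    Auditing - Private Defines, Function Prototypes and Macro Functions

    Everything in this header is private to the security reference monitor's
    auditing component (Se/SepAdt*).  It declares the globals that control the
    audit record queue, the "crash on audit fail" behaviour, and the
    SepAdt*AuditAlarm routines that build individual audit records.

Author:

    Scott Birrell (ScottBi) November 6, 1991

Environment:

Revision History:

--*/

#ifndef ADTP_H
#define ADTP_H

#include "tokenp.h"

//
// Audit Log Information
//
// NOTE(review): this is a definition, not an `extern` declaration, so every
// translation unit that includes adtp.h carries a tentative definition of
// SepAdtLogInformation and the linker is relied on to fold them together.
// Declaring it `extern` here and defining it in exactly one .c file would be
// cleaner; left unchanged because the defining module is not visible from
// this header -- confirm against the build before moving it.
//

POLICY_AUDIT_LOG_INFO SepAdtLogInformation;

//
// Master auditing switch.  The SepAdtAuditThisEvent* macros below evaluate to
// FALSE whenever this is FALSE, regardless of the per-category settings.
//

extern BOOLEAN SepAdtAuditingEnabled;

//
// High and low water marks to control the length of the audit queue.
//
// Presumably records are discarded (and SepAdtCountEventsDiscarded bumped)
// once SepAdtCurrentListLength reaches SepAdtMaxListLength, until the queue
// drains back to SepAdtMinListLength -- confirm in the queue code.  Dropped
// audit records are themselves a security-relevant condition; see
// SepCrashOnAuditFail below.
//

extern ULONG SepAdtMaxListLength;
extern ULONG SepAdtMinListLength;

//
// Structure used to query the above values from the registry.
//
// NOTE(review): the values originate in the registry, so the consumer
// (SepAdtInitializeBounds, presumably) should reject UpperBound <= LowerBound
// rather than trust them -- confirm.
//

typedef struct _SEP_AUDIT_BOUNDS {

    ULONG UpperBound;
    ULONG LowerBound;

} SEP_AUDIT_BOUNDS, *PSEP_AUDIT_BOUNDS;


//
// Number of events discarded
//

extern ULONG SepAdtCountEventsDiscarded;


//
// Number of events on the queue
//

extern ULONG SepAdtCurrentListLength;


//
// Flag to tell us that we're discarding audits
//

extern BOOLEAN SepAdtDiscardingAudits;

//
// Flag to tell us that we should crash if we miss an audit.
//
// Presumably the in-kernel mirror of the CrashOnAuditFail policy: when set,
// losing an audit record is treated as fatal rather than as something to
// continue past (see SepAuditFailed / SepAdtInitializeCrashOnFail below) --
// confirm in the defining module.
//

extern BOOLEAN SepCrashOnAuditFail;

//
// Value name for verbose privilege auditing
//

#define FULL_PRIVILEGE_AUDITING L"FullPrivilegeAuditing"


//
// Audit policy get/set.  Both pointer arguments are optional; the callee is
// expected to skip whichever one is NULL.
//

VOID
SepAdtSetAuditEventInformation(
    IN OPTIONAL PBOOLEAN AuditingMode,
    IN OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

VOID
SepAdtGetAuditEventInformation(
    OUT OPTIONAL PBOOLEAN AuditingMode,
    OUT OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

VOID
SepAdtSetAuditLogInformation(
    IN PPOLICY_AUDIT_LOG_INFO AuditLogInformation
    );

//
// Builds the flattened copy of an audit record that is handed to the LSA.
// RecordMemoryType tells the caller how the returned buffer was allocated
// (and therefore how it must be freed); callers must honour it.
//

NTSTATUS
SepAdtMarshallAuditRecord(
    IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
    OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters,
    OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType
    );


//
// Per-event audit/alarm record generators.
//
// Parameters named Captured* are expected to have already been captured from
// the caller's address space into system memory by the Nt* entry point; do
// not pass user-mode pointers here.  ClientToken is NULL when the caller is
// not impersonating.
//

BOOLEAN
SepAdtPrivilegeObjectAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName OPTIONAL,
    IN PVOID HandleId,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PVOID ProcessId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );

VOID
SepAdtTraverseAuditAlarm(
    IN PLUID OperationID,
    IN PVOID DirectoryObject,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtCreateInstanceAuditAlarm(
    IN PLUID OperationID,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtCreateObjectAuditAlarm(
    IN PLUID OperationID,
    IN PUNICODE_STRING DirectoryName,
    IN PUNICODE_STRING ComponentName,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );


VOID
SepAdtHandleAuditAlarm(
    IN PUNICODE_STRING Source,
    IN LUID OperationId,
    IN HANDLE Handle,
    IN PSID UserSid
    );

VOID
SepAdtPrivilegedServiceAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PUNICODE_STRING CapturedServiceName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );


VOID
SepAdtCloseObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId
    );

VOID
SepAdtDeleteObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId
    );

//
// Object-open audit.  ObjectTypeList/ObjectTypeListLength/GrantedAccessArray
// are the optional per-sub-object results of an object-type-list access
// check; when ObjectTypeList is NULL the caller is expected to pass a length
// of 0 and a NULL GrantedAccessArray.
//

BOOLEAN
SepAdtOpenObjectAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId OPTIONAL,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PVOID Object OPTIONAL,
    IN PUNICODE_STRING CapturedObjectName OPTIONAL,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm,
    IN HANDLE ProcessID,
    IN POLICY_AUDIT_EVENT_TYPE AuditType,
    IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
    IN ULONG ObjectTypeListLength,
    IN PACCESS_MASK GrantedAccessArray OPTIONAL
    );

BOOLEAN
SepAdtOpenObjectForDeleteAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PVOID Object,
    IN PUNICODE_STRING CapturedObjectName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm,
    IN HANDLE ProcessID
    );

VOID
SepAdtObjectReferenceAuditAlarm(
    IN PLUID OperationID OPTIONAL,
    IN PVOID Object,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

//
// BOOLEAN
// SepAdtAuditThisEvent(
//     IN POLICY_AUDIT_EVENT_TYPE AuditType,
//     IN PBOOLEAN AccessGranted
//     );
//
// TRUE if an audit record should be generated for an event of category
// AuditType with the given outcome: auditing must be enabled globally, and
// the category must be configured to audit successes (when *AccessGranted)
// or failures (when !*AccessGranted).  SeAuditingState is declared elsewhere
// and is only resolved at the point of expansion.
//
// Macro hygiene: every argument is parenthesised so that expressions such as
// `a || b` keep their meaning, and both AuditType and AccessGranted are
// evaluated more than once -- never pass an argument with side effects.
//

#define SepAdtAuditThisEvent(AuditType, AccessGranted)                          \
    (SepAdtAuditingEnabled &&                                                   \
     ((SeAuditingState[(AuditType)].AuditOnSuccess &&  *(AccessGranted)) ||     \
      (SeAuditingState[(AuditType)].AuditOnFailure && !*(AccessGranted))))

//
// Same test, but AccessGranted and AccessDenied are passed by value and
// independently, which lets a caller audit an operation that was partly
// granted and partly denied (object-type-list checks).  Both may be FALSE,
// in which case the macro yields FALSE.
//

#define SepAdtAuditThisEventEx(AuditType, AccessGranted, AccessDenied)          \
    (SepAdtAuditingEnabled &&                                                   \
     ((SeAuditingState[(AuditType)].AuditOnSuccess && (AccessGranted)) ||       \
      (SeAuditingState[(AuditType)].AuditOnFailure && (AccessDenied))))

VOID
SepAdtInitializeBounds(
    VOID
    );

//
// Called when an audit record could not be delivered; presumably where
// SepCrashOnAuditFail is honoured -- confirm in the defining module.
//

VOID
SepAuditFailed(
    VOID
    );

NTSTATUS
SepAdtInitializeCrashOnFail(
    VOID
    );

BOOLEAN
SepInitializePrivilegeFilter(
    IN BOOLEAN Verbose
    );

BOOLEAN
SepAdtInitializePrivilegeAuditing(
    VOID
    );

// ----------------------------------------------------------------------
// The following is used only temporarily for NT5.
//
// NT5 does not provide any facility to enable/disable auditing at
// audit-event level.  It only supports it at audit category level.
// This creates problems if one wants to audit only certain specific
// audit events of a category.  The current design gives you all or none for
// each category.
//
// Post NT5 auditing will provide a better/flexible design that will address
// this issue.  For now, to delight some valuable customers, we provide this
// hack / registry based solution.  This solution will be removed post NT5.
//
// NOTE(review): because this is registry driven, whoever can write the
// controlling value can silently suppress "handle closed" audit records.
// The value should be protected at least as tightly as the audit policy
// itself -- confirm where SepAdtInitializeAuditingOptions reads it from.
//

VOID
SepAdtInitializeAuditingOptions(
    VOID
    );

typedef struct _SEP_AUDIT_OPTIONS
{
    // When TRUE, object-close events are not audited even if the category
    // is enabled.
    BOOLEAN DoNotAuditCloseObjectEvents;
} SEP_AUDIT_OPTIONS;

extern SEP_AUDIT_OPTIONS SepAuditOptions;

// ----------------------------------------------------------------------

#endif // ADTP_H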
