mirror of https://github.com/lianthony/NT4.0
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
155 lines
3.8 KiB
155 lines
3.8 KiB
/*++
|
|
|
|
Copyright (c) 1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
adt.h
|
|
|
|
Abstract:
|
|
|
|
Local Security Authority - Audit Log Management - Public Defines,
|
|
data and function prototypes.
|
|
|
|
Functions, data and defines in this module are exported to the
|
|
whole of the Lsa subsystem from the Auditing Sub-component.
|
|
|
|
Author:
|
|
|
|
Scott Birrell (ScottBi) November 20, 1991
|
|
|
|
Environment:
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
//
|
|
// Initialization Pass for Auditing.
|
|
//
|
|
|
|
extern ULONG LsapAdtInitializationPass;
|
|
|
|
|
|
//
|
|
// Flag indicating whether shutdown is in progress
|
|
//
|
|
|
|
extern BOOLEAN LsapShutdownInProgress;
|
|
|
|
//
|
|
// Audit Log Information. This must be kept in sync with the information
|
|
// in the Lsa Database.
|
|
//
|
|
|
|
extern POLICY_AUDIT_LOG_INFO LsapAdtLogInformation;
|
|
|
|
extern LSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation;
|
|
|
|
//
|
|
// Audit Log Full Information.
|
|
//
|
|
|
|
extern POLICY_AUDIT_FULL_QUERY_INFO LsapAdtLogFullInformation;
|
|
|
|
//
|
|
// Audit Log Maximum Record Id. Audit Records are numbered serially until
|
|
// this limit is reached, then numbering wraps to 0.
|
|
//
|
|
|
|
#define LSAP_ADT_MAXIMUM_RECORD_ID (0x7fffffffL)
|
|
|
|
//
|
|
// Flag for console handler indicating how late we should be shutdown.
|
|
// This number is intentionally lower than the value used by the
|
|
// the service controller.
|
|
//
|
|
|
|
#define LSAP_SHUTDOWN_LEVEL 400
|
|
|
|
//
|
|
// Options for LsapAdtQueryAuditLogFullInfo
|
|
//
|
|
|
|
#define LSAP_ADT_LOG_FULL_UPDATE ((ULONG)(0x00000001L))
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtWriteLogWrkr(
|
|
IN PLSA_COMMAND_MESSAGE CommandMessage,
|
|
OUT PLSA_REPLY_MESSAGE ReplyMessage
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtSetInfoLog(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN PPOLICY_AUDIT_LOG_INFO PolicyAuditLogInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitialize(
|
|
IN ULONG Pass
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitializeDefaultAuditing(
|
|
IN ULONG Options,
|
|
OUT PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInformation
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditingLogon(
|
|
PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo
|
|
);
|
|
|
|
|
|
VOID
|
|
LsapAdtAuditPackageLoad(
|
|
PUNICODE_STRING PackageFileName
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtQueryAuditLogFullInfo(
|
|
IN PLSAPR_HANDLE PolicyHandle,
|
|
IN ULONG Options,
|
|
OUT PPOLICY_AUDIT_FULL_QUERY_INFO PolicyAuditFullQueryInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtGenerateLsaAuditEvent(
|
|
IN LSAPR_HANDLE ObjectHandle,
|
|
IN ULONG AuditEventCategory,
|
|
IN ULONG AuditEventId,
|
|
IN PPRIVILEGE_SET Privileges,
|
|
IN ULONG SidCount,
|
|
IN PSID *Sids OPTIONAL,
|
|
IN ULONG UnicodeStringCount,
|
|
IN PUNICODE_STRING UnicodeStrings OPTIONAL,
|
|
IN PLSARM_POLICY_AUDIT_EVENTS_INFO PolicyAuditEventsInfo OPTIONAL
|
|
);
|
|
|
|
#define LsapAdtAuditingEnabled() \
|
|
(LsapAdtEventsInformation.AuditingMode)
|
|
|
|
#define LsapAdtAuditingPolicyChanges() \
|
|
(LsapAdtAuditingEnabled() && \
|
|
(LsapAdtEventsInformation.EventAuditingOptions[ AuditCategoryPolicyChange ] & POLICY_AUDIT_EVENT_SUCCESS))
|
|
|
|
|
|
//
|
|
// Macro to determine the size of a PRIVILEGE_SET
|
|
//
|
|
|
|
#define LsapPrivilegeSetSize( PrivilegeSet ) \
|
|
( ( PrivilegeSet ) == NULL ? 0 : \
|
|
((( PrivilegeSet )->PrivilegeCount > 0) \
|
|
? \
|
|
((ULONG)sizeof(PRIVILEGE_SET) + \
|
|
( \
|
|
(( PrivilegeSet )->PrivilegeCount - ANYSIZE_ARRAY) * \
|
|
(ULONG)sizeof(LUID_AND_ATTRIBUTES) \
|
|
) \
|
|
) \
|
|
: ((ULONG)sizeof(PRIVILEGE_SET) - (ULONG)sizeof(LUID_AND_ATTRIBUTES)) \
|
|
))
|
|
|