archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/base/ntos/se/adtp.h

305 lines
6.9 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. adtp.h
  9. Abstract:
  11. Auditing - Private Defines, Fuction Prototypes and Macro Functions
  13. Author:
  15. Scott Birrell (ScottBi) November 6, 1991
  17. Environment:
  19. Revision History:
  21. --*/
  23. #ifndef _ADTP_H_
  24. #define _ADTP_H_
  26. #include "tokenp.h"
  28. //
  29. // Audit Log Information
  30. //
  32. POLICY_AUDIT_LOG_INFO SepAdtLogInformation;
  34. extern BOOLEAN SepAdtAuditingEnabled;
  36. //
  37. // High and low water marks to control the length of the audit queue
  38. //
  40. extern ULONG SepAdtMaxListLength;
  41. extern ULONG SepAdtMinListLength;
  42. //
  43. // Set when LSA has died.
  44. //
  45. extern PKEVENT SepAdtLsaDeadEvent;
  46. //
  47. // Structure used to query the above values from the registry
  48. //
  50. typedef struct _SEP_AUDIT_BOUNDS {
  52. ULONG UpperBound;
  53. ULONG LowerBound;
  55. } SEP_AUDIT_BOUNDS, *PSEP_AUDIT_BOUNDS;
  58. //
  59. // Number of events discarded
  60. //
  62. extern ULONG SepAdtCountEventsDiscarded;
  65. //
  66. // Number of events on the queue
  67. //
  69. extern ULONG SepAdtCurrentListLength;
  72. //
  73. // Flag to tell us that we're discarding audits
  74. //
  76. extern BOOLEAN SepAdtDiscardingAudits;
  78. //
  79. // Flag to tell us that we should crash if we miss an audit.
  80. //
  82. extern BOOLEAN SepCrashOnAuditFail;
  84. //
  85. // Value name for verbose privilege auditing
  86. //
  88. #define FULL_PRIVILEGE_AUDITING L"FullPrivilegeAuditing"
  90. //
  91. // security descriptor to be used for adding a SACL on system processes
  92. //
  94. extern PSECURITY_DESCRIPTOR SepProcessAuditSd;
  96. //
  97. // security descriptor to check if a given token has any one of
  98. // following sids in it:
  99. // -- SeLocalSystemSid
  100. // -- SeLocalServiceSid
  101. // -- SeNetworkServiceSid
  102. //
  104. extern PSECURITY_DESCRIPTOR SepImportantProcessSd;
  106. //
  107. // pseudo access bit used in each ACE of SepImportantProcessSd
  108. //
  110. #define SEP_QUERY_MEMBERSHIP 1
  112. //
  113. // used with SepImportantProcessSd
  114. //
  116. extern GENERIC_MAPPING GenericMappingForMembershipCheck;
  118. NTSTATUS
  119. SepAdtMarshallAuditRecord(
  120. IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
  121. OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters,
  122. OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType
  123. );
  126. BOOLEAN
  127. SepAdtPrivilegeObjectAuditAlarm (
  128. IN PUNICODE_STRING CapturedSubsystemName OPTIONAL,
  129. IN PVOID HandleId,
  130. IN PTOKEN ClientToken OPTIONAL,
  131. IN PTOKEN PrimaryToken,
  132. IN PVOID ProcessId,
  133. IN ACCESS_MASK DesiredAccess,
  134. IN PPRIVILEGE_SET CapturedPrivileges,
  135. IN BOOLEAN AccessGranted
  136. );
  138. VOID
  139. SepAdtTraverseAuditAlarm(
  140. IN PLUID OperationID,
  141. IN PVOID DirectoryObject,
  142. IN PSID UserSid,
  143. IN LUID AuthenticationId,
  144. IN ACCESS_MASK DesiredAccess,
  145. IN PPRIVILEGE_SET Privileges OPTIONAL,
  146. IN BOOLEAN AccessGranted,
  147. IN BOOLEAN GenerateAudit,
  148. IN BOOLEAN GenerateAlarm
  149. );
  151. VOID
  152. SepAdtCreateInstanceAuditAlarm(
  153. IN PLUID OperationID,
  154. IN PVOID Object,
  155. IN PSID UserSid,
  156. IN LUID AuthenticationId,
  157. IN ACCESS_MASK DesiredAccess,
  158. IN PPRIVILEGE_SET Privileges OPTIONAL,
  159. IN BOOLEAN AccessGranted,
  160. IN BOOLEAN GenerateAudit,
  161. IN BOOLEAN GenerateAlarm
  162. );
  164. VOID
  165. SepAdtCreateObjectAuditAlarm(
  166. IN PLUID OperationID,
  167. IN PUNICODE_STRING DirectoryName,
  168. IN PUNICODE_STRING ComponentName,
  169. IN PSID UserSid,
  170. IN LUID AuthenticationId,
  171. IN ACCESS_MASK DesiredAccess,
  172. IN BOOLEAN AccessGranted,
  173. IN BOOLEAN GenerateAudit,
  174. IN BOOLEAN GenerateAlarm
  175. );
  177. VOID
  178. SepAdtPrivilegedServiceAuditAlarm (
  179. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  180. IN PUNICODE_STRING CapturedSubsystemName,
  181. IN PUNICODE_STRING CapturedServiceName,
  182. IN PTOKEN ClientToken OPTIONAL,
  183. IN PTOKEN PrimaryToken,
  184. IN PPRIVILEGE_SET CapturedPrivileges,
  185. IN BOOLEAN AccessGranted
  186. );
  189. VOID
  190. SepAdtCloseObjectAuditAlarm(
  191. IN PUNICODE_STRING CapturedSubsystemName,
  192. IN PVOID HandleId,
  193. IN PSID UserSid
  194. );
  196. VOID
  197. SepAdtDeleteObjectAuditAlarm(
  198. IN PUNICODE_STRING CapturedSubsystemName,
  199. IN PVOID HandleId,
  200. IN PSID UserSid
  201. );
  203. BOOLEAN
  204. SepAdtOpenObjectAuditAlarm (
  205. IN PUNICODE_STRING CapturedSubsystemName,
  206. IN PVOID *HandleId OPTIONAL,
  207. IN PUNICODE_STRING CapturedObjectTypeName,
  208. IN PUNICODE_STRING CapturedObjectName OPTIONAL,
  209. IN PTOKEN ClientToken OPTIONAL,
  210. IN PTOKEN PrimaryToken,
  211. IN ACCESS_MASK DesiredAccess,
  212. IN ACCESS_MASK GrantedAccess,
  213. IN PLUID OperationId,
  214. IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
  215. IN BOOLEAN AccessGranted,
  216. IN HANDLE ProcessID,
  217. IN POLICY_AUDIT_EVENT_TYPE AuditType,
  218. IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
  219. IN ULONG ObjectTypeListLength,
  220. IN PACCESS_MASK GrantedAccessArray OPTIONAL
  221. );
  223. BOOLEAN
  224. SepAdtOpenObjectForDeleteAuditAlarm(
  225. IN PUNICODE_STRING CapturedSubsystemName,
  226. IN PVOID *HandleId,
  227. IN PUNICODE_STRING CapturedObjectTypeName,
  228. IN PUNICODE_STRING CapturedObjectName,
  229. IN PTOKEN ClientToken OPTIONAL,
  230. IN PTOKEN PrimaryToken,
  231. IN ACCESS_MASK DesiredAccess,
  232. IN ACCESS_MASK GrantedAccess,
  233. IN PLUID OperationId,
  234. IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
  235. IN BOOLEAN AccessGranted,
  236. IN HANDLE ProcessID
  237. );
  239. VOID
  240. SepAdtObjectReferenceAuditAlarm(
  241. IN PVOID Object,
  242. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  243. IN ACCESS_MASK DesiredAccess,
  244. IN BOOLEAN AccessGranted
  245. );
  247. #define SepAdtAuditThisEvent(AuditType, AccessGranted) \
  248. (SepAdtAuditingEnabled && \
  249. ((SeAuditingState[AuditType].AuditOnSuccess && *AccessGranted) || \
  250. (SeAuditingState[AuditType].AuditOnFailure && !(*AccessGranted))))
  252. VOID
  253. SepAdtInitializeBounds(
  254. VOID
  255. );
  257. VOID
  258. SepAuditFailed(
  259. IN NTSTATUS AuditStatus
  260. );
  262. NTSTATUS
  263. SepAdtInitializeCrashOnFail(
  264. VOID
  265. );
  267. BOOLEAN
  268. SepInitializePrivilegeFilter(
  269. BOOLEAN Verbose
  270. );
  272. BOOLEAN
  273. SepAdtInitializePrivilegeAuditing(
  274. VOID
  275. );
  277. // ----------------------------------------------------------------------
  278. // The following is used only temporarily for NT5.
  279. //
  280. // NT5 does not provide any facility to enable/disable auditing at
  281. // audit-event level. It only supports it at audit category level.
  282. // This creates problems if one wants to audit only certain specific
  283. // audit events of a category. The current design gives you all or none for
  284. // each category.
  285. //
  286. // Post NT5 auditing will provide a better/flexible design that wil address
  287. // this issue. For now, to delight some valuable customers, we provide this
  288. // hack / registry based solution. This solution will be removed post NT5.
  289. //
  291. VOID
  292. SepAdtInitializeAuditingOptions(
  293. VOID
  294. );
  296. typedef struct _SEP_AUDIT_OPTIONS
  297. {
  298. BOOLEAN DoNotAuditCloseObjectEvents;
  299. } SEP_AUDIT_OPTIONS;
  301. extern SEP_AUDIT_OPTIONS SepAuditOptions;
  303. // ----------------------------------------------------------------------
  305. #endif // _ADTP_H_