archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/base/lsa/server/adtp.h

934 lines
31 KiB
Raw Normal View History

commiting as it is
4 years ago
  2. /*++
  4. Copyright (c) 1991 Microsoft Corporation
  6. Module Name:
  8. adtp.h
  10. Abstract:
  12. Local Security Authority - Audit Log Management - Private Defines,
  13. data and function prototypes.
  15. Functions, data and defines in this module are internal to the
  16. Auditing Subcomponent of the LSA Subsystem.
  18. Author:
  20. Scott Birrell (ScottBi) November 20, 1991
  22. Environment:
  24. Revision History:
  26. --*/
  28. #ifndef _LSAP_ADTP_
  29. #define _LSAP_ADTP_
  32. #include "ausrvp.h"
  33. #include "cfiles\adtdebug.h"
  35. //
  36. // Names of the registry keys where security event log information
  37. // is rooted and the object names are listed under an event source
  38. // module.
  39. //
  41. #define LSAP_ADT_AUDIT_MODULES_KEY_NAME L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\EventLog\\Security"
  42. #define LSAP_ADT_OBJECT_NAMES_KEY_NAME L"ObjectNames"
  44. #define MAX_OBJECT_TYPES 32
  47. //
  48. // Macros for setting fields in an SE_AUDIT_PARAMETERS array.
  49. //
  50. // These must be kept in sync with similar macros in se\sepaudit.c.
  51. //
  54. #define LsapSetParmTypeSid( AuditParameters, Index, Sid ) \
  55. { \
  56. if( Sid ) { \
  57. \
  58. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSid; \
  59. (AuditParameters).Parameters[(Index)].Length = RtlLengthSid( (Sid) ); \
  60. (AuditParameters).Parameters[(Index)].Address = (Sid); \
  61. \
  62. } else { \
  63. \
  64. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNone; \
  65. (AuditParameters).Parameters[(Index)].Length = 0; \
  66. (AuditParameters).Parameters[(Index)].Address = NULL; \
  67. \
  68. } \
  69. }
  72. #define LsapSetParmTypeAccessMask( AuditParameters, Index, AccessMask, ObjectTypeIndex ) \
  73. { \
  74. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeAccessMask; \
  75. (AuditParameters).Parameters[(Index)].Length = sizeof( ACCESS_MASK ); \
  76. (AuditParameters).Parameters[(Index)].Data[0] = (AccessMask); \
  77. (AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \
  78. }
  82. #define LsapSetParmTypeString( AuditParameters, Index, String ) \
  83. { \
  84. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeString; \
  85. (AuditParameters).Parameters[(Index)].Length = \
  86. sizeof(UNICODE_STRING)+(String)->Length; \
  87. (AuditParameters).Parameters[(Index)].Address = (String); \
  88. }
  91. #define LsapSetParmTypeUlong( AuditParameters, Index, Ulong ) \
  92. { \
  93. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUlong; \
  94. (AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
  95. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
  96. }
  99. #define LsapSetParmTypeHexUlong( AuditParameters, Index, Ulong ) \
  100. { \
  101. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexUlong; \
  102. (AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
  103. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
  104. }
  107. #define LsapSetParmTypeHexInt64( AuditParameters, Index, Qword ) \
  108. { \
  109. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexInt64; \
  110. (AuditParameters).Parameters[(Index)].Length = sizeof( (Qword) ); \
  111. *(PULONGLONG)((AuditParameters).Parameters[(Index)].Data) = (Qword); \
  112. }
  115. #define LsapSetParmTypeTime( AuditParameters, Index, Time ) \
  116. { \
  117. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeTime; \
  118. (AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
  119. *(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Time); \
  120. }
  123. #define LsapSetParmTypeDateTime( AuditParameters, Index, Time ) \
  124. { \
  125. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeDateTime; \
  126. (AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
  127. *(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Time); \
  128. }
  131. #define LsapSetParmTypeDuration( AuditParameters, Index, Duration ) \
  132. { \
  133. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeDuration; \
  134. (AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
  135. *(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Duration); \
  136. }
  139. #define LsapSetParmTypeGuid( AuditParameters, Index, pGuid ) \
  140. { \
  141. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeGuid; \
  142. (AuditParameters).Parameters[(Index)].Length = sizeof( GUID ); \
  143. (AuditParameters).Parameters[(Index)].Address = (pGuid); \
  144. }
  147. #define LsapSetParmTypeNoLogon( AuditParameters, Index ) \
  148. { \
  149. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoLogonId; \
  150. }
  153. #define LsapSetParmTypeLogonId( AuditParameters, Index, LogonId ) \
  154. { \
  155. PLUID TmpLuid; \
  156. \
  157. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeLogonId; \
  158. (AuditParameters).Parameters[(Index)].Length = sizeof( (LogonId) ); \
  159. TmpLuid = (PLUID)(&(AuditParameters).Parameters[(Index)].Data[0]); \
  160. *TmpLuid = (LogonId); \
  161. }
  164. #define LsapSetParmTypePrivileges( AuditParameters, Index, Privileges ) \
  165. { \
  166. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePrivs; \
  167. (AuditParameters).Parameters[(Index)].Length = LsapPrivilegeSetSize( (Privileges) ); \
  168. (AuditParameters).Parameters[(Index)].Address = (Privileges); \
  169. }
  172. #define LsapSetParmTypeStringList( AuditParameters, Index, StringList ) \
  173. { \
  174. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeStringList; \
  175. (AuditParameters).Parameters[(Index)].Length = LsapStringListSize( (StringList) ); \
  176. (AuditParameters).Parameters[(Index)].Address = (StringList); \
  177. }
  180. #define LsapSetParmTypeSidList( AuditParameters, Index, SidList ) \
  181. { \
  182. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSidList; \
  183. (AuditParameters).Parameters[(Index)].Length = LsapSidListSize( (SidList) ); \
  184. (AuditParameters).Parameters[(Index)].Address = (SidList); \
  185. }
  188. #define LsapSetParmTypeUac( AuditParameters, Index, OldUac, NewUac ) \
  189. { \
  190. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUserAccountControl; \
  191. (AuditParameters).Parameters[(Index)].Length = 2 * sizeof(ULONG); \
  192. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (OldUac); \
  193. (AuditParameters).Parameters[(Index)].Data[1] = (ULONG_PTR) (NewUac); \
  194. }
  197. #define LsapSetParmTypeNoUac( AuditParameters, Index ) \
  198. { \
  199. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoUac; \
  200. }
  203. #define LsapSetParmTypePtr( AuditParameters, Index, Ptr ) \
  204. { \
  205. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePtr; \
  206. (AuditParameters).Parameters[(Index)].Length = sizeof(ULONG_PTR); \
  207. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (Ptr); \
  208. }
  211. #define LsapSetParmTypeMessage( AuditParameters, Index, MessageId ) \
  212. { \
  213. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeMessage; \
  214. (AuditParameters).Parameters[(Index)].Length = sizeof(ULONG); \
  215. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (MessageId); \
  216. }
  218. #define LsapSetParmTypeSockAddr( AuditParameters, Index, pSockAddr ) \
  219. { \
  220. USHORT sa_family = ((SOCKADDR*) pSockAddr)->sa_family; \
  221. \
  222. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSockAddr;\
  223. if ( sa_family == AF_INET6 ) \
  224. { \
  225. (AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR_IN6);\
  226. } \
  227. else if ( sa_family == AF_INET ) \
  228. { \
  229. (AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR_IN);\
  230. } \
  231. else \
  232. { \
  233. (AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR);\
  234. if ( sa_family != 0 ) \
  235. { \
  236. AdtAssert(FALSE, ("LsapSetParmTypeSockAddr: invalid sa_family: %d",sa_family)); \
  237. } \
  238. } \
  239. (AuditParameters).Parameters[(Index)].Address = (pSockAddr); \
  240. }
  244. #define IsInRange(item,min_val,max_val) \
  245. (((item) >= min_val) && ((item) <= max_val))
  247. //
  248. // see msaudite.mc for def. of valid category-id
  249. //
  250. #define IsValidCategoryId(c) \
  251. (IsInRange((c), SE_ADT_MIN_CATEGORY_ID, SE_ADT_MAX_CATEGORY_ID))
  253. //
  254. // see msaudite.mc for def. of valid audit-id
  255. //
  257. #define IsValidAuditId(a) \
  258. (IsInRange((a), SE_ADT_MIN_AUDIT_ID, SE_ADT_MAX_AUDIT_ID))
  260. //
  261. // check for reasonable value of parameter count. we must have atleast
  262. // 2 parameters in the audit-params array. Thus the min limit is 3.
  263. // The max limit is determined by the value in ntlsa.h
  264. //
  266. #define IsValidParameterCount(p) \
  267. (IsInRange((p), 2, SE_MAX_AUDIT_PARAMETERS))
  270. //
  271. // macro used by LsapAdtDemarshallAuditInfo and LsapAuditFailed
  272. // to decide when not to assert in DBG build
  273. //
  275. #define LsapAdtNeedToAssert( Status ) \
  276. (( Status != STATUS_LOG_FILE_FULL ) && \
  277. ( Status != STATUS_DISK_FULL ) && \
  278. ( Status != STATUS_INSUFFICIENT_RESOURCES ) && \
  279. ( Status != STATUS_NO_MEMORY ) && \
  280. ( Status != STATUS_COMMITMENT_LIMIT ))
  283. #define SEP_MAX_PRIVILEGE_COUNT (SE_MAX_WELL_KNOWN_PRIVILEGE-SE_MIN_WELL_KNOWN_PRIVILEGE+32)
  285. #define IsValidPrivilegeCount( count ) ((count == 0) || \
  286. ((count > 0) && \
  287. (count <= SEP_MAX_PRIVILEGE_COUNT)))
  291. ///////////////////////////////////////////////////////////////////////////
  292. // //
  293. // Private data for Audit Log Management //
  294. // //
  295. ///////////////////////////////////////////////////////////////////////////
  297. #define LSAP_ADT_LOG_FULL_SHUTDOWN_TIMEOUT (ULONG) 0x0000012cL
  299. extern RTL_CRITICAL_SECTION LsapAdtLogFullLock;
  301. //
  302. // Structure describing a queued audit record
  303. //
  305. typedef struct _LSAP_ADT_QUEUED_RECORD {
  307. LIST_ENTRY Link;
  308. SE_ADT_PARAMETER_ARRAY Buffer;
  310. } LSAP_ADT_QUEUED_RECORD, *PLSAP_ADT_QUEUED_RECORD;
  312. //
  313. // Audit Log Queue Header. The queue is maintained in chronological
  314. // (FIFO) order. New records are appended to the back of the queue.
  315. //
  317. typedef struct _LSAP_ADT_LOG_QUEUE_HEAD {
  319. PLSAP_ADT_QUEUED_RECORD FirstQueuedRecord;
  320. PLSAP_ADT_QUEUED_RECORD LastQueuedRecord;
  322. } LSAP_ADT_LOG_QUEUE_HEAD, *PLSAP_ADT_LOG_QUEUE_HEAD;
  324. //
  325. // String that will be passed in for SubsystemName for audits generated
  326. // by LSA (eg, logon, logoff, restart, etc).
  327. //
  329. extern UNICODE_STRING LsapSubsystemName;
  331. //
  332. // String that will be passed in for SubsystemName for some audits generated
  333. // by LSA for LSA objects (PolicyObject, SecretObject, TrustedDomainObject, UserAccountObject).
  334. //
  336. extern UNICODE_STRING LsapLsaName;
  338. //
  339. // max number of replacement string params that we support in
  340. // eventlog audit record.
  341. //
  342. #define SE_MAX_AUDIT_PARAM_STRINGS 48
  344. //
  345. // Maximum number of strings used to represent an ObjectTypeList.
  346. //
  348. #define LSAP_ADT_OBJECT_TYPE_STRINGS 1
  350. ///////////////////////////////////////////////////////////////////////////////
  351. // /
  352. // The following structures and data are used by LSA to contain /
  353. // drive letter-device name mapping information. LSA obtains this /
  354. // information once during initialization and saves it for use /
  355. // by auditing code. /
  356. // /
  357. ///////////////////////////////////////////////////////////////////////////////
  360. ///////////////////////////////////////////////////////////////////////////////
  361. // /
  362. // The DRIVE_MAPPING structure contains the drive letter (without /
  363. // the colon) and a unicode string containing the name of the /
  364. // corresponding device. The buffer in the unicode string is /
  365. // allocated from the LSA heap and is never freed. /
  366. // /
  367. ///////////////////////////////////////////////////////////////////////////////
  370. typedef struct _DRIVE_MAPPING {
  371. WCHAR DriveLetter;
  372. UNICODE_STRING DeviceName;
  373. } DRIVE_MAPPING, PDRIVE_MAPPING;
  376. ////////////////////////////////////////////////////////////////////////////////
  377. // /
  378. // We assume a maximum of 26 drive letters. Though no auditing /
  379. // will occur due to references to files on floppy (drives A and /
  380. // B), perform their name lookup anyway. This will then just /
  381. // work if somehow we start auditing files on floppies. /
  382. // /
  383. ////////////////////////////////////////////////////////////////////////////////
  385. #define MAX_DRIVE_MAPPING 26
  387. extern DRIVE_MAPPING DriveMappingArray[];
  389. //
  390. // This is a structure that contains all auditing information specific to a
  391. // monitored user. Currently this information is read from the registry.
  392. //
  394. typedef struct _PER_USER_AUDITING_ELEMENT {
  395. struct _PER_USER_AUDITING_ELEMENT * Next;
  396. PSID pSid;
  397. ULONGLONG RawPolicy;
  398. TOKEN_AUDIT_POLICY TokenAuditPolicy;
  399. TOKEN_AUDIT_POLICY_ELEMENT PolicyArray[POLICY_AUDIT_EVENT_TYPE_COUNT - 1];
  400. } PER_USER_AUDITING_ELEMENT, *PPER_USER_AUDITING_ELEMENT;
  402. //
  403. // This structure allows for the per user auditing settings for a user
  404. // to be queried by the logon ID.
  405. //
  407. typedef struct _PER_USER_AUDITING_LUID_QUERY_ELEMENT {
  408. struct _PER_USER_AUDITING_LUID_QUERY_ELEMENT * Next;
  409. LUID Luid;
  410. TOKEN_AUDIT_POLICY Policy;
  411. TOKEN_AUDIT_POLICY_ELEMENT PolicyArray[POLICY_AUDIT_EVENT_TYPE_COUNT - ANYSIZE_ARRAY];
  412. } PER_USER_AUDITING_LUID_QUERY_ELEMENT, *PPER_USER_AUDITING_LUID_QUERY_ELEMENT;
  414. #define PER_USER_AUDITING_POLICY_TABLE_SIZE 11
  415. #define PER_USER_AUDITING_LUID_TABLE_SIZE 16
  416. #define PER_USER_AUDITING_MAX_POLICY_SIZE (sizeof(TOKEN_AUDIT_POLICY) + (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * (POLICY_AUDIT_EVENT_TYPE_COUNT - ANYSIZE_ARRAY)))
  418. extern LONG LsapAdtPerUserAuditUserCount;
  419. extern LONG LsapAdtPerUserAuditLogonCount;
  420. extern LONG LsapAdtPerUserAuditHint[POLICY_AUDIT_EVENT_TYPE_COUNT];
  421. extern LONG LsapAdtPerUserPolicyCategoryCount[POLICY_AUDIT_EVENT_TYPE_COUNT];
  422. extern HKEY LsapAdtPerUserKey;
  423. extern HANDLE LsapAdtPerUserKeyEvent;
  424. extern HANDLE LsapAdtPerUserKeyTimer;
  425. extern RTL_RESOURCE LsapAdtPerUserPolicyTableResource;
  426. extern RTL_RESOURCE LsapAdtPerUserLuidTableResource;
  427. extern PPER_USER_AUDITING_ELEMENT LsapAdtPerUserAuditingTable[PER_USER_AUDITING_POLICY_TABLE_SIZE];
  429. //
  430. // macros to get the table locks for the per user settings.
  431. //
  433. #define LsapAdtAcquirePerUserPolicyTableReadLock() RtlAcquireResourceShared(&LsapAdtPerUserPolicyTableResource, TRUE)
  434. #define LsapAdtAcquirePerUserPolicyTableWriteLock() RtlAcquireResourceExclusive(&LsapAdtPerUserPolicyTableResource, TRUE);
  435. #define LsapAdtReleasePerUserPolicyTableLock() RtlReleaseResource(&LsapAdtPerUserPolicyTableResource)
  437. #define LsapAdtAcquirePerUserLuidTableReadLock() RtlAcquireResourceShared(&LsapAdtPerUserLuidTableResource, TRUE)
  438. #define LsapAdtAcquirePerUserLuidTableWriteLock() RtlAcquireResourceExclusive(&LsapAdtPerUserLuidTableResource, TRUE);
  439. #define LsapAdtReleasePerUserLuidTableLock() RtlReleaseResource(&LsapAdtPerUserLuidTableResource)
  441. //
  442. // Special privilege values which are not normally audited,
  443. // but generate audits when assigned to a user. See
  444. // LsapAdtAuditSpecialPrivileges.
  445. //
  447. extern LUID ChangeNotifyPrivilege;
  448. extern LUID AuditPrivilege;
  449. extern LUID CreateTokenPrivilege;
  450. extern LUID AssignPrimaryTokenPrivilege;
  451. extern LUID BackupPrivilege;
  452. extern LUID RestorePrivilege;
  453. extern LUID DebugPrivilege;
  455. //
  456. // Global variable to indicate whether or not we're
  457. // supposed to crash when an audit fails.
  458. //
  460. extern BOOLEAN LsapCrashOnAuditFail;
  461. extern BOOLEAN LsapAllowAdminLogonsOnly;
  466. ////////////////////////////////////////////////////////////////////////////////
  467. // /
  468. // /
  469. ////////////////////////////////////////////////////////////////////////////////
  472. NTSTATUS
  473. LsapAdtWriteLog(
  474. IN OPTIONAL PSE_ADT_PARAMETER_ARRAY AuditRecord
  475. );
  477. NTSTATUS
  478. LsapAdtDemarshallAuditInfo(
  479. IN PSE_ADT_PARAMETER_ARRAY AuditParameters
  480. );
  482. VOID
  483. LsapAdtNormalizeAuditInfo(
  484. IN PSE_ADT_PARAMETER_ARRAY AuditParameters
  485. );
  487. NTSTATUS
  488. LsapAdtOpenLog(
  489. OUT PHANDLE AuditLogHandle
  490. );
  492. VOID
  493. LsapAdtAuditLogon(
  494. IN USHORT EventCategory,
  495. IN ULONG EventID,
  496. IN USHORT EventType,
  497. IN PUNICODE_STRING AccountName,
  498. IN PUNICODE_STRING AuthenticatingAuthority,
  499. IN PUNICODE_STRING Source,
  500. IN PUNICODE_STRING PackageName,
  501. IN SECURITY_LOGON_TYPE LogonType,
  502. IN PSID UserSid,
  503. IN LUID AuthenticationId,
  504. IN PUNICODE_STRING WorkstationName,
  505. IN NTSTATUS LogonStatus,
  506. IN NTSTATUS SubStatus,
  507. IN LPGUID LogonGuid, OPTIONAL
  508. IN PLUID CallerLogonId, OPTIONAL
  509. IN PHANDLE CallerProcessID, OPTIONAL
  510. IN PLSA_ADT_STRING_LIST TransittedServices, OPTIONAL
  511. IN SOCKADDR* pSockAddr OPTIONAL
  512. );
  514. VOID
  515. LsapAuditLogonHelper(
  516. IN NTSTATUS LogonStatus,
  517. IN NTSTATUS LogonSubStatus,
  518. IN PUNICODE_STRING AccountName,
  519. IN PUNICODE_STRING AuthenticatingAuthority,
  520. IN PUNICODE_STRING WorkstationName,
  521. IN PSID UserSid, OPTIONAL
  522. IN SECURITY_LOGON_TYPE LogonType,
  523. IN PTOKEN_SOURCE TokenSource,
  524. IN PLUID LogonId,
  525. IN LPGUID LogonGuid, OPTIONAL
  526. IN PLUID CallerLogonId, OPTIONAL
  527. IN PHANDLE CallerProcessID, OPTIONAL
  528. IN PLSA_ADT_STRING_LIST TransittedServices OPTIONAL
  529. );
  531. VOID
  532. LsapAdtSystemRestart(
  533. PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo
  534. );
  536. VOID
  537. LsapAdtAuditLogonProcessRegistration(
  538. IN PLSAP_AU_REGISTER_CONNECT_INFO_EX ConnectInfo
  539. );
  542. NTSTATUS
  543. LsapAdtInitializeLogQueue(
  544. VOID
  545. );
  547. NTSTATUS
  548. LsapAdtQueueRecord(
  549. IN PSE_ADT_PARAMETER_ARRAY AuditRecord
  550. );
  552. #define LsapAdtAcquireLogFullLock() RtlEnterCriticalSection(&LsapAdtLogFullLock)
  553. #define LsapAdtReleaseLogFullLock() RtlLeaveCriticalSection(&LsapAdtLogFullLock)
  556. NTSTATUS
  557. LsapAdtObjsInitialize(
  558. );
  562. NTSTATUS
  563. LsapAdtBuildDashString(
  564. OUT PUNICODE_STRING ResultantString,
  565. OUT PBOOLEAN FreeWhenDone
  566. );
  568. NTSTATUS
  569. LsapAdtBuildUlongString(
  570. IN ULONG Value,
  571. OUT PUNICODE_STRING ResultantString,
  572. OUT PBOOLEAN FreeWhenDone
  573. );
  575. NTSTATUS
  576. LsapAdtBuildHexUlongString(
  577. IN ULONG Value,
  578. OUT PUNICODE_STRING ResultantString,
  579. OUT PBOOLEAN FreeWhenDone
  580. );
  582. NTSTATUS
  583. LsapAdtBuildHexInt64String(
  584. IN PULONGLONG Value,
  585. OUT PUNICODE_STRING ResultantString,
  586. OUT PBOOLEAN FreeWhenDone
  587. );
  589. NTSTATUS
  590. LsapAdtBuildPtrString(
  591. IN PVOID Value,
  592. OUT PUNICODE_STRING ResultantString,
  593. OUT PBOOLEAN FreeWhenDone
  594. );
  596. NTSTATUS
  597. LsapAdtBuildLuidString(
  598. IN PLUID Value,
  599. OUT PUNICODE_STRING ResultantString,
  600. OUT PBOOLEAN FreeWhenDone
  601. );
  604. NTSTATUS
  605. LsapAdtBuildSidString(
  606. IN PSID Value,
  607. OUT PUNICODE_STRING ResultantString,
  608. OUT PBOOLEAN FreeWhenDone
  609. );
  611. NTSTATUS
  612. LsapAdtBuildObjectTypeStrings(
  613. IN PUNICODE_STRING SourceModule,
  614. IN PUNICODE_STRING ObjectTypeName,
  615. IN PSE_ADT_OBJECT_TYPE ObjectTypeList,
  616. IN ULONG ObjectTypeCount,
  617. OUT PUNICODE_STRING ResultantString,
  618. OUT PBOOLEAN FreeWhenDone,
  619. OUT PUNICODE_STRING NewObjectTypeName
  620. );
  622. NTSTATUS
  623. LsapAdtBuildAccessesString(
  624. IN PUNICODE_STRING SourceModule,
  625. IN PUNICODE_STRING ObjectTypeName,
  626. IN ACCESS_MASK Accesses,
  627. IN BOOLEAN Indent,
  628. OUT PUNICODE_STRING ResultantString,
  629. OUT PBOOLEAN FreeWhenDone
  630. );
  632. NTSTATUS
  633. LsapAdtBuildFilePathString(
  634. IN PUNICODE_STRING Value,
  635. OUT PUNICODE_STRING ResultantString,
  636. OUT PBOOLEAN FreeWhenDone
  637. );
  639. NTSTATUS
  640. LsapAdtBuildLogonIdStrings(
  641. IN PLUID LogonId,
  642. OUT PUNICODE_STRING ResultantString1,
  643. OUT PBOOLEAN FreeWhenDone1,
  644. OUT PUNICODE_STRING ResultantString2,
  645. OUT PBOOLEAN FreeWhenDone2,
  646. OUT PUNICODE_STRING ResultantString3,
  647. OUT PBOOLEAN FreeWhenDone3
  648. );
  650. NTSTATUS
  651. LsapBuildPrivilegeAuditString(
  652. IN PPRIVILEGE_SET PrivilegeSet,
  653. OUT PUNICODE_STRING ResultantString,
  654. OUT PBOOLEAN FreeWhenDone
  655. );
  657. NTSTATUS
  658. LsapAdtBuildTimeString(
  659. IN PLARGE_INTEGER Value,
  660. OUT PUNICODE_STRING ResultantString,
  661. OUT PBOOLEAN FreeWhenDone
  662. );
  664. NTSTATUS
  665. LsapAdtBuildDateString(
  666. IN PLARGE_INTEGER Value,
  667. OUT PUNICODE_STRING ResultantString,
  668. OUT PBOOLEAN FreeWhenDone
  669. );
  671. NTSTATUS
  672. LsapAdtBuildDateTimeString(
  673. IN PLARGE_INTEGER Value,
  674. OUT PUNICODE_STRING ResultantString,
  675. OUT PBOOLEAN FreeWhenDone
  676. );
  678. NTSTATUS
  679. LsapAdtBuildDurationString(
  680. IN PLARGE_INTEGER Value,
  681. OUT PUNICODE_STRING ResultantString,
  682. OUT PBOOLEAN FreeWhenDone
  683. );
  685. NTSTATUS
  686. LsapAdtBuildGuidString(
  687. IN LPGUID pGuid,
  688. OUT PUNICODE_STRING ResultantString,
  689. OUT PBOOLEAN FreeWhenDone
  690. );
  692. NTSTATUS
  693. LsapAdtBuildStringListString(
  694. IN PLSA_ADT_STRING_LIST pList,
  695. OUT PUNICODE_STRING ResultantString,
  696. OUT PBOOLEAN FreeWhenDone
  697. );
  699. NTSTATUS
  700. LsapAdtBuildSidListString(
  701. IN PLSA_ADT_SID_LIST pList,
  702. OUT PUNICODE_STRING ResultantString,
  703. OUT PBOOLEAN FreeWhenDone
  704. );
  706. NTSTATUS
  707. LsapAdtBuildUserAccountControlString(
  708. IN ULONG UserAccountControlOld,
  709. IN ULONG UserAccountControlNew,
  710. OUT PUNICODE_STRING ResultantString1,
  711. OUT PBOOLEAN FreeWhenDone1,
  712. OUT PUNICODE_STRING ResultantString2,
  713. OUT PBOOLEAN FreeWhenDone2,
  714. OUT PUNICODE_STRING ResultantString3,
  715. OUT PBOOLEAN FreeWhenDone3
  716. );
  718. NTSTATUS
  719. LsapAdtBuildMessageString(
  720. IN ULONG MessageId,
  721. OUT PUNICODE_STRING ResultantString,
  722. OUT PBOOLEAN FreeWhenDone
  723. );
  725. NTSTATUS
  726. LsapAdtBuildSockAddrString(
  727. IN PSOCKADDR pSockAddr,
  728. OUT PUNICODE_STRING ResultantString1,
  729. OUT PBOOLEAN FreeWhenDone1,
  730. OUT PUNICODE_STRING ResultantString2,
  731. OUT PBOOLEAN FreeWhenDone2
  732. );
  734. NTSTATUS
  735. LsapAdtMarshallAuditRecord(
  736. IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
  737. OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters
  738. );
  740. NTSTATUS
  741. LsapAdtInitializePerUserAuditing(
  742. VOID
  743. );
  745. NTSTATUS
  746. LsapAdtInitializeDriveLetters(
  747. VOID
  748. );
  750. BOOLEAN
  751. LsapAdtLookupDriveLetter(
  752. IN PUNICODE_STRING FileName,
  753. OUT PUSHORT DeviceNameLength,
  754. OUT PWCHAR DriveLetter
  755. );
  757. VOID
  758. LsapAdtSubstituteDriveLetter(
  759. IN PUNICODE_STRING FileName
  760. );
  762. VOID
  763. LsapAdtUserRightAssigned(
  764. IN USHORT EventCategory,
  765. IN ULONG EventID,
  766. IN USHORT EventType,
  767. IN PSID UserSid,
  768. IN LUID CallerAuthenticationId,
  769. IN PSID ClientSid,
  770. IN PPRIVILEGE_SET Privileges
  771. );
  773. VOID
  774. LsapAdtTrustedDomain(
  775. IN USHORT EventCategory,
  776. IN ULONG EventID,
  777. IN USHORT EventType,
  778. IN PSID ClientSid,
  779. IN LUID CallerAuthenticationId,
  780. IN PSID TargetSid,
  781. IN PUNICODE_STRING DomainName
  782. );
  784. VOID
  785. LsapAdtAuditLogoff(
  786. PLSAP_LOGON_SESSION Session
  787. );
  789. VOID
  790. LsapAdtPolicyChange(
  791. IN USHORT EventCategory,
  792. IN ULONG EventID,
  793. IN USHORT EventType,
  794. IN PSID ClientSid,
  795. IN LUID CallerAuthenticationId,
  796. IN PLSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation
  797. );
  799. VOID
  800. LsapAdtAuditSpecialPrivileges(
  801. PPRIVILEGE_SET Privileges,
  802. LUID LogonId,
  803. PSID UserSid
  804. );
  806. VOID
  807. LsapAuditFailed(
  808. IN NTSTATUS AuditStatus
  809. );
  811. NTSTATUS
  812. LsapAdtInitParametersArray(
  813. IN SE_ADT_PARAMETER_ARRAY* AuditParameters,
  814. IN ULONG AuditCategoryId,
  815. IN ULONG AuditId,
  816. IN USHORT AuditEventType,
  817. IN USHORT ParameterCount,
  818. ...);
  820. NTSTATUS
  821. LsapAdtInitGenericAudits(
  822. VOID
  823. );
  825. NTSTATUS
  826. LsapAdtInitializeExtensibleAuditing(
  827. );
  829. NTSTATUS
  830. LsapAdtConstructTablePerUserAuditing(
  831. VOID
  832. );
  834. VOID
  835. LsapAdtFreeTablePerUserAuditing(
  836. VOID
  837. );
  839. NTSTATUS
  840. LsapAdtOpenPerUserAuditingKey(
  841. VOID
  842. );
  844. ULONG
  845. LsapAdtHashPerUserAuditing(
  846. IN PSID pSid
  847. );
  849. NTSTATUS
  850. LsapAdtConstructPolicyPerUserAuditing(
  851. IN ULONGLONG RawPolicy,
  852. OUT PTOKEN_AUDIT_POLICY pTokenPolicy,
  853. IN OUT PULONG TokenPolicyLength
  854. );
  856. NTSTATUS
  857. LsapAdtQueryPerUserAuditing(
  858. IN PSID pInputSid,
  859. OUT PTOKEN_AUDIT_POLICY pPolicy,
  860. IN OUT PULONG pLength,
  861. OUT PBOOLEAN bFound
  862. );
  864. NTSTATUS
  865. LsapAdtFilterAdminPerUserAuditing(
  866. IN HANDLE hToken,
  867. IN OUT PTOKEN_AUDIT_POLICY pPolicy
  868. );
  870. NTSTATUS
  871. LsapAdtStorePolicyByLuidPerUserAuditing(
  872. IN PLUID pLogonId,
  873. IN PTOKEN_AUDIT_POLICY pPolicy
  874. );
  876. NTSTATUS
  877. LsapAdtQueryPolicyByLuidPerUserAuditing(
  878. IN PLUID pLogonId,
  879. OUT PTOKEN_AUDIT_POLICY pPolicy,
  880. IN OUT PULONG pLength,
  881. OUT PBOOLEAN bFound
  882. );
  884. NTSTATUS
  885. LsapAdtRemoveLuidQueryPerUserAuditing(
  886. IN PLUID pLogonId
  887. );
  889. DWORD
  890. LsapAdtKeyNotifyFirePerUserAuditing(
  891. IN LPVOID Ignore
  892. );
  894. DWORD
  895. LsapAdtKeyNotifyStubPerUserAuditing(
  896. IN LPVOID Ignore
  897. );
  899. NTSTATUS
  900. LsapAdtLogonPerUserAuditing(
  901. IN PSID pSid,
  902. IN PLUID pLogonId,
  903. IN HANDLE hToken
  904. );
  906. VOID
  907. LsapAdtLogonCountersPerUserAuditing(
  908. IN PTOKEN_AUDIT_POLICY pPolicy
  909. );
  911. NTSTATUS
  912. LsapAdtLogoffPerUserAuditing(
  913. IN PLUID pLogonId
  914. );
  916. VOID
  917. LsapAdtLogoffCountersPerUserAuditing(
  918. IN PTOKEN_AUDIT_POLICY pPolicy
  919. );
  921. VOID
  922. LsapAdtAuditPerUserTableCreation(
  923. BOOLEAN bSuccess
  924. );
  926. VOID
  927. LsapAdtLogAuditFailureEvent(
  928. NTSTATUS AuditStatus
  929. );
  931. NTSTATUS
  932. LsapFlushSecurityLog();
  934. #endif // _LSAP_ADTP_