archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/public/sdk/inc/adtgen.h

403 lines
8.6 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A D T G E N . H
  8. //
  9. // Contents: definitions of types/functions required for
  10. // generating generic audits.
  11. //
  12. // !!!WARNING!!!
  13. // This file is included by lsarpc.idl, therefore, if you
  14. // change it, make sure to clean build the entire DS depot.
  15. //
  16. //
  17. // History:
  18. // 07-January-2000 kumarp created
  19. //
  20. //------------------------------------------------------------------------
  22. #ifndef _ADTGEN_H
  23. #define _ADTGEN_H
  25. //
  26. // type of audit
  27. //
  28. // AUDIT_TYPE_LEGACY
  29. // In this case the audit event schema is stored in a .mc file.
  30. //
  31. // AUDIT_TYPE_WMI
  32. // The schema is stored in WMI. (currently not supported)
  33. //
  35. #define AUDIT_TYPE_LEGACY 1
  36. #define AUDIT_TYPE_WMI 2
  38. //
  39. // Type of parameters passed in the AUDIT_PARAMS.Parameters array
  40. //
  41. // Use the AdtInitParams function to initialize and prepare
  42. // an array of audit parameters.
  43. //
  45. typedef enum _AUDIT_PARAM_TYPE
  46. {
  47. //
  48. // do we need this?
  49. //
  51. APT_None = 1,
  53. //
  54. // NULL terminated string
  55. //
  57. APT_String,
  59. //
  60. // unsigned long
  61. //
  63. APT_Ulong,
  65. //
  66. // a pointer. use for specifying handles/pointers
  67. // (32 bit on 32 bit systems and 64 bit on 64 bit systems)
  68. // Note that the memory to which the pointer points to
  69. // is not marshalled when using this type. Use this when you
  70. // are interested in the absolute value of the pointer.
  71. // A good example of this is when specifying HANDLE values.
  72. //
  74. APT_Pointer,
  76. //
  77. // SID
  78. //
  80. APT_Sid,
  82. //
  83. // Logon ID (LUID)
  84. //
  86. APT_LogonId,
  88. //
  89. // Object Type List
  90. //
  92. APT_ObjectTypeList,
  94. //
  95. // Luid (not translated to LogonId)
  96. //
  98. APT_Luid,
  100. //
  101. // Guid
  102. //
  104. APT_Guid,
  106. //
  107. // Time (FILETIME)
  108. //
  110. APT_Time,
  112. //
  113. // ULONGLONG
  114. //
  116. APT_Int64
  118. } AUDIT_PARAM_TYPE;
  120. //
  121. // There are two types of flags that can be used with a parameter.
  122. //
  123. // - formatting flag
  124. // This defines the appearance of a parameter when
  125. // written to the eventlog. Such flags may become obsolete
  126. // when we move to WMI auditing.
  127. //
  128. // - control flag
  129. // This causes a specified action to be taken that affects
  130. // a parameter value.
  131. //
  132. // For example:
  133. // If you use the AP_PrimaryLogonId/AP_ClientLogonId flag,
  134. // the system will capture the logon-id from the process/thread token.
  135. //
  137. #define AP_ParamTypeBits 8
  138. #define AP_ParamTypeMask 0x000000ffL
  140. //
  141. // the flags values below have overlapping values. this is ok since
  142. // the scope of each flag is limited to the type to which it applies.
  143. //
  145. //
  146. // APT_Ulong : format flag : causes a number to appear in hex
  147. //
  149. #define AP_FormatHex (0x0001L << AP_ParamTypeBits)
  151. //
  152. // APT_Ulong : format flag : causes a number to be treated as access-mask.
  153. // The meaning of each bit depends on the associated
  154. // object type.
  155. //
  157. #define AP_AccessMask (0x0002L << AP_ParamTypeBits)
  160. //
  161. // APT_String : format flag : causes a string to be treated as a file-path
  162. //
  164. #define AP_Filespec (0x0001L << AP_ParamTypeBits)
  166. //
  167. // APT_LogonId : control flag : logon-id is captured from the process token
  168. //
  170. #define AP_PrimaryLogonId (0x0001L << AP_ParamTypeBits)
  172. //
  173. // APT_LogonId : control flag : logon-id is captured from the thread token
  174. //
  176. #define AP_ClientLogonId (0x0002L << AP_ParamTypeBits)
  179. //
  180. // internal helper macros
  181. //
  183. #define ApExtractType(TypeFlags) ((AUDIT_PARAM_TYPE)(TypeFlags & AP_ParamTypeMask))
  184. #define ApExtractFlags(TypeFlags) ((TypeFlags & ~AP_ParamTypeMask))
  186. //
  187. // Element of an object-type-list
  188. //
  189. // The AUDIT_OBJECT_TYPES structure identifies an object type element
  190. // in a hierarchy of object types. The AccessCheckByType functions use
  191. // an array of such structures to define a hierarchy of an object and
  192. // its subobjects, such as property sets and properties.
  193. //
  195. typedef struct _AUDIT_OBJECT_TYPE
  196. {
  197. GUID ObjectType; // guid of the (sub)object
  198. USHORT Flags; // currently not defined
  199. USHORT Level; // level within the hierarchy.
  200. // 0 is the root level
  201. ACCESS_MASK AccessMask; // access-mask for this (sub)object
  202. } AUDIT_OBJECT_TYPE, *PAUDIT_OBJECT_TYPE;
  204. typedef struct _AUDIT_OBJECT_TYPES
  205. {
  206. USHORT Count; // number of object-types in pObjectTypes
  207. USHORT Flags; // currently not defined
  208. #ifdef MIDL_PASS
  209. [size_is(Count)]
  210. #endif
  211. AUDIT_OBJECT_TYPE* pObjectTypes; // array of object-types
  212. } AUDIT_OBJECT_TYPES, *PAUDIT_OBJECT_TYPES;
  215. //
  216. // Structure that defines a single audit parameter.
  217. //
  218. // LsaGenAuditEvent accepts an array of such elements to
  219. // represent the parameters of the audit to be generated.
  220. //
  221. // It is best to initialize this structure using AdtInitParams function.
  222. // This will ensure compatibility with any future changes to this
  223. // structure.
  224. //
  226. typedef struct _AUDIT_PARAM
  227. {
  228. AUDIT_PARAM_TYPE Type; // type
  229. ULONG Length; // currently unused
  230. DWORD Flags; // currently unused
  232. #ifdef MIDL_PASS
  233. [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
  234. #endif
  235. union
  236. {
  237. #ifdef MIDL_PASS
  238. [default]
  239. #endif
  240. ULONG_PTR Data0;
  242. #ifdef MIDL_PASS
  243. [case(APT_String)]
  244. [string]
  245. #endif
  246. PWSTR String;
  249. #ifdef MIDL_PASS
  250. [case(APT_Ulong,
  251. APT_Pointer)]
  252. #endif
  253. ULONG_PTR u;
  255. #ifdef MIDL_PASS
  256. [case(APT_Sid)]
  257. #endif
  258. SID* psid;
  260. #ifdef MIDL_PASS
  261. [case(APT_Guid)]
  262. #endif
  263. GUID* pguid;
  265. #ifdef MIDL_PASS
  266. [case(APT_LogonId)]
  267. #endif
  268. ULONG LogonId_LowPart;
  270. #ifdef MIDL_PASS
  271. [case(APT_ObjectTypeList)]
  272. #endif
  273. AUDIT_OBJECT_TYPES* pObjectTypes;
  274. };
  276. #ifdef MIDL_PASS
  277. [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
  278. #endif
  279. union
  280. {
  281. #ifdef MIDL_PASS
  282. [default]
  283. #endif
  284. ULONG_PTR Data1;
  286. #ifdef MIDL_PASS
  287. [case(APT_LogonId)]
  288. #endif
  289. LONG LogonId_HighPart;
  290. };
  292. } AUDIT_PARAM, *PAUDIT_PARAM;
  295. //
  296. // Audit control flags. To be used with AUDIT_PARAMS.Flags
  297. //
  299. #define APF_AuditFailure 0x00000000 // generate a failure audit
  300. #define APF_AuditSuccess 0x00000001 // generate a success audit when set,
  301. // a failure audit otherwise.
  303. //
  304. // set of valid audit control flags
  305. //
  307. #define APF_ValidFlags (APF_AuditSuccess)
  309. //
  310. // Audit parameters passed to LsaGenAuditEvent
  311. //
  313. typedef struct _AUDIT_PARAMS
  314. {
  315. ULONG Length; // size in bytes
  316. DWORD Flags; // currently unused
  317. USHORT Count; // number of parameters
  318. #ifdef MIDL_PASS
  319. [size_is(Count)]
  320. #endif
  321. AUDIT_PARAM* Parameters; // array of parameters
  322. } AUDIT_PARAMS, *PAUDIT_PARAMS;
  324. //
  325. // Defines the elements of a legacy audit event.
  326. //
  328. typedef struct _AUTHZ_AUDIT_EVENT_TYPE_LEGACY
  329. {
  330. //
  331. // Audit category ID
  332. //
  334. USHORT CategoryId;
  336. //
  337. // Audit event ID
  338. //
  340. USHORT AuditId;
  342. //
  343. // Parameter count
  344. //
  346. USHORT ParameterCount;
  348. } AUTHZ_AUDIT_EVENT_TYPE_LEGACY, *PAUTHZ_AUDIT_EVENT_TYPE_LEGACY;
  350. typedef
  351. #ifdef MIDL_PASS
  352. [switch_type(BYTE)]
  353. #endif
  354. union _AUTHZ_AUDIT_EVENT_TYPE_UNION
  355. {
  356. #ifdef MIDL_PASS
  357. [case(AUDIT_TYPE_LEGACY)]
  358. #endif
  359. AUTHZ_AUDIT_EVENT_TYPE_LEGACY Legacy;
  360. } AUTHZ_AUDIT_EVENT_TYPE_UNION, *PAUTHZ_AUDIT_EVENT_TYPE_UNION;
  362. //
  363. // description of an audit event
  364. //
  366. typedef
  367. struct _AUTHZ_AUDIT_EVENT_TYPE_OLD
  368. {
  369. // version number
  371. ULONG Version;
  372. DWORD dwFlags;
  373. LONG RefCount;
  374. ULONG_PTR hAudit;
  375. LUID LinkId;
  376. #ifdef MIDL_PASS
  377. [switch_is(Version)]
  378. #endif
  379. AUTHZ_AUDIT_EVENT_TYPE_UNION u;
  381. } AUTHZ_AUDIT_EVENT_TYPE_OLD;
  383. typedef
  384. #ifdef MIDL_PASS
  385. [handle]
  386. #endif
  387. AUTHZ_AUDIT_EVENT_TYPE_OLD* PAUTHZ_AUDIT_EVENT_TYPE_OLD;
  389. typedef
  390. #ifdef MIDL_PASS
  391. [context_handle]
  392. #endif
  393. PVOID AUDIT_HANDLE, *PAUDIT_HANDLE;
  395. //
  396. // Begin support for extensible auditing.
  397. //
  399. #define AUTHZ_ALLOW_MULTIPLE_SOURCE_INSTANCES 0x1
  401. #define AUTHZ_AUDIT_INSTANCE_INFORMATION 0x2
  403. #endif //_ADTGEN_H