You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
934 lines
31 KiB
934 lines
31 KiB
|
|
/*++
|
|
|
|
Copyright (c) 1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
adtp.h
|
|
|
|
Abstract:
|
|
|
|
Local Security Authority - Audit Log Management - Private Defines,
|
|
data and function prototypes.
|
|
|
|
Functions, data and defines in this module are internal to the
|
|
Auditing Subcomponent of the LSA Subsystem.
|
|
|
|
Author:
|
|
|
|
Scott Birrell (ScottBi) November 20, 1991
|
|
|
|
Environment:
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#ifndef _LSAP_ADTP_
|
|
#define _LSAP_ADTP_
|
|
|
|
|
|
#include "ausrvp.h"
|
|
#include "cfiles\adtdebug.h"
|
|
|
|
//
|
|
// Names of the registry keys where security event log information
|
|
// is rooted and the object names are listed under an event source
|
|
// module.
|
|
//
|
|
|
|
#define LSAP_ADT_AUDIT_MODULES_KEY_NAME L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\EventLog\\Security"
|
|
#define LSAP_ADT_OBJECT_NAMES_KEY_NAME L"ObjectNames"
|
|
|
|
#define MAX_OBJECT_TYPES 32
|
|
|
|
|
|
//
|
|
// Macros for setting fields in an SE_AUDIT_PARAMETERS array.
|
|
//
|
|
// These must be kept in sync with similar macros in se\sepaudit.c.
|
|
//
|
|
|
|
|
|
#define LsapSetParmTypeSid( AuditParameters, Index, Sid ) \
|
|
{ \
|
|
if( Sid ) { \
|
|
\
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSid; \
|
|
(AuditParameters).Parameters[(Index)].Length = RtlLengthSid( (Sid) ); \
|
|
(AuditParameters).Parameters[(Index)].Address = (Sid); \
|
|
\
|
|
} else { \
|
|
\
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNone; \
|
|
(AuditParameters).Parameters[(Index)].Length = 0; \
|
|
(AuditParameters).Parameters[(Index)].Address = NULL; \
|
|
\
|
|
} \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeAccessMask( AuditParameters, Index, AccessMask, ObjectTypeIndex ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeAccessMask; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( ACCESS_MASK ); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (AccessMask); \
|
|
(AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \
|
|
}
|
|
|
|
|
|
|
|
#define LsapSetParmTypeString( AuditParameters, Index, String ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeString; \
|
|
(AuditParameters).Parameters[(Index)].Length = \
|
|
sizeof(UNICODE_STRING)+(String)->Length; \
|
|
(AuditParameters).Parameters[(Index)].Address = (String); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeUlong( AuditParameters, Index, Ulong ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUlong; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeHexUlong( AuditParameters, Index, Ulong ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexUlong; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeHexInt64( AuditParameters, Index, Qword ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexInt64; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( (Qword) ); \
|
|
*(PULONGLONG)((AuditParameters).Parameters[(Index)].Data) = (Qword); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeTime( AuditParameters, Index, Time ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeTime; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
|
|
*(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Time); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeDateTime( AuditParameters, Index, Time ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeDateTime; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
|
|
*(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Time); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeDuration( AuditParameters, Index, Duration ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeDuration; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( LARGE_INTEGER ); \
|
|
*(PLARGE_INTEGER)((AuditParameters).Parameters[(Index)].Data) = (Duration); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeGuid( AuditParameters, Index, pGuid ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeGuid; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( GUID ); \
|
|
(AuditParameters).Parameters[(Index)].Address = (pGuid); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeNoLogon( AuditParameters, Index ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoLogonId; \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeLogonId( AuditParameters, Index, LogonId ) \
|
|
{ \
|
|
PLUID TmpLuid; \
|
|
\
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeLogonId; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof( (LogonId) ); \
|
|
TmpLuid = (PLUID)(&(AuditParameters).Parameters[(Index)].Data[0]); \
|
|
*TmpLuid = (LogonId); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypePrivileges( AuditParameters, Index, Privileges ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePrivs; \
|
|
(AuditParameters).Parameters[(Index)].Length = LsapPrivilegeSetSize( (Privileges) ); \
|
|
(AuditParameters).Parameters[(Index)].Address = (Privileges); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeStringList( AuditParameters, Index, StringList ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeStringList; \
|
|
(AuditParameters).Parameters[(Index)].Length = LsapStringListSize( (StringList) ); \
|
|
(AuditParameters).Parameters[(Index)].Address = (StringList); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeSidList( AuditParameters, Index, SidList ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSidList; \
|
|
(AuditParameters).Parameters[(Index)].Length = LsapSidListSize( (SidList) ); \
|
|
(AuditParameters).Parameters[(Index)].Address = (SidList); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeUac( AuditParameters, Index, OldUac, NewUac ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUserAccountControl; \
|
|
(AuditParameters).Parameters[(Index)].Length = 2 * sizeof(ULONG); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (OldUac); \
|
|
(AuditParameters).Parameters[(Index)].Data[1] = (ULONG_PTR) (NewUac); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeNoUac( AuditParameters, Index ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoUac; \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypePtr( AuditParameters, Index, Ptr ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePtr; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof(ULONG_PTR); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (Ptr); \
|
|
}
|
|
|
|
|
|
#define LsapSetParmTypeMessage( AuditParameters, Index, MessageId ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeMessage; \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof(ULONG); \
|
|
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG_PTR) (MessageId); \
|
|
}
|
|
|
|
#define LsapSetParmTypeSockAddr( AuditParameters, Index, pSockAddr ) \
|
|
{ \
|
|
USHORT sa_family = ((SOCKADDR*) pSockAddr)->sa_family; \
|
|
\
|
|
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSockAddr;\
|
|
if ( sa_family == AF_INET6 ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR_IN6);\
|
|
} \
|
|
else if ( sa_family == AF_INET ) \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR_IN);\
|
|
} \
|
|
else \
|
|
{ \
|
|
(AuditParameters).Parameters[(Index)].Length = sizeof(SOCKADDR);\
|
|
if ( sa_family != 0 ) \
|
|
{ \
|
|
AdtAssert(FALSE, ("LsapSetParmTypeSockAddr: invalid sa_family: %d",sa_family)); \
|
|
} \
|
|
} \
|
|
(AuditParameters).Parameters[(Index)].Address = (pSockAddr); \
|
|
}
|
|
|
|
|
|
|
|
#define IsInRange(item,min_val,max_val) \
|
|
(((item) >= min_val) && ((item) <= max_val))
|
|
|
|
//
|
|
// see msaudite.mc for def. of valid category-id
|
|
//
|
|
#define IsValidCategoryId(c) \
|
|
(IsInRange((c), SE_ADT_MIN_CATEGORY_ID, SE_ADT_MAX_CATEGORY_ID))
|
|
|
|
//
|
|
// see msaudite.mc for def. of valid audit-id
|
|
//
|
|
|
|
#define IsValidAuditId(a) \
|
|
(IsInRange((a), SE_ADT_MIN_AUDIT_ID, SE_ADT_MAX_AUDIT_ID))
|
|
|
|
//
|
|
// check for reasonable value of parameter count. we must have atleast
|
|
// 2 parameters in the audit-params array. Thus the min limit is 3.
|
|
// The max limit is determined by the value in ntlsa.h
|
|
//
|
|
|
|
#define IsValidParameterCount(p) \
|
|
(IsInRange((p), 2, SE_MAX_AUDIT_PARAMETERS))
|
|
|
|
|
|
//
|
|
// macro used by LsapAdtDemarshallAuditInfo and LsapAuditFailed
|
|
// to decide when not to assert in DBG build
|
|
//
|
|
|
|
#define LsapAdtNeedToAssert( Status ) \
|
|
(( Status != STATUS_LOG_FILE_FULL ) && \
|
|
( Status != STATUS_DISK_FULL ) && \
|
|
( Status != STATUS_INSUFFICIENT_RESOURCES ) && \
|
|
( Status != STATUS_NO_MEMORY ) && \
|
|
( Status != STATUS_COMMITMENT_LIMIT ))
|
|
|
|
|
|
#define SEP_MAX_PRIVILEGE_COUNT (SE_MAX_WELL_KNOWN_PRIVILEGE-SE_MIN_WELL_KNOWN_PRIVILEGE+32)
|
|
|
|
#define IsValidPrivilegeCount( count ) ((count == 0) || \
|
|
((count > 0) && \
|
|
(count <= SEP_MAX_PRIVILEGE_COUNT)))
|
|
|
|
|
|
|
|
///////////////////////////////////////////////////////////////////////////
|
|
// //
|
|
// Private data for Audit Log Management //
|
|
// //
|
|
///////////////////////////////////////////////////////////////////////////
|
|
|
|
#define LSAP_ADT_LOG_FULL_SHUTDOWN_TIMEOUT (ULONG) 0x0000012cL
|
|
|
|
extern RTL_CRITICAL_SECTION LsapAdtLogFullLock;
|
|
|
|
//
|
|
// Structure describing a queued audit record
|
|
//
|
|
|
|
typedef struct _LSAP_ADT_QUEUED_RECORD {
|
|
|
|
LIST_ENTRY Link;
|
|
SE_ADT_PARAMETER_ARRAY Buffer;
|
|
|
|
} LSAP_ADT_QUEUED_RECORD, *PLSAP_ADT_QUEUED_RECORD;
|
|
|
|
//
|
|
// Audit Log Queue Header. The queue is maintained in chronological
|
|
// (FIFO) order. New records are appended to the back of the queue.
|
|
//
|
|
|
|
typedef struct _LSAP_ADT_LOG_QUEUE_HEAD {
|
|
|
|
PLSAP_ADT_QUEUED_RECORD FirstQueuedRecord;
|
|
PLSAP_ADT_QUEUED_RECORD LastQueuedRecord;
|
|
|
|
} LSAP_ADT_LOG_QUEUE_HEAD, *PLSAP_ADT_LOG_QUEUE_HEAD;
|
|
|
|
//
|
|
// String that will be passed in for SubsystemName for audits generated
|
|
// by LSA (eg, logon, logoff, restart, etc).
|
|
//
|
|
|
|
extern UNICODE_STRING LsapSubsystemName;
|
|
|
|
//
|
|
// String that will be passed in for SubsystemName for some audits generated
|
|
// by LSA for LSA objects (PolicyObject, SecretObject, TrustedDomainObject, UserAccountObject).
|
|
//
|
|
|
|
extern UNICODE_STRING LsapLsaName;
|
|
|
|
//
|
|
// max number of replacement string params that we support in
|
|
// eventlog audit record.
|
|
//
|
|
#define SE_MAX_AUDIT_PARAM_STRINGS 48
|
|
|
|
//
|
|
// Maximum number of strings used to represent an ObjectTypeList.
|
|
//
|
|
|
|
#define LSAP_ADT_OBJECT_TYPE_STRINGS 1
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
// /
|
|
// The following structures and data are used by LSA to contain /
|
|
// drive letter-device name mapping information. LSA obtains this /
|
|
// information once during initialization and saves it for use /
|
|
// by auditing code. /
|
|
// /
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
// /
|
|
// The DRIVE_MAPPING structure contains the drive letter (without /
|
|
// the colon) and a unicode string containing the name of the /
|
|
// corresponding device. The buffer in the unicode string is /
|
|
// allocated from the LSA heap and is never freed. /
|
|
// /
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
typedef struct _DRIVE_MAPPING {
|
|
WCHAR DriveLetter;
|
|
UNICODE_STRING DeviceName;
|
|
} DRIVE_MAPPING, PDRIVE_MAPPING;
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// /
|
|
// We assume a maximum of 26 drive letters. Though no auditing /
|
|
// will occur due to references to files on floppy (drives A and /
|
|
// B), perform their name lookup anyway. This will then just /
|
|
// work if somehow we start auditing files on floppies. /
|
|
// /
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
#define MAX_DRIVE_MAPPING 26
|
|
|
|
extern DRIVE_MAPPING DriveMappingArray[];
|
|
|
|
//
|
|
// This is a structure that contains all auditing information specific to a
|
|
// monitored user. Currently this information is read from the registry.
|
|
//
|
|
|
|
typedef struct _PER_USER_AUDITING_ELEMENT {
|
|
struct _PER_USER_AUDITING_ELEMENT * Next;
|
|
PSID pSid;
|
|
ULONGLONG RawPolicy;
|
|
TOKEN_AUDIT_POLICY TokenAuditPolicy;
|
|
TOKEN_AUDIT_POLICY_ELEMENT PolicyArray[POLICY_AUDIT_EVENT_TYPE_COUNT - 1];
|
|
} PER_USER_AUDITING_ELEMENT, *PPER_USER_AUDITING_ELEMENT;
|
|
|
|
//
|
|
// This structure allows for the per user auditing settings for a user
|
|
// to be queried by the logon ID.
|
|
//
|
|
|
|
typedef struct _PER_USER_AUDITING_LUID_QUERY_ELEMENT {
|
|
struct _PER_USER_AUDITING_LUID_QUERY_ELEMENT * Next;
|
|
LUID Luid;
|
|
TOKEN_AUDIT_POLICY Policy;
|
|
TOKEN_AUDIT_POLICY_ELEMENT PolicyArray[POLICY_AUDIT_EVENT_TYPE_COUNT - ANYSIZE_ARRAY];
|
|
} PER_USER_AUDITING_LUID_QUERY_ELEMENT, *PPER_USER_AUDITING_LUID_QUERY_ELEMENT;
|
|
|
|
#define PER_USER_AUDITING_POLICY_TABLE_SIZE 11
|
|
#define PER_USER_AUDITING_LUID_TABLE_SIZE 16
|
|
#define PER_USER_AUDITING_MAX_POLICY_SIZE (sizeof(TOKEN_AUDIT_POLICY) + (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * (POLICY_AUDIT_EVENT_TYPE_COUNT - ANYSIZE_ARRAY)))
|
|
|
|
extern LONG LsapAdtPerUserAuditUserCount;
|
|
extern LONG LsapAdtPerUserAuditLogonCount;
|
|
extern LONG LsapAdtPerUserAuditHint[POLICY_AUDIT_EVENT_TYPE_COUNT];
|
|
extern LONG LsapAdtPerUserPolicyCategoryCount[POLICY_AUDIT_EVENT_TYPE_COUNT];
|
|
extern HKEY LsapAdtPerUserKey;
|
|
extern HANDLE LsapAdtPerUserKeyEvent;
|
|
extern HANDLE LsapAdtPerUserKeyTimer;
|
|
extern RTL_RESOURCE LsapAdtPerUserPolicyTableResource;
|
|
extern RTL_RESOURCE LsapAdtPerUserLuidTableResource;
|
|
extern PPER_USER_AUDITING_ELEMENT LsapAdtPerUserAuditingTable[PER_USER_AUDITING_POLICY_TABLE_SIZE];
|
|
|
|
//
|
|
// macros to get the table locks for the per user settings.
|
|
//
|
|
|
|
#define LsapAdtAcquirePerUserPolicyTableReadLock() RtlAcquireResourceShared(&LsapAdtPerUserPolicyTableResource, TRUE)
|
|
#define LsapAdtAcquirePerUserPolicyTableWriteLock() RtlAcquireResourceExclusive(&LsapAdtPerUserPolicyTableResource, TRUE);
|
|
#define LsapAdtReleasePerUserPolicyTableLock() RtlReleaseResource(&LsapAdtPerUserPolicyTableResource)
|
|
|
|
#define LsapAdtAcquirePerUserLuidTableReadLock() RtlAcquireResourceShared(&LsapAdtPerUserLuidTableResource, TRUE)
|
|
#define LsapAdtAcquirePerUserLuidTableWriteLock() RtlAcquireResourceExclusive(&LsapAdtPerUserLuidTableResource, TRUE);
|
|
#define LsapAdtReleasePerUserLuidTableLock() RtlReleaseResource(&LsapAdtPerUserLuidTableResource)
|
|
|
|
//
|
|
// Special privilege values which are not normally audited,
|
|
// but generate audits when assigned to a user. See
|
|
// LsapAdtAuditSpecialPrivileges.
|
|
//
|
|
|
|
extern LUID ChangeNotifyPrivilege;
|
|
extern LUID AuditPrivilege;
|
|
extern LUID CreateTokenPrivilege;
|
|
extern LUID AssignPrimaryTokenPrivilege;
|
|
extern LUID BackupPrivilege;
|
|
extern LUID RestorePrivilege;
|
|
extern LUID DebugPrivilege;
|
|
|
|
//
|
|
// Global variable to indicate whether or not we're
|
|
// supposed to crash when an audit fails.
|
|
//
|
|
|
|
extern BOOLEAN LsapCrashOnAuditFail;
|
|
extern BOOLEAN LsapAllowAdminLogonsOnly;
|
|
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// /
|
|
// /
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtWriteLog(
|
|
IN OPTIONAL PSE_ADT_PARAMETER_ARRAY AuditRecord
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtDemarshallAuditInfo(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
|
|
);
|
|
|
|
VOID
|
|
LsapAdtNormalizeAuditInfo(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtOpenLog(
|
|
OUT PHANDLE AuditLogHandle
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditLogon(
|
|
IN USHORT EventCategory,
|
|
IN ULONG EventID,
|
|
IN USHORT EventType,
|
|
IN PUNICODE_STRING AccountName,
|
|
IN PUNICODE_STRING AuthenticatingAuthority,
|
|
IN PUNICODE_STRING Source,
|
|
IN PUNICODE_STRING PackageName,
|
|
IN SECURITY_LOGON_TYPE LogonType,
|
|
IN PSID UserSid,
|
|
IN LUID AuthenticationId,
|
|
IN PUNICODE_STRING WorkstationName,
|
|
IN NTSTATUS LogonStatus,
|
|
IN NTSTATUS SubStatus,
|
|
IN LPGUID LogonGuid, OPTIONAL
|
|
IN PLUID CallerLogonId, OPTIONAL
|
|
IN PHANDLE CallerProcessID, OPTIONAL
|
|
IN PLSA_ADT_STRING_LIST TransittedServices, OPTIONAL
|
|
IN SOCKADDR* pSockAddr OPTIONAL
|
|
);
|
|
|
|
VOID
|
|
LsapAuditLogonHelper(
|
|
IN NTSTATUS LogonStatus,
|
|
IN NTSTATUS LogonSubStatus,
|
|
IN PUNICODE_STRING AccountName,
|
|
IN PUNICODE_STRING AuthenticatingAuthority,
|
|
IN PUNICODE_STRING WorkstationName,
|
|
IN PSID UserSid, OPTIONAL
|
|
IN SECURITY_LOGON_TYPE LogonType,
|
|
IN PTOKEN_SOURCE TokenSource,
|
|
IN PLUID LogonId,
|
|
IN LPGUID LogonGuid, OPTIONAL
|
|
IN PLUID CallerLogonId, OPTIONAL
|
|
IN PHANDLE CallerProcessID, OPTIONAL
|
|
IN PLSA_ADT_STRING_LIST TransittedServices OPTIONAL
|
|
);
|
|
|
|
VOID
|
|
LsapAdtSystemRestart(
|
|
PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditLogonProcessRegistration(
|
|
IN PLSAP_AU_REGISTER_CONNECT_INFO_EX ConnectInfo
|
|
);
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtInitializeLogQueue(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtQueueRecord(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditRecord
|
|
);
|
|
|
|
#define LsapAdtAcquireLogFullLock() RtlEnterCriticalSection(&LsapAdtLogFullLock)
|
|
#define LsapAdtReleaseLogFullLock() RtlLeaveCriticalSection(&LsapAdtLogFullLock)
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtObjsInitialize(
|
|
);
|
|
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildDashString(
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildUlongString(
|
|
IN ULONG Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildHexUlongString(
|
|
IN ULONG Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildHexInt64String(
|
|
IN PULONGLONG Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildPtrString(
|
|
IN PVOID Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildLuidString(
|
|
IN PLUID Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildSidString(
|
|
IN PSID Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildObjectTypeStrings(
|
|
IN PUNICODE_STRING SourceModule,
|
|
IN PUNICODE_STRING ObjectTypeName,
|
|
IN PSE_ADT_OBJECT_TYPE ObjectTypeList,
|
|
IN ULONG ObjectTypeCount,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone,
|
|
OUT PUNICODE_STRING NewObjectTypeName
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildAccessesString(
|
|
IN PUNICODE_STRING SourceModule,
|
|
IN PUNICODE_STRING ObjectTypeName,
|
|
IN ACCESS_MASK Accesses,
|
|
IN BOOLEAN Indent,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildFilePathString(
|
|
IN PUNICODE_STRING Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildLogonIdStrings(
|
|
IN PLUID LogonId,
|
|
OUT PUNICODE_STRING ResultantString1,
|
|
OUT PBOOLEAN FreeWhenDone1,
|
|
OUT PUNICODE_STRING ResultantString2,
|
|
OUT PBOOLEAN FreeWhenDone2,
|
|
OUT PUNICODE_STRING ResultantString3,
|
|
OUT PBOOLEAN FreeWhenDone3
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapBuildPrivilegeAuditString(
|
|
IN PPRIVILEGE_SET PrivilegeSet,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildTimeString(
|
|
IN PLARGE_INTEGER Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildDateString(
|
|
IN PLARGE_INTEGER Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildDateTimeString(
|
|
IN PLARGE_INTEGER Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildDurationString(
|
|
IN PLARGE_INTEGER Value,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildGuidString(
|
|
IN LPGUID pGuid,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildStringListString(
|
|
IN PLSA_ADT_STRING_LIST pList,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildSidListString(
|
|
IN PLSA_ADT_SID_LIST pList,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildUserAccountControlString(
|
|
IN ULONG UserAccountControlOld,
|
|
IN ULONG UserAccountControlNew,
|
|
OUT PUNICODE_STRING ResultantString1,
|
|
OUT PBOOLEAN FreeWhenDone1,
|
|
OUT PUNICODE_STRING ResultantString2,
|
|
OUT PBOOLEAN FreeWhenDone2,
|
|
OUT PUNICODE_STRING ResultantString3,
|
|
OUT PBOOLEAN FreeWhenDone3
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildMessageString(
|
|
IN ULONG MessageId,
|
|
OUT PUNICODE_STRING ResultantString,
|
|
OUT PBOOLEAN FreeWhenDone
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtBuildSockAddrString(
|
|
IN PSOCKADDR pSockAddr,
|
|
OUT PUNICODE_STRING ResultantString1,
|
|
OUT PBOOLEAN FreeWhenDone1,
|
|
OUT PUNICODE_STRING ResultantString2,
|
|
OUT PBOOLEAN FreeWhenDone2
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtMarshallAuditRecord(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
|
|
OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitializePerUserAuditing(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitializeDriveLetters(
|
|
VOID
|
|
);
|
|
|
|
BOOLEAN
|
|
LsapAdtLookupDriveLetter(
|
|
IN PUNICODE_STRING FileName,
|
|
OUT PUSHORT DeviceNameLength,
|
|
OUT PWCHAR DriveLetter
|
|
);
|
|
|
|
VOID
|
|
LsapAdtSubstituteDriveLetter(
|
|
IN PUNICODE_STRING FileName
|
|
);
|
|
|
|
VOID
|
|
LsapAdtUserRightAssigned(
|
|
IN USHORT EventCategory,
|
|
IN ULONG EventID,
|
|
IN USHORT EventType,
|
|
IN PSID UserSid,
|
|
IN LUID CallerAuthenticationId,
|
|
IN PSID ClientSid,
|
|
IN PPRIVILEGE_SET Privileges
|
|
);
|
|
|
|
VOID
|
|
LsapAdtTrustedDomain(
|
|
IN USHORT EventCategory,
|
|
IN ULONG EventID,
|
|
IN USHORT EventType,
|
|
IN PSID ClientSid,
|
|
IN LUID CallerAuthenticationId,
|
|
IN PSID TargetSid,
|
|
IN PUNICODE_STRING DomainName
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditLogoff(
|
|
PLSAP_LOGON_SESSION Session
|
|
);
|
|
|
|
VOID
|
|
LsapAdtPolicyChange(
|
|
IN USHORT EventCategory,
|
|
IN ULONG EventID,
|
|
IN USHORT EventType,
|
|
IN PSID ClientSid,
|
|
IN LUID CallerAuthenticationId,
|
|
IN PLSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditSpecialPrivileges(
|
|
PPRIVILEGE_SET Privileges,
|
|
LUID LogonId,
|
|
PSID UserSid
|
|
);
|
|
|
|
VOID
|
|
LsapAuditFailed(
|
|
IN NTSTATUS AuditStatus
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitParametersArray(
|
|
IN SE_ADT_PARAMETER_ARRAY* AuditParameters,
|
|
IN ULONG AuditCategoryId,
|
|
IN ULONG AuditId,
|
|
IN USHORT AuditEventType,
|
|
IN USHORT ParameterCount,
|
|
...);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitGenericAudits(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtInitializeExtensibleAuditing(
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtConstructTablePerUserAuditing(
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
LsapAdtFreeTablePerUserAuditing(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtOpenPerUserAuditingKey(
|
|
VOID
|
|
);
|
|
|
|
ULONG
|
|
LsapAdtHashPerUserAuditing(
|
|
IN PSID pSid
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtConstructPolicyPerUserAuditing(
|
|
IN ULONGLONG RawPolicy,
|
|
OUT PTOKEN_AUDIT_POLICY pTokenPolicy,
|
|
IN OUT PULONG TokenPolicyLength
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtQueryPerUserAuditing(
|
|
IN PSID pInputSid,
|
|
OUT PTOKEN_AUDIT_POLICY pPolicy,
|
|
IN OUT PULONG pLength,
|
|
OUT PBOOLEAN bFound
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtFilterAdminPerUserAuditing(
|
|
IN HANDLE hToken,
|
|
IN OUT PTOKEN_AUDIT_POLICY pPolicy
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtStorePolicyByLuidPerUserAuditing(
|
|
IN PLUID pLogonId,
|
|
IN PTOKEN_AUDIT_POLICY pPolicy
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtQueryPolicyByLuidPerUserAuditing(
|
|
IN PLUID pLogonId,
|
|
OUT PTOKEN_AUDIT_POLICY pPolicy,
|
|
IN OUT PULONG pLength,
|
|
OUT PBOOLEAN bFound
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtRemoveLuidQueryPerUserAuditing(
|
|
IN PLUID pLogonId
|
|
);
|
|
|
|
DWORD
|
|
LsapAdtKeyNotifyFirePerUserAuditing(
|
|
IN LPVOID Ignore
|
|
);
|
|
|
|
DWORD
|
|
LsapAdtKeyNotifyStubPerUserAuditing(
|
|
IN LPVOID Ignore
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtLogonPerUserAuditing(
|
|
IN PSID pSid,
|
|
IN PLUID pLogonId,
|
|
IN HANDLE hToken
|
|
);
|
|
|
|
VOID
|
|
LsapAdtLogonCountersPerUserAuditing(
|
|
IN PTOKEN_AUDIT_POLICY pPolicy
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapAdtLogoffPerUserAuditing(
|
|
IN PLUID pLogonId
|
|
);
|
|
|
|
VOID
|
|
LsapAdtLogoffCountersPerUserAuditing(
|
|
IN PTOKEN_AUDIT_POLICY pPolicy
|
|
);
|
|
|
|
VOID
|
|
LsapAdtAuditPerUserTableCreation(
|
|
BOOLEAN bSuccess
|
|
);
|
|
|
|
VOID
|
|
LsapAdtLogAuditFailureEvent(
|
|
NTSTATUS AuditStatus
|
|
);
|
|
|
|
NTSTATUS
|
|
LsapFlushSecurityLog();
|
|
|
|
#endif // _LSAP_ADTP_
|