archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/base/lsa/server/adtp.h

585 lines
17 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  2. /*++
  4. Copyright (c) 1991 Microsoft Corporation
  6. Module Name:
  8. adtp.h
  10. Abstract:
  12. Local Security Authority - Audit Log Management - Private Defines,
  13. data and function prototypes.
  15. Functions, data and defines in this module are internal to the
  16. Auditing Subcomponent of the LSA Subsystem.
  18. Author:
  20. Scott Birrell (ScottBi) November 20, 1991
  22. Environment:
  24. Revision History:
  26. --*/
  28. #ifndef _LSAP_ADTP_
  29. #define _LSAP_ADTP_
  32. #include "ausrvp.h"
  35. //
  36. // Names of the registry keys where security event log information
  37. // is rooted and the object names are listed under an event source
  38. // module.
  39. //
  41. #define LSAP_ADT_AUDIT_MODULES_KEY_NAME L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\EventLog\\Security"
  42. #define LSAP_ADT_OBJECT_NAMES_KEY_NAME L"ObjectNames"
  46. //
  47. // Macros for setting fields in an SE_AUDIT_PARAMETERS array.
  48. //
  49. // These must be kept in sync with similar macros in se\sepaudit.c.
  50. //
  53. #define LsapSetParmTypeSid( AuditParameters, Index, Sid ) \
  54. { \
  55. if( Sid ) { \
  56. \
  57. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSid; \
  58. (AuditParameters).Parameters[(Index)].Length = RtlLengthSid( (Sid) ); \
  59. (AuditParameters).Parameters[(Index)].Address = (Sid); \
  60. \
  61. } else { \
  62. \
  63. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNone; \
  64. (AuditParameters).Parameters[(Index)].Length = 0; \
  65. (AuditParameters).Parameters[(Index)].Address = NULL; \
  66. \
  67. } \
  68. }
  71. #define LsapSetParmTypeAccessMask( AuditParameters, Index, AccessMask, ObjectTypeIndex ) \
  72. { \
  73. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeAccessMask; \
  74. (AuditParameters).Parameters[(Index)].Length = sizeof( ACCESS_MASK ); \
  75. (AuditParameters).Parameters[(Index)].Data[0] = (AccessMask); \
  76. (AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \
  77. }
  81. #define LsapSetParmTypeString( AuditParameters, Index, String ) \
  82. { \
  83. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeString; \
  84. (AuditParameters).Parameters[(Index)].Length = \
  85. sizeof(UNICODE_STRING)+(String)->Length; \
  86. (AuditParameters).Parameters[(Index)].Address = (String); \
  87. }
  91. #define LsapSetParmTypeUlong( AuditParameters, Index, Ulong ) \
  92. { \
  93. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUlong; \
  94. (AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
  95. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
  96. }
  98. #define LsapSetParmTypeHexUlong( AuditParameters, Index, Ulong ) \
  99. { \
  100. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexUlong; \
  101. (AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
  102. (AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
  103. }
  105. #define LsapSetParmTypeGuid( AuditParameters, Index, pGuid ) \
  106. { \
  107. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeGuid; \
  108. (AuditParameters).Parameters[(Index)].Length = sizeof( GUID ); \
  109. (AuditParameters).Parameters[(Index)].Address = pGuid; \
  110. }
  112. #define LsapSetParmTypeNoLogon( AuditParameters, Index ) \
  113. { \
  114. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoLogonId; \
  115. }
  119. #define LsapSetParmTypeLogonId( AuditParameters, Index, LogonId ) \
  120. { \
  121. PLUID TmpLuid; \
  122. \
  123. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeLogonId; \
  124. (AuditParameters).Parameters[(Index)].Length = sizeof( (LogonId) ); \
  125. TmpLuid = (PLUID)(&(AuditParameters).Parameters[(Index)].Data[0]); \
  126. *TmpLuid = (LogonId); \
  127. }
  130. #define LsapSetParmTypePrivileges( AuditParameters, Index, Privileges ) \
  131. { \
  132. (AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePrivs; \
  133. (AuditParameters).Parameters[(Index)].Length = LsapPrivilegeSetSize( (Privileges) ); \
  134. (AuditParameters).Parameters[(Index)].Address = (Privileges); \
  135. }
  138. #define IsInRange(item,min_val,max_val) \
  139. (((item) >= min_val) && ((item) <= max_val))
  141. //
  142. // see msaudite.mc for def. of valid category-id
  143. //
  144. #define IsValidCategoryId(c) \
  145. (IsInRange((c), SE_ADT_MIN_CATEGORY_ID, SE_ADT_MAX_CATEGORY_ID))
  147. //
  148. // see msaudite.mc for def. of valid audit-id
  149. //
  151. #define IsValidAuditId(a) \
  152. (IsInRange((a), SE_ADT_MIN_AUDIT_ID, SE_ADT_MAX_AUDIT_ID))
  154. //
  155. // check for reasonable value of parameter count. we must have atleast
  156. // 2 parameters in the audit-params array. Thus the min limit is 3.
  157. // The max limit is determined by the value in ntlsa.h
  158. //
  160. #define IsValidParameterCount(p) \
  161. (IsInRange((p), 2, SE_MAX_AUDIT_PARAMETERS))
  166. ///////////////////////////////////////////////////////////////////////////
  167. // //
  168. // Private data for Audit Log Management //
  169. // //
  170. ///////////////////////////////////////////////////////////////////////////
  172. #define LSAP_ADT_LOG_FULL_SHUTDOWN_TIMEOUT (ULONG) 0x0000012cL
  174. extern RTL_CRITICAL_SECTION LsapAdtQueueLock;
  175. extern RTL_CRITICAL_SECTION LsapAdtLogFullLock;
  177. extern BOOLEAN LsapAuditSuccessfulLogons;
  179. extern BOOLEAN LsapAuditFailedLogons;
  181. //
  182. // Options for LsapAdtWriteLog
  183. //
  185. #define LSAP_ADT_LOG_QUEUE_PREPEND ((ULONG) 0x00000001L)
  187. //
  188. // Structure describing a queued audit record
  189. //
  191. typedef struct _LSAP_ADT_QUEUED_RECORD {
  193. LIST_ENTRY Link;
  194. SE_ADT_PARAMETER_ARRAY Buffer;
  196. } LSAP_ADT_QUEUED_RECORD, *PLSAP_ADT_QUEUED_RECORD;
  198. //
  199. // Audit Log Queue Header. The queue is maintained in chronological
  200. // (FIFO) order. New records are appended to the back of the queue.
  201. //
  203. typedef struct _LSAP_ADT_LOG_QUEUE_HEAD {
  205. PLSAP_ADT_QUEUED_RECORD FirstQueuedRecord;
  206. PLSAP_ADT_QUEUED_RECORD LastQueuedRecord;
  208. } LSAP_ADT_LOG_QUEUE_HEAD, *PLSAP_ADT_LOG_QUEUE_HEAD;
  210. //
  211. // Lsa Global flag to indicate if we are auditing logon events.
  212. //
  214. extern BOOLEAN LsapAdtLogonEvents;
  216. //
  217. // String that will be passed in for SubsystemName for audits generated
  218. // by LSA (eg, logon, logoff, restart, etc).
  219. //
  221. extern UNICODE_STRING LsapSubsystemName;
  223. //
  224. // max number of replacement string params that we support in
  225. // eventlog audit record.
  226. //
  227. #define SE_MAX_AUDIT_PARAM_STRINGS 32
  230. ///////////////////////////////////////////////////////////////////////////////
  231. // /
  232. // The following structures and data are used by LSA to contain /
  233. // drive letter-device name mapping information. LSA obtains this /
  234. // information once during initialization and saves it for use /
  235. // by auditing code. /
  236. // /
  237. ///////////////////////////////////////////////////////////////////////////////
  240. ///////////////////////////////////////////////////////////////////////////////
  241. // /
  242. // The DRIVE_MAPPING structure contains the drive letter (without /
  243. // the colon) and a unicode string containing the name of the /
  244. // corresponding device. The buffer in the unicode string is /
  245. // allocated from the LSA heap and is never freed. /
  246. // /
  247. ///////////////////////////////////////////////////////////////////////////////
  250. typedef struct _DRIVE_MAPPING {
  251. WCHAR DriveLetter;
  252. UNICODE_STRING DeviceName;
  253. } DRIVE_MAPPING, PDRIVE_MAPPING;
  256. ////////////////////////////////////////////////////////////////////////////////
  257. // /
  258. // We assume a maximum of 26 drive letters. Though no auditing /
  259. // will occur due to references to files on floppy (drives A and /
  260. // B), perform their name lookup anyway. This will then just /
  261. // work if somehow we start auditing files on floppies. /
  262. // /
  263. ////////////////////////////////////////////////////////////////////////////////
  265. #define MAX_DRIVE_MAPPING 26
  267. extern DRIVE_MAPPING DriveMappingArray[];
  269. //
  270. // Special privilege values which are not normally audited,
  271. // but generate audits when assigned to a user. See
  272. // LsapAdtAuditSpecialPrivileges.
  273. //
  275. extern LUID ChangeNotifyPrivilege;
  276. extern LUID AuditPrivilege;
  277. extern LUID CreateTokenPrivilege;
  278. extern LUID AssignPrimaryTokenPrivilege;
  279. extern LUID BackupPrivilege;
  280. extern LUID RestorePrivilege;
  281. extern LUID DebugPrivilege;
  283. //
  284. // Global variable to indicate whether or not we're
  285. // supposed to crash when an audit fails.
  286. //
  288. extern BOOLEAN LsapCrashOnAuditFail;
  289. extern BOOLEAN LsapAllowAdminLogonsOnly;
  294. ////////////////////////////////////////////////////////////////////////////////
  295. // /
  296. // /
  297. ////////////////////////////////////////////////////////////////////////////////
  300. NTSTATUS
  301. LsapAdtWriteLog(
  302. IN OPTIONAL PSE_ADT_PARAMETER_ARRAY AuditRecord,
  303. IN ULONG Options
  304. );
  306. NTSTATUS
  307. LsapAdtDemarshallAuditInfo(
  308. IN PSE_ADT_PARAMETER_ARRAY AuditParameters
  309. );
  311. VOID
  312. LsapAdtNormalizeAuditInfo(
  313. IN PSE_ADT_PARAMETER_ARRAY AuditParameters
  314. );
  316. NTSTATUS
  317. LsapAdtOpenLog(
  318. OUT PHANDLE AuditLogHandle
  319. );
  321. VOID
  322. LsapAdtAuditLogon(
  323. IN USHORT EventCategory,
  324. IN ULONG EventID,
  325. IN USHORT EventType,
  326. IN PUNICODE_STRING AccountName,
  327. IN PUNICODE_STRING AuthenticatingAuthority,
  328. IN PUNICODE_STRING Source,
  329. IN PUNICODE_STRING PackageName,
  330. IN SECURITY_LOGON_TYPE LogonType,
  331. IN PSID UserSid,
  332. IN LUID AuthenticationId,
  333. IN PUNICODE_STRING WorkstationName,
  334. IN NTSTATUS LogonStatus,
  335. IN NTSTATUS SubStatus,
  336. IN LPGUID LogonGuid OPTIONAL
  337. );
  339. VOID
  340. LsapAuditLogonHelper(
  341. IN NTSTATUS LogonStatus,
  342. IN NTSTATUS LogonSubStatus,
  343. IN PUNICODE_STRING AccountName,
  344. IN PUNICODE_STRING AuthenticatingAuthority,
  345. IN PUNICODE_STRING WorkstationName,
  346. IN PSID UserSid, OPTIONAL
  347. IN SECURITY_LOGON_TYPE LogonType,
  348. IN PTOKEN_SOURCE TokenSource,
  349. IN PLUID LogonId,
  350. IN LPGUID LogonGuid OPTIONAL
  351. );
  353. #define LSAP_ADT_LOG_QUEUE_DISCARD ((ULONG) 0x00000001L)
  354. #define LSAP_ADT_LOG_QUEUE_WRITEOUT ((ULONG) 0x00000002L)
  357. VOID
  358. LsapAdtSystemRestart(
  359. PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo
  360. );
  362. VOID
  363. LsapAdtAuditLogonProcessRegistration(
  364. IN PLSAP_AU_REGISTER_CONNECT_INFO_EX ConnectInfo
  365. );
  368. NTSTATUS
  369. LsapAdtInitializeLogQueue(
  370. VOID
  371. );
  373. NTSTATUS
  374. LsapAdtQueueRecord(
  375. IN PSE_ADT_PARAMETER_ARRAY AuditRecord,
  376. IN ULONG Options
  377. );
  380. #define LsapAdtAcquireLogFullLock() RtlEnterCriticalSection(&LsapAdtLogFullLock)
  381. #define LsapAdtReleaseLogFullLock() RtlLeaveCriticalSection(&LsapAdtLogFullLock)
  384. NTSTATUS
  385. LsapAdtObjsInitialize(
  386. );
  390. NTSTATUS
  391. LsapAdtBuildDashString(
  392. OUT PUNICODE_STRING ResultantString,
  393. OUT PBOOLEAN FreeWhenDone
  394. );
  396. NTSTATUS
  397. LsapAdtBuildUlongString(
  398. IN ULONG Value,
  399. OUT PUNICODE_STRING ResultantString,
  400. OUT PBOOLEAN FreeWhenDone
  401. );
  403. NTSTATUS
  404. LsapAdtBuildHexUlongString(
  405. IN ULONG Value,
  406. OUT PUNICODE_STRING ResultantString,
  407. OUT PBOOLEAN FreeWhenDone
  408. );
  410. NTSTATUS
  411. LsapAdtBuildPtrString(
  412. IN PVOID Value,
  413. OUT PUNICODE_STRING ResultantString,
  414. OUT PBOOLEAN FreeWhenDone
  415. );
  417. NTSTATUS
  418. LsapAdtBuildLuidString(
  419. IN PLUID Value,
  420. OUT PUNICODE_STRING ResultantString,
  421. OUT PBOOLEAN FreeWhenDone
  422. );
  425. NTSTATUS
  426. LsapAdtBuildSidString(
  427. IN PSID Value,
  428. OUT PUNICODE_STRING ResultantString,
  429. OUT PBOOLEAN FreeWhenDone
  430. );
  432. NTSTATUS
  433. LsapAdtBuildObjectTypeStrings(
  434. IN PUNICODE_STRING SourceModule,
  435. IN PUNICODE_STRING ObjectTypeName,
  436. IN PSE_ADT_OBJECT_TYPE ObjectTypeList,
  437. IN ULONG ObjectTypeCount,
  438. OUT PUNICODE_STRING ResultantString,
  439. OUT PBOOLEAN FreeWhenDone,
  440. OUT PUNICODE_STRING NewObjectTypeName
  441. );
  443. NTSTATUS
  444. LsapAdtBuildAccessesString(
  445. IN PUNICODE_STRING SourceModule,
  446. IN PUNICODE_STRING ObjectTypeName,
  447. IN ACCESS_MASK Accesses,
  448. IN BOOLEAN Indent,
  449. OUT PUNICODE_STRING ResultantString,
  450. OUT PBOOLEAN FreeWhenDone
  451. );
  453. NTSTATUS
  454. LsapAdtBuildFilePathString(
  455. IN PUNICODE_STRING Value,
  456. OUT PUNICODE_STRING ResultantString,
  457. OUT PBOOLEAN FreeWhenDone
  458. );
  460. NTSTATUS
  461. LsapAdtBuildLogonIdStrings(
  462. IN PLUID LogonId,
  463. OUT PUNICODE_STRING ResultantString1,
  464. OUT PBOOLEAN FreeWhenDone1,
  465. OUT PUNICODE_STRING ResultantString2,
  466. OUT PBOOLEAN FreeWhenDone2,
  467. OUT PUNICODE_STRING ResultantString3,
  468. OUT PBOOLEAN FreeWhenDone3
  469. );
  471. NTSTATUS
  472. LsapBuildPrivilegeAuditString(
  473. IN PPRIVILEGE_SET PrivilegeSet,
  474. OUT PUNICODE_STRING ResultantString,
  475. OUT PBOOLEAN FreeWhenDone
  476. );
  478. NTSTATUS
  479. LsapAdtBuildTimeString(
  480. IN PLARGE_INTEGER Value,
  481. OUT PUNICODE_STRING ResultantString,
  482. OUT PBOOLEAN FreeWhenDone
  483. );
  485. NTSTATUS
  486. LsapAdtBuildDateString(
  487. IN PLARGE_INTEGER Value,
  488. OUT PUNICODE_STRING ResultantString,
  489. OUT PBOOLEAN FreeWhenDone
  490. );
  492. NTSTATUS
  493. LsapAdtBuildGuidString(
  494. IN LPGUID pGuid,
  495. OUT PUNICODE_STRING ResultantString,
  496. OUT PBOOLEAN FreeWhenDone
  497. );
  499. NTSTATUS
  500. LsapAdtMarshallAuditRecord(
  501. IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
  502. OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters
  503. );
  506. NTSTATUS
  507. LsapAdtInitializeDriveLetters(
  508. VOID
  509. );
  512. BOOLEAN
  513. LsapAdtLookupDriveLetter(
  514. IN PUNICODE_STRING FileName,
  515. OUT PUSHORT DeviceNameLength,
  516. OUT PWCHAR DriveLetter
  517. );
  519. VOID
  520. LsapAdtSubstituteDriveLetter(
  521. IN PUNICODE_STRING FileName
  522. );
  524. VOID
  525. LsapAdtUserRightAssigned(
  526. IN USHORT EventCategory,
  527. IN ULONG EventID,
  528. IN USHORT EventType,
  529. IN PSID UserSid,
  530. IN LUID CallerAuthenticationId,
  531. IN PSID ClientSid,
  532. IN PPRIVILEGE_SET Privileges
  533. );
  535. VOID
  536. LsapAdtTrustedDomain(
  537. IN USHORT EventCategory,
  538. IN ULONG EventID,
  539. IN USHORT EventType,
  540. IN PSID ClientSid,
  541. IN LUID CallerAuthenticationId,
  542. IN PSID TargetSid,
  543. IN PUNICODE_STRING DomainName
  544. );
  546. VOID
  547. LsapAdtAuditLogoff(
  548. PLSAP_LOGON_SESSION Session
  549. );
  551. VOID
  552. LsapAdtPolicyChange(
  553. IN USHORT EventCategory,
  554. IN ULONG EventID,
  555. IN USHORT EventType,
  556. IN PSID ClientSid,
  557. IN LUID CallerAuthenticationId,
  558. IN PLSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation
  559. );
  561. VOID
  562. LsapAdtAuditSpecialPrivileges(
  563. PPRIVILEGE_SET Privileges,
  564. LUID LogonId,
  565. PSID UserSid
  566. );
  568. VOID
  569. LsapAuditFailed(
  570. IN NTSTATUS AuditStatus
  571. );
  573. VOID
  574. LsapAdtInitParametersArray(
  575. IN SE_ADT_PARAMETER_ARRAY* AuditParameters,
  576. IN ULONG AuditCategoryId,
  577. IN ULONG AuditId,
  578. IN USHORT AuditEventType,
  579. IN USHORT ParameterCount,
  580. ...);
  582. NTSTATUS
  583. LsapAdtInitGenericAudits( VOID );
  585. #endif // _LSAP_ADTP_