windows-xp/Source/XPSP1/NT/base/ntos/se/adtp.h

/*++

Copyright (c) 1991  Microsoft Corporation

Module Name:

    adtp.h

Abstract:

    Auditing - Private Defines, Fuction Prototypes and Macro Functions

Author:

    Scott Birrell       (ScottBi)       November 6, 1991

Environment:

Revision History:

--*/

#ifndef _ADTP_H_
#define _ADTP_H_

#include "tokenp.h"

//
// Audit Log Information
//

POLICY_AUDIT_LOG_INFO SepAdtLogInformation;

extern BOOLEAN SepAdtAuditingEnabled;

//
// High and low water marks to control the length of the audit queue
//

extern ULONG SepAdtMaxListLength;
extern ULONG SepAdtMinListLength;
//
// Set when LSA has died.
//
extern PKEVENT SepAdtLsaDeadEvent;
//
// Structure used to query the above values from the registry
//

typedef struct _SEP_AUDIT_BOUNDS {

    ULONG UpperBound;
    ULONG LowerBound;

} SEP_AUDIT_BOUNDS, *PSEP_AUDIT_BOUNDS;


//
// Number of events discarded
//

extern ULONG SepAdtCountEventsDiscarded;


//
// Number of events on the queue
//

extern ULONG SepAdtCurrentListLength;


//
// Flag to tell us that we're discarding audits
//

extern BOOLEAN SepAdtDiscardingAudits;

//
// Flag to tell us that we should crash if we miss an audit.
//

extern BOOLEAN SepCrashOnAuditFail;

//
// Value name for verbose privilege auditing
//

#define FULL_PRIVILEGE_AUDITING   L"FullPrivilegeAuditing"

//
// security descriptor to be used for adding a SACL on system processes
//

extern PSECURITY_DESCRIPTOR SepProcessAuditSd;

//
// security descriptor to check if a given token has any one of
// following sids in it:
// -- SeLocalSystemSid
// -- SeLocalServiceSid
// -- SeNetworkServiceSid
//

extern PSECURITY_DESCRIPTOR SepImportantProcessSd;

//
// pseudo access bit used in each ACE of SepImportantProcessSd
//

#define SEP_QUERY_MEMBERSHIP 1

//
// used with SepImportantProcessSd
//

extern GENERIC_MAPPING GenericMappingForMembershipCheck;

VOID
SepAdtSetAuditEventInformation(
    IN OPTIONAL PBOOLEAN AuditingMode,
    IN OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

VOID
SepAdtGetAuditEventInformation(
    OUT OPTIONAL PBOOLEAN AuditingMode,
    OUT OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

VOID
SepAdtSetAuditLogInformation(
    IN PPOLICY_AUDIT_LOG_INFO AuditLogInformation
    );

NTSTATUS
SepAdtMarshallAuditRecord(
    IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
    OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters,
    OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType
    );


BOOLEAN
SepAdtPrivilegeObjectAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName OPTIONAL,
    IN PVOID HandleId,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PVOID ProcessId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );

VOID
SepAdtTraverseAuditAlarm(
    IN PLUID OperationID,
    IN PVOID DirectoryObject,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtCreateInstanceAuditAlarm(
    IN PLUID OperationID,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtCreateObjectAuditAlarm(
    IN PLUID OperationID,
    IN PUNICODE_STRING DirectoryName,
    IN PUNICODE_STRING ComponentName,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtPrivilegedServiceAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PUNICODE_STRING CapturedServiceName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );


VOID
SepAdtCloseObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PSID UserSid
    );

VOID
SepAdtDeleteObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PSID UserSid
    );

BOOLEAN
SepAdtOpenObjectAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId OPTIONAL,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PUNICODE_STRING CapturedObjectName OPTIONAL,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN HANDLE ProcessID,
    IN POLICY_AUDIT_EVENT_TYPE AuditType,
    IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
    IN ULONG ObjectTypeListLength,
    IN PACCESS_MASK GrantedAccessArray OPTIONAL
    );

BOOLEAN
SepAdtOpenObjectForDeleteAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PUNICODE_STRING CapturedObjectName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN HANDLE ProcessID
    );

VOID
SepAdtObjectReferenceAuditAlarm(
    IN PVOID Object,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
    IN ACCESS_MASK DesiredAccess,
    IN BOOLEAN AccessGranted
    );

//
// BOOLEAN
// SepAdtAuditThisEvent(
//    IN POLICY_AUDIT_EVENT_TYPE AuditType,
//    IN PBOOLEAN AccessGranted
// );
//

#define SepAdtAuditThisEvent(AuditType, AccessGranted)                  \
    (SepAdtAuditingEnabled &&                                           \
    ((SeAuditingState[AuditType].AuditOnSuccess && *AccessGranted) ||   \
    (SeAuditingState[AuditType].AuditOnFailure && !(*AccessGranted))))

#define SepAdtAuditThisEventEx(AuditType, AccessGranted, AccessDenied ) \
    (SepAdtAuditingEnabled &&                                           \
    ((SeAuditingState[AuditType].AuditOnSuccess && AccessGranted) ||    \
     (SeAuditingState[AuditType].AuditOnFailure && AccessDenied)))

VOID
SepAdtInitializeBounds(
    VOID
    );

VOID
SepAuditFailed(
    VOID
    );

NTSTATUS
SepAdtInitializeCrashOnFail(
    VOID
    );

BOOLEAN
SepInitializePrivilegeFilter(
    BOOLEAN Verbose
    );

BOOLEAN
SepAdtInitializePrivilegeAuditing(
    VOID
    );

// ----------------------------------------------------------------------
// The following is used only temporarily for NT5.
//
// NT5 does not provide any facility to enable/disable auditing at
// audit-event level. It only supports it at audit category level.
// This creates problems if one wants to audit only certain specific
// audit events of a category. The current design gives you all or none for
// each category.
//
// Post NT5 auditing will provide a better/flexible design that wil address
// this issue. For now, to delight some valuable customers, we provide this
// hack / registry based solution. This solution will be removed post NT5.
//

VOID
SepAdtInitializeAuditingOptions(
    VOID
    );

typedef struct _SEP_AUDIT_OPTIONS
{
    BOOLEAN DoNotAuditCloseObjectEvents;
} SEP_AUDIT_OPTIONS;

extern SEP_AUDIT_OPTIONS SepAuditOptions;

// ----------------------------------------------------------------------

#endif // _ADTP_H_