//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A D T G E N . H
//
// Contents: definitions of types/functions required for
// generating generic audits.
//
// !!!WARNING!!!
// This file is included by lsarpc.idl, therefore, if you
// change it, make sure to clean build the entire DS depot.
//
//
// History:
// 07-January-2000 kumarp created
//
//------------------------------------------------------------------------
#ifndef _ADTGEN_H
#define _ADTGEN_H
//
// type of audit
//
// AUDIT_TYPE_LEGACY
// In this case the audit event schema is stored in a .mc file.
//
// AUDIT_TYPE_WMI
// The schema is stored in WMI. (currently not supported -- note that
// AUTHZ_AUDIT_EVENT_TYPE_UNION further down has an arm only for
// AUDIT_TYPE_LEGACY)
//
// These are the values carried in AUTHZ_AUDIT_EVENT_TYPE_OLD.Version,
// which is the switch_is discriminant of that structure's union.
//
#define AUDIT_TYPE_LEGACY   1
#define AUDIT_TYPE_WMI      2
//
// Type of parameters passed in the AUDIT_PARAMS.Parameters array
//
// Use the AdtInitParams function to initialize and prepare
// an array of audit parameters.
//
// The enumerator values are written out explicitly: this enum is the
// switch_is discriminant of the unions in AUDIT_PARAM, and this header
// is pulled into lsarpc.idl, so the numeric values are part of the
// RPC wire format and must not drift when an entry is added or removed.
//
typedef enum _AUDIT_PARAM_TYPE
{
    //
    // No parameter. Numbering starts at 1, so a zero value is never a
    // valid type. (The original author left an open question here
    // about whether this entry is needed at all.)
    //
    APT_None            = 1,

    //
    // NULL terminated (wide, PWSTR) string
    //
    APT_String          = 2,

    //
    // unsigned long
    //
    APT_Ulong           = 3,

    //
    // A pointer-sized value: 32 bits on 32 bit systems, 64 bits on
    // 64 bit systems. Only the numeric value of the pointer is
    // marshalled -- the memory it points to is NOT. Use this when the
    // absolute value is what matters, e.g. HANDLE values.
    // Because the raw value is recorded in the audit, avoid passing
    // addresses of in-process memory objects that would merely
    // disclose process layout.
    //
    APT_Pointer         = 4,

    //
    // SID
    //
    APT_Sid             = 5,

    //
    // Logon ID (LUID). Carried as LogonId_LowPart / LogonId_HighPart
    // across the two unions of AUDIT_PARAM.
    //
    APT_LogonId         = 6,

    //
    // Object Type List (AUDIT_OBJECT_TYPES)
    //
    APT_ObjectTypeList  = 7
} AUDIT_PARAM_TYPE;
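//
// There are two types of flags that can be used with a parameter.
//
// - formatting flag
//   Defines the appearance of a parameter when written to the
//   eventlog. Such flags may become obsolete when we move to WMI
//   auditing.
//
// - control flag
//   Causes a specified action to be taken that affects a parameter
//   value. For example, with AP_PrimaryLogonId / AP_ClientLogonId the
//   system captures the logon-id from the process / thread token.
//   Security note: because the value comes from the token rather than
//   from the caller, these flags are the way to record a logon-id the
//   caller cannot forge -- presumably any caller-supplied LogonId value
//   is ignored when they are set; confirm against AdtInitParams.
//
// Layout of a combined type+flags word: the low AP_ParamTypeBits bits
// hold the AUDIT_PARAM_TYPE, every bit above them is a flag.
//
#define AP_ParamTypeBits    8
#define AP_ParamTypeMask    0x000000ffL
//
// the flags values below have overlapping values. this is ok since
// the scope of each flag is limited to the type to which it applies.
// Consequently a flag bit must only be interpreted AFTER the type has
// been extracted with ApExtractType: AP_FormatHex, AP_Filespec and
// AP_PrimaryLogonId are the same bit, as are AP_AccessMask and
// AP_ClientLogonId.
//
//
// APT_Ulong : format flag : causes a number to appear in hex
//
#define AP_FormatHex        (0x0001L << AP_ParamTypeBits)
//
// APT_Ulong : format flag : causes a number to be treated as access-mask.
//                           The meaning of each bit depends on the associated
//                           object type.
//
#define AP_AccessMask       (0x0002L << AP_ParamTypeBits)
//
// APT_String : format flag : causes a string to be treated as a file-path
//
#define AP_Filespec         (0x0001L << AP_ParamTypeBits)
//
// APT_LogonId : control flag : logon-id is captured from the process token
//
#define AP_PrimaryLogonId   (0x0001L << AP_ParamTypeBits)
//
// APT_LogonId : control flag : logon-id is captured from the thread token
//
#define AP_ClientLogonId    (0x0002L << AP_ParamTypeBits)
//
// internal helper macros
//
// ApExtractType  : the AUDIT_PARAM_TYPE held in the low bits of TypeFlags
// ApExtractFlags : the flag bits of TypeFlags with the type bits cleared
//
// The macro argument is parenthesized so that a composite expression is
// masked as a whole. Without the parentheses
//     ApExtractFlags(APT_Ulong | AP_FormatHex)
// expands to  APT_Ulong | (AP_FormatHex & ~AP_ParamTypeMask)  because
// '&' binds tighter than '|', and the type bits leak into the result.
//
#define ApExtractType(TypeFlags)    ((AUDIT_PARAM_TYPE)((TypeFlags) & AP_ParamTypeMask))
#define ApExtractFlags(TypeFlags)   ((TypeFlags) & ~AP_ParamTypeMask)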
//
// Element of an object-type-list
//
// The AUDIT_OBJECT_TYPE structure identifies an object type element
// in a hierarchy of object types. The AccessCheckByType functions use
// an array of such structures to define a hierarchy of an object and
// its subobjects, such as property sets and properties.
//
// Level is the element's depth in that hierarchy (0 = root).
// Flags has no defined bits yet. AccessMask is the access-mask that
// applies to this (sub)object.
//
typedef struct _AUDIT_OBJECT_TYPE
{
    GUID        ObjectType;     // guid of the (sub)object
    USHORT      Flags;          // currently not defined
    USHORT      Level;          // level within the hierarchy.
                                // 0 is the root level
    ACCESS_MASK AccessMask;     // access-mask for this (sub)object
} AUDIT_OBJECT_TYPE, *PAUDIT_OBJECT_TYPE;
//
// An object-type list: Count entries of AUDIT_OBJECT_TYPE. This is
// the payload of an APT_ObjectTypeList audit parameter.
//
// Count is the size_is of pObjectTypes, so the receiving RPC stub
// sizes the array from it; being a USHORT it bounds a marshalled list
// at 65535 elements. Flags has no defined bits yet.
//
typedef struct _AUDIT_OBJECT_TYPES
{
    USHORT              Count;          // number of object-types in pObjectTypes
    USHORT              Flags;          // currently not defined
#ifdef MIDL_PASS
    [size_is(Count)]
#endif
    AUDIT_OBJECT_TYPE*  pObjectTypes;   // array of object-types
} AUDIT_OBJECT_TYPES, *PAUDIT_OBJECT_TYPES;
//
// Structure that defines a single audit parameter.
//
// LsaGenAuditEvent accepts an array of such elements to
// represent the parameters of the audit to be generated.
//
// It is best to initialize this structure using AdtInitParams function.
// This will ensure compatibility with any future changes to this
// structure.
//
// Wire format: Type is the switch_is discriminant for BOTH unions
// below, so the RPC stub marshals only the arm Type selects; set Type
// before filling in the arm. Arms:
//   APT_String         -> String   ([string]: marshalled up to its NUL)
//   APT_Ulong/Pointer  -> u        (pointer-sized value, pointee NOT sent)
//   APT_Sid            -> psid
//   APT_LogonId        -> LogonId_LowPart + LogonId_HighPart (a LUID
//                         split across the two unions)
//   APT_ObjectTypeList -> pObjectTypes
//   anything else      -> Data0 / Data1 ([default], raw pointer-sized)
//
// NOTE(review): the AP_* flags are presumably separated from the type
// by AdtInitParams (ApExtractType / ApExtractFlags) rather than OR'd
// into Type, since Type is the union discriminant -- confirm. psid has
// no size_is here; its length presumably comes from the SID definition
// in the including IDL, and a receiver should still validate the SID's
// structure before using it.
//
typedef struct _AUDIT_PARAM
{
    AUDIT_PARAM_TYPE    Type;       // type
    ULONG               Length;     // currently unused
    DWORD               Flags;      // currently unused
#ifdef MIDL_PASS
    [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
#endif
    union
    {
#ifdef MIDL_PASS
        [default]
#endif
        ULONG_PTR           Data0;          // raw value for types without a dedicated arm
#ifdef MIDL_PASS
        [case(APT_String)] [string]
#endif
        PWSTR               String;         // APT_String: NUL terminated wide string
#ifdef MIDL_PASS
        [case(APT_Ulong, APT_Pointer)]
#endif
        ULONG_PTR           u;              // APT_Ulong / APT_Pointer
#ifdef MIDL_PASS
        [case(APT_Sid)]
#endif
        SID*                psid;           // APT_Sid
#ifdef MIDL_PASS
        [case(APT_LogonId)]
#endif
        ULONG               LogonId_LowPart;    // APT_LogonId: LUID.LowPart
#ifdef MIDL_PASS
        [case(APT_ObjectTypeList)]
#endif
        AUDIT_OBJECT_TYPES* pObjectTypes;   // APT_ObjectTypeList
    };
#ifdef MIDL_PASS
    [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
#endif
    union
    {
#ifdef MIDL_PASS
        [default]
#endif
        ULONG_PTR           Data1;          // raw value for types other than APT_LogonId
#ifdef MIDL_PASS
        [case(APT_LogonId)]
#endif
        LONG                LogonId_HighPart;   // APT_LogonId: LUID.HighPart
    };
} AUDIT_PARAM, *PAUDIT_PARAM;
//
// Audit control flags. To be used with AUDIT_PARAMS.Flags
//
// NOTE(review): AUDIT_PARAMS.Flags below is commented as "currently
// unused", which contradicts this; confirm which statement is current
// before relying on either.
//
#define APF_AuditFailure    0x00000000      // generate a failure audit
#define APF_AuditSuccess    0x00000001      // generate a success audit when set,
                                            // a failure audit otherwise.
//
// set of valid audit control flags
//
// APF_AuditFailure is zero -- it is simply the absence of
// APF_AuditSuccess -- so it is not part of this mask and cannot be
// tested for with '&'. A receiver should reject any Flags value that
// has bits set outside APF_ValidFlags.
//
#define APF_ValidFlags      (APF_AuditSuccess)
//
// Audit parameters passed to LsaGenAuditEvent
//
// Length is the size in bytes (presumably of this structure, for
// versioning -- confirm). Count is the size_is of Parameters, so the
// receiving RPC stub sizes the array from it; as a USHORT it bounds a
// marshalled array at 65535 entries.
//
// NOTE(review): Flags is marked unused here, while the APF_* flags
// above say they are used with AUDIT_PARAMS.Flags -- confirm.
//
typedef struct _AUDIT_PARAMS
{
    ULONG           Length;         // size in bytes
    DWORD           Flags;          // currently unused
    USHORT          Count;          // number of parameters
#ifdef MIDL_PASS
    [size_is(Count)]
#endif
    AUDIT_PARAM*    Parameters;     // array of parameters
} AUDIT_PARAMS, *PAUDIT_PARAMS;
//
// Defines the elements of a legacy audit event.
//
// A legacy event (AUDIT_TYPE_LEGACY) is identified by its category and
// event id, whose schema lives in a .mc file. ParameterCount is the
// number of parameters the event expects; presumably it is checked
// against AUDIT_PARAMS.Count when an audit is generated -- confirm.
//
typedef struct _AUTHZ_AUDIT_EVENT_TYPE_LEGACY
{
    //
    // Audit category ID
    //
    USHORT CategoryId;

    //
    // Audit event ID
    //
    USHORT AuditId;

    //
    // Parameter count
    //
    USHORT ParameterCount;
} AUTHZ_AUDIT_EVENT_TYPE_LEGACY, *PAUTHZ_AUDIT_EVENT_TYPE_LEGACY;
//
// Per-audit-type description, discriminated by the enclosing
// AUTHZ_AUDIT_EVENT_TYPE_OLD.Version (switch_is at the use site).
//
// Legacy is the only arm and is selected by AUDIT_TYPE_LEGACY. There
// is no [default] arm, so no arm exists for any other Version value
// (AUDIT_TYPE_WMI is documented above as not supported).
//
typedef
#ifdef MIDL_PASS
[switch_type(BYTE)]
#endif
union _AUTHZ_AUDIT_EVENT_TYPE_UNION
{
#ifdef MIDL_PASS
    [case(AUDIT_TYPE_LEGACY)]
#endif
    AUTHZ_AUDIT_EVENT_TYPE_LEGACY Legacy;
} AUTHZ_AUDIT_EVENT_TYPE_UNION, *PAUTHZ_AUDIT_EVENT_TYPE_UNION;
//
// description of an audit event
//
// Version selects the arm of u (switch_is(Version)); its values are
// the AUDIT_TYPE_* constants. The remaining fields are not documented
// in this header: from their names, dwFlags looks like a flags word,
// RefCount a reference count, hAudit an opaque pointer-sized handle
// value and LinkId a LUID linking related audits -- confirm against
// the implementation before relying on any of that.
//
typedef struct _AUTHZ_AUDIT_EVENT_TYPE_OLD
{
    // version number
    ULONG       Version;
    DWORD       dwFlags;
    LONG        RefCount;
    ULONG_PTR   hAudit;
    LUID        LinkId;
#ifdef MIDL_PASS
    [switch_is(Version)]
#endif
    AUTHZ_AUDIT_EVENT_TYPE_UNION u;
} AUTHZ_AUDIT_EVENT_TYPE_OLD;
//
// Pointer to an event description. In the IDL build the [handle]
// attribute makes this pointer type double as a customized binding
// handle; the matching bind/unbind routines are not in this header.
//
typedef
#ifdef MIDL_PASS
[handle]
#endif
AUTHZ_AUDIT_EVENT_TYPE_OLD* PAUTHZ_AUDIT_EVENT_TYPE_OLD;
//
// Handle to a registered audit event. In the IDL build this is an
// RPC [context_handle]: the value is opaque to the client and only
// meaningful to the server that issued it, which keeps the associated
// state on its side.
//
typedef
#ifdef MIDL_PASS
[context_handle]
#endif
PVOID AUDIT_HANDLE, *PAUDIT_HANDLE;
//
// Registers an audit event type and returns a context handle for it
// in *phAuditContext. The BOOL return's failure convention is not
// documented here. Presumably the handle must later be released with
// AuthzpUnregisterAuditEvent -- confirm.
//
BOOL
AuthzpRegisterAuditEvent(
    IN  PAUTHZ_AUDIT_EVENT_TYPE_OLD pAuditEventType,
    OUT PAUDIT_HANDLE               phAuditContext
    );
//
// Releases a handle obtained from AuthzpRegisterAuditEvent. The
// handle is passed IN OUT, so it is presumably cleared on success
// (the usual context-handle convention) -- confirm.
//
BOOL
AuthzpUnregisterAuditEvent(
    IN OUT AUDIT_HANDLE* phAuditContext
    );
#endif //_ADTGEN_H