archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/published/inc/adtgen.w

377 lines
8.0 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A D T G E N . H
  8. //
  9. // Contents: definitions of types/functions required for
  10. // generating generic audits.
  11. //
  12. // !!!WARNING!!!
  13. // This file is included by lsarpc.idl, therefore, if you
  14. // change it, make sure to clean build the entire DS depot.
  15. //
  16. //
  17. // History:
  18. // 07-January-2000 kumarp created
  19. //
  20. //------------------------------------------------------------------------
  22. #ifndef _ADTGEN_H
  23. #define _ADTGEN_H
  25. //
  26. // type of audit
  27. //
  28. // AUDIT_TYPE_LEGACY
  29. // In this case the audit event schema is stored in a .mc file.
  30. //
  31. // AUDIT_TYPE_WMI
  32. // The schema is stored in WMI. (currently not supported)
  33. //
  35. #define AUDIT_TYPE_LEGACY 1
  36. #define AUDIT_TYPE_WMI 2
  38. //
  39. // Type of parameters passed in the AUDIT_PARAMS.Parameters array
  40. //
  41. // Use the AdtInitParams function to initialize and prepare
  42. // an array of audit parameters.
  43. //
  45. typedef enum _AUDIT_PARAM_TYPE
  46. {
  47. //
  48. // do we need this?
  49. //
  51. APT_None = 1,
  53. //
  54. // NULL terminated string
  55. //
  57. APT_String,
  59. //
  60. // unsigned long
  61. //
  63. APT_Ulong,
  65. //
  66. // a pointer. use for specifying handles/pointers
  67. // (32 bit on 32 bit systems and 64 bit on 64 bit systems)
  68. // Note that the memory to which the pointer points to
  69. // is not marshalled when using this type. Use this when you
  70. // are interested in the absolute value of the pointer.
  71. // A good example of this is when specifying HANDLE values.
  72. //
  74. APT_Pointer,
  76. //
  77. // SID
  78. //
  80. APT_Sid,
  82. //
  83. // Logon ID (LUID)
  84. //
  86. APT_LogonId,
  88. //
  89. // Object Type List
  90. //
  92. APT_ObjectTypeList,
  94. } AUDIT_PARAM_TYPE;
  96. //
  97. // There are two types of flags that can be used with a parameter.
  98. //
  99. // - formatting flag
  100. // This defines the appearance of a parameter when
  101. // written to the eventlog. Such flags may become obsolete
  102. // when we move to WMI auditing.
  103. //
  104. // - control flag
  105. // This causes a specified action to be taken that affects
  106. // a parameter value.
  107. //
  108. // For example:
  109. // If you use the AP_PrimaryLogonId/AP_ClientLogonId flag,
  110. // the system will capture the logon-id from the process/thread token.
  111. //
  113. #define AP_ParamTypeBits 8
  114. #define AP_ParamTypeMask 0x000000ffL
  116. //
  117. // the flags values below have overlapping values. this is ok since
  118. // the scope of each flag is limited to the type to which it applies.
  119. //
  121. //
  122. // APT_Ulong : format flag : causes a number to appear in hex
  123. //
  125. #define AP_FormatHex (0x0001L << AP_ParamTypeBits)
  127. //
  128. // APT_Ulong : format flag : causes a number to be treated as access-mask.
  129. // The meaning of each bit depends on the associated
  130. // object type.
  131. //
  133. #define AP_AccessMask (0x0002L << AP_ParamTypeBits)
  136. //
  137. // APT_String : format flag : causes a string to be treated as a file-path
  138. //
  140. #define AP_Filespec (0x0001L << AP_ParamTypeBits)
  142. //
  143. // APT_LogonId : control flag : logon-id is captured from the process token
  144. //
  146. #define AP_PrimaryLogonId (0x0001L << AP_ParamTypeBits)
  148. //
  149. // APT_LogonId : control flag : logon-id is captured from the thread token
  150. //
  152. #define AP_ClientLogonId (0x0002L << AP_ParamTypeBits)
  155. //
  156. // internal helper macros
  157. //
  159. #define ApExtractType(TypeFlags) ((AUDIT_PARAM_TYPE)(TypeFlags & AP_ParamTypeMask))
  160. #define ApExtractFlags(TypeFlags) ((TypeFlags & ~AP_ParamTypeMask))
  162. //
  163. // Element of an object-type-list
  164. //
  165. // The AUDIT_OBJECT_TYPES structure identifies an object type element
  166. // in a hierarchy of object types. The AccessCheckByType functions use
  167. // an array of such structures to define a hierarchy of an object and
  168. // its subobjects, such as property sets and properties.
  169. //
  171. typedef struct _AUDIT_OBJECT_TYPE
  172. {
  173. GUID ObjectType; // guid of the (sub)object
  174. USHORT Flags; // currently not defined
  175. USHORT Level; // level within the hierarchy.
  176. // 0 is the root level
  177. ACCESS_MASK AccessMask; // access-mask for this (sub)object
  178. } AUDIT_OBJECT_TYPE, *PAUDIT_OBJECT_TYPE;
  180. typedef struct _AUDIT_OBJECT_TYPES
  181. {
  182. USHORT Count; // number of object-types in pObjectTypes
  183. USHORT Flags; // currently not defined
  184. #ifdef MIDL_PASS
  185. [size_is(Count)]
  186. #endif
  187. AUDIT_OBJECT_TYPE* pObjectTypes; // array of object-types
  188. } AUDIT_OBJECT_TYPES, *PAUDIT_OBJECT_TYPES;
  191. //
  192. // Structure that defines a single audit parameter.
  193. //
  194. // LsaGenAuditEvent accepts an array of such elements to
  195. // represent the parameters of the audit to be generated.
  196. //
  197. // It is best to initialize this structure using AdtInitParams function.
  198. // This will ensure compatibility with any future changes to this
  199. // structure.
  200. //
  202. typedef struct _AUDIT_PARAM
  203. {
  204. AUDIT_PARAM_TYPE Type; // type
  205. ULONG Length; // currently unused
  206. DWORD Flags; // currently unused
  208. #ifdef MIDL_PASS
  209. [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
  210. #endif
  211. union
  212. {
  213. #ifdef MIDL_PASS
  214. [default]
  215. #endif
  216. ULONG_PTR Data0;
  218. #ifdef MIDL_PASS
  219. [case(APT_String)]
  220. [string]
  221. #endif
  222. PWSTR String;
  225. #ifdef MIDL_PASS
  226. [case(APT_Ulong,
  227. APT_Pointer)]
  228. #endif
  229. ULONG_PTR u;
  231. #ifdef MIDL_PASS
  232. [case(APT_Sid)]
  233. #endif
  234. SID* psid;
  236. #ifdef MIDL_PASS
  237. [case(APT_LogonId)]
  238. #endif
  239. ULONG LogonId_LowPart;
  241. #ifdef MIDL_PASS
  242. [case(APT_ObjectTypeList)]
  243. #endif
  244. AUDIT_OBJECT_TYPES* pObjectTypes;
  245. };
  247. #ifdef MIDL_PASS
  248. [switch_type(AUDIT_PARAM_TYPE),switch_is(Type)]
  249. #endif
  250. union
  251. {
  252. #ifdef MIDL_PASS
  253. [default]
  254. #endif
  255. ULONG_PTR Data1;
  257. #ifdef MIDL_PASS
  258. [case(APT_LogonId)]
  259. #endif
  260. LONG LogonId_HighPart;
  261. };
  263. } AUDIT_PARAM, *PAUDIT_PARAM;
  266. //
  267. // Audit control flags. To be used with AUDIT_PARAMS.Flags
  268. //
  270. #define APF_AuditFailure 0x00000000 // generate a failure audit
  271. #define APF_AuditSuccess 0x00000001 // generate a success audit when set,
  272. // a failure audit otherwise.
  274. //
  275. // set of valid audit control flags
  276. //
  278. #define APF_ValidFlags (APF_AuditSuccess)
  280. //
  281. // Audit parameters passed to LsaGenAuditEvent
  282. //
  284. typedef struct _AUDIT_PARAMS
  285. {
  286. ULONG Length; // size in bytes
  287. DWORD Flags; // currently unused
  288. USHORT Count; // number of parameters
  289. #ifdef MIDL_PASS
  290. [size_is(Count)]
  291. #endif
  292. AUDIT_PARAM* Parameters; // array of parameters
  293. } AUDIT_PARAMS, *PAUDIT_PARAMS;
  295. //
  296. // Defines the elements of a legacy audit event.
  297. //
  299. typedef struct _AUTHZ_AUDIT_EVENT_TYPE_LEGACY
  300. {
  301. //
  302. // Audit category ID
  303. //
  305. USHORT CategoryId;
  307. //
  308. // Audit event ID
  309. //
  311. USHORT AuditId;
  313. //
  314. // Parameter count
  315. //
  317. USHORT ParameterCount;
  319. } AUTHZ_AUDIT_EVENT_TYPE_LEGACY, *PAUTHZ_AUDIT_EVENT_TYPE_LEGACY;
  321. typedef
  322. #ifdef MIDL_PASS
  323. [switch_type(BYTE)]
  324. #endif
  325. union _AUTHZ_AUDIT_EVENT_TYPE_UNION
  326. {
  327. #ifdef MIDL_PASS
  328. [case(AUDIT_TYPE_LEGACY)]
  329. #endif
  330. AUTHZ_AUDIT_EVENT_TYPE_LEGACY Legacy;
  331. } AUTHZ_AUDIT_EVENT_TYPE_UNION, *PAUTHZ_AUDIT_EVENT_TYPE_UNION;
  333. //
  334. // description of an audit event
  335. //
  337. typedef
  338. struct _AUTHZ_AUDIT_EVENT_TYPE_OLD
  339. {
  340. // version number
  342. ULONG Version;
  343. DWORD dwFlags;
  344. LONG RefCount;
  345. ULONG_PTR hAudit;
  346. LUID LinkId;
  347. #ifdef MIDL_PASS
  348. [switch_is(Version)]
  349. #endif
  350. AUTHZ_AUDIT_EVENT_TYPE_UNION u;
  352. } AUTHZ_AUDIT_EVENT_TYPE_OLD;
  354. typedef
  355. #ifdef MIDL_PASS
  356. [handle]
  357. #endif
  358. AUTHZ_AUDIT_EVENT_TYPE_OLD* PAUTHZ_AUDIT_EVENT_TYPE_OLD;
  360. typedef
  361. #ifdef MIDL_PASS
  362. [context_handle]
  363. #endif
  364. PVOID AUDIT_HANDLE, *PAUDIT_HANDLE;
  366. BOOL
  367. AuthzpRegisterAuditEvent(
  368. IN PAUTHZ_AUDIT_EVENT_TYPE_OLD pAuditEventType,
  369. OUT PAUDIT_HANDLE phAuditContext
  370. );
  372. BOOL
  373. AuthzpUnregisterAuditEvent(
  374. IN OUT AUDIT_HANDLE* phAuditContext
  375. );
  377. #endif //_ADTGEN_H