/*++

Copyright (c) 1991  Microsoft Corporation

Module Name:

    adtp.h

Abstract:

    Auditing - Private Defines, Function Prototypes and Macro Functions

Author:

    Scott Birrell       (ScottBi)       November 6, 1991

Environment:

Revision History:

--*/

#include "tokenp.h"

//
// Audit Log Information
//
// NOTE(review): unlike every other global in this header this is a
// definition, not an "extern" declaration, so each translation unit that
// includes adtp.h defines SepAdtLogInformation and the build relies on
// tentative-definition (common-symbol) linkage to merge the copies.  It
// should be declared "extern" here and defined in exactly one .c file;
// confirm where (or whether) a single definition exists before changing it,
// since adding "extern" without one breaks the link.
//

POLICY_AUDIT_LOG_INFO SepAdtLogInformation;

//
// Master auditing switch.  SepAdtAuditThisEvent() (below) tests this first
// and short-circuits, so when it is FALSE no event is audited regardless of
// the per-event-type success/failure policy.
//

extern BOOLEAN SepAdtAuditingEnabled;

//
// High and low water marks to control the length of the audit queue.
// Both are read from the registry through SEP_AUDIT_BOUNDS (below);
// presumably installed by SepAdtInitializeBounds() — confirm at its
// definition.  Exceeding the high water mark is what leads to audits being
// discarded (see SepAdtDiscardingAudits / SepAdtCountEventsDiscarded).
//

extern ULONG SepAdtMaxListLength;
extern ULONG SepAdtMinListLength;

//
// Structure used to query the above values from the registry
//
// The field order presumably mirrors the binary layout of the registry
// value as it is read, so do not reorder or insert fields without checking
// the reader.  These values are externally supplied (by anyone who can
// write that registry key); NOTE(review): whatever consumes this structure
// should validate it — e.g. reject UpperBound < LowerBound or a zero
// UpperBound — before installing the values as SepAdtMaxListLength /
// SepAdtMinListLength, otherwise a bad value can make the audit queue
// discard every event or grow without bound.  Not verifiable from this
// header; confirm at the reader.
//

typedef struct _SEP_AUDIT_BOUNDS {

    ULONG UpperBound;       // becomes SepAdtMaxListLength (high water mark)
    ULONG LowerBound;       // becomes SepAdtMinListLength (low water mark)

} SEP_AUDIT_BOUNDS, *PSEP_AUDIT_BOUNDS;


//
// Number of events discarded
//
// Every increment is an audit record that was never written, i.e. a gap in
// the audit trail.  A non-zero value matters for forensic completeness and
// is the counterpart of SepCrashOnAuditFail below.
//

extern ULONG SepAdtCountEventsDiscarded;


//
// Number of events on the queue
//
// Compared against SepAdtMaxListLength / SepAdtMinListLength to decide when
// to start and stop discarding (presumably; the comparison itself is not in
// this header).
//

extern ULONG SepAdtCurrentListLength;


//
// Flag to tell us that we're discarding audits
//
// While TRUE, generated audits are dropped instead of queued; the queue is
// presumably drained back to the low water mark before it clears.
//

extern BOOLEAN SepAdtDiscardingAudits;

//
// Flag to tell us that we should crash if we miss
// an audit.
//
// This is the fail-closed choice: rather than silently losing audit
// records, the system bugchecks when an audit cannot be recorded.  Which
// registry setting populates it is not visible here (presumably via
// SepAdtInitializeCrashOnFail() below).
//

extern BOOLEAN SepCrashOnAuditFail;

//
// Value name for verbose privilege auditing
//
// Registry value name (a wide-character literal; do not change it) that
// enables auditing of every privilege use rather than the filtered set.
// Presumably consulted by SepAdtInitializePrivilegeAuditing() /
// SepInitializePrivilegeFilter() — confirm at their definitions.
//

#define FULL_PRIVILEGE_AUDITING   L"FullPrivilegeAuditing"


//
// Audit-policy accessors.  In both routines each argument is OPTIONAL and
// may be NULL to leave that part of the policy untouched (Set) or
// unqueried (Get).  AuditingMode presumably maps onto the global switch
// SepAdtAuditingEnabled and EventAuditingOptions onto the per-event-type
// success/failure table consulted by SepAdtAuditThisEvent(); confirm at the
// definitions.  Nothing in this header shows a privilege check, so the
// caller is responsible for gating who may change audit policy.
//

VOID
SepAdtSetAuditEventInformation(
    IN OPTIONAL PBOOLEAN AuditingMode,
    IN OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

VOID
SepAdtGetAuditEventInformation(
    OUT OPTIONAL PBOOLEAN AuditingMode,
    OUT OPTIONAL PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions
    );

//
// Installs a new POLICY_AUDIT_LOG_INFO (see SepAdtLogInformation above).
// Whether the structure is copied or referenced is not visible here.
//

VOID
SepAdtSetAuditLogInformation(
    IN PPOLICY_AUDIT_LOG_INFO AuditLogInformation
    );

//
// Builds a self-contained copy of AuditParameters, presumably so the record
// can be queued to the LSA independently of the caller's buffers.  On
// success *MarshalledAuditParameters receives the copy and *RecordMemoryType
// records which allocator it came from, so the eventual consumer can release
// it correctly — i.e. ownership of the copy passes to the caller.  Returns
// an NTSTATUS; on failure the OUT parameters should be treated as
// undefined.  (Ownership and failure semantics inferred from the signature;
// confirm at the definition.)
//

NTSTATUS
SepAdtMarshallAuditRecord(
    IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
    OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters,
    OUT PSEP_RM_LSA_MEMORY_TYPE RecordMemoryType
    );


//
// Audit/alarm generation routines.
//
// Parameters named "Captured..." indicate that the caller has already
// copied the data out of any user-mode buffer (the public Nt* audit
// services do the probe-and-capture); these routines must not be handed
// raw user-mode pointers — NOTE(review): confirm at each call site.
// A ClientToken of NULL means the subject is not impersonating and the
// PrimaryToken alone identifies it (inferred from the OPTIONAL annotation;
// confirm at the definition).  The meaning of the BOOLEAN return value of
// SepAdtPrivilegeObjectAuditAlarm is not visible in this header.
//

BOOLEAN
SepAdtPrivilegeObjectAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName OPTIONAL,
    IN PVOID HandleId,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PVOID ProcessId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );

//
// The next three routines share a shape: the subject is identified by
// UserSid + AuthenticationId (logon session) rather than by token, and the
// caller has already decided, via GenerateAudit / GenerateAlarm, whether an
// audit record and/or an alarm is wanted (presumably the result of
// SepAdtAuditThisEvent() and an access check done by the caller).
//

VOID
SepAdtTraverseAuditAlarm(
    IN PLUID OperationID,
    IN PVOID DirectoryObject,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

VOID
SepAdtCreateInstanceAuditAlarm(
    IN PLUID OperationID,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

//
// Same as above but identifies the new object by name (directory +
// component) rather than by object pointer, and takes no privilege set.
//

VOID
SepAdtCreateObjectAuditAlarm(
    IN PLUID OperationID,
    IN PUNICODE_STRING DirectoryName,
    IN PUNICODE_STRING ComponentName,
    IN PSID UserSid,
    IN LUID AuthenticationId,
    IN ACCESS_MASK DesiredAccess,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );


//
// Records an operation on an already-open handle.  OperationId is passed
// by value here, whereas the routines above take a PLUID; the two styles
// are otherwise equivalent.
//

VOID
SepAdtHandleAuditAlarm(
    IN PUNICODE_STRING Source,
    IN LUID OperationId,
    IN HANDLE Handle,
    IN PSID UserSid
    );

//
// Audits use of a privilege by a named service of a named subsystem (the
// "privileged service" audit).  Both name strings are already captured.
//

VOID
SepAdtPrivilegedServiceAuditAlarm (
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PUNICODE_STRING CapturedServiceName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN PPRIVILEGE_SET CapturedPrivileges,
    IN BOOLEAN AccessGranted
    );


//
// Close and delete audits have the same signature: the object is identified
// by both its HandleId and its object pointer, and the subject by SID +
// logon session.
//

VOID
SepAdtCloseObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId
    );

VOID
SepAdtDeleteObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID HandleId,
    IN PVOID Object,
    IN PSID UserSid,
    IN LUID AuthenticationId
    );

//
// Open audits.  SepAdtOpenObjectAuditAlarm and
// SepAdtOpenObjectForDeleteAuditAlarm have identical parameter lists; keep
// them in step if either changes.  Both DesiredAccess and GrantedAccess are
// recorded, which is what lets an auditor distinguish a partially-granted
// open from a fully-granted one.
//
// NOTE(review): HandleId is "PVOID *" but annotated IN only — either the
// extra level of indirection is unnecessary or the annotation should be
// IN OUT; check the definition.  ProcessID is a HANDLE here but
// SepAdtPrivilegeObjectAuditAlarm takes "PVOID ProcessId" for what appears
// to be the same value — a minor type inconsistency worth unifying.
// The meaning of the BOOLEAN return value is not visible in this header.
//

BOOLEAN
SepAdtOpenObjectAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PVOID Object,
    IN PUNICODE_STRING CapturedObjectName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm,
    IN HANDLE ProcessID
    );

BOOLEAN
SepAdtOpenObjectForDeleteAuditAlarm(
    IN PUNICODE_STRING CapturedSubsystemName,
    IN PVOID *HandleId,
    IN PUNICODE_STRING CapturedObjectTypeName,
    IN PVOID Object,
    IN PUNICODE_STRING CapturedObjectName,
    IN PTOKEN ClientToken OPTIONAL,
    IN PTOKEN PrimaryToken,
    IN ACCESS_MASK DesiredAccess,
    IN ACCESS_MASK GrantedAccess,
    IN PLUID OperationId,
    IN PPRIVILEGE_SET CapturedPrivileges OPTIONAL,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm,
    IN HANDLE ProcessID
    );

//
// Audits a reference to an object (no handle involved).  Unlike the routines
// above the subject is passed as a whole SECURITY_SUBJECT_CONTEXT, and the
// OperationID is OPTIONAL.
//

VOID
SepAdtObjectReferenceAuditAlarm(
    IN PLUID OperationID OPTIONAL,
    IN PVOID Object,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges OPTIONAL,
    IN BOOLEAN AccessGranted,
    IN BOOLEAN GenerateAudit,
    IN BOOLEAN GenerateAlarm
    );

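//
// BOOLEAN
// SepAdtAuditThisEvent(
//    IN POLICY_AUDIT_EVENT_TYPE AuditType,
//    IN PBOOLEAN AccessGranted
// );
//
// Decide whether an event of type AuditType should be audited under the
// current policy: auditing must be globally enabled (SepAdtAuditingEnabled)
// and the per-type policy in SeAuditingState[AuditType] must request
// auditing of successes (when *AccessGranted is TRUE) or of failures (when
// it is FALSE).  AccessGranted is a pointer and must not be NULL.
//
// N.B. This is a macro, not a function.  AuditType and AccessGranted are
// each expanded twice, so arguments must be free of side effects, and the
// global switch is tested first so SeAuditingState is never touched while
// auditing is disabled.  Every argument use is parenthesized so that an
// expression argument (e.g. a pointer chosen with ?:) binds as a whole
// rather than as "*Ptr ? ..." or "*Ptr + 1".
//

#define SepAdtAuditThisEvent(AuditType, AccessGranted)                          \
    (SepAdtAuditingEnabled &&                                                   \
     ((SeAuditingState[(AuditType)].AuditOnSuccess && *(AccessGranted)) ||      \
      (SeAuditingState[(AuditType)].AuditOnFailure && !(*(AccessGranted)))))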

//
// Initialization entry points.
//
// SepAdtInitializeBounds presumably reads SEP_AUDIT_BOUNDS from the registry
// and installs SepAdtMaxListLength / SepAdtMinListLength; it returns nothing,
// so a bad or missing registry value can only be handled internally (by
// keeping defaults) — confirm that it does.
//

VOID
SepAdtInitializeBounds(
    VOID
    );

//
// Presumably invoked when an audit could not be recorded; given
// SepCrashOnAuditFail above this is the point where the "crash on audit
// failure" policy would be enforced.  Confirm at the definition.
//

VOID
SepAuditFailed(
    VOID
    );

//
// Reads the crash-on-audit-fail setting (presumably into SepCrashOnAuditFail).
// Returns an NTSTATUS, so callers should check it: a silent failure here
// would leave the fail-closed policy unset.
//

NTSTATUS
SepAdtInitializeCrashOnFail(
    VOID
    );

//
// Sets up the privilege-audit filter; Verbose presumably corresponds to the
// FULL_PRIVILEGE_AUDITING registry value.  Returns FALSE on failure.
// Style note: the parameter is the only one in this header without an
// IN annotation.
//

BOOLEAN
SepInitializePrivilegeFilter(
    BOOLEAN Verbose
    );

//
// Top-level privilege-auditing initialization; presumably decides the
// Verbose flag and calls SepInitializePrivilegeFilter.  Returns FALSE on
// failure.
//

BOOLEAN
SepAdtInitializePrivilegeAuditing(
    VOID
    );