1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
adt.h
Abstract:
Auditing - Defines, Fuction Prototypes and Macro Functions.
These are public to the Security Component only.
Author:
Scott Birrell (ScottBi) January 17, 1991
Environment:
Revision History:
--*/
#include <ntlsa.h>
//////////////////////////////////////////////////////////////////////////////
// //
// Auditing Routines visible to rest of Security Component outside Auditing //
// subcomponent. //
// //
//////////////////////////////////////////////////////////////////////////////
/*++
BOOLEAN
SepAdtEventOnSuccess(
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
)
Routine Description:
This macro function checks if a given Audit Event Type is enabled for
Auditing of successful occurrences of the Event.
Arguments:
AuditEventType - Specifies the type of the Audit Event to be checked.
Return Value:
BOOLEAN - TRUE if the event type is enabled for auditing of successful
occurrences of the event, else FALSE
--*/
#define SepAdtEventOnSuccess(AuditEventType) \
(SepAdtState.EventAuditingOptions[AuditEventType] & \
POLICY_AUDIT_EVENT_SUCCESS)
/*++
BOOLEAN
SepAdtEventOnFailure(
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
)
Routine Description:
This macro function checks if a given Audit Event Type is enabled for
Auditing of unsuccessful attempts to cause an event of the given type
to occur.
Arguments:
AuditEventType - Specifies the type of the Audit Event to be checked.
Return Value:
BOOLEAN - TRUE if the event type is enabled for auditing of unsuccessful
attempts to make the event type occur, else FALSE
--*/
#define SepAdtEventOnFailure(AuditEventType) \
(SepAdtState.EventAuditingOptions[AuditEventType] & \
POLICY_AUDIT_EVENT_FAILURE)
/*++
BOOLEAN
SepAdtAuditingEvent(
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
)
Routine Description:
This macro function checks if a given Audit Event Type is enabled for
Auditing.
Arguments:
AuditEventType - Specifies the type of the Audit Event to be checked.
Return Value:
BOOLEAN - TRUE if the event type is enabled for auditing, else FALSE.
--*/
#define SepAdtAuditingEvent(AuditEventType) \
(SepAdtEventOnSuccess(AuditEventType) || \
(SepAdtEventOnFailure(AuditEventType))
/*++
BOOLEAN
SepAdtAuditingEnabled()
Routine Description:
This macro function tests if auditing is enabled.
Arguments:
None.
Return Value:
BOOLEAN - TRUE if auditing is enabled, else FALSE
--*/
#define SepAdtAuditingEnabled() (SepAdtState.AuditingMode == TRUE)
/*++
BOOLEAN
SepAdtAuditingDisabled()
Routine Description:
This macro function tests if auditing is disabled.
Arguments:
None.
Return Value:
BOOLEAN - TRUE if auditing is disabled, else FALSE
--*/
#define SepAdtAuditingDisabled() (!SepAdtAuditingEnabled)
//
// Audit Event Information array. Although internal to the Auditing
// Subcomponent, this structure is exported to all of Security so that the
// above macro functions can be used to access it efficiently from there.
//
extern POLICY_AUDIT_EVENTS_INFO SepAdtState;
BOOLEAN
SepAdtInitializePhase0();
BOOLEAN
SepAdtInitializePhase1();
//VOID
//SepAdtLogAuditRecord(
// IN POLICY_AUDIT_EVENT_TYPE AuditEventType,
// IN PVOID AuditInformation
// );
VOID
SepAdtLogAuditRecord(
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
);
NTSTATUS
SepAdtCopyToLsaSharedMemory(
IN HANDLE LsaProcessHandle,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PVOID *LsaBufferAddress
);
|
