//+----------------------------------------------------------------------- // // Microsoft Windows // // Copyright (c) Microsoft Corporation 2000 // // File: A D T G E N . C // // Contents: definitions of types/functions required for // generating generic audits. // // // History: // 07-January-2000 kumarp created // //------------------------------------------------------------------------ #include "pch.h" #pragma hdrstop #include "authz.h" //------------------------------------------------------------------------ // // internal routines // NTSTATUS LsapApiReturnResult( ULONG ExceptionCode ); //------------------------------------------------------------------------ BOOL AuthzpRegisterAuditEvent( IN PAUTHZ_AUDIT_EVENT_TYPE_OLD pAuditEventType, OUT AUDIT_HANDLE* phAuditContext ) /*++ Routine Description: Register the specified event with LSA. This causes LSA to generate and return an audit context. This context handle is required to publish event of the specified type. Arguments: pAuditEventType - pointer to audit event info structure that defines which event to register. phAuditContext - pointer to audit context handle returned Return Value: NTSTATUS - Standard Nt Result Code Notes: Note that this function does NOT register the schema of an event. It is assumed that the schema has been registered *before* calling this function. The schema of legacy audit events is stored in a .mc file. --*/ { DWORD dwStatus; // // since we use the same var to store NTSTATUS and win32 error // make sure that this is not a problem // ASSERT( sizeof(NTSTATUS) == sizeof(DWORD) ); // // we generate a unique ID and store it in the audit handle // the server will copy this into the corresponding structure // on the server side. This ID allows us to track which server side // audit-context corresponds to which client side event handle. // This is very useful in debugging. // NtAllocateLocallyUniqueId( &pAuditEventType->LinkId ); RpcTryExcept { dwStatus = LsarRegisterAuditEvent( pAuditEventType, phAuditContext ); } RpcExcept( EXCEPTION_EXECUTE_HANDLER ) { dwStatus = LsapApiReturnResult(I_RpcMapWin32Status(RpcExceptionCode())); } RpcEndExcept; if (!NT_SUCCESS(dwStatus)) { dwStatus = RtlNtStatusToDosError( dwStatus ); SetLastError( dwStatus ); return FALSE; } return TRUE; } BOOL AuthzpSendAuditToLsa( IN AUDIT_HANDLE hAuditContext, IN DWORD dwFlags, IN AUDIT_PARAMS* pAuditParams, IN PVOID pReserved ) /*++ Routine Description: Send an event to LSA for publishing. Arguments: hAuditContext - handle of audit-context previously obtained by calling LsaRegisterAuditEvent dwFlags - TBD pAuditParams - pointer to audit event parameters pReserved - reserved for future enhancements Return Value: STATUS_SUCCESS -- if all is well NTSTATUS error code otherwise. Notes: --*/ { DWORD dwStatus; UNREFERENCED_PARAMETER(pReserved); // // since we use the same var to store NTSTATUS and win32 error // make sure that this is not a problem // ASSERT( sizeof(NTSTATUS) == sizeof(DWORD) ); RpcTryExcept { dwStatus = LsarGenAuditEvent( hAuditContext, dwFlags, pAuditParams ); } RpcExcept( EXCEPTION_EXECUTE_HANDLER ) { dwStatus = LsapApiReturnResult(I_RpcMapWin32Status(RpcExceptionCode())); } RpcEndExcept; if (!NT_SUCCESS(dwStatus)) { dwStatus = RtlNtStatusToDosError( dwStatus ); SetLastError( dwStatus ); return FALSE; } return TRUE; } BOOL AuthzpUnregisterAuditEvent( IN OUT AUDIT_HANDLE* phAuditContext ) /*++ Routine Description: Unregister the specified event. This causes LSA to free resources associated with the context. Arguments: hAuditContext - handle to the audit context to unregister Return Value: NTSTATUS - Standard Nt Result Code Notes: --*/ { DWORD dwStatus; // // since we use the same var to store NTSTATUS and win32 error // make sure that this is not a problem // ASSERT( sizeof(NTSTATUS) == sizeof(DWORD) ); RpcTryExcept { dwStatus = LsarUnregisterAuditEvent( phAuditContext ); } RpcExcept( EXCEPTION_EXECUTE_HANDLER ) { dwStatus = LsapApiReturnResult(I_RpcMapWin32Status(RpcExceptionCode())); } RpcEndExcept; if (!NT_SUCCESS(dwStatus)) { dwStatus = RtlNtStatusToDosError( dwStatus ); SetLastError( dwStatus ); return FALSE; } return TRUE; }