windows-nt/Source/XPSP1/NT/ds/security/base/lsa/server/adtp.h
2020-09-26 16:20:57 +08:00

586 lines
17 KiB
C

/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
adtp.h
Abstract:
Local Security Authority - Audit Log Management - Private Defines,
data and function prototypes.
Functions, data and defines in this module are internal to the
Auditing Subcomponent of the LSA Subsystem.
Author:
Scott Birrell (ScottBi) November 20, 1991
Environment:
Revision History:
--*/
#ifndef _LSAP_ADTP_
#define _LSAP_ADTP_
#include "ausrvp.h"
//
// Names of the registry keys where security event log information
// is rooted and the object names are listed under an event source
// module.
//
#define LSAP_ADT_AUDIT_MODULES_KEY_NAME L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\EventLog\\Security"
#define LSAP_ADT_OBJECT_NAMES_KEY_NAME L"ObjectNames"
//
// Macros for setting fields in an SE_AUDIT_PARAMETERS array.
//
// These must be kept in sync with similar macros in se\sepaudit.c.
//
#define LsapSetParmTypeSid( AuditParameters, Index, Sid ) \
{ \
if( Sid ) { \
\
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeSid; \
(AuditParameters).Parameters[(Index)].Length = RtlLengthSid( (Sid) ); \
(AuditParameters).Parameters[(Index)].Address = (Sid); \
\
} else { \
\
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNone; \
(AuditParameters).Parameters[(Index)].Length = 0; \
(AuditParameters).Parameters[(Index)].Address = NULL; \
\
} \
}
#define LsapSetParmTypeAccessMask( AuditParameters, Index, AccessMask, ObjectTypeIndex ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeAccessMask; \
(AuditParameters).Parameters[(Index)].Length = sizeof( ACCESS_MASK ); \
(AuditParameters).Parameters[(Index)].Data[0] = (AccessMask); \
(AuditParameters).Parameters[(Index)].Data[1] = (ObjectTypeIndex); \
}
#define LsapSetParmTypeString( AuditParameters, Index, String ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeString; \
(AuditParameters).Parameters[(Index)].Length = \
sizeof(UNICODE_STRING)+(String)->Length; \
(AuditParameters).Parameters[(Index)].Address = (String); \
}
#define LsapSetParmTypeUlong( AuditParameters, Index, Ulong ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeUlong; \
(AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
}
#define LsapSetParmTypeHexUlong( AuditParameters, Index, Ulong ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeHexUlong; \
(AuditParameters).Parameters[(Index)].Length = sizeof( (Ulong) ); \
(AuditParameters).Parameters[(Index)].Data[0] = (ULONG)(Ulong); \
}
#define LsapSetParmTypeGuid( AuditParameters, Index, pGuid ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeGuid; \
(AuditParameters).Parameters[(Index)].Length = sizeof( GUID ); \
(AuditParameters).Parameters[(Index)].Address = pGuid; \
}
#define LsapSetParmTypeNoLogon( AuditParameters, Index ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeNoLogonId; \
}
#define LsapSetParmTypeLogonId( AuditParameters, Index, LogonId ) \
{ \
PLUID TmpLuid; \
\
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypeLogonId; \
(AuditParameters).Parameters[(Index)].Length = sizeof( (LogonId) ); \
TmpLuid = (PLUID)(&(AuditParameters).Parameters[(Index)].Data[0]); \
*TmpLuid = (LogonId); \
}
#define LsapSetParmTypePrivileges( AuditParameters, Index, Privileges ) \
{ \
(AuditParameters).Parameters[(Index)].Type = SeAdtParmTypePrivs; \
(AuditParameters).Parameters[(Index)].Length = LsapPrivilegeSetSize( (Privileges) ); \
(AuditParameters).Parameters[(Index)].Address = (Privileges); \
}
#define IsInRange(item,min_val,max_val) \
(((item) >= min_val) && ((item) <= max_val))
//
// see msaudite.mc for def. of valid category-id
//
#define IsValidCategoryId(c) \
(IsInRange((c), SE_ADT_MIN_CATEGORY_ID, SE_ADT_MAX_CATEGORY_ID))
//
// see msaudite.mc for def. of valid audit-id
//
#define IsValidAuditId(a) \
(IsInRange((a), SE_ADT_MIN_AUDIT_ID, SE_ADT_MAX_AUDIT_ID))
//
// check for reasonable value of parameter count. we must have atleast
// 2 parameters in the audit-params array. Thus the min limit is 3.
// The max limit is determined by the value in ntlsa.h
//
#define IsValidParameterCount(p) \
(IsInRange((p), 2, SE_MAX_AUDIT_PARAMETERS))
///////////////////////////////////////////////////////////////////////////
// //
// Private data for Audit Log Management //
// //
///////////////////////////////////////////////////////////////////////////
#define LSAP_ADT_LOG_FULL_SHUTDOWN_TIMEOUT (ULONG) 0x0000012cL
extern RTL_CRITICAL_SECTION LsapAdtQueueLock;
extern RTL_CRITICAL_SECTION LsapAdtLogFullLock;
extern BOOLEAN LsapAuditSuccessfulLogons;
extern BOOLEAN LsapAuditFailedLogons;
//
// Options for LsapAdtWriteLog
//
#define LSAP_ADT_LOG_QUEUE_PREPEND ((ULONG) 0x00000001L)
//
// Structure describing a queued audit record
//
typedef struct _LSAP_ADT_QUEUED_RECORD {
LIST_ENTRY Link;
SE_ADT_PARAMETER_ARRAY Buffer;
} LSAP_ADT_QUEUED_RECORD, *PLSAP_ADT_QUEUED_RECORD;
//
// Audit Log Queue Header. The queue is maintained in chronological
// (FIFO) order. New records are appended to the back of the queue.
//
typedef struct _LSAP_ADT_LOG_QUEUE_HEAD {
PLSAP_ADT_QUEUED_RECORD FirstQueuedRecord;
PLSAP_ADT_QUEUED_RECORD LastQueuedRecord;
} LSAP_ADT_LOG_QUEUE_HEAD, *PLSAP_ADT_LOG_QUEUE_HEAD;
//
// Lsa Global flag to indicate if we are auditing logon events.
//
extern BOOLEAN LsapAdtLogonEvents;
//
// String that will be passed in for SubsystemName for audits generated
// by LSA (eg, logon, logoff, restart, etc).
//
extern UNICODE_STRING LsapSubsystemName;
//
// max number of replacement string params that we support in
// eventlog audit record.
//
#define SE_MAX_AUDIT_PARAM_STRINGS 32
///////////////////////////////////////////////////////////////////////////////
// /
// The following structures and data are used by LSA to contain /
// drive letter-device name mapping information. LSA obtains this /
// information once during initialization and saves it for use /
// by auditing code. /
// /
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
// /
// The DRIVE_MAPPING structure contains the drive letter (without /
// the colon) and a unicode string containing the name of the /
// corresponding device. The buffer in the unicode string is /
// allocated from the LSA heap and is never freed. /
// /
///////////////////////////////////////////////////////////////////////////////
typedef struct _DRIVE_MAPPING {
WCHAR DriveLetter;
UNICODE_STRING DeviceName;
} DRIVE_MAPPING, PDRIVE_MAPPING;
////////////////////////////////////////////////////////////////////////////////
// /
// We assume a maximum of 26 drive letters. Though no auditing /
// will occur due to references to files on floppy (drives A and /
// B), perform their name lookup anyway. This will then just /
// work if somehow we start auditing files on floppies. /
// /
////////////////////////////////////////////////////////////////////////////////
#define MAX_DRIVE_MAPPING 26
extern DRIVE_MAPPING DriveMappingArray[];
//
// Special privilege values which are not normally audited,
// but generate audits when assigned to a user. See
// LsapAdtAuditSpecialPrivileges.
//
extern LUID ChangeNotifyPrivilege;
extern LUID AuditPrivilege;
extern LUID CreateTokenPrivilege;
extern LUID AssignPrimaryTokenPrivilege;
extern LUID BackupPrivilege;
extern LUID RestorePrivilege;
extern LUID DebugPrivilege;
//
// Global variable to indicate whether or not we're
// supposed to crash when an audit fails.
//
extern BOOLEAN LsapCrashOnAuditFail;
extern BOOLEAN LsapAllowAdminLogonsOnly;
////////////////////////////////////////////////////////////////////////////////
// /
// /
////////////////////////////////////////////////////////////////////////////////
NTSTATUS
LsapAdtWriteLog(
IN OPTIONAL PSE_ADT_PARAMETER_ARRAY AuditRecord,
IN ULONG Options
);
NTSTATUS
LsapAdtDemarshallAuditInfo(
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
);
VOID
LsapAdtNormalizeAuditInfo(
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
);
NTSTATUS
LsapAdtOpenLog(
OUT PHANDLE AuditLogHandle
);
VOID
LsapAdtAuditLogon(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING AuthenticatingAuthority,
IN PUNICODE_STRING Source,
IN PUNICODE_STRING PackageName,
IN SECURITY_LOGON_TYPE LogonType,
IN PSID UserSid,
IN LUID AuthenticationId,
IN PUNICODE_STRING WorkstationName,
IN NTSTATUS LogonStatus,
IN NTSTATUS SubStatus,
IN LPGUID LogonGuid OPTIONAL
);
VOID
LsapAuditLogonHelper(
IN NTSTATUS LogonStatus,
IN NTSTATUS LogonSubStatus,
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING AuthenticatingAuthority,
IN PUNICODE_STRING WorkstationName,
IN PSID UserSid, OPTIONAL
IN SECURITY_LOGON_TYPE LogonType,
IN PTOKEN_SOURCE TokenSource,
IN PLUID LogonId,
IN LPGUID LogonGuid OPTIONAL
);
#define LSAP_ADT_LOG_QUEUE_DISCARD ((ULONG) 0x00000001L)
#define LSAP_ADT_LOG_QUEUE_WRITEOUT ((ULONG) 0x00000002L)
VOID
LsapAdtSystemRestart(
PLSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo
);
VOID
LsapAdtAuditLogonProcessRegistration(
IN PLSAP_AU_REGISTER_CONNECT_INFO_EX ConnectInfo
);
NTSTATUS
LsapAdtInitializeLogQueue(
VOID
);
NTSTATUS
LsapAdtQueueRecord(
IN PSE_ADT_PARAMETER_ARRAY AuditRecord,
IN ULONG Options
);
#define LsapAdtAcquireLogFullLock() RtlEnterCriticalSection(&LsapAdtLogFullLock)
#define LsapAdtReleaseLogFullLock() RtlLeaveCriticalSection(&LsapAdtLogFullLock)
NTSTATUS
LsapAdtObjsInitialize(
);
NTSTATUS
LsapAdtBuildDashString(
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildUlongString(
IN ULONG Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildHexUlongString(
IN ULONG Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildPtrString(
IN PVOID Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildLuidString(
IN PLUID Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildSidString(
IN PSID Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildObjectTypeStrings(
IN PUNICODE_STRING SourceModule,
IN PUNICODE_STRING ObjectTypeName,
IN PSE_ADT_OBJECT_TYPE ObjectTypeList,
IN ULONG ObjectTypeCount,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone,
OUT PUNICODE_STRING NewObjectTypeName
);
NTSTATUS
LsapAdtBuildAccessesString(
IN PUNICODE_STRING SourceModule,
IN PUNICODE_STRING ObjectTypeName,
IN ACCESS_MASK Accesses,
IN BOOLEAN Indent,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildFilePathString(
IN PUNICODE_STRING Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildLogonIdStrings(
IN PLUID LogonId,
OUT PUNICODE_STRING ResultantString1,
OUT PBOOLEAN FreeWhenDone1,
OUT PUNICODE_STRING ResultantString2,
OUT PBOOLEAN FreeWhenDone2,
OUT PUNICODE_STRING ResultantString3,
OUT PBOOLEAN FreeWhenDone3
);
NTSTATUS
LsapBuildPrivilegeAuditString(
IN PPRIVILEGE_SET PrivilegeSet,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildTimeString(
IN PLARGE_INTEGER Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildDateString(
IN PLARGE_INTEGER Value,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtBuildGuidString(
IN LPGUID pGuid,
OUT PUNICODE_STRING ResultantString,
OUT PBOOLEAN FreeWhenDone
);
NTSTATUS
LsapAdtMarshallAuditRecord(
IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
OUT PSE_ADT_PARAMETER_ARRAY *MarshalledAuditParameters
);
NTSTATUS
LsapAdtInitializeDriveLetters(
VOID
);
BOOLEAN
LsapAdtLookupDriveLetter(
IN PUNICODE_STRING FileName,
OUT PUSHORT DeviceNameLength,
OUT PWCHAR DriveLetter
);
VOID
LsapAdtSubstituteDriveLetter(
IN PUNICODE_STRING FileName
);
VOID
LsapAdtUserRightAssigned(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID UserSid,
IN LUID CallerAuthenticationId,
IN PSID ClientSid,
IN PPRIVILEGE_SET Privileges
);
VOID
LsapAdtTrustedDomain(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID ClientSid,
IN LUID CallerAuthenticationId,
IN PSID TargetSid,
IN PUNICODE_STRING DomainName
);
VOID
LsapAdtAuditLogoff(
PLSAP_LOGON_SESSION Session
);
VOID
LsapAdtPolicyChange(
IN USHORT EventCategory,
IN ULONG EventID,
IN USHORT EventType,
IN PSID ClientSid,
IN LUID CallerAuthenticationId,
IN PLSARM_POLICY_AUDIT_EVENTS_INFO LsapAdtEventsInformation
);
VOID
LsapAdtAuditSpecialPrivileges(
PPRIVILEGE_SET Privileges,
LUID LogonId,
PSID UserSid
);
VOID
LsapAuditFailed(
IN NTSTATUS AuditStatus
);
VOID
LsapAdtInitParametersArray(
IN SE_ADT_PARAMETER_ARRAY* AuditParameters,
IN ULONG AuditCategoryId,
IN ULONG AuditId,
IN USHORT AuditEventType,
IN USHORT ParameterCount,
...);
NTSTATUS
LsapAdtInitGenericAudits( VOID );
#endif // _LSAP_ADTP_