190 lines
3.8 KiB
C
190 lines
3.8 KiB
C
/*++
|
|
|
|
Copyright (c) 1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
adt.h
|
|
|
|
Abstract:
|
|
|
|
Auditing - Defines, Fuction Prototypes and Macro Functions.
|
|
These are public to the Security Component only.
|
|
|
|
Author:
|
|
|
|
Scott Birrell (ScottBi) January 17, 1991
|
|
|
|
Environment:
|
|
|
|
Revision History:
|
|
|
|
*/
|
|
|
|
#include <ntlsa.h>
|
|
|
|
|
|
|
|
// //
|
|
// Auditing Routines visible to rest of Security Component outside Auditing //
|
|
// subcomponent. //
|
|
// //
|
|
|
|
|
|
|
|
/*++
|
|
|
|
BOOLEAN
|
|
SepAdtEventOnSuccess(
|
|
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
|
|
)
|
|
|
|
Routine Description:
|
|
|
|
This macro function checks if a given Audit Event Type is enabled for
|
|
Auditing of successful occurrences of the Event.
|
|
|
|
Arguments:
|
|
|
|
AuditEventType - Specifies the type of the Audit Event to be checked.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if the event type is enabled for auditing of successful
|
|
occurrences of the event, else FALSE
|
|
*/
|
|
|
|
#define SepAdtEventOnSuccess(AuditEventType) \
|
|
(SepAdtState.EventAuditingOptions[AuditEventType] & \
|
|
POLICY_AUDIT_EVENT_SUCCESS)
|
|
|
|
|
|
/*++
|
|
|
|
BOOLEAN
|
|
SepAdtEventOnFailure(
|
|
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
|
|
)
|
|
|
|
Routine Description:
|
|
|
|
This macro function checks if a given Audit Event Type is enabled for
|
|
Auditing of unsuccessful attempts to cause an event of the given type
|
|
to occur.
|
|
|
|
Arguments:
|
|
|
|
AuditEventType - Specifies the type of the Audit Event to be checked.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if the event type is enabled for auditing of unsuccessful
|
|
attempts to make the event type occur, else FALSE
|
|
*/
|
|
|
|
#define SepAdtEventOnFailure(AuditEventType) \
|
|
(SepAdtState.EventAuditingOptions[AuditEventType] & \
|
|
POLICY_AUDIT_EVENT_FAILURE)
|
|
|
|
/*++
|
|
|
|
BOOLEAN
|
|
SepAdtAuditingEvent(
|
|
IN POLICY_AUDIT_EVENT_TYPE AuditEventType
|
|
)
|
|
|
|
Routine Description:
|
|
|
|
This macro function checks if a given Audit Event Type is enabled for
|
|
Auditing.
|
|
|
|
Arguments:
|
|
|
|
AuditEventType - Specifies the type of the Audit Event to be checked.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if the event type is enabled for auditing, else FALSE.
|
|
|
|
*/
|
|
|
|
#define SepAdtAuditingEvent(AuditEventType) \
|
|
(SepAdtEventOnSuccess(AuditEventType) || \
|
|
(SepAdtEventOnFailure(AuditEventType))
|
|
|
|
/*++
|
|
|
|
BOOLEAN
|
|
SepAdtAuditingEnabled()
|
|
|
|
Routine Description:
|
|
|
|
This macro function tests if auditing is enabled.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if auditing is enabled, else FALSE
|
|
|
|
*/
|
|
|
|
#define SepAdtAuditingEnabled() (SepAdtState.AuditingMode == TRUE)
|
|
|
|
|
|
/*++
|
|
|
|
BOOLEAN
|
|
SepAdtAuditingDisabled()
|
|
|
|
Routine Description:
|
|
|
|
This macro function tests if auditing is disabled.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if auditing is disabled, else FALSE
|
|
|
|
*/
|
|
|
|
#define SepAdtAuditingDisabled() (!SepAdtAuditingEnabled)
|
|
|
|
|
|
// Audit Event Information array. Although internal to the Auditing
|
|
// Subcomponent, this structure is exported to all of Security so that the
|
|
// above macro functions can be used to access it efficiently from there.
|
|
|
|
|
|
extern POLICY_AUDIT_EVENTS_INFO SepAdtState;
|
|
|
|
BOOLEAN
|
|
SepAdtInitializePhase0();
|
|
|
|
BOOLEAN
|
|
SepAdtInitializePhase1();
|
|
|
|
//VOID
|
|
//SepAdtLogAuditRecord(
|
|
// IN POLICY_AUDIT_EVENT_TYPE AuditEventType,
|
|
// IN PVOID AuditInformation
|
|
// );
|
|
|
|
VOID
|
|
SepAdtLogAuditRecord(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditParameters
|
|
);
|
|
|
|
NTSTATUS
|
|
SepAdtCopyToLsaSharedMemory(
|
|
IN HANDLE LsaProcessHandle,
|
|
IN PVOID Buffer,
|
|
IN ULONG BufferLength,
|
|
OUT PVOID *LsaBufferAddress
|
|
);
|