Skip to content

Add "Advanced Audit Policy" Rule Handling#1556

Open
FrederickGeek8 wants to merge 6 commits into
microsoft:devfrom
FrederickGeek8:fix-auditpol-advanced
Open

Add "Advanced Audit Policy" Rule Handling#1556
FrederickGeek8 wants to merge 6 commits into
microsoft:devfrom
FrederickGeek8:fix-auditpol-advanced

Conversation

@FrederickGeek8

@FrederickGeek8 FrederickGeek8 commented Jun 17, 2026

Copy link
Copy Markdown

Pull Request (PR) description:

This PR adds proper handling for "Advanced Audit Policy" rules that were not being applied (as was reported in #1533). These rules appear in Windows 10, 11, and Server STIGs are currently are no-ops. In essence, this PR is just changing the parsing logic of AuditPolicyRule to support the new language used by those items. Rather than overloading the parsing of AuditPolicyRuleConvert, I created & modified a copy of that file, introducing AuditPolicyRuleAdvancedConvert.

This Pull Request (PR) fixes the following issues:

This PR fixes #1533 (and other related STIGs like Win11 and WinServer). In doing so, 8-9 STIG items are now applied across Windows Client/Server STIGs.

# of rules now covered:

WindowsClient-10-3.5.xml: 9 Rules Added
WindowsClient-10-3.6.xml: 9 Rules Added
WindowsClient-11-2.6.xml: 9 Rules Added
WindowsClient-11-2.7.xml: 9 Rules Added
WindowsServer-2019-DC-3.7.xml: 8 Rules Added
WindowsServer-2019-DC-3.8.xml: 8 Rules Added
WindowsServer-2019-MS-3.7.xml: 8 Rules Added
WindowsServer-2019-MS-3.8.xml: 8 Rules Added
WindowsServer-2022-DC-2.7.xml: 8 Rules Added
WindowsServer-2022-DC-2.8.xml: 8 Rules Added
WindowsServer-2022-MS-2.7.xml: 8 Rules Added
WindowsServer-2022-MS-2.8.xml: 8 Rules Added
WindowsServer-2025-DC-1.1.xml: 8 Rules Added
WindowsServer-2025-MS-1.1.xml: 8 Rules Added

Task list:

  • Change details added to Unreleased section of CHANGELOG.md (Not required for Convert modules)?
  • Added/updated documentation, comment-based help and descriptions where appropriate?
  • Examples appropriately updated?
  • New/changed code adheres to Style Guidelines?
  • Unit and (optional) Integration tests created/updated where possible?

@FrederickGeek8

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree company="Full Spectrum Software LLC"

@FrederickGeek8

FrederickGeek8 commented Jun 22, 2026

Copy link
Copy Markdown
Author

@MrAutomater can you (or someone else) take a look at this and tell me if it's a reasonable approach for addressing #1533?

If I get a thumbs up for this general approach then I can work on adding tests, rebasing, and updating generated files.

Thanks!

@MrAutomater

MrAutomater commented Jun 22, 2026 via email

Copy link
Copy Markdown
Collaborator

No code has been changed. This new module will be modified for
"Advanced" audit policy parsing in another commit. Making a copy here
makes the changes in subsequent commits more obvious.
This assumes a certain stability in the RawString text, but the pattern
seems to hold for now.
@FrederickGeek8
FrederickGeek8 force-pushed the fix-auditpol-advanced branch from e7e264a to 18ad79a Compare July 7, 2026 16:42
@FrederickGeek8

Copy link
Copy Markdown
Author

I just rebased my branch, added tests, and updated processed files.

Unfortunately copying AuditPolicyRule was not as clean as I had hoped -- I wanted AuditPolicyRuleAdvancedConvert to inherit from AuditPolicyRule, but that breaks one test that checks the name of the Base class. To solve that failing test, I created a AuditPolicyRuleAdvanced class that inherits from AuditPolicyRule. Because of that, there is a <AuditPolicyRuleAdvanced> section that is generated in the XML. It works, but not as minimal a change as I had wanted.

Not sure if that changes whether you/we want to merge AuditPolicyRule and AuditPolicyRuleAdvanced's logic into one rule.

Based on the AuditPolicyRule tests. An `AuditPolicyRuleAdvanced` base
class had to be created, otherwise a Common Test would fail that checks
whether the base class matches the name of the child class.
Note that there is now a new "AuditPolicyRuleAdvanced" rule type
introduced in the XML. This is because of the new
AuditPolicyRuleAdvanced base class introduced in the previous commit.
These conversions were failing before but need to be manually set
@FrederickGeek8
FrederickGeek8 force-pushed the fix-auditpol-advanced branch from 18ad79a to acd2afb Compare July 13, 2026 15:49
@FrederickGeek8

Copy link
Copy Markdown
Author

I had to make some small tweaks to my implementation get the tests to pass (it turns out I was running them incorrectly locally). I also updated the "Unreleased" section of the Changelog. I did not bump the version number -- not sure if that's something you'd do.

This should be ready for review now!

@FrederickGeek8
FrederickGeek8 marked this pull request as ready for review July 13, 2026 16:20
@FrederickGeek8

FrederickGeek8 commented Jul 15, 2026

Copy link
Copy Markdown
Author

@MrAutomater I've rebased on dev, written (passing) tests, and updated the generated XML files. Any chance you or someone else has the bandwidth to review this PR? Thanks! Sorry to ping.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Win10 "Advanced Audit Policy" Rules Not Applied

2 participants