OVAL-Community / OVAL

Official repository for the Open Vulnerability and Assessment Language

"logon_claims" vs "user_device_claims" #34

Open zport opened 5 years ago

zport commented 5 years ago

@nomba commented on Thu Mar 16 2017

Hello everyone.

I have found several problems with "auditeventpolicysubcategories" item: https://github.com/OVALProject/Language/blob/5.11.2/schemas/windows-system-characteristics-schema.xsd

First, the "user_device_claims" subcategory has the same 0cce9247-69ae-11d9-bed3-505054503030 guid as "logon_claims". NTSecAPI.h doesn't contain any constants which have "claims" in their name.

Second, the rule of ordering elements in sequence has been broken. For example:

"group_membership" contained "Logon/Logoff Audit Policy Subcategories", not "System Audit Policy Subcategories". Similarly, "pnp_activity" & "audit_detailedtracking_tokenrightadjusted" contained "Detailed Tracking Audit Policy Subcategories", not "System Audit Policy Subcategories".

Third, there is a typo in the description of "security_system_extension".

"...specified in ntsecapi.h: cce9211-69ae-11d9-bed3-505054503030..."

The zero before this guid is missing.
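As an added example (not code from the OVAL project or from anyone in this thread), the following Python check scans an XSD for elements whose documentation claims the same GUID as another element, or a GUID-shaped value that is too short, the two defects reported above. The schema fragment is constructed and reduced to the three entries the issue names; it is not the real schema.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://www.w3.org/2001/XMLSchema}"
GUID = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
# GUID-shaped token whose first group is too short (a dropped leading zero).
SHORT_GUID = re.compile(r"\b[0-9a-f]{1,7}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)

# Constructed fragment in the shape of the auditeventpolicysubcategories_item
# definition; it is not the real schema, only the three entries the issue names.
SAMPLE_XSD = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
 <xsd:element name="auditeventpolicysubcategories_item"><xsd:complexType><xsd:sequence>
  <!-- Logon/Logoff Audit Policy Subcategories -->
  <xsd:element name="logon_claims" minOccurs="0"><xsd:annotation><xsd:documentation>
   Subcategory GUID in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030
  </xsd:documentation></xsd:annotation></xsd:element>
  <xsd:element name="user_device_claims" minOccurs="0"><xsd:annotation><xsd:documentation>
   Subcategory GUID in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030
  </xsd:documentation></xsd:annotation></xsd:element>
  <!-- System Audit Policy Subcategories -->
  <xsd:element name="security_system_extension" minOccurs="0"><xsd:annotation><xsd:documentation>
   Subcategory GUID specified in ntsecapi.h: cce9211-69ae-11d9-bed3-505054503030
  </xsd:documentation></xsd:annotation></xsd:element>
 </xsd:sequence></xsd:complexType></xsd:element>
</xsd:schema>"""

def scan_guid_docs(xsd_text):
    """Map each GUID found in an element's own documentation to the element
    names that claim it, and collect GUID-shaped values that are malformed."""
    by_guid, malformed = defaultdict(list), []
    for el in ET.fromstring(xsd_text).iter(NS + "element"):
        name = el.get("name")
        # Only this element's direct annotation, not its nested children's.
        docs = el.findall(f"{NS}annotation/{NS}documentation")
        text = " ".join(d.text or "" for d in docs)
        for g in GUID.findall(text):
            by_guid[g.lower()].append(name)
        for bad in SHORT_GUID.findall(GUID.sub("", text)):
            malformed.append((name, bad.lower()))
    return dict(by_guid), malformed

def duplicate_guids(by_guid):
    """GUIDs documented by more than one element, e.g. logon_claims vs user_device_claims."""
    return {g: names for g, names in by_guid.items() if len(names) > 1}

if __name__ == "__main__":
    guids, bad = scan_guid_docs(SAMPLE_XSD)
    print("duplicates:", duplicate_guids(guids))
    print("malformed:", bad)
```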


@solind commented on Thu Mar 16 2017

Hi Sergey,

1) The name USER_DEVICE_CLAIMS comes from this page: https://msdn.microsoft.com/en-us/library/dd973928.aspx

2) I'm not sure what you mean by ordering of elements. Do you mean the order in the XSD doesn't correspond with the order in NTSecAPI.h? If so, that's largely irrelevant. We simply added "new" GUIDs to the bottom of the existing enumeration.

3) Good catch! We should fix the schema documentation.


@nomba commented on Thu Mar 16 2017

Thanks for the quick response.

About the first, I meant "auditeventpolicysubcategories_item" has two entities with the same GUID at the same time. Why? Maybe for backward compatibility? I think it's a bug.

About the second, if you look at the XSD schema, you will see comments like this:

<!-- Account Logon Audit Policy Subcategories -->
<!-- Account Management Audit Policy Subcategories -->
<!-- Detailed Tracking Audit Policy Subcategories -->
<!-- DS Access Audit Policy Subcategories -->
<!-- Logon/Logoff Audit Policy Subcategories -->
<!-- Object Access Audit Policy Subcategories -->
<!-- Policy Change Audit Policy Subcategories -->
<!-- Privilege Use Audit Policy Subcategories -->
<!-- System Audit Policy Subcategories -->

Why do they exist? As far as I understand, they represent the 9 audit categories. And I think the "new" GUIDs should be contained in the corresponding blocks.


@solind commented on Thu Mar 16 2017

Looks like @blakefrantz and I made a mistake adding a pre-existing GUID.

solind commented 4 years ago

We should deprecate one of logon_claims or user_device_claims.