@nomba commented on Thu Mar 16 2017
Hello everyone.
I have found several problems with "auditeventpolicysubcategories" item: https://github.com/OVALProject/Language/blob/5.11.2/schemas/windows-system-characteristics-schema.xsd
First, the "user_device_claims" subcategory has the same 0cce9247-69ae-11d9-bed3-505054503030 GUID as "logon_claims". NTSecAPI.h doesn't contain any constants which have "claims" in their names.
Second, the rule of ordering elements in sequence has been broken. For example:
"group_membership" contained "Logon/Logoff Audit Policy Subcategories" not "System Audit Policy Subcategories". Similarly, "pnp_activity" & "audit_detailedtracking_tokenrightadjusted" contained "Detailed Tracking Audit Policy Subcategories" not "System Audit Policy Subcategories".
Third, there is a typo in the description of "security_system_extension".
Zero before this guid is missing.
@solind commented on Thu Mar 16 2017
Hi Sergey,
1) The name USER_DEVICE_CLAIMS comes from this page: https://msdn.microsoft.com/en-us/library/dd973928.aspx
2) I'm not sure what you mean by ordering of elements. Do you mean the order in the XSD doesn't correspond with the order in NTSecAPI.h? If so, that's largely irrelevant. We simply added "new" GUIDs to the bottom of the existing enumeration.
3) Good catch! We should fix the schema documentation.
@nomba commented on Thu Mar 16 2017
Thanks for the quick response.
About the first, I meant "auditeventpolicysubcategories_item" has two entities with the same GUID at the same time. Why? Maybe for backward compatibility? I think it's a bug.
About the second, if you look at the XSD schema, you will see comments like this:
Why do they exist? As far as I understand they present 9 audit categories. And I think the "new" GUIDs should be contained in the corresponding blocks.
@solind commented on Thu Mar 16 2017
Looks like @blakefrantz and I made a mistake adding a pre-existing GUID.
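
A schema lint for the two GUID problems raised in this thread (one GUID documented for two entities, and a GUID that lost its leading zero), added here as an example and not part of the OVAL project's code. It assumes each subcategory element states its GUID in its `xsd:documentation` text; the XSD fragment is constructed, and only the 0cce9247 GUID and the three entity names come from the thread.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XSD_NS = "{http://www.w3.org/2001/XMLSchema}"
# GUID-shaped token whose first group may be short (e.g. a dropped leading zero).
GUID_LIKE = re.compile(
    r"\b([0-9A-Fa-f]{1,8})(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")

# Constructed fragment. The AAAAAAA-... value is a placeholder with a 7-digit
# first group, standing in for the typo reported for security_system_extension.
SAMPLE_XSD = """\
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="auditeventpolicysubcategories_item">
    <xsd:complexType><xsd:sequence>
      <xsd:element name="logon_claims"><xsd:annotation><xsd:documentation>
        GUID in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030.
      </xsd:documentation></xsd:annotation></xsd:element>
      <xsd:element name="user_device_claims"><xsd:annotation><xsd:documentation>
        GUID in ntsecapi.h: 0CCE9247-69AE-11D9-BED3-505054503030.
      </xsd:documentation></xsd:annotation></xsd:element>
      <xsd:element name="security_system_extension"><xsd:annotation><xsd:documentation>
        GUID in ntsecapi.h: AAAAAAA-0000-0000-0000-000000000000.
      </xsd:documentation></xsd:annotation></xsd:element>
    </xsd:sequence></xsd:complexType>
  </xsd:element>
</xsd:schema>
"""

def lint_subcategory_guids(xsd_text):
    """Return (duplicates, malformed) for GUIDs found in element documentation."""
    root = ET.fromstring(xsd_text)
    by_guid = defaultdict(list)   # normalized GUID -> entity names documenting it
    malformed = []                # (entity name, GUID-like token of wrong length)
    for el in root.iter(XSD_NS + "element"):
        doc = el.find(f"{XSD_NS}annotation/{XSD_NS}documentation")
        if el.get("name") is None or doc is None or not doc.text:
            continue
        for m in GUID_LIKE.finditer(doc.text):
            guid = m.group(0).lower()  # GUIDs compare case-insensitively
            if len(m.group(1)) != 8:
                malformed.append((el.get("name"), guid))
            else:
                by_guid[guid].append(el.get("name"))
    duplicates = {g: names for g, names in by_guid.items() if len(names) > 1}
    return duplicates, malformed

if __name__ == "__main__":
    print(lint_subcategory_guids(SAMPLE_XSD))
```
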