3.2.5 Message Processing Events and Sequencing Rules

The audit configuration protocol client-side extension MUST be invoked by the Group Policy framework whenever applicable GPOs need to be processed, as specified in [MS-GPOL] section 3.2.5.1. On such an event, the audit configuration protocol client-side plug-in MUST take the actions described in this section.

When invoked, the audit configuration protocol client-side plug-in expects a list of applicable GPOs in the "New or changed GPOs" parameter. It MUST then go through this list and, for each GPO, locate and retrieve the contained advanced audit policy. For each of those GPOs, one file with the format (as specified in section 2.2) MUST be copied from the Group Policy: Core Protocol server. If any file cannot be read, the plug-in MUST log information about the failure and continue to copy files for other GPOs.

For each GPO, the advanced audit policy configuration client-side plug-in MUST generate the following file access sequences to copy the file locally:

Sequence                          Description
File Open from Client to Server   The plug-in MUST attempt to open the file specified by <scoped gpo path>\Microsoft\Windows NT\Audit\audit.csv.
File Read Sequences               One or more file reads MUST be done to read the entire content of the opened file or until an error occurs.
File Close                        A file close operation MUST be performed.

The file MUST be parsed according to the format specified in section 2.2. If the file does not conform to that format, the entire configuration operation MUST be ignored. If the file does conform to that format, the settings MUST be applied to the corresponding audit parameters on the system.

After all the advanced audit policies are retrieved, each policy MUST be opened and the contained advanced audit policy settings MUST be extracted and applied for each ADM element corresponding to section 2.2.

When reading the advanced audit policy configuration file, the client-side extension follows the logical flow described below. The rules are evaluated in the order given: a row whose "Policy Target" is empty is routed to the global SACL variables first, then to the audit options.

If the "Policy Target" column value is empty AND if the "Subcategory" column value indicates FileGlobalSacl, process the "Setting Value" column value in the following way:

  • Convert the "Setting Value" column value into a security descriptor based on the format defined in [MSDN-SDDL].

  • For each Audit Access Control Entry (ACE) in the SACL of the security descriptor extracted in the previous step, add it to the FileGlobalSacl ADM variable if it doesn't already exist.

If the "Policy Target" column value is empty AND if the "Subcategory" column value indicates RegistryGlobalSacl, process the "Setting Value" column value in the following way:

  • Convert the "Setting Value" column value into a security descriptor based on the format defined in [MSDN-SDDL].

  • For each Audit Access Control Entry (ACE) in the SACL of the security descriptor extracted in the previous step, add it to the RegistryGlobalSacl ADM variable if it doesn't already exist.<7>

If the "Policy Target" column value is empty, then verify that the "Subcategory" column value is one of those specified in section 2.2.2.1, Audit Option Type. Once verified, store the "Setting Value" column value in the AuditOptionValue field of the corresponding AuditOptionType in the Audit Options ADM variable as specified in section 3.2.1.1.

If the "Exclusion Setting" column value is empty, then verify that the "Subcategory GUID" column value is one of those specified in Subcategory and SubcategoryGUID (section 2.2.1.2). Once verified, store the "Setting Value" column value in the audit setting value field of the corresponding subcategory GUID in the System Advanced Audit Policy ADM variable as specified in section 3.2.1.1.

If both the "Policy Target" and the "Exclusion Setting" column values are not empty, then verify that the "Subcategory GUID" column value is one of those specified in Subcategory and SubcategoryGUID (section 2.2.1.2). Once verified, for the user identified by the "Policy Target" column value, store the "Setting Value" column value in the audit setting value field of the corresponding subcategory GUID in the Per-User Advanced Audit Policy ADM variable as specified in section 3.2.1.1.
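The routing rules above, as an added illustration that is not part of the specification: a parser that applies each rule to constructed audit.csv rows and fills the five ADM variables, and a loader that discards the whole configuration when a row fails verification (the section 3.2.5 behaviour for a non-conforming file). The column names, the abbreviated audit option and subcategory GUID lists, the SDDL ACE extraction and the sample rows are all assumptions made for this example, not values taken from this page.

```python
import csv
import io
import re

# Assumed column layout of audit.csv (section 2.2 is not reproduced on this page).
# Abbreviated stand-ins for the section 2.2.2.1 and 2.2.1.2 lists (assumed).
AUDIT_OPTION_TYPES = {"CrashOnAuditFail", "FullPrivilegeAuditing",
                      "AuditBaseObjects", "AuditBaseDirectories"}
SUBCATEGORY_GUIDS = {"{0CCE9215-69AE-11D9-BED3-505054503030}",   # Audit Logon
                     "{0CCE9216-69AE-11D9-BED3-505054503030}"}   # Audit Logoff

def sacl_audit_aces(sddl):
    """Return the audit (AU) ACE strings found after the S: marker of an SDDL string.
    Simplified SACL extraction; a full SDDL parser is not needed for this flow."""
    idx = sddl.find("S:")
    if idx < 0:
        return []
    aces = re.findall(r"\(([^)]*)\)", sddl[idx + 2:])
    return [ace for ace in aces if ace.split(";")[0] == "AU"]

def parse_audit_csv(text):
    """Apply the section 3.2.5 routing rules row by row; raise ValueError on a row
    that fails the 'verify' step so the caller can ignore the whole file."""
    adm = {"FileGlobalSacl": [], "RegistryGlobalSacl": [], "AuditOptions": {},
           "SystemAdvancedAuditPolicy": {}, "PerUserAdvancedAuditPolicy": {}}
    for row in csv.DictReader(io.StringIO(text)):
        target, sub = row["Policy Target"], row["Subcategory"]
        guid, exclusion, value = row["Subcategory GUID"], row["Exclusion Setting"], row["Setting Value"]
        if target == "" and sub in ("FileGlobalSacl", "RegistryGlobalSacl"):
            for ace in sacl_audit_aces(value):        # add each audit ACE once
                if ace not in adm[sub]:
                    adm[sub].append(ace)
        elif target == "":                             # audit option row
            if sub not in AUDIT_OPTION_TYPES:
                raise ValueError("unknown audit option type: %r" % sub)
            adm["AuditOptions"][sub] = value
        elif exclusion == "":                          # system-wide subcategory row
            if guid not in SUBCATEGORY_GUIDS:
                raise ValueError("unknown subcategory GUID: %r" % guid)
            adm["SystemAdvancedAuditPolicy"][guid] = value
        else:                                          # both target and exclusion set: per-user row
            if guid not in SUBCATEGORY_GUIDS:
                raise ValueError("unknown subcategory GUID: %r" % guid)
            adm["PerUserAdvancedAuditPolicy"].setdefault(target, {})[guid] = value
    return adm

def load_policy(text):
    """A non-conforming file means the entire configuration operation is ignored."""
    try:
        return parse_audit_csv(text)
    except (ValueError, KeyError):
        return None

# Constructed sample rows (not from a real system).
SAMPLE = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
,S-1-5-21-1-2-3-1001,Audit Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,Failure,1
,,CrashOnAuditFail,,Enabled,,1
,,FileGlobalSacl,,,,S:(AU;SA;FA;;;WD)(AU;SA;FA;;;WD)(AU;FA;FA;;;BA)
"""
```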