win_lgpo: read/write advanced audit policy via advapi32, not auditpol.exe

changelog/68354.fixed.md

@@ -0,0 +1 @@
+Windows LGPO / audit policy: Advanced audit policy is now read and applied through the Windows security API (AuditQuerySystemPolicy / AuditSetSystemPolicy) instead of parsing auditpol.exe output, so behavior no longer depends on the system locale.

salt/modules/win_auditpol.py

@@ -9,7 +9,12 @@
 .. versionadded:: 2019.2.1
 
 This module allows you to view and modify the audit settings as they are applied
-on the machine. The audit settings are broken down into nine categories:
+on the machine. Implementation uses the ``auditpol`` execution utility
+(``__utils__['auditpol']``), which reads and writes policy through Windows
+``advapi32`` audit APIs with English subcategory names, independent of the host
+display language.
+
+The audit settings are broken down into nine categories:
 
 - Account Logon
 - Account Management
@@ -95,11 +100,13 @@ def get_settings(category="All"):
 
     Returns:
         dict: A dictionary containing all subcategories for the specified
-            category along with their current configuration
+            category along with their current configuration (English names and
+            value labels).
 
     Raises:
         KeyError: On invalid category
         CommandExecutionError: If an error is encountered retrieving the settings
+            from the underlying Windows API.
 
     CLI Example:
 
@@ -128,6 +135,7 @@ def get_setting(name):
     Raises:
         KeyError: On invalid setting name
         CommandExecutionError: If an error is encountered retrieving the settings
+            from the underlying Windows API.
 
     CLI Example:
 
@@ -162,6 +170,7 @@ def set_setting(name, value):
     Raises:
         KeyError: On invalid ``name`` or ``value``
         CommandExecutionError: If an error is encountered modifying the setting
+            (for example insufficient privilege for ``AuditSetSystemPolicy``).
 
     CLI Example:
 

salt/modules/win_lgpo.py

@@ -318,9 +318,9 @@ class _policy_info:
     AdvAudit Mechanism
     ------------------
 
-    The Advanced Audit Policies are configured using a combination of the
-    auditpol command-line utility and modifying the audit.csv file in two
-    locations. The value of this key is a dict with the following make-up:
+    The Advanced Audit Policies are configured using the Windows security APIs
+    (via Salt's ``auditpol`` execution utility) and modifying the audit.csv file
+    in two locations. The value of this key is a dict with the following make-up:
 
     ======  ===================================
     Key     Value
@@ -5375,6 +5375,15 @@ def _get_advaudit_defaults(option=None):
     configurable policies as keys. The values are used to create/modify the
     ``audit.csv`` file. The first entry is `fieldnames` used to create the
     header for the csv file. The rest of the entries are the audit policy names.
+
+    Row templates are built from ``__utils__['auditpol.get_advaudit_policy_rows']()``,
+    which uses Windows ``AuditQuerySystemPolicy`` and English metadata (not
+    ``auditpol /backup``), so defaults stay consistent on non-English Windows.
+    Those templates are still used to **create or update** the machine's
+    ``audit.csv`` files (see ``_advaudit_check_csv`` / ``_set_advaudit_file_data``);
+    only the source of the default *content* changed, not LGPO's use of
+    ``audit.csv`` on disk.
+
     Sample data follows:
 
     {
@@ -5413,8 +5422,9 @@ def _get_advaudit_defaults(option=None):
     }
 
     .. note::
-        `Auditpol Name` designates the value to use when setting the value with
-        the auditpol command
+        ``Auditpol Name`` is the English subcategory string passed to
+        ``__utils__['auditpol.set_setting']``, which applies policy via
+        ``AuditSetSystemPolicy`` (not ``auditpol.exe``).
 
     Args:
         option (str): The item from the dictionary to return. If ``None`` the
@@ -5427,11 +5437,10 @@ def _get_advaudit_defaults(option=None):
     if "lgpo.audit_defaults" not in __context__:
         # Get available setting names and GUIDs
         # This is used to get the fieldnames and GUIDs for individual policies
-        log.debug("Loading auditpol defaults into __context__")
-        dump = __utils__["auditpol.get_auditpol_dump"]()
-        reader = csv.DictReader(dump)
-        audit_defaults = {"fieldnames": reader.fieldnames}
-        for row in reader:
+        log.debug("Loading advanced audit defaults into __context__")
+        rows = __utils__["auditpol.get_advaudit_policy_rows"]()
+        audit_defaults = {"fieldnames": list(rows[0].keys())}
+        for row in rows:
             row["Machine Name"] = ""
             row["Auditpol Name"] = row["Subcategory"]
             # Special handling for snowflake scenarios where the audit.csv names
@@ -5643,7 +5652,10 @@ def _set_advaudit_pol_data(option, value):
     """
     Helper function that updates the current applied settings to match what has
     just been set in the audit.csv files. We're doing it this way instead of
-    running `gpupdate`
+    running `gpupdate`.
+
+    Calls ``__utils__['auditpol.set_setting']``, which uses Windows
+    ``AuditSetSystemPolicy`` (not ``auditpol.exe``).
 
     Args:
         option (str): The name of the option to set
@@ -5673,7 +5685,8 @@ def _set_advaudit_value(option, value):
     C:\\Windows\\Security\\Audit\\audit.csv
     C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit\\audit.csv
 
-    Then it applies those settings using ``auditpol``
+    Then it applies those settings using ``__utils__['auditpol.set_setting']``
+    (native ``AuditSetSystemPolicy``).
 
     After that, it updates ``__context__`` with the new setting