DUMPSEC - audit policy titles


  • DUMPSEC - audit policy titles

    When looking at the LOCAL security settings on a server (AUDIT) I see the following policies listed:
    Account log-on events
    Account management events
    Log-on events
    Object access
    Policy change
    Privilege use
    System events

    When I run a report (command line) from DUMPSEC I get the following policies listed:
    Restart and Shutdown
    Logon and Logoff
    File/Object Access
    Use of User Right
    Process Tracking
    Security Policy Changes
    User/Group Management
    Directory Service Access
    Privileged Account Logon

    I'm trying to make a one to one comparison so I can properly report the audit settings.

    I came up with:

    File/Object Access >>>> Object access
    Security Policy Changes >>>> Policy change
    Privileged Account Logon >>>> Privilege use
    User/Group Management >>>> Account management events

    So, if the above is correct, what do:
    Account log-on events
    System events
    Log-on events
    map to from DUMPSEC?


  • #2
    Re: DUMPSEC - audit policy titles

    There are nine (9) audit settings, which you can see in Hyena when you right click on a computer and select the Policy... properties dialog. I don't know what other utility you are looking at but DumpSec reports the same policy settings as Hyena. If you are looking at another GUI, you would have to enable/disable the settings to determine for sure which setting the output is referring to, but the descriptions should make this fairly easy to map out.

    The results of the Microsoft function used are here:
    Kevin Stanush
    SystemTools Software Inc.


    • #3
      Re: DUMPSEC - audit policy titles

      Thank you. Based on that MSDN article I was able to map the DumpSec report to the Local Security Policy as shown in the MMC.

      [This message has been edited by cmor1701d (edited 01-09-2007).]


      • #4
        Re: DUMPSEC - audit policy titles

        I think you might have a couple switched. Here is the DumpSec mapping to the Microsoft function results:

        case AuditCategoryLogon = Logon and Logoff
        case AuditCategoryObjectAccess = File/Object Access
        case AuditCategoryPrivilegeUse = Use of User Right
        case AuditCategoryAccountManagement = User/Group Management
        case AuditCategoryPolicyChange = Security Policy Changes
        case AuditCategorySystem = Restart and Shutdown
        case AuditCategoryDetailedTracking = Process Tracking
        case AuditCategoryDirectoryServiceAccess = Directory Service Access
        case AuditCategoryAccountLogon : pszName = Privileged Account Logon
        Kevin Stanush
        SystemTools Software Inc.
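
An added example (not part of the thread, and not DumpSec or SystemTools code): the mapping from post #4 held as a table and extended with the Local Security Policy titles, then used to check the pairings proposed in the first post and to look up the three titles it asks about. The third-column "Audit ..." titles (standard English MMC wording) and all helper names are assumptions of this example.

```python
import re

# (DumpSec report label, POLICY_AUDIT_EVENT_TYPE name, Local Security Policy title)
# Columns 1-2 come from post #4; column 3 is an assumption of this example:
# the standard English "Audit ..." titles shown in the Local Security Policy MMC.
AUDIT_MAP = [
    ("Restart and Shutdown", "AuditCategorySystem", "Audit system events"),
    ("Logon and Logoff", "AuditCategoryLogon", "Audit logon events"),
    ("File/Object Access", "AuditCategoryObjectAccess", "Audit object access"),
    ("Use of User Right", "AuditCategoryPrivilegeUse", "Audit privilege use"),
    ("Process Tracking", "AuditCategoryDetailedTracking", "Audit process tracking"),
    ("Security Policy Changes", "AuditCategoryPolicyChange", "Audit policy change"),
    ("User/Group Management", "AuditCategoryAccountManagement", "Audit account management"),
    ("Directory Service Access", "AuditCategoryDirectoryServiceAccess",
     "Audit directory service access"),
    ("Privileged Account Logon", "AuditCategoryAccountLogon", "Audit account logon events"),
]

def norm(title):
    """Comparison key that ignores case, hyphens, 'Audit' and 'events'."""
    words = re.sub(r"[^a-z ]", "", title.lower()).split()
    return " ".join(w for w in words if w not in ("audit", "events"))

BY_DUMPSEC = {norm(d): (d, e, p) for d, e, p in AUDIT_MAP}
BY_POLICY = {norm(p): (d, e, p) for d, e, p in AUDIT_MAP}

def policy_for(dumpsec_label):
    """Local Security Policy title for a DumpSec report label."""
    return BY_DUMPSEC[norm(dumpsec_label)][2]

def dumpsec_for(policy_title):
    """DumpSec report label for a Local Security Policy title."""
    return BY_POLICY[norm(policy_title)][0]

def check_pairs(pairs):
    """Return (dumpsec_label, claimed, correct_title) for each wrong pairing."""
    return [(label, claimed, policy_for(label)) for label, claimed in pairs
            if norm(claimed) != norm(policy_for(label))]

# Pairings proposed in post #1.
PROPOSED = [
    ("File/Object Access", "Object access"),
    ("Security Policy Changes", "Policy change"),
    ("Privileged Account Logon", "Privilege use"),
    ("User/Group Management", "Account management events"),
]

if __name__ == "__main__":
    for label, claimed, correct in check_pairs(PROPOSED):
        print(f"{label!r} is not {claimed!r}; it is {correct!r}")
    for title in ("Account log-on events", "System events", "Log-on events"):
        print(f"{title} <- {dumpsec_for(title)}")
```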