Auditing ACL (Windows)

Module: File Attributes

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports a problem if auditing settings (or System ACLs) do not match the values in their associated template records.

The following table lists the error messages for the check.

Table: Error messages for Auditing ACL

Message String ID and Category	Platform and Message Numeric ID	Message Title and Description	Additional Information
String ID: ESMT_DIFFERENT_SACL_ENTRY Category: Policy Compliance	Windows 2000 (105540) Windows 2003 (205540) Windows 2008 (248540) Windows Vista (228540) Windows XP (200540)	Title: Different SACL entry Description:The current audit setting for the file does not match the File template setting. If the current setting is correct, manually update the template. If the setting is incorrect, change the file's auditing settings to match the template.	Severity: yellow-1 Correctable: false Snapshot Updatable: false Template Updatable: false Information Field Format: [%s]
String ID: ESMT_MISSING_SACL_ENTRY Category: Policy Compliance	Windows 2000 (105541) Windows 2003 (205541) Windows 2008 (248541) Windows Vista (228541) Windows XP (200541)	Title: Missing SACL entry Description:The file is not audited for the account that is specified in the Information field. If auditing should not be performed for this account, manually update the template. If it should be performed, change the file's auditing settings to match the template.	Severity: yellow-1 Correctable: false Snapshot Updatable: false Template Updatable: false Information Field Format: [%s]
String ID: ESMT_ADDITIONAL_SACL_ENTRY Category: Policy Compliance	Windows 2000 (105542) Windows 2003 (205542) Windows 2008 (248542) Windows Vista (228542) Windows XP (200542)	Title: Additional SACL entry Description:The file is being audited for an account that is not specified in the template. If auditing should be performed for this account, add the account to the template. If it should not be performed, remove the account from the file's auditing settings.	Severity: yellow-1 Correctable: false Snapshot Updatable: false Template Updatable: false Information Field Format: [%s]
String ID: ESMT_EVENT_LOG_INFO Category: Policy Compliance	Windows 2000 (105559) Windows 2003 (205559) Windows 2008 (248559) Windows Vista (228559) Windows XP (200559)	Title: File or folder Event Log Entry Description:An entry in the Security Audit Event Log occurred for this file or folder.	Severity: green-0 Correctable: false Snapshot Updatable: false Template Updatable: false Information Field Format: [%s]
String ID: ESMT_AUDIT_ACL_DISABLED_ACCOUNTS Category: Policy Compliance	Windows 2000 (105561) Windows 2003 (205561) Windows 2008 (248561) Windows Vista (228561) Windows XP (200561)	Title: Disabled Accounts in Auditing ACL Description:List of disabled accounts in Auditing ACL.	Severity: yellow-1 Correctable: false Snapshot Updatable: false Template Updatable: false Information Field Format: [%s]

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: ESMT_DIFFERENT_SACL_ENTRY

Category: Policy Compliance

Windows 2000 (105540)
Windows 2003 (205540)
Windows 2008 (248540)
Windows Vista (228540)
Windows XP (200540)

Title: Different SACL entry

Description:The current audit setting for the file does not match the File template setting. If the current setting is correct, manually update the template. If the setting is incorrect, change the file's auditing settings to match the template.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESMT_MISSING_SACL_ENTRY

Category: Policy Compliance

Windows 2000 (105541)
Windows 2003 (205541)
Windows 2008 (248541)
Windows Vista (228541)
Windows XP (200541)

Title: Missing SACL entry

Description:The file is not audited for the account that is specified in the Information field. If auditing should not be performed for this account, manually update the template. If it should be performed, change the file's auditing settings to match the template.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESMT_ADDITIONAL_SACL_ENTRY

Category: Policy Compliance

Windows 2000 (105542)
Windows 2003 (205542)
Windows 2008 (248542)
Windows Vista (228542)
Windows XP (200542)

Title: Additional SACL entry

Description:The file is being audited for an account that is not specified in the template. If auditing should be performed for this account, add the account to the template. If it should not be performed, remove the account from the file's auditing settings.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESMT_EVENT_LOG_INFO

Category: Policy Compliance

Windows 2000 (105559)
Windows 2003 (205559)
Windows 2008 (248559)
Windows Vista (228559)
Windows XP (200559)

Title: File or folder Event Log Entry

Description:An entry in the Security Audit Event Log occurred for this file or folder.

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESMT_AUDIT_ACL_DISABLED_ACCOUNTS

Category: Policy Compliance

Windows 2000 (105561)
Windows 2003 (205561)
Windows 2008 (248561)
Windows Vista (228561)
Windows XP (200561)

Title: Disabled Accounts in Auditing ACL

Description:List of disabled accounts in Auditing ACL.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]