Trying to audit with a rule that must iterate through all user profiles who have logged in to Windows?
Here's a tip that should make your day.
Version: 3.4, 4.0
Recently when customizing a .sif file to create a Windows Server 2003 security baseline audit, I spent hours trying to figure out why a particular rule would not iterate all NTUSER.DAT files. I followed the instructions in the User Guide with Documentation Date of February 28, 2007 on page 315 in section "Use an Iterator to Audit all Registry Profiles on Remote Systems" and in the Altiris Knowledgebase BUT the audit would not "iterate over all the NTUSER.DAT files that exist on the system" (Altiris, Inc., 2007) as documented. The audit only found the .default Windows user profile.
I stumbled upon a solution playing when editing the rule with various parameter changes such as IterateKey, IterateType, and Expand. Then just happened to remove the asterisk(*) in the USERS parameter.
I found leaving the USERS parameter blank with no asterisk solved the issue perfectly and the rule iterated over all users that had logged on to that server. The final result: leave the parameter as USERS=
Here is a modified example Rule that allowed my audit to iterate all accounts:
[Rule:Account Iterator] Description=All profiles iterator IterateType=ProfileList ( Iterate over all the NTUSER.DAT files that exist on the system) IterateKey=Account (On each Iteration, set the Account key in the Registry rule to the account name that has a profile) Expand=Iteration (For each loop produce one result from all the rules executed that contain the consolidated output for the user profile Users= (NO ASTERISK as the guide instructs) Rules=Policy Perms (A comma-separated list of rules to execute for each iteration) Check=List
There doesn't seem to be a great deal of discussion around modifying or even creating .sif files in the SecurityExpressions product.
Hopefully this quick Tech Tip will allow you to Iterate to your hearts content.
References: Altiris, Inc. (2007). SecurityExpressions Console User's Guide. Retrieved on March 11, 2008 from http://www.altiris.com/upload/securityexpressions_...