Custom Inventory Rule Question
I've just upgraded our SMA to 9.0.270 and have started to get more in-depth into our KACE products (also just upgraded our SDA to 6.0.425). So, the background: I'm looking to create a custom inventory rule that will check whether the registry values to disable SMB1 and to require security signatures exist within the registry, and return the values. I understand if another CIR to return the values is necessary, and that's not an issue.
The reason for this is that I recently pushed out a script domain-wide after testing on a couple groups of servers and workstations for these changes. In case we get audited, I need to be able to create a report that shows these values exist within the registry. I technically have two CIRs since the registry keys are different for servers and workstations. Below is what I have so far; please correct my syntax if it is wrong.
RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,SMB1,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,RequireSecuritySignature,NUMBER)
RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation,DependOnService,TEXT) AND
RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters,RequireSecuritySignature,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10,Start,NUMBER)
I believe I already have the reports created to show the values of the registry entries via the report wizard, so I just need to be sure these CIRs will return the values.
Thanks for your time!
OK you are on the right track.
I would create 2 CIRs and not use the AND; that gives you 2 columns in your report that are separate for each entry. Easier to filter the report that way also.
Put a space after your commas.
See if the keys are in the 32-bit or 64-bit area of the registry. If they are in the 32-bit area you are good; if they are in the 64-bit area you need to use a trick.
Here is an example of how to retrieve 64-bit values (CIR to check the Intel ME vulnerability):
RegistryValueReturn(HKLM64\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status, System Risk, text)
Please review this:
Also I'm not sure if 'RegistryValueReturn' is compatible with AND.... I don't recall seeing it returning several values at once.
I would use AND for something like:
FileVersionGreaterThan(C:\Program Files\Adobe\Acrobat\7.0\Acrobat\Acrobat.exe, 6.99)
Or to check for a registry key and a registry entry value on a Windows device use AND to combine the rules as
RegistryValueEquals(registryPath, valueName, value)
What I'm saying is, AND is used to test conditions, not to return multiple values.
The Administrators guide says:
"AND operator: All the rules must return true in order for the results to return true and report the application
as an Installed Program\Registry Value Present."
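To check what the CIRs discussed in this thread should report, the same values can be read locally on a test server or workstation and compared with the inventory results. The PowerShell below is an added example, not part of the original posts or of KACE's own tooling; the registry paths and value names are the ones from the question, and the output column names are chosen here for illustration.

```powershell
# Added example: read the SMB hardening values named in the question so the
# CIR results in inventory can be compared against a known machine.
$checks = @(
    # Server-side settings
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      ValueName = 'SMB1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      ValueName = 'RequireSecuritySignature' }
    # Workstation-side settings
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation';            ValueName = 'DependOnService' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; ValueName = 'RequireSecuritySignature' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                     ValueName = 'Start' }
)

$results = foreach ($check in $checks) {
    # A missing key or a missing value both come back as $null here.
    $item = Get-ItemProperty -Path $check.Path -Name $check.ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $data = '<not set>'
    }
    else {
        $raw = $item.($check.ValueName)
        # DependOnService is a multi-string value; flatten it to one line for the report.
        $data = if ($raw -is [array]) { $raw -join ', ' } else { $raw }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Key      = $check.Path
        Value    = $check.ValueName
        Data     = $data
    }
}

# One row per value, mirroring the "one CIR per value" layout suggested above.
$results | Format-Table -AutoSize
```

A row showing `<not set>` means the value is absent on that machine, which is the case to watch for when a CIR comes back empty in the report.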