1 Reply Latest reply on May 18, 2010 3:05 PM by arocker

    Policy Auditor - Creating a new check using check builder

      I am trying to create a new check that would verify if a specific registry key exists.

       

      When I click on new check, the check builder appears. I enter the name for the check, specify the platform (Windows) and the labels (registrysettings). On the select primitives page I select Windows registry key existence check, and on the following page I enter the information for the key I want to verify:

      Hive equals: HKEY_LOCAL_MACHINE

      Parameter equals: SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash

      SSLCertificateSHA1Hash is the key I want to verify exists.

       

      When I run my check, regardless of whether the key is present on a system or not, I get a failed result.

       

      Any ideas on what I am doing wrong?

      Any help would be greatly appreciated.

       

      Yves

        • 1. Re: Policy Auditor - Creating a new check using check builder

          Hello Yves,

           

          I've used this primitive several times, and followed the same process you outlined below. It has always seemed to work, unless I used a bad RegEx or misspelled the name of the key.

           

          If you look in the System Rules - Failed section of the Audit results, and then click on the link labeled "failed" under Results, it may provide a bit more information. You may also try creating the check but not specifying a platform or label.

           

          One last suggestion would be to export the check, then run the Check.xml you've exported using the Policy Auditor CLI, i.e. engineMain.exe -m oval -i Check.xml -f -o results.xml

           

          Enginemain is found in the ..\Policy Auditor Agent\Engine directory. The results.xml will provide some debug-level output on the execution of the check, which may help you figure out which part of the check is causing the 'fail' result.

           

          Hope that helps!
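
Alongside the debug output suggested in the reply, it can help to confirm on the endpoint what the path typed into the check builder actually resolves to, because a lookup that expects a registry key will not find a path whose last segment is a value stored inside a key. The PowerShell below is an added example, not part of the original thread and not Policy Auditor code; the function name Test-RegistryPath is hypothetical, and the hive and path are the ones from the question.

```powershell
# Added example (not from the thread): report whether a registry path is a
# key, a value inside a key, or missing. Test-RegistryPath is a hypothetical name.
function Test-RegistryPath {
    param(
        [Parameter(Mandatory)][string]$Hive,  # e.g. HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)][string]$Path   # path exactly as typed into the check
    )
    $Path = $Path.Trim('\')

    # Case 1: the full path is itself a key.
    if (Test-Path -LiteralPath "Registry::$Hive\$Path") {
        return [pscustomobject]@{ Kind = 'Key'; Key = $Path; Name = $null; Type = $null }
    }

    # Case 2: the last segment may be a value name under the parent key.
    $cut = $Path.LastIndexOf('\')
    if ($cut -gt 0) {
        $parent = $Path.Substring(0, $cut)
        $leaf   = $Path.Substring($cut + 1)
        $key = Get-Item -LiteralPath "Registry::$Hive\$parent" -ErrorAction SilentlyContinue
        # -contains is case-insensitive, matching how registry value names behave.
        if ($key -and ($key.GetValueNames() -contains $leaf)) {
            return [pscustomobject]@{
                Kind = 'Value'; Key = $parent; Name = $leaf
                Type = $key.GetValueKind($leaf)
            }
        }
    }

    # Case 3: neither a key nor a value exists at this path.
    [pscustomobject]@{ Kind = 'Missing'; Key = $Path; Name = $null; Type = $null }
}

# The hive and path from the question above.
Test-RegistryPath -Hive 'HKEY_LOCAL_MACHINE' `
    -Path 'SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash'
```

A result of Kind = Value means the last segment is data stored inside the RDP-Tcp key rather than a key of its own; Kind = Missing on a machine where the setting is expected points to a misspelled path or a different control set.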