
Custom Inventory Rule Question

Good morning!


I've just upgraded our SMA to 9.0.270 and have started to get more in-depth into our KACE products (also just upgraded our SDA to 6.0.425). So, the background: I'm looking to create a custom inventory rule that will check whether the registry values to disable SMB1 and to require security signatures exist within the registry, and return the values. I understand if another CIR to return the values is necessary and that's not an issue.

The reason for this is that I recently pushed out a script domain-wide after testing on a couple groups of servers and workstations for these changes. In case we get audited, I need to be able to create a report that shows these values exist within the registry. I technically have two CIRs since the registry keys are different for servers and workstations. Below is what I have so far; please correct my syntax if it is wrong.


Server CIR:

RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,SMB1,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,RequireSecuritySignature,NUMBER)


Workstation CIR:

RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation,DependOnService,TEXT) AND
RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters,RequireSecuritySignature,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10,Start,NUMBER)


I believe I already have the reports created to show the values of the registry entries via the report wizard, so I just need to be sure these CIRs will return the values.


Thanks for your time!



Answers (2)

Posted by: SMal.tmcc 5 years ago
Red Belt
2

Top Answer

OK, you are on the right track.

I would create 2 CIRs and not use the AND; that gives you 2 columns in your report that are separate for each entry. Easier to filter the report that way also.

Put a space after your commas.

See if the keys are in the 32 bit or 64 bit area of the registry. If they are in the 32 bit you are good; if they are in the 64 bit you need to use a trick.

Here is an example of how to retrieve 64 bit values (CIR check Intel ME vulnerability):

RegistryValueReturn(HKLM64\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status, System Risk, text)



Comments:
  • Thank you, SMal! Now, another quick question, would there be a way to get the CIRs to say "true" or "false" instead of the registry value?
    For example, I'd like the report to have the "CIR - Server - SMB1 Disabled" column read true or false for each server. - zmarkel 5 years ago
    • Yes

      RegistryValueEquals(registryPath, valueName, value)

      Please review page 466:
      "Evaluating device settings (Equals rules)" of the 9.0 Administrator's guide.

      Source:
      https://support.quest.com/download/downloads?id=6089094 - Channeler 5 years ago
Posted by: Channeler 5 years ago
Red Belt
1

Please review this:

https://support.quest.com/kace-systems-management-appliance/kb/118892/scripts-or-custom-inventory-rules-not-running-as-expected-on-x64-64-bit-clients

Also I'm not sure if 'RegistryValueReturn' is compatible with AND.... I don't recall seeing it returning several values at once.

I would use AND for something like:

FileVersionGreaterThan  AND

FileVersionLessThan


e.g.

FileVersionGreaterThan(C:\Program Files\Adobe\Acrobat\7.0\Acrobat\Acrobat.exe, 6.99)

AND

FileVersionLessThan(C:\Program Files\Adobe\Acrobat\7.0\Acrobat\Acrobat.exe, 8.00)


Or to check for a registry key and a registry entry value on a Windows device use AND to combine the rules as follows:

RegistryKeyExists(registryPath) 

AND 

RegistryValueEquals(registryPath, valueName, value)


What I'm saying is, AND is used to test conditions, not to return multiple values.

The Administrator's guide says:

"AND operator: All the rules must return true in order for the results to return true and report the application as an Installed Program\Registry Value Present."
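
A local spot check for the registry values these CIRs read, written in PowerShell as an added example (not part of the thread and not KACE code), useful for confirming on one machine what the true/false report columns should show. The expected values (SMB1 = 0, RequireSecuritySignature = 1, mrxsmb10 Start = 4, no MRxSmb10 entry in DependOnService) are assumptions taken from Microsoft's SMBv1 guidance, and the check names and the `Test-SmbHardening` function are hypothetical.

```powershell
# Added example: reads the registry paths from the question and reports
# true/false per setting. Expected values are assumptions (Microsoft SMBv1
# guidance), not values stated in the thread.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$checks = @(
    @{ Name = 'Server - SMB1 disabled'
       Path = "$svc\LanmanServer\Parameters";      Value = 'SMB1'
       Test = { $args[0] -eq 0 } }
    @{ Name = 'Server - signing required'
       Path = "$svc\LanmanServer\Parameters";      Value = 'RequireSecuritySignature'
       Test = { $args[0] -eq 1 } }
    @{ Name = 'Workstation - signing required'
       Path = "$svc\LanmanWorkstation\Parameters"; Value = 'RequireSecuritySignature'
       Test = { $args[0] -eq 1 } }
    @{ Name = 'Workstation - mrxsmb10 driver disabled'
       Path = "$svc\mrxsmb10";                     Value = 'Start'
       Test = { $args[0] -eq 4 } }
    @{ Name = 'Workstation - no MRxSmb10 dependency'
       Path = "$svc\LanmanWorkstation";            Value = 'DependOnService'
       # REG_MULTI_SZ comes back as a string array; -notcontains is case-insensitive
       Test = { $args[0] -notcontains 'MRxSmb10' } }
)

function Test-SmbHardening {
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $present = $null -ne $item
        $actual  = if ($present) { $item.($c.Value) } else { $null }

        [pscustomobject]@{
            Check     = $c.Name
            Present   = $present
            Actual    = if ($present) { $actual -join ',' } else { '<missing>' }
            # A missing value is flagged for review rather than assumed safe
            Compliant = $present -and [bool](& $c.Test $actual)
        }
    }
}

Test-SmbHardening | Format-Table -AutoSize
```

Each row corresponds to one single-purpose CIR, which is the one-rule-per-column layout recommended in the first answer.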
