IBM Tivoli and Cisco User Manual page 193

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

There are some limitations on numeric context evaluations. The collector initially
receives all values from the underlying utilities as strings. For example, even
though the registry type might be REG_DWORD and the value is set to
0x00000630, the collector will receive this value as the string 1584. Numeric
checks are only run if both the value in the registry and the value in the rule can
be converted to a 32-bit integer. All operators require a rule value for comparison
except the two existence operators: * (is set) and <> (not set).
Rule results
All rules require a rule result. The rule result indicates what status should be set
for the registry value data element. The rule result should be one of the following:
PASS
WARN
FAIL
If the rule result is either WARN or FAIL, then the VALUE_DATA_WF workflow
will be associated with the check. If a value was detected, the current_values
attribute of the workflow will be set to the detected value. The workflow will also
have the attribute key set to the parameter value of the KEY parameter and the
attribute value set to the parameter value of the VALUE parameter. If the rule
result is set to something other than PASS, WARN or FAIL, errors may occur. If
no rule result is provided, the parameter value of the DEFAULT_RULE
parameter is used. If the DEFAULT_RULE parameter is not set, the Registry
Value Data element defaults to PASS.
Rule format
The format of a rule is:
[operator][space][rule value][semicolon][{PASS | WARN | FAIL}]
For example:
= 100;PASS
Meaning that if the value of the key is equal numerically to 100, the status of the
check is passed.
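The rule format and the numeric-evaluation limits described above can be modelled as follows. This is an added example, not IBM's collector code: the function names are hypothetical, only the three operators named on this page are implemented, and three behaviours are assumptions (decimal-only conversion, a signed 32-bit range, and returning None when a rule does not match).

```python
VALID_RESULTS = ("PASS", "WARN", "FAIL")
EXISTENCE_OPS = ("*", "<>")  # "is set" / "not set": no rule value required

def to_int32(text):
    """Return text as an int if it fits in 32 bits, else None (assumed: decimal, signed)."""
    try:
        number = int(text.strip(), 10)
    except (AttributeError, ValueError):
        return None
    return number if -2**31 <= number <= 2**31 - 1 else None

def parse_rule(rule, default_rule=None):
    """Split '[operator] [rule value];[result]' into (operator, rule value, result)."""
    body, _, result = rule.partition(";")
    # No result in the rule: use DEFAULT_RULE, and PASS if that is not set either.
    result = result.strip() or default_rule or "PASS"
    if result not in VALID_RESULTS:
        raise ValueError(f"rule result must be PASS, WARN or FAIL, got {result!r}")
    operator, _, rule_value = body.strip().partition(" ")
    rule_value = rule_value.strip()
    if operator not in EXISTENCE_OPS and not rule_value:
        raise ValueError(f"operator {operator!r} needs a rule value")
    return operator, rule_value, result

def evaluate(rule, collected, default_rule=None):
    """Return the rule result if the rule matches, else None (assumed behaviour).

    collected is the string the collector received, or None if the value is not set.
    """
    operator, rule_value, result = parse_rule(rule, default_rule)
    if operator == "*":
        matched = collected is not None
    elif operator == "<>":
        matched = collected is None
    elif operator == "=":
        left, right = to_int32(collected), to_int32(rule_value)
        # The numeric check only runs when both sides convert to a 32-bit integer.
        matched = left is not None and right is not None and left == right
    else:
        raise ValueError(f"operator {operator!r} is not covered by this example")
    return result if matched else None

def workflow_for(result, key, value_name, collected):
    """Build the VALUE_DATA_WF attributes attached on WARN or FAIL, else None."""
    if result not in ("WARN", "FAIL"):
        return None
    workflow = {"workflow": "VALUE_DATA_WF", "key": key, "value": value_name}
    if collected is not None:
        workflow["current_values"] = collected
    return workflow
```

Under these assumptions, a rule written as = 0x00000630;FAIL never matches the collected string 1584, while = 1584;FAIL does, so rule values are best written in the decimal form the collector receives.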
Below we discuss a few examples.
Checking for ZoneAlarm installation directory
If you want to check whether the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm contains a value
named InstallDirectory, provide the following parameters:
KEY equal to HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm.
Chapter 6. Compliance subsystem implementation