IBM Tivoli and Cisco Rule results, Rule format, Checking for ZoneAlarm installation directory

Models: Tivoli and Cisco


There are some limitations on numeric context evaluations. The collector initially receives all values from the underlying utilities as strings. For example, even though the registry type might be REG_DWORD and the value is set to 0x00000630, the collector will receive this value as the string 1584. Numeric checks are only run if both the value in the registry and the value in the rule can be converted to a 32-bit integer. All operators require a rule value for comparison except the two existence operators: * (is set) and <> (not set).

Rule results

All rules require a rule result. The rule result indicates what status should be set for the registry value data element. The rule result should be one of the following:

• PASS
• WARN
• FAIL

If the rule value is either WARN or FAIL, then the VALUE_DATA_WF workflow will be associated with the check. If a value was detected, the current_values attribute of the workflow will be set to the detected value. The workflow will also have the attribute key set to the parameter value of the KEY parameter and the attribute value set to the parameter value of the VALUE parameter. If the rule result is set to something other than PASS, WARN or FAIL, errors may occur. If no rule result is provided, the parameter value of the DEFAULT_RULE parameter is used. If the DEFAULT_RULE parameter is not set, the Registry Value Data element defaults to PASS.

Rule format

The format of a rule is:

[operator][space][rule value][semicolon][{PASS|WARN|FAIL}]

For example:

= 100;PASS

This means that if the value of the key is numerically equal to 100, the status of the check is passed.
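The rule format, rule results and numeric limitation described above, as an added Python sketch (not code from the manual or the product). It covers only the three operators named on this page (=, * and <>). Reading "32-bit integer" as signed, parsing decimal only, writing existence rules without a rule value, and returning None when a rule does not match are assumptions of this sketch.

```python
RESULTS = ("PASS", "WARN", "FAIL")
OPERATORS = ("=", "*", "<>")  # only the operators named on this page


def to_int32(text):
    """Convert a string to an integer, or None if it does not fit.

    Assumption: "32-bit integer" means signed, and input is decimal.
    """
    try:
        number = int(text.strip(), 10)
    except (ValueError, AttributeError):
        return None
    return number if -2**31 <= number < 2**31 else None


def parse_rule(rule, default_rule=None):
    """Split '[operator] [rule value];[result]' into its three parts."""
    body, _, result = rule.partition(";")
    # No rule result: fall back to DEFAULT_RULE, then to PASS.
    result = result.strip() or default_rule or "PASS"
    if result not in RESULTS:
        # The manual only says "errors may occur"; this sketch rejects it.
        raise ValueError("rule result must be PASS, WARN or FAIL: %r" % result)
    operator, _, value = body.partition(" ")
    if operator not in OPERATORS:
        raise ValueError("unsupported operator: %r" % operator)
    if operator == "=" and not value:
        raise ValueError("operator = requires a rule value")
    return operator, value, result


def evaluate(rule, detected, default_rule=None):
    """Return the rule result if the rule matches, else None.

    detected is the registry value as the collector receives it (a string),
    or None when the value is not set.
    """
    operator, value, result = parse_rule(rule, default_rule)
    if operator == "*":        # existence: value is set
        matched = detected is not None
    elif operator == "<>":     # existence: value is not set
        matched = detected is None
    else:                      # numeric check runs only if both sides convert
        left, right = to_int32(detected), to_int32(value)
        matched = left is not None and right is not None and left == right
    return result if matched else None
```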

Below we discuss a few examples.

Checking for ZoneAlarm installation directory

If you want to check whether the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm has a value named InstallDirectory, provide the following parameters:

• KEY equal to HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm.

Chapter 6. Compliance subsystem implementation
