How to use Regular expressions for LIST fields in complex checks for Windows Standards in CCS 11.0 with SCU 2014-2 or later
Last Updated October 07, 2014
A new check algorithm class ListFieldPermissionsRegex is added in SCU 2014-2. This algorithm can be used for all the list fields in Windows checks to enable the use of regular expressions in the parameters of a check to evaluate collected data based on required patterns.
To edit an existing complex check to allow using regular expressions:
1. In CCS Standard Manager, go to any complex check from any of the Windows standards that uses List fields in its logic. For example, the "User Right for Replacing Process Level Tokens Restricted?" check from the “User Rights” section of the “US Federal Desktop Core Configuration Standard (FDCC) V1.0.1 for Windows Vista” standard.
2. Copy this check and paste it into a new custom standard in Standard Manager.
3. Export the custom standard to an XML file in a known location on the CCS Console machine.
4. Open the XML file in an editor and locate the Procedure Reference tag for this specific check. Change the procedure value from the existing
   Symantec.CSM.WindowsPlatformContent.ListFieldChecks.dll;Symantec.CSM.WindowsPlatformContent.ListFieldChecks.ListFieldPermissions
   to
   Symantec.CSM.WindowsPlatformContent.ListFieldChecks.dll;Symantec.CSM.WindowsPlatformContent.ListFieldChecks.ListFieldPermissionsRegex
5. Save the XML file and then import the changed standard back into CCS Standard Manager.
6. In the GUI, select the check in the newly imported standard. On the Parameters tab in the bottom panel, you can now set the Key field to a regular expression rather than just delimited values. Once this change is made to the XML file, the data in the Key field must be specified in regular expression format.
You can also change the values of the other parameters as needed, but those remain normal fields.
Note: The regular expression should ideally identify a single, unique data record in the data collected for the scoped target. A regular expression that describes a generic pattern and therefore matches multiple strings may result in unpredictable and inaccurate check evaluation outcomes.
An invalid regular expression causes check evaluation to fail, and the check is evaluated as Unknown. The evidence generated in this case specifies the syntax errors in the regular expression.
Regular expressions can be used only in checks that use the procedure reference mentioned above. The feature is not enabled without manually editing the XML file, so all the predefined checks in the various standards in Standard Manager are unaffected.
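A way to pre-check a candidate Key expression before importing the edited standard, following the notes above on unique matches and invalid expressions. This is an added example, not Symantec code: Python's re module stands in for the product's regex engine, the records are constructed, and the unanchored, case-sensitive search and the name check_key_pattern are assumptions.

```python
import re

# Constructed sample of list-field records for one target (not real CCS output).
SAMPLE_RECORDS = [
    r"BUILTIN\Administrators",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
    r"CORP\Server Administrators",
]


def check_key_pattern(pattern, records=SAMPLE_RECORDS):
    """Classify a candidate Key pattern against sample records.

    Returns (verdict, detail): verdict is 'invalid', 'no-match', 'unique' or
    'ambiguous'; detail is the syntax error text or the list of matched records.
    Assumption: the pattern is searched anywhere in each record, case-sensitively.
    """
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        # The page says an invalid expression makes the check evaluate as Unknown.
        return "invalid", str(exc)
    matched = [rec for rec in records if compiled.search(rec)]
    if not matched:
        return "no-match", matched
    if len(matched) == 1:
        return "unique", matched
    # More than one record matched: the case the page calls unpredictable.
    return "ambiguous", matched


if __name__ == "__main__":
    candidates = [
        r"Administrators",                # generic: hits two records
        r"BUILTIN\Administrators",        # unescaped backslash: \A is an anchor
        r"^BUILTIN\\Administrators$",     # escaped and anchored
        r"NT AUTHORITY\\(LOCAL SERVICE",  # unbalanced parenthesis
    ]
    for pat in candidates:
        verdict, detail = check_key_pattern(pat)
        print(f"{verdict:9}  {pat}  ->  {detail}")
```

The second candidate compiles but matches nothing, because the unescaped \A after BUILTIN is read as a start-of-string anchor; escaping the backslash and anchoring both ends gives the single match the note asks for.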
Imported Document ID: HOWTO101491