User-Defined Controls FAQs

Can I import controls from XML?

What is a registry key?

Tell me about control IDs

What do I enter for registry value name?

Tell me about scan parameters

Regular expressions for a Unix File Content Check

Tell me about controls with duplicate scan parameters

Are system variables supported on Windows?

Tell me about the data types

Tell me about remediation information

What is a hash type?

Digest calculation for empty file (Integrity Checks)

What is a registry hive?

Control status Pass returned from 1st scan (Integrity Checks)


Can I import controls from XML?

Yes, you can import and export user-defined controls in XML format.

Tell me about control IDs

We automatically assign a unique control ID (CID) to each user-defined control, starting at 100000. For example, if you added 2 user-defined controls they would have the CIDs 100000 and 100001.

Tell me about controls with duplicate scan parameters

Creating controls using the UI: If a control with the same scan parameters as the one you are adding already exists in your account, you'll be prompted either to reuse the existing control's description for the new control or to overwrite it. If you overwrite it, every control with the same scan parameters is updated with the new description.

Importing controls from XML: If a control exists in your account with the same scan parameters as control(s) being imported, we assign the DESCRIPTION parameter of the existing control to the DESCRIPTION parameter of all imported controls with the same scan parameters.

Tell me about scan parameters

The scan parameters are used to gather the data needed for compliance evaluation at scan time. They differ for each control type.

Tell me about the data types

The data type is the type of data returned by scans for a control. The data types available vary by control type:

Boolean - Returns a True or False value.

String - Returns a string value.

String List - Returns a list of string values.

Line List - Returns a list of line values.

Integer - Returns an integer (whole number) value.

What is a hash type?

For File and Directory Integrity Checks, the hash type identifies the algorithm used to compute the file hash. The supported hash types are: MD5 (insecure, competitive matching only), 16-byte digest; SHA1 (insecure, competitive matching only), 20-byte digest; and SHA256 (secure), 32-byte digest. MD5 and SHA1 are offered only so that digests can be matched against values produced elsewhere with those algorithms; choose SHA256 for new integrity baselines.

What is a registry hive?

A registry hive is a top-level registry key predefined by the Windows system to store registry keys, subkeys and values for specific purposes. All registry hives begin with HKEY and appear as file folders at the top level on the left-hand side of the Registry Editor window.

These common hives are supported:

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_USER (HKCU)

HKEY_USERS (HKU)

HKEY_LOCAL_MACHINE (HKLM)

What is a registry key?

A registry key appears as a file folder on the left side of the Windows Registry Editor window. Registry keys may contain registry sub-keys, which are keys within a key.

What do I enter for registry value name?

A registry value is a data entry that appears on the right side of the Windows Registry Editor window for a selected key. A value entry has three parts: name, data type and the data itself. The name of the registry value is the part you enter in the Scan Parameters section. You'll enter the expected value associated with that name in the Control Technologies section (after you've saved the scan parameters). A different expected value may be entered for each technology the control applies to.

The registry value name is optional when defining scan parameters for a registry value content check. If you do not specify a registry value name, then the service will check the content of the default value for the specified registry key. The default value appears as (Default) in the Name column in the Registry Editor window.

Regular expressions for a Unix File Content Check

A Unix File Content Check control includes 2 regular expressions:

- The first is entered in the Scan Parameters section and is used to filter results on the target file/directory at the time of the scan. This regular expression must follow the "Basic Regular Expression (BRE)" standard as supported by the "grep" command on the specific Unix platform.

If you scan the same host with both the scanner and the agent, you may get different compliance results. The agent applies the regular expression to multiline text, whereas the scanner matches one line at a time. To get the same results from both, modify the regular expression in the Scan Parameters section so that it works as a single-line match, for example by changing ^UsePAM to ^UsePAM.* so that the whole line is returned.

- The second is entered as the default value in the Control Technologies section and is used to perform the pass/fail evaluation of the returned results. This regular expression must follow "Perl Compatible Regular Expressions (PCRE)" standard.
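The following is an added example, not code from the original page or from the product, that models the two-stage check above on a constructed sshd_config fragment. The scan-parameter regex is modelled two ways: grep-style line-at-a-time matching that returns the whole matching line (the scanner), and a regex run over the multiline text that returns only the matched text (the agent; this is an assumption about why the results differ, consistent with the ^UsePAM.* advice). The evaluation regex ^UsePAM\s+yes$ is a hypothetical expected value; Python's re module accepts these particular BRE and PCRE patterns unchanged.

```python
import re
from typing import List, Tuple

# Constructed sample of a target file (an sshd_config fragment); not taken from the page.
SSHD_CONFIG = "# PAM settings\nUsePAM yes\nUseDNS no\n"

# Evaluation regex: the PCRE entered as the expected value in Control Technologies
# (hypothetical control; Python's re accepts this PCRE subset unchanged).
EXPECTED_PCRE = r"^UsePAM\s+yes$"


def scanner_filter(scan_regex: str, text: str) -> List[str]:
    """Scanner model: grep-style single-line matching. Each line is tested on
    its own and the WHOLE matching line is returned, whatever the regex consumed."""
    return [line for line in text.splitlines() if re.search(scan_regex, line)]


def agent_filter(scan_regex: str, text: str) -> List[str]:
    """Agent model (assumption, see lead-in): the regex runs over the multiline
    text and only the matched text is returned, so '^UsePAM' yields just 'UsePAM'."""
    return [m.group(0) for m in re.finditer(scan_regex, text, re.MULTILINE)]


def evaluate(results: List[str], expected_pcre: str) -> str:
    """Pass/fail stage: the expected-value regex is applied to the returned data."""
    return "Pass" if any(re.search(expected_pcre, r) for r in results) else "Fail"


def compare(scan_regex: str, text: str = SSHD_CONFIG) -> Tuple[str, str]:
    """Return (scanner status, agent status) for one scan-parameter regex."""
    return (
        evaluate(scanner_filter(scan_regex, text), EXPECTED_PCRE),
        evaluate(agent_filter(scan_regex, text), EXPECTED_PCRE),
    )


if __name__ == "__main__":
    for scan_regex in ("^UsePAM", "^UsePAM.*"):
        print(scan_regex, compare(scan_regex))
    # ^UsePAM   -> ('Pass', 'Fail')  scanner returns 'UsePAM yes', agent returns 'UsePAM'
    # ^UsePAM.* -> ('Pass', 'Pass') '.' does not cross the newline, so both return the line
```

With ^UsePAM the agent hands back only the six characters the regex consumed, so the evaluation regex (which needs the "yes") fails; appending .* makes the scan-parameter regex consume the rest of the line without crossing the newline, and both data sources then return the same line.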


Are system variables supported on Windows?

Yes, these four system variables are supported:

%SystemRoot%

%windir%

%ProgramFiles%

%CommonProgramFiles%

Tell me about remediation information

You can set the remediation information for each user-defined control. In order to view the remediation information in reports, you must enable the Remediation Info options in the policy compliance template. You'll see N/A in the reports when no remediation information is available.

Digest calculation for empty file

(Applicable to File Integrity Check, Directory Integrity Check)

There is a difference in how the digest of an empty file is calculated on Windows and Unix. On Windows the control does not return a digest for an empty file (it calculates a buffer size of 0 and generates no digest). On Unix a native digest command does produce a digest for an empty file (that is, the digest of the padding block alone). Because of this difference you'll get different results when you change the digest algorithm in the control settings (e.g. SHA-256 to MD5) without re-baselining: Unix returns Fail because the digest changed, while Windows returns Pass because no change is detected.

Control status Pass returned from 1st scan

(Applicable to File Integrity Check, Directory Integrity Check)

When "Use scan data as expected value" is enabled, the control returns Pass from the 1st scan of a target system, because the digest observed by that scan is stored as the expected value. After that, the Pass/Fail status is calculated by comparing the expected digest with the digest returned by each subsequent scan.
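The following is an added example, not code from the original page or from the product, covering both the empty-file digest difference and the "Use scan data as expected value" behaviour described above. It models a File Integrity Check as a hypothetical IntegrityCheck class: the first scan stores the observed digest as the expected value and returns Pass, later scans compare digests, and the algorithm is then switched from SHA256 to MD5 without re-baselining. The platform split is an assumption derived from the FAQ text: Unix hashes a zero-length file, Windows returns no digest (modelled as None). The sample file contents are constructed.

```python
import hashlib
from typing import List, Optional

# Constructed sample file contents; not taken from the page.
EMPTY_FILE = b""
SMALL_FILE = b"UsePAM yes\n"

# Digest sizes the FAQ lists for each supported hash type.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}


def digest(content: bytes, hash_type: str, platform: str) -> Optional[str]:
    """Model of the digest the control returns (assumption based on the FAQ text,
    not the product's code). On Unix the native digest command hashes even a
    zero-length file (the digest of the padding block alone). On Windows the
    control computes buffer size 0 and returns no digest, modelled here as None."""
    if platform == "windows" and len(content) == 0:
        return None
    h = hashlib.new(hash_type, content)
    assert h.digest_size == DIGEST_BYTES[hash_type]  # 16, 20 or 32 bytes
    return h.hexdigest()


class IntegrityCheck:
    """Minimal model of a File Integrity Check with
    'Use scan data as expected value' enabled (hypothetical class)."""

    def __init__(self, hash_type: str, platform: str) -> None:
        self.hash_type = hash_type
        self.platform = platform
        self.expected: Optional[str] = None
        self.baselined = False

    def scan(self, content: bytes) -> str:
        actual = digest(content, self.hash_type, self.platform)
        if not self.baselined:
            # 1st scan: the observed digest becomes the expected value -> Pass.
            self.expected, self.baselined = actual, True
            return "Pass"
        # Later scans: compare the stored expected digest with the actual one.
        return "Pass" if actual == self.expected else "Fail"


def empty_file_scenario(platform: str) -> List[str]:
    """Scan an empty file twice with SHA256, then switch the control to MD5 and
    scan again without re-baselining. Returns the three statuses in order."""
    check = IntegrityCheck("sha256", platform)
    statuses = [check.scan(EMPTY_FILE), check.scan(EMPTY_FILE)]
    check.hash_type = "md5"  # algorithm changed in the control settings
    statuses.append(check.scan(EMPTY_FILE))
    return statuses


if __name__ == "__main__":
    print("unix   ", empty_file_scenario("unix"))     # ['Pass', 'Pass', 'Fail']
    print("windows", empty_file_scenario("windows"))  # ['Pass', 'Pass', 'Pass']
```

On Unix the stored SHA256 of the empty file (e3b0c442...) no longer equals the MD5 now being computed (d41d8cd9...), so the third scan fails; on Windows both the expected and actual values are "no digest", so the same algorithm change is invisible. The practical caveat is that a Windows Pass on an empty file says nothing about whether the control is still measuring what you think it is.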