Rules

The Basics

The Rule is the fundamental building block of an AuditShark Policy. Each Rule is intended to answer one very specific question with a boolean result, and it reports one of four possible Result values.

  • Ok - The rule evaluated successfully and the Desired Value matches the Actual Value.
  • Not Ok - The rule evaluated successfully and the Desired Value did not match the Actual Value.
  • Info - There is not a "right" or "wrong" answer to this question. The value is informational.
  • Error - Something went wrong during the evaluation of the Rule.

You implement a Rule for each question you want your server to answer. For example, on a Windows server, you might ask "Is the World Wide Web Publishing Service installed?", which is essentially the same as asking if the Microsoft web server is installed.

If the service exists on the target computer, the Result of that Rule is "Ok", or a boolean true. If the service does not exist, then the Result of that Rule is "Not Ok", which is a boolean false.

Combining Rules

Rules can be combined to provide a boolean answer to more complex questions or to check the prerequisites for a given Rule. As an example, if you want to validate that a service is turned on, you should first check that the service is installed; otherwise your Rule could provide a Result of "Error". Likewise, if you want to check the permissions on a file or directory, you should first validate that it exists.

There are often multiple ways of asking or answering the same question. Sometimes, you may need to check multiple pieces of information to determine the answer to a question.

For example, assume you want to identify whether Windows 2008 computers are running the latest Service Pack. You must validate the following prerequisites:

  • Evaluate the Windows Kernel to make sure the target is running Windows Kernel 6.1.
    This is found in the registry at: HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion
  • Evaluate whether the operating system type is "Server", since Windows 7 and Windows 2008 share the same kernel.
    This is found in the registry at: HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallationType

Finally, once these have been validated, you can check the registry key at: HKLM\Software\Microsoft\Windows NT\CurrentVersion\CSDVersion to determine which Service Pack is currently installed. If that matches the expected value, then the Result is "Ok" for this Rule.
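The following Python is an added example and is not AuditShark's own Rule syntax, which this page does not show. It models the four Result values and the prerequisite chaining described above, then runs the Windows 2008 Service Pack check over constructed registry snapshots. The Rule and Outcome classes, the desired value "Service Pack 1", the informational CurrentBuildNumber rule, the sample targets, and the convention of reporting "Error" when a prerequisite is not "Ok" are all assumptions of this example.

```python
# Added illustration of AuditShark-style Rules: four Result values and
# prerequisite chaining, applied to the Windows 2008 Service Pack check.
# The Rule/Outcome classes, the registry snapshots and the desired values
# are constructed for this example; they are not AuditShark's rule syntax.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Result(Enum):
    OK = "Ok"          # evaluated; Desired Value matches Actual Value
    NOT_OK = "Not Ok"  # evaluated; Desired Value does not match Actual Value
    INFO = "Info"      # no right or wrong answer; value is informational
    ERROR = "Error"    # something went wrong during evaluation


# Constructed stand-in for a target's registry: "key\value name" -> data.
# A missing entry models a value that does not exist on that computer.
Registry = Dict[str, str]


@dataclass
class Outcome:
    result: Result
    reason: str


@dataclass
class Rule:
    name: str
    lookup: str                        # full registry path of the value read
    desired: Optional[str] = None      # None: informational rule (Info)
    prerequisites: List["Rule"] = field(default_factory=list)

    def evaluate(self, registry: Registry) -> Outcome:
        # Check prerequisites first. If one is not Ok, this Rule cannot give a
        # meaningful Ok/Not Ok for the target, so report Error and say why.
        # (This is the example's convention; the page only says to check first.)
        for pre in self.prerequisites:
            pre_outcome = pre.evaluate(registry)
            if pre_outcome.result is not Result.OK:
                return Outcome(
                    Result.ERROR,
                    f"prerequisite '{pre.name}' was {pre_outcome.result.value}: "
                    f"{pre_outcome.reason}",
                )
        actual = registry.get(self.lookup)
        if actual is None:
            return Outcome(Result.ERROR, f"{self.lookup} does not exist")
        if self.desired is None:
            return Outcome(Result.INFO, f"actual value is {actual!r}")
        if actual == self.desired:
            return Outcome(Result.OK, f"actual value {actual!r} matches desired")
        return Outcome(Result.NOT_OK,
                       f"actual value {actual!r} != desired {self.desired!r}")


BASE = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion"

# The two prerequisite Rules from the text, then the Service Pack check.
kernel_rule = Rule("Kernel is 6.1", BASE + r"\CurrentVersion", desired="6.1")
server_rule = Rule("Installation type is Server", BASE + r"\InstallationType",
                   desired="Server")
service_pack_rule = Rule(
    "Windows 2008 has the expected Service Pack",
    BASE + r"\CSDVersion",
    desired="Service Pack 1",           # constructed expected value
    prerequisites=[kernel_rule, server_rule],
)
# An informational Rule (assumed here): there is no right or wrong build number.
build_rule = Rule("Current build number", BASE + r"\CurrentBuildNumber")

# Constructed registry snapshots for four hypothetical targets.
SAMPLE_TARGETS: Dict[str, Registry] = {
    "server-sp1": {BASE + r"\CurrentVersion": "6.1",
                   BASE + r"\InstallationType": "Server",
                   BASE + r"\CSDVersion": "Service Pack 1",
                   BASE + r"\CurrentBuildNumber": "7601"},
    "server-rtm": {BASE + r"\CurrentVersion": "6.1",
                   BASE + r"\InstallationType": "Server",
                   BASE + r"\CurrentBuildNumber": "7600"},   # no CSDVersion value
    "win7-client": {BASE + r"\CurrentVersion": "6.1",
                    BASE + r"\InstallationType": "Client",
                    BASE + r"\CSDVersion": "Service Pack 1",
                    BASE + r"\CurrentBuildNumber": "7601"},
    "older-kernel": {BASE + r"\CurrentVersion": "6.0",
                     BASE + r"\InstallationType": "Server",
                     BASE + r"\CSDVersion": "Service Pack 2",
                     BASE + r"\CurrentBuildNumber": "6002"},
}


def audit(rule: Rule, targets: Dict[str, Registry]) -> Dict[str, Result]:
    """Evaluate one Rule against every target; returns target -> Result."""
    return {name: rule.evaluate(reg).result for name, reg in targets.items()}


if __name__ == "__main__":
    for target, registry in SAMPLE_TARGETS.items():
        for rule in (service_pack_rule, build_rule):
            outcome = rule.evaluate(registry)
            print(f"{target:13} {rule.name:45} {outcome.result.value:7} {outcome.reason}")
```

Running the script prints one line per target and Rule. Only the patched server reports "Ok"; the Windows 7 client and the 6.0 kernel fail a prerequisite and are reported as "Error" with the prerequisite named, so they are not confused with a server that is genuinely missing the Service Pack. The RTM server, whose CSDVersion value is absent, also reports "Error"; a policy that wants "Not Ok" there would add a separate existence Rule, as the text recommends for files and directories.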

Rule Keys

Every Rule consists of a set of key/value pairs called RuleKeys. The most important RuleKey is RuleType, which indicates the purpose of the Rule, and what other RuleKeys are required, recommended, or optional.

Rule Types

Every Rule has a "RuleType" and it must match an expected value. The RuleType

© 2011-2019 Moon River Software Inc. All rights reserved.