I need a problem when i want to check the order of values of a key in registry.
The key “Function” in registry has a few values :
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
etc…
For one control of CIS i need to check if the order its ok, how can i do that?
I have this query:
exists key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" whose (exists value "Functions" whose (it as string contains "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256") of it) of native registry
with that i cant check if those values exists, but i cant know if the order its correct. Can you help me with that?
This returns all of the REG_MULTI_SZ values concatenated together with the null character (%00) and terminated by two null characters (%00%00). So we can check that this string contains all three of your values, separated by %00, with
value "Functions" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of registry as string contains "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384%00TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256%00TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256"
If these can appear with other values in between, it’s a little more complicated, but I think this should do it
exists (values "Functions" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of registry as string) whose (it contains "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" and following text of first "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" of it contains "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" and following text of first "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" of it contains "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256")