This section provides a few examples of custom Unix File Content Check controls.
A Unix File Content Check control includes two regular expressions. The first regular expression is entered in the Scan Parameters section and is used to filter the lines returned from the target file/directory at the time of the scan. The second regular expression is entered as the default value in the Control Technologies section and is used, together with the cardinality, to perform the pass/fail evaluation of the returned lines. See Regular Expression Symbols for a list of standard symbols and their meanings.
This sample control can be used to find lines in the /etc/passwd file that end with /bin/bash.
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/passwd file that have at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if none of the lines end with /bin/bash. If at least one line in the file ends with /bin/bash then the control will fail.
| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/passwd |
| | Regular expression | . |
| Control Technologies | Cardinality | match none |
| | Operator | regular expression (set by default) |
| | Default Value | /bin/bash$ |
This sample control can be used to find any line in the /etc/profile file that starts with "alias rm".
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/profile file that start with the word "alias". The settings in the Control Technologies section instruct the scanning engine to pass the control if at least one line returned starts with "alias rm". If no lines start with "alias rm" then the control will fail.
| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/profile |
| | Regular expression | ^alias |
| Control Technologies | Cardinality | match any |
| | Operator | regular expression (set by default) |
| | Default Value | ^alias rm |
This sample control can be used to identify whether the /etc/sudoers file has lines that are not comment-only lines. Comment-only lines start with a number sign (#).
The settings in the Scan Parameters section instruct the scanning engine to first return all lines from the /etc/sudoers file that do not start with # (optional leading whitespace is allowed before the first character). The settings in the Control Technologies section instruct the scanning engine to pass the control if the returned list is not empty, meaning that at least one line was returned because it does not start with #. If the list is empty, the control fails. Note that when you select the cardinality "not empty" or "empty", no default value is entered.
| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/sudoers |
| | Regular expression | ^\s*[^#] |
| Control Technologies | Cardinality | not empty |
| | Operator | regular expression (set by default) |
| | Default Value | (none) |
This sample control can be used to identify general users who are trying to gain superuser (root) privileges. The control instructs the scanning engine to read the /var/adm/sulog file and list attempts by unauthorized users and ignore attempts by authorized administrators. In the /var/adm/sulog file, unsuccessful attempts are indicated by a minus sign (-) and successful attempts are indicated by a plus sign (+).
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /var/adm/sulog file with at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if any line has a minus sign (-) indicating an unsuccessful attempt. If all lines have a plus sign (+) then the control will fail.
| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /var/adm/sulog |
| | Regular expression | . |
| Control Technologies | Cardinality | match any |
| | Operator | regular expression (set by default) |
| | Default Value | \s*-\s* |
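As an added illustration (not Qualys code), the following Python simulates the two-stage evaluation shared by all four sample controls above and runs them over constructed file contents; it assumes each regular expression is applied to every line of the file with unanchored search semantics.

```python
import re

# Added simulation of the two-stage Unix File Content Check described above.
# It is not Qualys code; it assumes both regular expressions are applied to
# each line of the file with unanchored search semantics (an assumption).

def scan_lines(file_text, scan_regex):
    """Stage 1 (Scan Parameters): return only the lines the scan regex matches."""
    pattern = re.compile(scan_regex)
    return [line for line in file_text.splitlines() if pattern.search(line)]

def evaluate(returned_lines, cardinality, default_value=None):
    """Stage 2 (Control Technologies): apply the cardinality; only 'match any'/'match none' use the default value."""
    if cardinality == "empty":
        return not returned_lines
    if cardinality == "not empty":
        return bool(returned_lines)
    if default_value is None:
        raise ValueError("cardinality %r needs a default value" % cardinality)
    pattern = re.compile(default_value)
    hits = [line for line in returned_lines if pattern.search(line)]
    if cardinality == "match any":
        return bool(hits)
    if cardinality == "match none":
        return not hits
    raise ValueError("unknown cardinality %r" % cardinality)

def run_control(file_text, scan_regex, cardinality, default_value=None):
    """Whole control: scan filter, then pass/fail. True means the control passes."""
    return evaluate(scan_lines(file_text, scan_regex), cardinality, default_value)

# Constructed sample file contents (not taken from any real host).
PASSWD = "root:x:0:0:root:/root:/bin/bash\nsync:x:5:0:sync:/sbin:/bin/sync\n"
PROFILE = "# system-wide profile\nalias rm='rm -i'\nexport PATH\n"
SUDOERS = "# /etc/sudoers\n\nroot ALL=(ALL) ALL\n"
# Every su attempt below succeeded (+), yet the from-to user field carries a hyphen.
SULOG = "SU 03/01 10:02 + pts/0 admin-root\nSU 03/01 10:05 + pts/1 jdoe-root\n"

if __name__ == "__main__":
    print(run_control(PASSWD, ".", "match none", r"/bin/bash$"))      # False: root's shell
    print(run_control(PROFILE, "^alias", "match any", "^alias rm"))   # True
    print(run_control(SUDOERS, r"^\s*[^#]", "not empty"))             # True: 'root ALL=...'
    # Unanchored \s*-\s* also matches the hyphen in 'admin-root', so the sample
    # sulog control passes although no attempt failed; \s-\s requires a lone '-'.
    print(run_control(SULOG, ".", "match any", r"\s*-\s*"))           # True
    print(run_control(SULOG, ".", "match any", r"\s-\s"))             # False
```

The last two calls show why the default-value regex should be as specific as the file format allows: an unanchored pattern matches a hyphen anywhere in the line, not only the status indicator.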