To get to this page: Select Controls from the left menu. Go to New > Control. Click the Unix Control Types tab. Click Get Started for the File/Directory Permission control type. (Or click edit for any control of this type you want to change.)
The Unix File/Directory Permission control type checks the permissions set on a Unix file or directory: the owner, the group and the permission bits reported for the path.
In the General Information section, provide basic information for the control, including a control statement and category. See General Information for details.
In the Scan Parameters section, specify the scan parameters that the scanning engine will use to gather data for the control (data point). Click Add Parameters and add scan parameters for the control in the Scan Parameters pop-up:
File/Directory path. Enter the absolute path to the file/directory on your Unix system that will be evaluated.
Data Type. (View only) The data type of the value returned by the scanning engine. For a file/directory permission control this is set to "String" by default.
Description. Enter a description for the custom control which will appear in compliance policies and reports.
Click Add to add parameters and close the Scan Parameters window. You will notice the Edit Parameters button is available. Click this button to edit parameters before saving the control.
See also:
Add/Edit Scan Parameters in a New Control
Update the Data Point Description in an Existing Control
In the Control Technologies section, identify the technologies applicable to the control. For each technology, provide a rationale statement, select an operator, and set the default control value.
Rationale statement. Enter a rationale statement describing how the control should be implemented for each technology.
Operator. (View only) The operator "regular expression" is used to compare the results to the default value, which is specified as a regular expression.
Default value. Enter the expected value for each technology as a regular expression. The scanning engine returns a single string literal with permissions information in this format:
OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH
For information on this format, see File/Directory Permissions (Unix).
Knowing the format of the permissions information returned, you can write a regular expression that matches your pass/fail conditions.
Select the Lock Value option to lock the default value. When locked, users cannot change the default value in the Policy Editor.
Example. Suppose you enter this regular expression as the expected value:
^jim:.+:.rw.r-.r-.:.+$
With this regular expression, the control passes compliance when:
The file is owned by the user jim
jim has read and write permission on the file (execute permission is optional)
The group has read permission (execute permission is optional)
Other users have read permission and not write permission (execute permission is optional)
See Regular Expression Symbols for standard symbols and their meanings.
PCRE standard: The compliance module implements Perl Compatible Regular Expressions (PCRE). For information on this standard, go to http://www.pcre.org/. For guidance on writing regular expressions for controls using this standard, go to http://perldoc.perl.org/perlre.html. The following characters have special meaning in PCRE; to match them literally, escape each one with a backslash:
( ) [ ] | ^ $ -
For example, to match the string "(cs" you must enter "\(cs" (add a backslash before the special character).
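The following Python script is an added illustration, not code from the original page or from the product, of two points above: how the example expected value ^jim:.+:.rw.r-.r-.:.+$ passes or fails against data points in the OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH format, and why special characters in a literal path must be escaped. It assumes the PERMISSIONS field is the ls -l style mode string (for example -rw-r--r--) and that the engine's comparison is an unanchored PCRE-style search; the scanning engine's own code is not shown on the page. All user names, paths and data points in it are constructed, and the helper names (control_passes, escape_literal, literal_path_rule, permission_data_point, check_scratch_file) are hypothetical. Note that the r-. in the group segment of the example also requires the group write bit to be clear, which the -rw-rw-r-- sample makes visible.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# Characters the page lists as needing a backslash for literal matching.
SPECIAL_CHARS = "()[]|^$-"

# The example expected value from the page (owner jim, rw for the owner,
# r for group and others, execute optional everywhere).
JIM_RULE = r"^jim:.+:.rw.r-.r-.:.+$"

# Constructed data points in OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH format
# (not real scan output), mapped to the result the page's rule gives.
SAMPLE_DATA_POINTS = {
    "jim:staff:-rw-r--r--:/etc/app/app.conf": True,      # exactly the described state
    "jim:staff:-rwxr-xr-x:/etc/app/run.sh": True,        # execute bits are optional
    "jim:staff:-rw-rw-r--:/etc/app/shared.conf": False,  # group write is not allowed
    "jim:staff:-rw-r--rw-:/etc/app/world.conf": False,   # other write is not allowed
    "root:root:-rw-r--r--:/etc/app/root.conf": False,    # wrong owner
}


def control_passes(expected_regex, data_point):
    """Pass when the PCRE-style expected value matches the returned string."""
    return re.search(expected_regex, data_point) is not None


def evaluate_samples(expected_regex=JIM_RULE, data_points=SAMPLE_DATA_POINTS):
    """Return {data_point: passed} for every sample data point."""
    return {dp: control_passes(expected_regex, dp) for dp in data_points}


def escape_literal(text):
    """Backslash-escape the page's special characters so text matches itself."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in text)


def literal_path_rule(owner, permissions_pattern, path):
    """Hypothetical helper: an expected value pinned to one absolute path.

    The owner and path are escaped; the group segment is left open (.+)."""
    return f"^{escape_literal(owner)}:.+:{permissions_pattern}:{escape_literal(path)}$"


def unescaped_path_is_invalid(path):
    """True when the path used unescaped does not even compile (a lone '(')."""
    try:
        re.compile(f"^jim:.+:.rw.r-----:{path}$")
    except re.error:
        return True
    return False


def permission_data_point(path):
    """Assumed reconstruction of the data point for a real file.

    The engine's implementation is not on the page; PERMISSIONS is taken to
    be the ls -l style mode string and names fall back to numeric ids."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return f"{owner}:{group}:{stat.filemode(st.st_mode)}:{os.path.abspath(path)}"


def check_scratch_file():
    """Create a mode 0644 scratch file and evaluate it against a rule for
    its own owner; returns (data_point, passed), and passed should be True."""
    with tempfile.NamedTemporaryFile() as handle:
        os.chmod(handle.name, 0o644)
        data_point = permission_data_point(handle.name)
        owner = data_point.split(":")[0]
        rule = f"^{escape_literal(owner)}:.+:.rw.r-.r-.:.+$"
        return data_point, control_passes(rule, data_point)


if __name__ == "__main__":
    for dp, passed in evaluate_samples().items():
        print(f"{'PASS' if passed else 'FAIL'}  {dp}")
    print(check_scratch_file())
```

Running the script prints PASS or FAIL for each constructed data point and then the data point built from a scratch file in the temporary directory. Pinning a rule to one path with literal_path_rule is the situation where escaping matters most: a path containing "(" or "[" that is pasted in unescaped either fails to compile or matches something other than the intended file.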
In the References section, add or remove references to internal policies and documents. See References for details.