This section provides a few examples of user defined Unix File Content Check controls.
A Unix File Content Check control includes 2 regular expressions:
- The first is entered in the Scan Parameters section and is used to filter results on the target file/directory at the time of the scan. This regular expressions must follow "Basic Regular Expression (BRE)" standard as supported by a "grep" command on specific Unix platforms. When using cloud agents (if Agent UDC Support is available for your account), this regular expression should follow "Perl Compatible Regular Expressions (PCRE)" standard.
- The second is entered as the default value in the Control Technologies section and is used to perform the pass/fail evaluation of the returned results. This regular expression must follow "Perl Compatible Regular Expressions (PCRE)" standard.
This sample can be used to find lines in the /etc/passwd file that end with /bin/bash.
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/passwd file that have at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if none of the lines end with /bin/bash. If at least one line in the file ends with /bin/bash then the control will fail.
|
Section |
Field |
Enter the following |
|
Scan Parameters |
File/Directory path |
/etc/passwd |
|
Scan Parameters |
Regular expression |
. |
|
Scan Parameters |
Data Type |
Line List |
|
Control Technologies |
Cardinality |
match none |
|
Control Technologies |
Operator |
regular expression |
|
Control Technologies |
Default Value |
/bin/bash$ |
This sample can be used to find any line in the /etc/profile file that starts with "alias rm".
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/profile file that start with the word "alias". The settings in the Control Technologies section instruct the scanning engine to pass the control if at least one line returned starts with "alias rm". If no lines start with "alias rm" then the control will fail.
|
Section |
Field |
Enter the following |
|
Scan Parameters |
File/Directory path |
/etc/profile |
|
Scan Parameters |
Regular expression |
^alias |
|
Scan Parameters |
Data Type |
Line List |
|
Control Technologies |
Cardinality |
match any |
|
Control Technologies |
Operator |
regular expression |
|
Control Technologies |
Default Value |
^alias rm |
This sample can be used to determine whether the /etc/sudoers file has lines that are not comment-only lines. Comment-only lines start with a number sign (#).
The settings in the Scan Parameters section instruct the scanning engine to first return all lines from the /etc/sudoers file that do not start with #. The settings in the Control Technologies section instruct the scanning engine to pass the control if the returned list is not empty, meaning that at least one line is returned because it does not start with #. If the list is empty, then the control will fail. Note that when you select the cardinality "not empty" or the cardinality "empty" then no value is entered for the default value.
|
Section |
Field |
Enter the following |
|
Scan Parameters |
File/Directory path |
/etc/sudoers |
|
Scan Parameters |
Regular expression |
^\s*[^#] |
|
Scan Parameters |
Data Type |
Line List |
|
Control Technologies |
Cardinality |
not empty |
|
Control Technologies |
Operator |
regular expression |
|
Control Technologies |
Default Value |
|
This sample can be used to identify general users who are trying to gain superuser (root) privileges. The control instructs the scanning engine to read the /var/adm/sulog file and list attempts by unauthorized users and ignore attempts by authorized administrators. In the /var/adm/sulog file, unsuccessful attempts are indicated by a minus sign (-) and successful attempts are indicated by a plus sign (+).
The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /var/adm/sulog file with at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if any line has a minus sign (-) indicating an unsuccessful attempt. If all lines have a plus sign (+) then the control will fail.
|
Section |
Field |
Enter the following |
|
Scan Parameters |
File/Directory path |
/var/adm/sulog |
|
Scan Parameters |
Regular expression |
. |
|
Scan Parameters |
Data Type |
Line List |
|
Control Technologies |
Cardinality |
match any |
|
Control Technologies |
Operator |
regular expression |
|
Control Technologies |
Default Value |
\s*-\s* |
This sample is for the Unix File Content Check (Agent Only) control. This control type is supported by Cloud Agents only, meaning this control will only be evaluated using agent scan data.
The settings in the Scan Parameters section instruct the agent scan to return all files that contain the word "Qualys". The search will start at the /root directory and go 3 levels deep within the directory. The search will stop if we meet the time limit of 300 seconds or the match limit of 50 files, whichever comes first.
The settings in the Control Technologies section instruct the agent scan to pass the control if at least one string returned contains "Qualys". If no lines contain "Qualys" then the control will fail.
|
Section |
Field |
Enter the following |
|
Scan Parameters |
Base directory |
/root |
|
Scan Parameters |
Maximum Depth |
3 |
|
Scan Parameters |
Regular Expression |
Qualys |
|
Scan Parameters |
File Name Include |
* |
|
Scan Parameters |
Directory Name Include |
* |
|
Scan Parameters |
Time Limit |
300 seconds |
|
Scan Parameters |
Match Limit |
50 files |
|
Scan Parameters |
Data Type |
String List |
|
Control Technologies |
Cardinality |
contains |
|
Control Technologies |
Operator |
string list |
|
Control Technologies |
Default Value |
Qualys |