Sample Unix File Content Checks

This section provides a few examples of user-defined Unix File Content Check controls. Each control reads one file on the target host, keeps the lines that match a scan-time regular expression, and then decides pass or fail by applying a cardinality (and, for two of the cardinalities, a second regular expression) to the lines that were returned.

A Unix File Content Check control uses two regular expressions:

- The first is entered in the Scan Parameters section and is applied to the target file/directory at scan time; only the lines that match it are returned for evaluation. This regular expression must follow the "Basic Regular Expression (BRE)" standard as supported by the "grep" command on the specific Unix platform being scanned. Note that GNU grep extensions such as \s are not part of POSIX BRE and may not be understood by the native grep on every platform. When using cloud agents (if Agent UDC Support is available for your account), this regular expression should follow the "Perl Compatible Regular Expressions (PCRE)" standard instead.

- The second is entered as the default value in the Control Technologies section and is used to perform the pass/fail evaluation of the returned lines when the cardinality is "match any" or "match none". This regular expression must follow the "Perl Compatible Regular Expressions (PCRE)" standard. When the cardinality is "not empty" or "empty", the second regular expression is not used and the default value is left blank.

Sample 1

This sample control detects accounts in the /etc/passwd file whose login shell is /bin/bash, that is, lines that end with /bin/bash.

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/passwd file that have at least one character (the regular expression . matches any single character, so only empty lines are excluded). The settings in the Control Technologies section instruct the scanning engine to pass the control if none of the returned lines end with /bin/bash. If at least one line in the file ends with /bin/bash, the control fails.

Section              | Field               | Enter the following
Scan Parameters      | File/Directory path | /etc/passwd
Scan Parameters      | Regular expression  | .
Control Technologies | Cardinality         | match none
Control Technologies | Operator            | regular expression (set by default)
Control Technologies | Default Value       | /bin/bash$

Sample 2

This sample control verifies that the /etc/profile file defines an alias for rm, that is, that at least one line starts with "alias rm".

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/profile file that start with the word "alias". The settings in the Control Technologies section instruct the scanning engine to pass the control if at least one of the returned lines starts with "alias rm". If no line starts with "alias rm", the control fails.

Section              | Field               | Enter the following
Scan Parameters      | File/Directory path | /etc/profile
Scan Parameters      | Regular expression  | ^alias
Control Technologies | Cardinality         | match any
Control Technologies | Operator            | regular expression (set by default)
Control Technologies | Default Value       | ^alias rm

Sample 3

This sample control determines whether the /etc/sudoers file contains any line that is not a comment-only line. Comment-only lines start with a number sign (#).

The settings in the Scan Parameters section instruct the scanning engine to first return all lines from the /etc/sudoers file whose first character, after optional leading whitespace, is not #. The settings in the Control Technologies section instruct the scanning engine to pass the control if the returned list is not empty, meaning that at least one such line exists. If the list is empty, the control fails. Note that when you select the cardinality "not empty" or the cardinality "empty", no value is entered for the default value.

Two caveats apply to the scan pattern as written. First, \s is a GNU grep extension rather than POSIX BRE, so the native grep on some Unix platforms may not interpret it; the portable way to express optional leading whitespace in BRE is the POSIX whitespace character class. Second, because \s* can give back one space for [^#] to consume, the pattern also matches an indented comment line (for example four spaces followed by #) and a line consisting only of spaces, so a sudoers file that contains nothing but indented comments still passes this control. Excluding whitespace from the character class, so that the first non-blank character must be something other than #, closes that gap.

Section              | Field               | Enter the following
Scan Parameters      | File/Directory path | /etc/sudoers
Scan Parameters      | Regular expression  | ^\s*[^#]
Control Technologies | Cardinality         | not empty
Control Technologies | Operator            | regular expression (set by default)
Control Technologies | Default Value       | (leave blank)

Sample 4

This sample control can be used to identify users who have tried to gain superuser (root) privileges with su. The control instructs the scanning engine to read the /var/adm/sulog file and look for failed attempts, on the assumption that authorized administrators normally succeed while unauthorized users normally fail. In the /var/adm/sulog file, unsuccessful attempts are indicated by a minus sign (-) and successful attempts are indicated by a plus sign (+).

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /var/adm/sulog file with at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if any returned line contains a minus sign (-), indicating an unsuccessful attempt. If every line carries a plus sign (+), the control fails. Note that this configuration passes when failed attempts are present; if you would rather have the control fail in that case, select the cardinality "match none" instead, as in Sample 1.

Be aware that both \s* quantifiers are optional, so the default value effectively matches a minus sign anywhere on the line. On platforms where sulog joins the source and target user names with a hyphen (for example jsmith-root), every entry matches regardless of its result marker and the control passes even when all attempts succeeded. Requiring whitespace on both sides of the minus sign restricts the match to the result column.

Section              | Field               | Enter the following
Scan Parameters      | File/Directory path | /var/adm/sulog
Scan Parameters      | Regular expression  | .
Control Technologies | Cardinality         | match any
Control Technologies | Operator            | regular expression (set by default)
Control Technologies | Default Value       | \s*-\s*
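To make the two-stage evaluation concrete for all four samples, the following Python emulation is added here; it is not Qualys code and does not reproduce the scanner's engine. It assumes that Python's re module is an adequate stand-in for the PCRE evaluation (appliance scans actually run the first pattern through the target's grep BRE dialect), it uses constructed file contents rather than data from any real host, it assumes a sulog line layout of "SU date time +|- tty from-to", and the two tightened patterns ^\s*[^\s#] and \s-\s are suggested alternatives, not values from the page. The same evaluate() function serves Samples 1 through 4, and the last entries show why the Sample 3 and Sample 4 patterns over-match.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileContentCheck:
    """One Unix File Content Check as entered in the two UI sections."""
    path: str                            # Scan Parameters: File/Directory path
    scan_regex: str                      # Scan Parameters: Regular expression
    cardinality: str                     # match any | match none | not empty | empty
    default_value: Optional[str] = None  # Control Technologies: Default Value


def scan_lines(content: str, scan_regex: str) -> List[str]:
    """Stage 1: return only the lines of the file that match the scan regex.

    Python's re engine stands in for the scanner here (assumption); appliance
    scans use the target host's grep BRE dialect, cloud agents use PCRE.
    """
    pattern = re.compile(scan_regex)
    return [line for line in content.splitlines() if pattern.search(line)]


def evaluate(check: FileContentCheck, content: str) -> bool:
    """Stage 2: apply the cardinality to the returned lines. True means pass."""
    returned = scan_lines(content, check.scan_regex)
    if check.cardinality == "not empty":
        return len(returned) > 0
    if check.cardinality == "empty":
        return len(returned) == 0
    if check.default_value is None:
        raise ValueError("match any / match none require a default value")
    pattern = re.compile(check.default_value)
    hits = [line for line in returned if pattern.search(line)]
    if check.cardinality == "match any":
        return len(hits) > 0
    if check.cardinality == "match none":
        return len(hits) == 0
    raise ValueError(f"unknown cardinality: {check.cardinality!r}")


# The four sample controls exactly as tabulated on this page.
SAMPLE_1 = FileContentCheck("/etc/passwd", r".", "match none", r"/bin/bash$")
SAMPLE_2 = FileContentCheck("/etc/profile", r"^alias", "match any", r"^alias rm")
SAMPLE_3 = FileContentCheck("/etc/sudoers", r"^\s*[^#]", "not empty")
SAMPLE_4 = FileContentCheck("/var/adm/sulog", r".", "match any", r"\s*-\s*")

# Tightened variants (assumptions, not page content): the first non-blank
# character must not be #, and the minus sign must stand alone as a field.
SAMPLE_3_STRICT = FileContentCheck("/etc/sudoers", r"^\s*[^\s#]", "not empty")
SAMPLE_4_STRICT = FileContentCheck("/var/adm/sulog", r".", "match any", r"\s-\s")

# Constructed file contents for the demonstration (not taken from a real host).
PASSWD_BASH = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
PASSWD_NO_BASH = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
PROFILE_ALIAS = "# /etc/profile\nalias rm='rm -i'\nalias ll='ls -l'\n"
PROFILE_NO_ALIAS = "# /etc/profile\nalias ll='ls -l'\n"
SUDOERS_RULE = "# User privilege specification\nroot ALL=(ALL) ALL\n"
SUDOERS_INDENTED = "# Header\n    # every rule is commented out\n"
# Assumed sulog layout: SU date time +|- tty from-to
SULOG_FAILED = "SU 03/18 09:34 + pts/2 jsmith-root\nSU 03/18 09:41 - pts/3 mjones-root\n"
SULOG_ALL_OK = "SU 03/18 09:34 + pts/2 jsmith-root\n"


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample (and the tightened variants) against the files."""
    return {
        "s1_bash_present": evaluate(SAMPLE_1, PASSWD_BASH),            # False
        "s1_bash_absent": evaluate(SAMPLE_1, PASSWD_NO_BASH),          # True
        "s2_alias_rm_present": evaluate(SAMPLE_2, PROFILE_ALIAS),      # True
        "s2_alias_rm_absent": evaluate(SAMPLE_2, PROFILE_NO_ALIAS),    # False
        "s3_real_rule": evaluate(SAMPLE_3, SUDOERS_RULE),              # True
        "s3_indented_comments_only": evaluate(SAMPLE_3, SUDOERS_INDENTED),  # True: \s* gives back a space
        "s3_strict_real_rule": evaluate(SAMPLE_3_STRICT, SUDOERS_RULE),     # True
        "s3_strict_indented_comments_only": evaluate(SAMPLE_3_STRICT, SUDOERS_INDENTED),  # False
        "s4_failed_su_present": evaluate(SAMPLE_4, SULOG_FAILED),      # True
        "s4_all_success": evaluate(SAMPLE_4, SULOG_ALL_OK),            # True: hyphen in jsmith-root
        "s4_strict_failed_su_present": evaluate(SAMPLE_4_STRICT, SULOG_FAILED),  # True
        "s4_strict_all_success": evaluate(SAMPLE_4_STRICT, SULOG_ALL_OK),        # False
    }


if __name__ == "__main__":
    for name, passed in run_samples().items():
        print(f"{name:34s} {'PASS' if passed else 'FAIL'}")
```

Running the script prints one PASS/FAIL line per case. The two "over-match" entries are the ones to note: the page's Sample 3 pattern passes a sudoers file whose only content is an indented comment, and the Sample 4 pattern passes a sulog in which every attempt succeeded, because the hyphen inside the from-to user field satisfies \s*-\s*. Before deploying either control, run the scan pattern through the target platform's own grep to confirm that its BRE dialect accepts \s.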