Secure Configuration Manager -- Enhanced Unix Regular Expression Check for multiple files

Introduction:

Recently I had the opportunity to collaborate with a customer and NetIQ development on enhancing a regular expression check so that it evaluates multiple expressions against multiple files. The check can also confirm whether a file is present, and lets you decide whether the check reports a violation based on whether the file exists or not.

This check is well worth investigating, as it may simplify your existing checks and support policy compliance in complex environments.

Parameters:

Comparator: The AND/OR logic for evaluating the expressions. OR is represented by double pipes "||" and AND is represented by double ampersands "&&".

Regular Expression: A list of expressions, each preceded by the file path, with a colon separating the file from the expression. Each expression is separated by a comma.

Regular expressions evaluating the existence of a file:

  • FileName:SizeEqualZero: This will pass if the file size is 0 or the file is not present on the host. If the file is there and has a size greater than 0, this will fail.

  • FileName:SizeNotEqualZero: This will pass if the file is present and has a size greater than 0. If the file is not present or has a size equal to 0, the check will fail.


 

Example 1:

[Screenshot: check parameters showing the comparator and the regular expression list]

The screenshot above shows a comparator. This defines the logic and order of operations for the expressions. Each expression is represented by a preceding "$E" followed by a number. $E0 represents the first regular expression in the list, "/etc/1.txt:Hello". It lists the file, and then a ":" divides the file from the expression.

The first expression looks in the 1.txt file for the word "Hello". The second expression looks for the word "World" in the 2.txt file, and the third expression looks in 3.txt for the text "aaa". Each expression statement is separated by a comma. The comparator evaluates that either Hello or World must exist, and that aaa must exist.

[Screenshot of the report: 1 failed to match, as "h" was lowercase in the file for "Hello"]

The report above shows the results. Neither expression E0 nor E1 matched, so the check fails in this example.

 

Example 2:

  • FileName:SizeEqualZero: This will pass if the file size is 0 or the file is not present on the host. If the file is there and has a size greater than 0, this will fail.

  • FileName:SizeNotEqualZero: This will pass if the file is present and has a size greater than 0. If the file is not present or has a size equal to 0, the check will fail.


Example of the parameter settings:

REGULAR_EXPRESSION:
/etc/1.txt:Hello
/etc/2.txt:World
/etc/3.txt:aaaa
/etc/3.txt:SizeNotEqualZero
/etc/2.txt:SizeEqualZero


COMPARATOR:
($E0 && $E1) || $E2 || ($E3 && $E4)
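To make the semantics of the Parameters section and of Example 2 concrete, here is an added worked example in Python. It is not code from this page and not NetIQ's own check implementation; it models the documented behaviour: each "file:expression" line is split on its first colon, SizeEqualZero and SizeNotEqualZero are evaluated on file presence and size, every other expression is a case-sensitive regular expression run against the file contents (Python's re engine is an assumption; SCM's engine may differ), and the comparator is parsed with a small recursive-descent evaluator that accepts only $En, &&, || and parentheses, with && assumed to bind tighter than ||. The `root` parameter is also an assumption of this example: it re-homes /etc under a temporary directory so the demo never touches the real system. The two hosts in demo() are constructed fixtures.

```python
import os
import re
import tempfile

# Constructed sample parameters, copied from the page's Example 2.
REGULAR_EXPRESSION = ["/etc/1.txt:Hello", "/etc/2.txt:World", "/etc/3.txt:aaaa",
                      "/etc/3.txt:SizeNotEqualZero", "/etc/2.txt:SizeEqualZero"]
COMPARATOR = "($E0 && $E1) || $E2 || ($E3 && $E4)"

def parse_expressions(lines):
    """Split each 'path:expression' line on its first colon (the expression must not contain one)."""
    if isinstance(lines, str):         # the GUI form: one comma-separated string
        lines = lines.split(",")
    parsed = []
    for line in (l.strip() for l in lines if l.strip()):
        if ":" not in line:
            raise ValueError("missing ':' separator in %r" % line)
        parsed.append(tuple(line.split(":", 1)))
    return parsed

def evaluate_expression(path, expr, root=None):
    """Evaluate one expression; `root` (an assumption of this example) re-homes /etc under a temp dir."""
    full = os.path.join(root, path.lstrip("/")) if root else path
    exists = os.path.isfile(full)
    size = os.path.getsize(full) if exists else 0
    if expr == "SizeEqualZero":        # passes if the file is absent or empty
        return (not exists) or size == 0
    if expr == "SizeNotEqualZero":     # passes only if present and non-empty
        return exists and size > 0
    if not exists:                     # a pattern cannot match a missing file
        return False
    with open(full, "r", errors="replace") as fh:
        return re.search(expr, fh.read()) is not None   # case-sensitive, as in Example 1

def tokenize(comparator):
    """Accept only $En, &&, ||, parentheses and whitespace; anything else is rejected up front."""
    if not re.fullmatch(r"(?:\s*(?:\$E\d+|&&|\|\||[()]))*\s*", comparator):
        raise ValueError("bad comparator syntax: %r" % comparator)
    return re.findall(r"\$E\d+|&&|\|\||[()]", comparator)

def evaluate_comparator(comparator, results):
    """Recursive descent, '&&' binding tighter than '||'; no eval(), so bad input can only raise."""
    tokens, pos = tokenize(comparator), 0

    def primary():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("comparator ended unexpectedly")
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        if tok.startswith("$E") and int(tok[2:]) < len(results):
            return results[int(tok[2:])]
        raise ValueError("unexpected or out-of-range token %r" % tok)

    def and_expr():
        nonlocal pos
        value = primary()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            value = primary() and value   # both sides evaluated, so no tokens are skipped
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1
            value = and_expr() or value
        return value

    value = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in comparator")
    return value

def run_check(expr_lines, comparator, root=None):
    """Evaluate every expression, then combine the per-expression results with the comparator."""
    results = [evaluate_expression(p, e, root) for p, e in parse_expressions(expr_lines)]
    return {"results": results, "passed": evaluate_comparator(comparator, results)}

def demo():
    """Host A satisfies ($E0 && $E1); host B has lowercase 'hello' (Example 1's failure),
    a non-empty 2.txt and only 'aaa', so every branch of the comparator is false."""
    hosts = [{"1.txt": "Hello\n", "2.txt": "World\n", "3.txt": "aaa\n"},
             {"1.txt": "hello\n", "2.txt": "World\n", "3.txt": "aaa\n"}]
    outcomes = []
    for files in hosts:                # constructed fixtures, one temp dir per host
        with tempfile.TemporaryDirectory() as root:
            os.mkdir(os.path.join(root, "etc"))
            for name, content in files.items():
                with open(os.path.join(root, "etc", name), "w") as fh:
                    fh.write(content)
            outcomes.append(run_check(REGULAR_EXPRESSION, COMPARATOR, root)["passed"])
    return tuple(outcomes)
```

Calling demo() returns (True, False): host A passes through the ($E0 && $E1) branch, while host B fails every branch, including ($E3 && $E4), because its 2.txt is present and non-empty, so SizeEqualZero is false. The evaluator deliberately avoids eval() and rejects any token other than $En, &&, || and parentheses, which is the behaviour you want from anything that consumes an operator-editable comparator string.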


Syntax Notes:

  • Because the colon ":" is used as a separator, make sure you don't use it in your expression. If the string you need to find contains a colon, use a dot "." in its place.

  • If you choose to modify the default parameters in the check file, the & character must be represented as "&amp": '&' should be passed as &amp. This is only needed when modifying the COMPARATOR parameter in the check file; modifying the COMPARATOR parameter from the SCM GUI does not require it.

  • To match any whitespace, use the expression "[ \t | \s]*" in place of "\s*".



Install:

Extract the check and import it into Secure Configuration Manager. You should be able to find it under My Checks. You can include the same check multiple times in an existing template by giving each instance an alias name, such as [<policy number> <Check Name>]. Modify the parameters as needed in the template.
