Sample Unix File Content Checks

This section provides a few examples of user-defined Unix File Content Check controls.

A Unix File Content Check control includes two regular expressions:

- The first is entered in the Scan Parameters section and is used to filter results on the target file/directory at the time of the scan. This regular expression must follow the Basic Regular Expression (BRE) standard as supported by the "grep" command on the specific Unix platform. When using Cloud Agents (if Agent UDC Support is available for your account), this regular expression should follow the Perl Compatible Regular Expressions (PCRE) standard instead.

- The second is entered as the default value in the Control Technologies section and is used to perform the pass/fail evaluation of the returned results. This regular expression must follow the Perl Compatible Regular Expressions (PCRE) standard.

Sample 1

This sample can be used to find lines in the /etc/passwd file that end with /bin/bash.

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/passwd file that have at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if none of the lines end with /bin/bash. If at least one line in the file ends with /bin/bash then the control will fail.

| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/passwd |
| Scan Parameters | Regular expression | `.` |
| Scan Parameters | Data Type | Line List |
| Control Technologies | Cardinality | match none |
| Control Technologies | Operator | regular expression |
| Control Technologies | Default Value | `/bin/bash$` |

Sample 2

This sample can be used to find any line in the /etc/profile file that starts with "alias rm".

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /etc/profile file that start with the word "alias". The settings in the Control Technologies section instruct the scanning engine to pass the control if at least one line returned starts with "alias rm". If no lines start with "alias rm" then the control will fail.

| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/profile |
| Scan Parameters | Regular expression | `^alias` |
| Scan Parameters | Data Type | Line List |
| Control Technologies | Cardinality | match any |
| Control Technologies | Operator | regular expression |
| Control Technologies | Default Value | `^alias rm` |

Sample 3

This sample can be used to determine whether the /etc/sudoers file has lines that are not comment-only lines. Comment-only lines start with a number sign (#).

The settings in the Scan Parameters section instruct the scanning engine to first return all lines from the /etc/sudoers file that do not start with #. The settings in the Control Technologies section instruct the scanning engine to pass the control if the returned list is not empty, meaning that at least one line was returned because it does not start with #. If the list is empty, the control will fail. Note that when you select the cardinality "not empty" or the cardinality "empty", no value is entered for the default value.

| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /etc/sudoers |
| Scan Parameters | Regular expression | `^\s*[^#]` |
| Scan Parameters | Data Type | Line List |
| Control Technologies | Cardinality | not empty |
| Control Technologies | Operator | regular expression |
| Control Technologies | Default Value | (leave blank) |

Sample 4

This sample can be used to identify general users who are trying to gain superuser (root) privileges. The control instructs the scanning engine to read the /var/adm/sulog file and list attempts by unauthorized users and ignore attempts by authorized administrators. In the /var/adm/sulog file, unsuccessful attempts are indicated by a minus sign (-) and successful attempts are indicated by a plus sign (+).

The settings in the Scan Parameters section instruct the scanning engine to first return all lines in the /var/adm/sulog file with at least one character. The settings in the Control Technologies section instruct the scanning engine to pass the control if any line has a minus sign (-) indicating an unsuccessful attempt. If all lines have a plus sign (+) then the control will fail.

| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | File/Directory path | /var/adm/sulog |
| Scan Parameters | Regular expression | `.` |
| Scan Parameters | Data Type | Line List |
| Control Technologies | Cardinality | match any |
| Control Technologies | Operator | regular expression |
| Control Technologies | Default Value | `\s*-\s*` |
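To make the two-stage evaluation concrete, the following Python model runs Samples 1 to 4 end to end. It is an added example, not Qualys code and not part of the original page: `scan_lines` plays the Scan Parameters filter (the grep-style pass that produces the Line List) and `evaluate` plays the Control Technologies step, applying the cardinalities the samples use (match none, match any, not empty, empty) with the regular expression operator. The file contents are constructed, including the Solaris/AIX-style sulog lines of the form `SU date time +|- tty fromuser-touser`, and the function names are my own.

```python
import re

# Constructed file contents for the walkthrough (not taken from a real host).
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
PROFILE = (
    "# /etc/profile: system-wide .profile file\n"
    "export PATH=/usr/local/bin:$PATH\n"
    "alias rm='rm -i'\n"
    "alias ll='ls -l'\n"
)
SUDOERS = (
    "# This file MUST be edited with the 'visudo' command as root.\n"
    "root    ALL=(ALL:ALL) ALL\n"
    "%sudo   ALL=(ALL:ALL) ALL\n"
)
# Constructed Solaris/AIX-style sulog lines: SU date time +|- tty fromuser-touser
SULOG = (
    "SU 03/14 10:22 + pts/0 alice-root\n"
    "SU 03/14 10:25 - pts/0 bob-root\n"
)


def scan_lines(content, scan_regex):
    """Stage 1 (Scan Parameters, Data Type 'Line List'): keep the lines that
    match scan_regex, the way `grep` filters the file. Python's re module is
    PCRE-like; the scan patterns used in these samples (., ^alias, ^\\s*[^#])
    read the same in GNU grep's BRE dialect."""
    return [line for line in content.splitlines() if re.search(scan_regex, line)]


def evaluate(lines, cardinality, default_value=""):
    """Stage 2 (Control Technologies, operator 'regular expression'): apply
    the cardinality to the returned line list. Returns True when the control
    PASSES. 'empty' and 'not empty' ignore default_value, as the page notes."""
    if cardinality == "empty":
        return not lines
    if cardinality == "not empty":
        return bool(lines)
    hits = [line for line in lines if re.search(default_value, line)]
    if cardinality == "match any":
        return bool(hits)
    if cardinality == "match none":
        return not hits
    raise ValueError(f"unsupported cardinality: {cardinality}")


# One function per sample; each takes the file content so alternative
# contents can be tried, and returns True for PASS / False for FAIL.
def sample1(passwd=PASSWD):
    return evaluate(scan_lines(passwd, r"."), "match none", r"/bin/bash$")


def sample2(profile=PROFILE):
    return evaluate(scan_lines(profile, r"^alias"), "match any", r"^alias rm")


def sample3(sudoers=SUDOERS):
    return evaluate(scan_lines(sudoers, r"^\s*[^#]"), "not empty")


def sample4(sulog=SULOG):
    return evaluate(scan_lines(sulog, r"."), "match any", r"\s*-\s*")


if __name__ == "__main__":
    for name, fn in [("Sample 1", sample1), ("Sample 2", sample2),
                     ("Sample 3", sample3), ("Sample 4", sample4)]:
        print(name, "PASS" if fn() else "FAIL")
```

Run as written, Sample 1 fails (two accounts end with /bin/bash) and Samples 2 to 4 pass. Two points worth checking against your own targets: `\s` in the Sample 3 scan pattern is a GNU grep extension rather than POSIX BRE, so on a platform whose grep lacks it `[[:space:]]` is the portable spelling; and the Sample 4 default value `\s*-\s*` matches a minus sign anywhere on the line, so on hosts whose sulog writes the user pair as `alice-root` the control also passes on lines recording successful switches. Anchoring the pattern on the position of the +/- field tightens it.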

Sample 5 - File Content Check (Agent Only)

This sample is for the Unix File Content Check (Agent Only) control. This control type is supported by Cloud Agents only, meaning this control will only be evaluated using agent scan data.

The settings in the Scan Parameters section instruct the agent scan to return all files that contain the word "Qualys". The search starts at the /root directory and goes 3 levels deep within the directory. The search stops when the time limit of 300 seconds or the match limit of 50 files is reached, whichever comes first.

The settings in the Control Technologies section instruct the agent scan to pass the control if at least one string returned contains "Qualys". If no lines contain "Qualys" then the control will fail.

| Section | Field | Enter the following |
|---|---|---|
| Scan Parameters | Base directory | /root |
| Scan Parameters | Maximum Depth | 3 |
| Scan Parameters | Regular Expression | `Qualys` |
| Scan Parameters | File Name Include | `*` |
| Scan Parameters | Directory Name Include | `*` |
| Scan Parameters | Time Limit | 300 seconds |
| Scan Parameters | Match Limit | 50 files |
| Scan Parameters | Data Type | String List |
| Control Technologies | Cardinality | contains |
| Control Technologies | Operator | string list |
| Control Technologies | Default Value | `Qualys` |
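The agent-only check differs from Samples 1 to 4 in that the scan walks a directory tree under limits rather than reading one file. The following Python model, an added example that is not Qualys agent code and not from this page, applies the Sample 5 settings to a constructed directory tree: a bounded `os.walk` with Maximum Depth, the file and directory name include globs, the time limit and the match limit (counted in files, as the page states), followed by the "contains" cardinality over the returned String List. Assumptions of mine: files directly in the base directory are level 0 and subdirectories up to level 3 are entered; each returned string is `path:matching line`, so the "contains Qualys" test holds whether the product returns paths or lines; all function names are hypothetical.

```python
import fnmatch
import os
import re
import tempfile
import time


def agent_file_content_check(base_dir, max_depth, pattern, file_include="*",
                             dir_include="*", time_limit_s=300, match_limit=50):
    """Model of the agent-side scan: walk base_dir, descending at most max_depth
    levels below it, and collect 'path:line' strings for every line matching
    pattern in files whose names match file_include. Directories whose names do
    not match dir_include are not entered. Stops when match_limit files have
    matched or time_limit_s has elapsed, whichever comes first.
    Returns (strings, stop_reason)."""
    deadline = time.monotonic() + time_limit_s
    regex = re.compile(pattern)
    strings, matched_files = [], 0
    base = base_dir.rstrip(os.sep)
    base_depth = base.count(os.sep)
    for root, dirs, files in os.walk(base):
        level = root.rstrip(os.sep).count(os.sep) - base_depth  # base itself is level 0
        # Prune in place: only enter subdirectories within the depth limit and the name glob.
        dirs[:] = sorted(d for d in dirs
                         if level < max_depth and fnmatch.fnmatch(d, dir_include))
        for name in sorted(files):
            if time.monotonic() > deadline:
                return strings, "time limit"
            if not fnmatch.fnmatch(name, file_include):
                continue
            path = os.path.join(root, name)
            hit = False
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    if regex.search(line):
                        strings.append(f"{path}:{line.rstrip()}")
                        hit = True
            if hit:
                matched_files += 1
                if matched_files >= match_limit:
                    return strings, "match limit"
    return strings, "completed"


def contains_check(strings, default_value):
    """Control Technologies stage for Sample 5: operator 'string list',
    cardinality 'contains'. PASS when at least one returned string contains
    the default value."""
    return any(default_value in s for s in strings)


def build_demo_tree():
    """Create a constructed directory tree (not real host data) under a temp dir.
    Files at levels 0 and 3 contain the word 'Qualys'; a file at level 4 also
    contains it but lies beyond Maximum Depth 3 and must be ignored."""
    base = tempfile.mkdtemp(prefix="udc-demo-")
    layout = {
        "notes.txt": "Qualys Cloud Agent installed on this host\n",
        "other.log": "nothing of interest here\n",
        "a/b/c/deep.txt": "level 3: Qualys\n",
        "a/b/c/d/toodeep.txt": "level 4: Qualys\n",
    }
    for rel, text in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


def run_sample5(base_dir, match_limit=50):
    """Apply the Sample 5 settings to base_dir: regex 'Qualys', depth 3, include
    globs '*', 300 seconds, and the given match limit.
    Returns (strings, stop_reason, passed)."""
    strings, reason = agent_file_content_check(base_dir, 3, "Qualys", "*", "*",
                                               300, match_limit)
    return strings, reason, contains_check(strings, "Qualys")


if __name__ == "__main__":
    demo = build_demo_tree()
    found, why, ok = run_sample5(demo)
    for s in found:
        print(s)
    print("stopped:", why, "| control", "PASS" if ok else "FAIL")
```

On the constructed tree the walk returns two strings (the level 0 and level 3 files), stops with "completed", and the control passes; the level 4 file is never opened because the directory `d` is pruned before descent. Lowering the match limit to 1 returns only the first matching file and reports "match limit", which is the behaviour to keep in mind when reading results from a large base directory: a limit that is hit means the list is a sample, not an inventory.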