AUDIT_EXCHANGE

This policy item runs Exchange cmdlets on the target Exchange server and returns the results. Results are evaluated by string or regular expression matching against the PowerShell output, similar to AUDIT_POWERSHELL.

Usage

    <custom_item>
    type: AUDIT_EXCHANGE
    description: ["description"]
    value_type: POLICY_TEXT
    value_data: ["banner content"]
    powershell_args: ["exchange powershell cmdlets"]
    (optional) powershell_option: [CAN_BE_NULL]
    (optional) secure_string: ["encrypted secure string"]
    (optional) check_type: [CHECK_EQUAL|CHECK_REGEX|...]
    (optional) only_show_cmd_output: [YES|NO]
    </custom_item>

The following are descriptions of the keywords:

  • value_type: The value is POLICY_TEXT. If you use POLICY_MULTI_TEXT, the evaluation will work, but NULL will appear as the Remote value.

  • value_data: The content of the expected PowerShell output.

  • powershell_args: The value is the Exchange cmdlet with additional PowerShell formatting options. The output of this command will be returned, and should resemble what would be returned from the Exchange shell.

  • powershell_option: The value is CAN_BE_NULL, which allows the check to pass if there is no data returned from PowerShell.

  • secure_string: You can use this field to specify a secure string to run with the check. To create a secure string for this field, run the following commands as the scanning user on the target being scanned, and copy the output into the secure_string field:

    $secstr = 'clear text password' | ConvertTo-SecureString -AsPlainText -Force;

    $secstr | ConvertFrom-SecureString;

  • check_type: This field changes how the string is evaluated. By default, the evaluation checks that the output exactly matches the contents of value_data. You can change the evaluation with CHECK_NOT_EQUAL, CHECK_REGEX, or CHECK_NOT_REGEX.

  • only_show_cmd_output: If you set this field to YES, the check result will be INFO/LOW and will report the value that was returned from PowerShell. If you set this field to NO, the evaluation will be defined by other fields in the check.

Note: The comparison that the check performs is not case sensitive.

Example

    <custom_item>
    type: AUDIT_EXCHANGE
    description: "Exchange - Check Type Example"
    value_type: POLICY_TEXT
    value_data: ".*"
    powershell_args: "get-exchangeserver | fl -Property ExchangeVersion"
    secure_string: "bad_value"
    check_type: CHECK_REGEX
    </custom_item>
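
The following Python example is an addition to this page, not the product's own code: it models the evaluation rules described above so that a value_data expression can be tried against captured cmdlet output before it goes into an audit file, and it shows that the ".*" pattern from the example passes any non-empty output. The function name, the PASSED/FAILED/INFO labels, the sample outputs, the stricter pattern, whitespace trimming, unanchored regex search, and failure on empty output without CAN_BE_NULL are assumptions.

```python
import re

# Hypothetical helper modelling the evaluation rules described above.
# Result labels PASSED/FAILED/INFO are this example's own names.
def evaluate_check(output, value_data, check_type="CHECK_EQUAL",
                   powershell_option=None, only_show_cmd_output="NO"):
    text = output.strip()  # assumption: surrounding blank lines are ignored
    if only_show_cmd_output == "YES":
        return "INFO"  # the output is reported, not judged
    if not text:
        # Documented: CAN_BE_NULL lets empty output pass.
        # Assumption: without it, empty output fails the check.
        return "PASSED" if powershell_option == "CAN_BE_NULL" else "FAILED"
    if check_type in ("CHECK_EQUAL", "CHECK_NOT_EQUAL"):
        hit = text.lower() == value_data.lower()  # not case sensitive
    elif check_type in ("CHECK_REGEX", "CHECK_NOT_REGEX"):
        # Assumption: unanchored search; Python's re stands in for the
        # scanner's regex engine.
        hit = re.search(value_data, text, re.IGNORECASE) is not None
    else:
        raise ValueError(f"unsupported check_type: {check_type}")
    if check_type.startswith("CHECK_NOT_"):
        hit = not hit
    return "PASSED" if hit else "FAILED"

# Constructed output for "get-exchangeserver | fl -Property ExchangeVersion".
SAMPLE = "\r\nExchangeVersion : 0.1 (8.0.535.0)\r\n\r\n"
# Constructed output that does not contain the expected property.
UNEXPECTED = "WARNING: no servers were found"
# Hypothetical stricter value_data for the same cmdlet.
STRICT = r"^ExchangeVersion\s*:\s*\d+\.\d+\s*\(\d+(\.\d+){3}\)$"

def demo():
    return {
        "page_regex": evaluate_check(SAMPLE, ".*", "CHECK_REGEX"),
        "page_regex_unexpected": evaluate_check(UNEXPECTED, ".*", "CHECK_REGEX"),
        "strict": evaluate_check(SAMPLE, STRICT, "CHECK_REGEX"),
        "strict_unexpected": evaluate_check(UNEXPECTED, STRICT, "CHECK_REGEX"),
        "equal_lowercase": evaluate_check(SAMPLE, "exchangeversion : 0.1 (8.0.535.0)"),
        "not_regex": evaluate_check(SAMPLE, r"\(6\.", "CHECK_NOT_REGEX"),
        "empty": evaluate_check("\r\n", STRICT, "CHECK_REGEX"),
        "empty_can_be_null": evaluate_check("\r\n", STRICT, "CHECK_REGEX", "CAN_BE_NULL"),
        "show_only": evaluate_check(SAMPLE, "x", only_show_cmd_output="YES"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```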