The custom_item check, using expect, analyzes the configuration for regular expressions to identify whether a configuration is set.
The not_expect gives the opposite result as expect, and analyzes the configuration to identify whether a regular expression is not present, which indicates the configuration is not set or set incorrectly.
description : ["description"]
expect/not_expect : ["regular expression of text that needs to be found"]
(optional) context : ["regular expression to filter contexts"]
(optional) regex : ["regular expression to reduce config options"]
(optional) cmd : ["a command to run against the target. Only 'display' commands are supported."]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
(optional) min_occurrences : ["numerical value"]
(optional) max_occurrences : ["numerical value"]
|expect and not_expect||
The custom_item evaluation is based on expect or not_expect.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
Note: Expect and not_expect are mutually exclusive. You may only use one of the two keywords per check.
description : "Verify tlsv1.1"
not_expect : "protocol tlsv1.1"
(Optional) The context item is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down the searchable configuration.
Contexts are evaluated independently and if one context fails, the entire check evaluation fails.
A context is defined as code formatted like the following:
line item 1
line item 2
line item 1
line item 2
context and expect example:
<custom_item> description : "Ensure a dns server is set"
context : "dns-forwarding ;mode"
expect : "add server 192.168.1.1"
|regex||(Optional) regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order of that they are listed in the check.|
The cmd is a command that should be run on the target. Only show commands are supported. Any cmd entry in an audit that is run as an offline scan will be skipped.
<custom_item> type : CMD_EXEC description : "Ensure 'client limits enabled' is true" cmd : "show attack-detection configuration" regex : "client limits enabled"
expect : "client limits enabled:[\s]*true"
|match_all||(Optional) Setting match_all to "YES" requires the expectation to match all lines of text, and not just a single line of text. If match_all is set to the default of "NO", only one line must match for the check to pass.|
|match_case||(Optional) Setting match_case to "YES" makes the comparison case-sensitive. If match_case is set to the default of "NO", the comparison is case-insensitive.|
(Optional) The min_occurrences keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. This is useful in cases where a minimum number of servers (NTP, DNS, etc.) should be present.
<custom_item> description : "Verify three 'attribute' entries are present"
expect : "attribute (early-intercept|detect-protocol) enable" min_occurrences : "3"
(Optional) The max_occurrences keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit. This is useful in cases when checking items such as a single local account should exist (account of last resort).
Example: max_occurrences: "1"