The "check_type" Field
This check type is different from the check_type field described in the Windows Configuration topic, which appears at the beginning of each audit file to denote the generic audit type (Windows, FileContent, Unix, Database, Cisco). It is optional and can be applied to Windows value_data values to determine the type of check to be performed. The following settings are available:
- CHECK_EQUAL: compares the remote value against the policy value (default if check_type is missing)
- CHECK_EQUAL_ANY: checks that each element of value_data is present at least once in the system list
- CHECK_NOT_EQUAL: checks that the remote value is different from the policy value
- CHECK_NOT_REGEX: checks that the remote value does not match the regex in the policy value (only works with POLICY_TEXT and POLICY_MULTI_TEXT)
- CHECK_GREATER_THAN: checks that the remote value is greater than the policy value
- CHECK_GREATER_THAN_OR_EQUAL: checks that the remote value is greater than or equal to the policy value
- CHECK_LESS_THAN: checks that the remote value is less than the policy value
- CHECK_LESS_THAN_OR_EQUAL: checks that the remote value is less than or equal to the policy value
- CHECK_REGEX: checks that the remote value matches the regex in the policy value (only works with POLICY_TEXT and POLICY_MULTI_TEXT)
- CHECK_SUBSET: checks that the remote ACL is a subset of the policy ACL (only works with ACLs)
- CHECK_SUPERSET: checks that the remote ACL is a superset of the policy ACL (only works with deny rights ACLs)
The following example audit checks that the account name "Guest" is not in use for any Guest account.
<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Rename guest account"
value_type: POLICY_TEXT
value_data: "Guest"
account_type: GUEST_ACCOUNT
check_type: CHECK_NOT_EQUAL
</custom_item>
If any other value besides "Guest" is present, the test will pass. If "Guest" is found, the audit will fail.
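To dry-run an item's pass/fail logic before a scan, the added Python example below (not Tenable's code) parses a custom_item block and evaluates its check_type against a candidate remote value, using the semantics listed above. The names parse_items, evaluate and demo are hypothetical, the account name svc_visitor is constructed, and the matching details (case-sensitive comparison, unanchored regex search) are assumptions; CHECK_EQUAL_ANY and the ACL checks are not modelled.

```python
import re

# Constructed sample: the Guest-account item from this page, embedded inline.
AUDIT = '''<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Rename guest account"
value_type: POLICY_TEXT
value_data: "Guest"
account_type: GUEST_ACCOUNT
check_type: CHECK_NOT_EQUAL
</custom_item>'''

def parse_items(text):
    """Return one {field: value} dict per <custom_item> block."""
    items = []
    for body in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        item = {}
        for line in body.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            item[key.strip()] = value.strip().strip('"')
        items.append(item)
    return items

# Assumed matching details (not stated on the page): case-sensitive string
# comparison, integer ordering, and unanchored re.search for the regex checks.
CHECKS = {
    "CHECK_EQUAL": lambda r, p: r == p,
    "CHECK_NOT_EQUAL": lambda r, p: r != p,
    "CHECK_GREATER_THAN": lambda r, p: int(r) > int(p),
    "CHECK_GREATER_THAN_OR_EQUAL": lambda r, p: int(r) >= int(p),
    "CHECK_LESS_THAN": lambda r, p: int(r) < int(p),
    "CHECK_LESS_THAN_OR_EQUAL": lambda r, p: int(r) <= int(p),
    "CHECK_REGEX": lambda r, p: re.search(p, r) is not None,
    "CHECK_NOT_REGEX": lambda r, p: re.search(p, r) is None,
}
TEXT_ONLY = {"CHECK_REGEX", "CHECK_NOT_REGEX"}
TEXT_TYPES = ("POLICY_TEXT", "POLICY_MULTI_TEXT")

def evaluate(item, remote):
    """True = audit passes, False = audit fails, for one remote value."""
    check = item.get("check_type", "CHECK_EQUAL")  # default when the field is missing
    if check not in CHECKS:
        raise ValueError(f"{check} is not modelled in this example")
    if check in TEXT_ONLY and item.get("value_type") not in TEXT_TYPES:
        raise ValueError(f"{check} only works with POLICY_TEXT and POLICY_MULTI_TEXT")
    return CHECKS[check](remote, item["value_data"])

def demo():
    item = parse_items(AUDIT)[0]
    return {name: evaluate(item, name) for name in ("Guest", "svc_visitor")}
```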