FILE_CONTENT_CHECK

Note: This check requires Remote Registry access to the remote Windows system in order to function properly.

This policy item checks that the file contains an item matching the regular expression given in regex, and that the matched item in turn matches the regular expression given in expect.

The check is performed by calling the function ReadFile on the file handle.

Note: The file is read over SMB into a memory buffer on the Nessus server, and then the buffer is processed to check for compliance/non-compliance. Files are not saved on the disk of the Nessus server, they are only copied to a memory buffer for analysis.

Usage

<custom_item>
type: FILE_CONTENT_CHECK
description: ["description"]
value_type: [value_type]
value_data: ["filename"]
(optional) check_type: [value]
regex: ["regex"]
expect: ["regex"]
(optional) file_option: [file_option]
(optional) avoid_floppy_access
</custom_item>

The only allowed value_type is POLICY_TEXT, with the following fields:

value_type: POLICY_TEXT
value_data: "PATH\Filename"
regex: "regex"
expect: "regex"

The following predefined paths can be used in the file/folder name:

  • %allusersprofile%
  • %windir%
  • %systemroot%
  • %commonfiles%
  • %programfiles%
  • %systemdrive%

When using this audit type, please note the following:

  • The value_data field must include the full path to the file or folder name (e.g., C:\WINDOWS\SYSTEM32) or make use of the above path keywords. If using path keywords, the Remote Registry service must be enabled so that Nessus can determine the values of the path variables.
  • The regex field is the regular expression that must match an item in the file; if nothing in the file matches it, the check fails.
  • The expect field is a second regular expression that the item matched by regex must also satisfy.
  • The file_option field can be set to CAN_BE_NULL to force a success if the file does not exist.
  • The file_option field can be set to CAN_NOT_BE_NULL to force an error if the file exists but is empty.
  • The avoid_floppy_access field can be set to direct the audit not to perform a check that would result in accessing the floppy drive. This should be used if an audit is causing the floppy drive to be accessed when there is no disk in the drive.

Example

<custom_item>
avoid_floppy_access
type: FILE_CONTENT_CHECK
description: "File content for C:\WINDOWS\win.ini"
value_type: POLICY_TEXT
value_data: "C:\WINDOWS\win.ini"
regex: "aif=.*"
expect: "aif=MPEGVideo"
</custom_item>
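The following is an added example, not code from Tenable or from this page: a small Python emulation of how a FILE_CONTENT_CHECK item is evaluated, useful for testing regex/expect pairs against a sample file before putting them in an audit. It reads the file into a memory buffer, expands the path keywords, applies regex to find an item, applies expect to the matched item, and honours CAN_BE_NULL and CAN_NOT_BE_NULL. The path keyword values, the sample win.ini content, and the rule that a missing file without CAN_BE_NULL yields FAILED (rather than an error) are assumptions made for the example; the real scanner resolves the keywords from the remote registry and may report a missing file differently.

```python
import os
import re
import tempfile

# Constructed sample of a win.ini [mci extensions] section (not copied from a real host).
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
aif=MPEGVideo
aifc=MPEGVideo
m3u=MPEGVideo
"""

# Assumed keyword values; the scanner would obtain these from the remote registry.
PATH_KEYWORDS = {
    "%windir%": r"C:\WINDOWS",
    "%systemroot%": r"C:\WINDOWS",
    "%systemdrive%": "C:",
    "%programfiles%": r"C:\Program Files",
    "%commonfiles%": r"C:\Program Files\Common Files",
    "%allusersprofile%": r"C:\ProgramData",
}


def expand_path(value_data, keywords=PATH_KEYWORDS):
    """Replace the predefined path keywords in value_data (case-insensitively)."""
    out = value_data
    for key, val in keywords.items():
        # A function replacement avoids backslash interpretation in the value.
        out = re.sub(re.escape(key), lambda _m, v=val: v, out, flags=re.IGNORECASE)
    return out


def read_into_buffer(path):
    """Copy the file into memory; None means the file does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def file_content_check(content, regex, expect, file_option=None):
    """Evaluate regex/expect over the buffered content.

    Returns "PASSED", "FAILED" or "ERROR". regex is searched line by line;
    the text it matches is the "item", and expect must match that item.
    Passing when any matched item satisfies expect is an assumption.
    """
    if content is None:
        # Assumption: a missing file is FAILED unless CAN_BE_NULL is set.
        return "PASSED" if file_option == "CAN_BE_NULL" else "FAILED"
    if content == "" and file_option == "CAN_NOT_BE_NULL":
        return "ERROR"
    item_re = re.compile(regex)
    expect_re = re.compile(expect)
    for line in content.splitlines():
        match = item_re.search(line)
        if match and expect_re.search(match.group(0)):
            return "PASSED"
    return "FAILED"


def run_check(item, keywords=PATH_KEYWORDS):
    """Evaluate a dict shaped like the custom_item fields on the page."""
    path = expand_path(item["value_data"], keywords)
    return file_content_check(
        read_into_buffer(path), item["regex"], item["expect"], item.get("file_option")
    )


def demo():
    """Write the constructed win.ini to a temp dir and run the page's example against it."""
    with tempfile.TemporaryDirectory() as tmp:
        win_ini = os.path.join(tmp, "win.ini")
        with open(win_ini, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WIN_INI)
        # Hypothetical keyword mapping pointing %windir% at the temp dir for the demo.
        keywords = {"%windir%": tmp}
        item = {
            "value_data": "%windir%/win.ini",
            "regex": r"aif=.*",
            "expect": "aif=MPEGVideo",
        }
        return run_check(item, keywords)


if __name__ == "__main__":
    print("example item:", demo())
    print("wrong expect:", file_content_check(SAMPLE_WIN_INI, r"aif=.*", "aif=WMPlayer"))
    print("missing file, CAN_BE_NULL:", file_content_check(None, "x", "x", "CAN_BE_NULL"))
```

Note that regex "aif=.*" matches only the "aif=" line and not "aifc=MPEGVideo", so a loose regex that also matched neighbouring keys would make the expect result depend on which item is examined; anchoring the regex (for example "^aif=.*") keeps the check unambiguous.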