FILE_CONTENT_CHECK_NOT
This policy item checks if the file contains the regular expression regex and that this expression does not match expect. The check is performed by calling the function ReadFile on the file handle.
Note: This check requires remote registry access for the remote Windows system to function properly.
Usage
<custom_item>
type: FILE_CONTENT_CHECK_NOT
description: ["description"]
value_type: [value_type]
value_data: ["filename"]
(optional) check_type: [value]
regex: ["regex"]
expect: ["regex"]
(optional) file_option: [file_option]
</custom_item>
The allowed type is:
value_type: POLICY_TEXT
value_data: "PATH\Filename"
regex: "regex"
expect: "regex"
The following predefined paths can be used in the file/folder name:
%allusersprofile%
%windir%
%systemroot%
%commonfiles%
%programfiles%
%systemdrive%
When using this audit type, please note the following:
- The value_data field must include the full path to the file or folder name (e.g., C:\WINDOWS\SYSTEM32) or make use of the above path keywords. If using path keywords, the remote registry must be enabled to allow Nessus to determine the path variable values.
- The regex field checks that an item is present in the file.
- The expect field checks that the item matches the regular expression.
- The file_option field can be set to CAN_BE_NULL to force a success if the file does not exist.
- The file_option field can be set to CAN_NOT_BE_NULL to force an error if the file exists and is empty.
Example
<custom_item>
type: FILE_CONTENT_CHECK_NOT
description: "File content for C:\WINDOWS\win.ini"
value_type: POLICY_TEXT
value_data: "C:\WINDOWS\win.ini"
regex: "au=.*"
expect: "au=MPEGVideo2"
file_option: CAN_NOT_BE_NULL
</custom_item>
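The evaluation described on this page, modelled in Python as an added example (not Tenable's code), run against the regex and expect values from the example above. Assumptions: matching is done line by line, Python's re module stands in for the Nessus regex engine, a missing file without CAN_BE_NULL fails, and the PASSED/FAILED/ERROR strings are this model's own labels; the win.ini contents are constructed.

```python
import re
from typing import Optional


def file_content_check_not(content: Optional[str], regex: str, expect: str,
                           file_option: Optional[str] = None) -> str:
    """Model of FILE_CONTENT_CHECK_NOT; returns "PASSED", "FAILED" or "ERROR".

    content is the file text, "" for an empty file, None for a missing file.
    """
    if content is None:
        # CAN_BE_NULL forces a success when the file does not exist.
        # Assumption: without it, a missing file is reported as a failure.
        return "PASSED" if file_option == "CAN_BE_NULL" else "FAILED"
    if content == "" and file_option == "CAN_NOT_BE_NULL":
        # CAN_NOT_BE_NULL forces an error when the file exists but is empty.
        return "ERROR"
    # Assumption: the file is examined line by line.
    selected = [ln for ln in content.splitlines() if re.search(regex, ln)]
    if not selected:
        # The item selected by regex must be present in the file.
        return "FAILED"
    # Assumption: one selected line matching expect is enough to fail.
    if any(re.search(expect, ln) for ln in selected):
        return "FAILED"
    return "PASSED"


# Values taken from the example item on this page.
REGEX = "au=.*"
EXPECT = "au=MPEGVideo2"

# Constructed win.ini contents for the three interesting cases.
COMPLIANT = "[mci extensions]\nau=MPEGVideo\nwav=MPEGVideo\n"   # item present, value differs
VIOLATING = "[mci extensions]\nau=MPEGVideo2\n"                 # item present, value matches expect
NO_ITEM = "[mci extensions]\nwav=MPEGVideo\n"                   # regex selects nothing

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("violating", VIOLATING),
                       ("no item", NO_ITEM), ("empty", ""), ("missing", None)):
        print(name, file_content_check_not(text, REGEX, EXPECT, "CAN_NOT_BE_NULL"))
```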