Generic SSH Checks

The following sections describe the checks you can add to a single audit file.

CMD_EXEC

The CMD_EXEC check runs a command on the target and analyzes its output with regular expressions to determine whether the output matches what the check expects.

If CMD_EXEC is used in an offline scan, a warning states that the command cannot run in offline mode.

Usage

<custom_item>
   type : CMD_EXEC
   description : ["description"]
   cmd : ["command to run"]
   (optional) regex : ["regular expression to reduce config options"]
   expect : ["regular expression that passes if found"]
   not_expect : ["regular expression that passes if not found"]
   (optional) match_all : [YES|NO]
   (optional) match_case : [YES|NO]
</custom_item>

Keywords

cmd

The cmd is the command that is run on the target; its output is the text the rest of the check evaluates.

regex

(Optional) The regex filters the full command output, or each of the context configurations, to a smaller set of lines that match the regular expression. Multiple regex values can be used to narrow the searchable output further; they are applied in the order in which they are listed in the check.

expect or not_expect

The evaluation is based on expect or not_expect. Use only one of these fields in a check.

  • For expect, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
  • For not_expect, if the regular expression matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.

To require that every line matches, or to make matching case-sensitive, use the modifiers match_all or match_case.

match_all

(Optional) Set match_all to YES to require all lines of text to match the expectation, not just a single line. If you leave match_all at the default of NO, only one line must match for the check to pass.

match_case

(Optional) Set match_case to YES to make the comparison case-sensitive. Leave match_case at the default of NO to make the comparison case-insensitive.

Example

<custom_item>
   type : CMD_EXEC
   description : "Ensure 'TLS 1.0' is set for HTTPS access"
   cmd : "show running-config all"
   regex : "ssl cipher tlsv1 custom"
   expect : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""
</custom_item>

KB_VALUE

The KB_VALUE check fetches data from the Knowledgebase (KB) and analyzes it with regular expressions to determine whether the data stored under the given path matches the expected output. Nessus creates a KB for each target during a scan; the KB records information that plugins share with one another.

Usage

<custom_item>
   type : KB_VALUE
   description : ["description"]
   kb_path : ["kb path to check"]
   (optional) regex : ["regular expression to reduce options"]
   expect : ["regular expression that passes if found"]
   (optional) kb_path_required : [YES|NO]
   (optional) match_all : [YES|NO]
   (optional) match_case : [YES|NO]
</custom_item>

Keywords

kb_path

The kb_path is the path to the KB value or values to be evaluated.

regex

(Optional) The regex filters the full set of KB values, or each of the context configurations, to a smaller set of lines that match the regular expression. Multiple regex values can be used to narrow the searchable data further; they are applied in the order in which they are listed in the check.

expect

For expect, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.

To require that every line matches, or to make matching case-sensitive, use the modifiers match_all or match_case.

kb_path_required

(Optional) Set kb_path_required to specify whether the audited kb_path must be present. If this option is not set, the path is assumed to be required.

match_all

(Optional) Set match_all to YES to require all lines of text to match the expectation, not just a single line. If you leave match_all at the default of NO, only one line must match for the check to pass.

match_case

(Optional) Set match_case to YES to make the comparison case-sensitive. Leave match_case at the default of NO to make the comparison case-insensitive.

Example

<custom_item>
   type : KB_VALUE
   description : "Check port"
   kb_path : "public/port*"
   regex : "[0-9]+"
   expect : "443"
</custom_item>
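The CMD_EXEC and KB_VALUE sections above share one evaluation model: optional regex filters narrow the candidate lines in order, then expect or not_expect decides the result, with match_all and match_case as modifiers. The following Python script is an added example that models that evaluation for both check types so the modifier behaviour can be exercised offline; it is not Nessus code and does not read real audit files. The command output, the KB contents and the "public/port/..." key layout are constructed for the example, and the result for an absent, non-required kb_path is an assumption (the page does not state it).

```python
import fnmatch
import re

# Constructed sample output for "show running-config all" (not a real
# device capture); the CMD_EXEC example on this page targets the tlsv1 line.
SAMPLE_CONFIG = """\
hostname edge-fw
ssl cipher tlsv1 custom "AES256-SHA"
ssl cipher tlsv1.1 custom "AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384"
interface GigabitEthernet0/0
"""

# Constructed Knowledgebase for one target (path -> recorded value). The
# key layout under "public/port" is an assumption chosen to fit the page's
# "public/port*" example.
SAMPLE_KB = {
    "public/port/443": "443",
    "public/port/22": "22",
    "Host/OS": "Linux",
}


def evaluate_lines(lines, regexes=(), expect=None, not_expect=None,
                   match_all=False, match_case=False):
    """Apply the page's evaluation rules to a list of text lines.

    regexes    : applied in order; each one narrows the candidate lines.
    expect     : PASSED if a line matches (every line when match_all).
    not_expect : FAILED if any line matches, PASSED otherwise.
    match_case : comparisons are case-insensitive unless set.
    """
    if (expect is None) == (not_expect is None):
        raise ValueError("use exactly one of expect or not_expect")
    flags = 0 if match_case else re.IGNORECASE
    for rx in regexes:
        lines = [ln for ln in lines if re.search(rx, ln, flags)]
    if not_expect is not None:
        # One matching line already fails, so match_all changes nothing here.
        matched = any(re.search(not_expect, ln, flags) for ln in lines)
        return "FAILED" if matched else "PASSED"
    hits = [bool(re.search(expect, ln, flags)) for ln in lines]
    if match_all:
        # "No matches" is a failure, so an empty line set does not pass.
        return "PASSED" if hits and all(hits) else "FAILED"
    return "PASSED" if any(hits) else "FAILED"


def cmd_exec(output, regexes=(), expect=None, not_expect=None,
             match_all=False, match_case=False, offline=False):
    """Model a CMD_EXEC check over captured command output."""
    if offline:
        # The page: in an offline scan a warning says the command cannot run.
        return "WARNING"
    return evaluate_lines(output.splitlines(), regexes, expect, not_expect,
                          match_all, match_case)


def kb_value(kb, kb_path, regexes=(), expect=None, kb_path_required=True,
             match_all=False, match_case=False):
    """Model a KB_VALUE check; kb_path may carry a shell-style wildcard."""
    values = [v for k, v in kb.items() if fnmatch.fnmatchcase(k, kb_path)]
    if not values:
        # Assumption: an absent path fails only when it is required (the
        # default); the page does not spell out the optional case.
        return "FAILED" if kb_path_required else "PASSED"
    return evaluate_lines(values, regexes, expect, None, match_all, match_case)


def run_page_examples():
    """Both examples from this page, plus the modifier edge cases."""
    tls_expect = r'ssl cipher tlsv1 custom "[Aa][Ee][Ss]256-[Ss][Hh][Aa]"'
    tls_filter = ["ssl cipher tlsv1 custom"]
    return {
        "tls_example": cmd_exec(SAMPLE_CONFIG, tls_filter, expect=tls_expect),
        "tls_offline": cmd_exec(SAMPLE_CONFIG, tls_filter, expect=tls_expect, offline=True),
        # Three tlsv1* lines survive the filter; only two carry AES256.
        "aes256_any": cmd_exec(SAMPLE_CONFIG, ["ssl cipher tlsv1"], expect="AES256"),
        "aes256_all": cmd_exec(SAMPLE_CONFIG, ["ssl cipher tlsv1"], expect="AES256", match_all=True),
        # Lower-case pattern against an upper-case cipher name.
        "case_insensitive": cmd_exec(SAMPLE_CONFIG, expect="aes256-sha"),
        "case_sensitive": cmd_exec(SAMPLE_CONFIG, expect="aes256-sha", match_case=True),
        "no_tlsv1": cmd_exec(SAMPLE_CONFIG, not_expect="ssl cipher tlsv1 custom"),
        "no_sslv3": cmd_exec(SAMPLE_CONFIG, not_expect="ssl cipher sslv3"),
        "port_example": kb_value(SAMPLE_KB, "public/port*", ["[0-9]+"], expect="443"),
        "port_all": kb_value(SAMPLE_KB, "public/port*", ["[0-9]+"], expect="443", match_all=True),
        "missing_required": kb_value(SAMPLE_KB, "public/proxy*", expect="8080"),
        "missing_optional": kb_value(SAMPLE_KB, "public/proxy*", expect="8080", kb_path_required=False),
    }


if __name__ == "__main__":
    for name, result in run_page_examples().items():
        print(f"{name:18} {result}")
```

Running the script shows why the modifiers matter when writing a check: the page's TLS example passes because the regex filter leaves only the tlsv1 line, whereas a looser filter with match_all set fails as soon as one surviving line (here the AES128 cipher) misses the expectation, and a lower-case expect only passes while match_case is left at its default.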