Item Format

Usage

<item>

type: FILE_CONTENT_CHECK

description: ["value data"]

file_extension: ["value data"]

(optional) regex: ["value data"]

(optional) expect: ["value data"]

(optional) file_name: ["value data"]

(optional) max_size: ["value data"]

(optional) only_show: ["value data"]

(optional) regex_replace: ["value data"]

</item>

Each of these items is used to audit a wide variety of file formats, with a wide variety of data types. The following table provides a list of supported data types. In the next section are numerous examples of how these keywords can be used together to audit various types of file content.

Keyword

Description

type

This must always be set to FILE_CONTENT_CHECK

description

This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and no distinct checks have the same description field. Tenable uses this field to automatically generate a unique plugin ID number based on the description field.

file_extension

This lists all desired extensions to be searched for by Nessus. The extensions are listed without their “.”, in quotations and separated by pipes. When additional options such as regex and expect are not included in the audit, files with the file_extension specified are displayed in the audit output.

regex

This keyword holds the regular expression used to search for complex types of data. If the regular expression matches, the first matched content will be displayed in the vulnerability report.

Note: The regex keyword must be run with the expect keyword described below.

Note: Unlike Windows Compliance Checks, Windows File Content Compliance Check regex and expect do not have to match the same data string(s) within the searched file. Windows File Content checks simply require that both the regex and expect statements match data within the <max_size> bytes of the file searched.

expect

The expect statement is used to list one or more simple patterns that must be in the document in order for it to match. For example, when searching for Social Security numbers, the word “SSN”, “SS#”, or “Social” could be required.

Multiple patterns are listed in quotes and separated with pipe characters.

Simple pattern matching is also supported in this keyword with the period. When matching the string “C.T”, the expect statement would match “CAT”, “CaT”, “COT”, “C T” and so on.

Note: The expect keyword may be run standalone for single pattern matching, however, if the regex keyword is used, expect is required.

Note: Unlike Windows Compliance Checks, Windows File Content Compliance Check regex and expect do not have to match the same data string(s) within the searched file. Windows File Content checks simply require that both the regex and expect statements match data within the <max_size> bytes of the file searched.

file_name

Whereas the file_extension keyword is required, this keyword can further refine the list of files to be analyzed. By providing a list of patterns, files can be discarded or matched.

For example, this makes it very easy to search for any type of file name that has terms in its name such as “employee”, “customer” or “salary”.

max_size

For performance, an audit may only want to look at the first part of each file. This can be specified in bytes with this keyword. The number of bytes can be used as an argument. Also supported is an extension of “K” or “M” for kilobytes or megabytes respectively. Only values up to 5M will be honored and any files found over 5M will be skipped in the resulting scan.

only_show

This keyword supports revealing a specific number of characters specified by policy. When matching sensitive data such as credit card numbers, your organization may require that only a limited number of digits be made visible in the report. The default is 4 or half of the matched string, whichever is smaller. For example, if a matched string is 10 characters long and only_show is set to 4, only the last 4 characters are shown. If the matched string is 6 characters long, only 3 characters will be shown.

Note: When you match against US Social Security numbers (SSNs), the specified number of digits are revealed in front of the string (for example, 123-XX-XXXX).

regex_replace

This keyword controls which pattern in the regular expression is shown in the report. When searching for complex data patterns, such as credit card numbers, it is not always possible to get the first match to be the desired data. This keyword provides more flexibility to capture the desired data with greater accuracy.

include_paths

This keyword allows for directory or drive inclusion within the search results. This keyword may be used in conjunction with, or independently of the “exclude_paths” keyword. This is particularly helpful for cases where only certain drives or folders must be searched on a multi-drive system.

Paths are double-quoted and separated by the pipe symbol where multiple paths are required. You can only specify the top-level directory of a drive (for example, E:\<top-level directory>). Using more than one directory level (for example, E:\<top-level directory>\<directory>) returns an error.

Note: Only drive letters or folder names can be specified with the “include_paths” keyword. File names cannot be included in the “include_paths” value string.

exclude_paths

This keyword allows for drive, directory or file exclusion from search results. This keyword may be used either in conjunction with, or independently of the “include_paths” keyword. This is particularly helpful in cases where a particular drive, directory or file must be excluded from search results. Paths are double-quoted and separated by the pipe symbol where multiple paths are required.

see_also

This keyword allows to include links to a reference.

Example:

see_also: "https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf"

solution

This keyword provides a way to include “Solution” text if available.

Example:

solution : "Remove this file if it is not required"

reference

This keyword provides a way to include cross-references in the .audit. The format is “ref|ref-id1,ref|ref-id2”.

Example:

reference : "CAT|CAT II,800-53|IA-5,8500.2|IAIA-1,8500.2|IAIA-2,8500.2|IATS-1,8500.2|IATS-2"