Juniper SHOW_CONFIG_CHECK Keywords

The following table indicates how each keyword in the Junos compliance checks can be used. Note that the compliance of a check can be determined by comparing the output of the check to either “expect”, “not_expect”, or “number_of_lines” tag. There cannot be more than one compliance testing tags (i.e., either “expect”, “not_expect”, or “number_of_lines” can exist but not “expect” and “not_expect”).

Keyword	Example Use and Supported Settings
hierarchy	This keyword allows users to navigate to a specific hierarchy in the Junos configuration. Example: hierarchy: "interfaces" Internally the hierarchy keyword gets appended to the “show configuration” command in a SHOW_CONFIG_CHECK. For example: <custom_item> type: SHOW_CONFIG_CHECK description: "3.6 Forbid Multiple Loopback Addresses" hierarchy: "interfaces" </custom_item> The check above is the equivalent of running: show configuration interfaces
property	This keyword allows users to audit a specific `“property”` on the Junos device. By default the SHOW_CONFIG_CHECK audits the “show configuration” command followed by one or more keywords such as `match`, `except`, and `find`. In the case where `“property”` keyword is set, it audits the specific property. Example: property: "ospf" <custom_item> type: SHOW_CONFIG_CHECK description: "4.3.1 Require MD5 Neighbor Authentication (where OSPF is used)" info: "Level 2, Scorable" property: "ospf" hierarchy: "interface detail" match: "Auth type MD5" </custom_item> The check above is the equivalent of running: show ospf interface detail Note that the above example did not run “show configuration”, as was the case in other examples.
find	This keyword finds the appropriate config hierarchy in a SHOW_CONFIG_CHECK `.audit` check. find: "chap" The find keyword gets appended to the “show configuration” request. <custom_item> type: SHOW_CONFIG_CHECK description: "3.8.2 Require CHAP Authentication if Incoming Map is Used" hierarchy: "interfaces" find: "chap" match: "access-profile" </custom_item> The check above is the equivalent of running: show configuration interfaces \| find "chap" \| match "access-profile"
match	This keyword looks for matching lines in a SHOW_CONFIG_CHECK .audit check. match: "multihop" The `match` keyword gets appended to the “show configuration” request. <custom_item> type: SHOW_CONFIG_CHECK description: "3.6 Forbid Multiple Loopback Addresses" hierarchy: "interfaces" match: "lo[0-9]" </custom_item> The check above is the equivalent of running: show configuration interfaces \| match "lo[0-9]"
except	This keyword excludes certain lines from the config in a SHOW_CONFIG_CHECK .audit check. except: "multihop" The `except` keyword gets appended to the “show configuration” request. <custom_item> type: SHOW_CONFIG_CHECK description: "6.8.1 Require External Time Sources" hierarchy: "system ntp" match: "server" except: "boot-server" </custom_item> The check above is the equivalent of running: show configuration system ntp \| match "server" \| except "boot-server"
expect	This keyword allows auditing the config item matched by the `“regex”` tag or if the `“regex”` tag is not used it looks for the `“expect”` string in the entire config. The check passes as long as the config line found by `“regex”` matches the `“expect”` tag or in the case where `“regex”` is not set, it passes if the `“expect”` string is found in the config. regex: "syslog host [0-9\.]+" expect: "syslog host 1.2.4.5" In the above case, the `“expect”` tag ensures that the complexity is set to a value between 1 and 4. expect: "syslog host" In the case above, the `“expect”` tag ensures that the complexity is set to 4.
not_expect	This keyword allows searching the configuration items that should not be in the configuration. It acts as the opposite of `“expect”`. The check passes as the config line found by `“regex”` does not match the `“not_expect”` tag or if the `“regex”` tag is not set, it passes as long as `“not_expect”` string is not found in the config. regex: "syslog host [0-9\.]+" not_expect: "syslog host 1.2.3.4" not_expect: "syslog host"
number_of_lines	This keyword allows testing for compliance of a .audit check based on the number of matching lines returned by the config. <custom_item> type: CONFIG_CHECK description: "Syslog" regex: "syslog host [0-9\.]+" number_of_lines: "^1$" </custom_item> In the above case the check will pass as long as only one line is returned that matches the `“regex”`.