Cisco IOS Keywords

The following table indicates how each keyword in the Cisco compliance checks can be used:

Keyword	Example Use and Supported Settings
type	CONFIG_CHECK, CONFIG_CHECK_NOT and RANDOMNESS_CHECK “CONFIG_CHECK” determines if the specified item exists in the CISCO IOS “show config” output. In the same manner, “CONFIG_CHECK_NOT” determines if the specified item does not exist. “RANDOMNESS_CHECK” is used to perform string complexity checks (e.g., password checks). If you specify an item to look for (via a regex), it will tell you if the string is “random” enough (at least eight characters long, with upper case, lower case, at least a digit and at least one special character). Note: The randomness parameters are currently not configurable.
description	This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the `description` field be unique and no distinct checks have the same description field. Tenable uses this field to automatically generate a unique plugin ID number based on the description field. Example: description: "Forbid Remote Startup Configuration"
feature_set	The “`feature_set`” keyword, similar to the “`system`” keyword in Unix compliance checks, checks the Feature Set version of the Cisco IOS and either runs the resulting check or skips the check because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular Feature Set. Example: <item> type: CONFIG_CHECK description: "Version Check" info: "SSH Access Control Check." feature_set: "K8" context:"line .*" item: "access-class [0-9]+ in" </item> The check above will only run the “item” check if the Feature Set version matches the specified regex: (K8) In the event of a Feature Set version check failure, an error similar to the one below is displayed: "Version Check" : [SKIPPED] Test defined for 12.[5-9] whereas we are running 12.4(15)T10
info	The “`info`” keyword is used to add a more detailed description to the check that is being performed. Rationale for the check could be a regulation, URL with more information, corporate policy and more. Multiple `info` fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of `info` fields that can be used. Note: Each “`info`” tag must be written on a separate line with no line breaks. If more than one line is required (e.g., formatting reasons), add additional “`info`” tags. Example: info: "Verify at least one local user exists and ensure" info: "all locally defined user passwords are protected" info: "by encryption."
item	The “`item`” keyword specifies the configuration item within the output of the “show config” output to be audited. Example: item: "transport input ssh" Regular expressions can be used within this keyword to filter the results of the match. Please see the `regex` keyword description for more details of the `regex` functionality.
regex	The “`regex`” keyword enables searching the configuration item setting to match for a particular regular expression. Example: regex: "snmp-server community ([^ ]) ." The following meta-characters require special treatment: + \ * ( ) ^ Escape these characters out twice with two backslashes “\\” or enclose them in square brackets “[]” if you wish for them to be interpreted literally. Other characters such as the following need only a single backslash to be interpreted literally: . ? " ' This has to do with the way that the compiler treats these characters.
min_occurrences	The “`min_occurrences`” keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. Example: min_occurrences: "3"
max_occurrences	The “`max_occurrences`” keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit. Example: max_occurrences: "1"
required	The “`required`” keyword is used to specify if the audited item is required to be present or not on the remote system. For example, if `required` is set to “NO” and the check type is “CONFIG_CHECK”, then the check will pass if the configuration item exists or if the configuration item does not exist. On the other hand, if `required` was set to “YES”, the above check would fail. Example: required: NO
context	The “`context`” keyword is useful where more than one instance of a particular configuration item exists. For example, consider the following configuration: line con 0 no modem enable line aux 0 access-class 42 in exec-timeout 10 0 no exec line vty 0 4 exec-timeout 2 0 password 7 15010X1C142222362G transport input ssh If you want to test a value from a particular serial line, using the `item` keyword with “line” will not be sufficient as there is more than one “line” option. If you use “`context`”, you will only focus on the item you are interested in. For example: context: "con 0" You will only grep on the following configuration item: line con 0 no modem enable Regular expressions can be used within this keyword to filter the results of the match. Please see the `regex` keyword description for more details of the `regex` functionality.