OFFLINE_CONFIG_CHECK

The OFFLINE_CONFIG_CHECK check uses regular expressions to analyze the configuration and determine whether a configuration setting is present.

Usage

<custom_item>
  type : OFFLINE_CONFIG_CHECK
  description : ["description"]
  context : ["regular expression to create contexts"]
  regex : ["regular expression to reduce config options"]
  expect : ["regular expression of text that needs to be found"]
  not_expect : ["regular expression of text that needs to not be found"]
  (optional) match_all : [YES|NO]
  (optional) match_case : [YES|NO]
</custom_item>

context

The context is a regular expression that will return one or more subsets of the configuration. When the context matches a line, it will return that line and any other lines directly below it that are within curly brackets {}. Multiple contexts can be used to narrow down the searchable configuration.

A context is defined as code formatted like the following:

auth password-policy {
    description DESC
    expiration-warning 7
    max-duration 99999
    max-login-failures 0
    min-duration 0
    minimum-length 6
    password-memory 0
    policy-enforcement enabled
    required-lowercase 0
    required-numeric 0
    required-special 0
    required-uppercase 0
}

regex

The regex filters the full configuration, or each of the context configurations, down to the smaller set of lines that match the regular expression.

expect and not_expect

The evaluation is based on expect or not_expect. These fields are mutually exclusive and only one can be used at a time.

  • If the regular expression in expect matches a line of text, the check result is PASSED. If there are no matches, the check result is FAILED.

  • If the regular expression in not_expect matches a line of text, the check result is FAILED. If there are no matches, the check result is PASSED.

To indicate whether all lines need to match, or whether matching is case-sensitive, use the modifiers match_all or match_case.

match_all

(Optional) Setting match_all to YES requires the expectation to match all lines of text, and not just a single line of text. If match_all is set to the default of NO, only one line must match for the check to pass.

match_case

(Optional) Setting match_case to YES makes the comparison case-sensitive. If match_case is set to the default of NO, the comparison is case-insensitive.

Example

<custom_item>
  type : OFFLINE_CONFIG_CHECK
  description : "Check offline config for password-policy"
  context : "auth password-policy"
  regex : "policy-enforcement"
  expect : "policy-enforcement enabled"
</custom_item>
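The evaluation order described above (context, then regex, then expect or not_expect), sketched in Python as an added example; it is not the scanner's own implementation. The names offline_config_check, contexts and SAMPLE_CONFIG are hypothetical. Assumptions: a single context, unanchored regular-expression search, match_all ignored for not_expect, and an empty set of candidate lines counting as FAILED for expect.

```python
import re

# Constructed sample input: the password-policy block from this page (shortened)
# plus one unrelated block, so context selection has something to exclude.
SAMPLE_CONFIG = """\
auth password-policy {
    description DESC
    max-login-failures 0
    minimum-length 6
    policy-enforcement enabled
}
sys ntp {
    description enabled
}
"""

def contexts(lines, pattern, flags):
    """Yield each block: the matching line plus following lines until its {} closes."""
    i = 0
    while i < len(lines):
        if not re.search(pattern, lines[i], flags):
            i += 1
            continue
        block, depth = [], 0
        while i < len(lines):
            block.append(lines[i])
            depth += lines[i].count("{") - lines[i].count("}")
            i += 1
            if depth <= 0:
                break
        yield block

def offline_config_check(config, context=None, regex=None, expect=None,
                         not_expect=None, match_all=False, match_case=False):
    if (expect is None) == (not_expect is None):
        raise ValueError("use exactly one of expect / not_expect")
    flags = 0 if match_case else re.IGNORECASE
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    blocks = list(contexts(lines, context, flags)) if context else [lines]
    if regex:
        blocks = [[l for l in b if re.search(regex, l, flags)] for b in blocks]
    candidates = [l for b in blocks for l in b]
    if not_expect is not None:  # assumption: match_all is ignored for not_expect
        hit = any(re.search(not_expect, l, flags) for l in candidates)
        return "FAILED" if hit else "PASSED"
    hits = [bool(re.search(expect, l, flags)) for l in candidates]
    # Assumption: an empty candidate set fails even when match_all is YES.
    ok = bool(hits) and (all(hits) if match_all else any(hits))
    return "PASSED" if ok else "FAILED"
```

Without a context, a regex such as "description" also picks up lines from unrelated blocks, so an expect of "enabled" can pass on the wrong block's line; narrowing with context first avoids that.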