Unix Configuration Keywords

The following table indicates how each keyword in the Unix compliance checks can be used.

Keyword

Example Usage and Supported Settings

attr

This keyword is used in conjunction with FILE_CHECK and FILE_CHECK_NOT to audit the file attributes associated with a file. Please refer to the chattr(1) man page for details on configuring the file attributes of a file.

check_option

This keyword is used to allow a response to be NULL and still pass.

Example:

check_option: CAN_BE_NULL

check_uneveness

This keyword is used with FILE_CHECK and FILE_CHECK_NOT. File permissions are considered uneven if group or other has permissions that the owner does not have, or if other has permissions that the group does not have.

cmd

This keyword is required for use with CMD_EXEC to execute remote commands for the purpose of auditing a wide variety of items.

description

This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and no distinct checks have the same description field. Tenable uses this field to automatically generate a unique plugin ID number based on the description field.

Example:

description: "Permission and ownership check for /etc/at.allow"

dont_echo_cmd

This keyword is used with “CMD_EXEC” Unix compliance check audits and tells the audit to omit the actual command run by the check from the output. Only the command’s results are displayed.

Example:

dont_echo_cmd: YES

except

This keyword is used to exclude certain users, services and files from the check.

Example:

except: "guest"

Multiple user accounts can be piped together.

Example:

except: "guest" | "guest1" | "guest2"

expect

This keyword is used in combination with regex. It provides the ability to look for specific values within files.

Example:

<custom_item>
system: "Linux"
type: FILE_CONTENT_CHECK
description: "This check reports a problem when the log level setting in the sendmail.cf file is less than the value set in your security policy."
file: "sendmail.cf"
regex: ".*LogLevel=.*"
expect: ".*LogLevel=9"
</custom_item>

file

This keyword is used to describe the absolute or relative path of a file to be checked for permissions and ownership settings.

Examples:

file: "/etc/inet/inetd.conf"

file: "~/inetd.conf"

The file value can also be a glob.

Example:

file: "/var/log/*"

This feature is particularly useful when all the files within a given directory need to be audited for permissions or contents using FILE_CHECK, FILE_CONTENT_CHECK, FILE_CHECK_NOT, or FILE_CONTENT_CHECK_NOT.

file_required

This keyword is used with FILE_CHECK, FILE_CHECK_NOT, FILE_CONTENT_CHECK, and FILE_CONTENT_CHECK_NOT. The file_required field can be set to specify whether the audited file is required to be present or not. If this option is not set, the file is assumed to be required.

file_type

This keyword describes the type of file that is searched for. The following is the list of supported file types.

  • b - block (buffered) special
  • c - character (unbuffered) special
  • d - directory
  • p - named pipe (FIFO)
  • f - regular file

Example:

file_type: "f"

One or more types of file types can be piped together in the same string.

Example:

file_type: "c|b"

gid

This keyword is used with FILE_CHECK and FILE_CHECK_NOT to audit the numeric group ID associated with a file.

Example:

gid: 500

group

This keyword is used to specify the group of a file; it is always used in conjunction with file keyword. The group keyword can have a value of “none” that helps with searching for files with no owner.

Example:

group: "root"

Group can also be specified with a logical “OR” condition using the following syntax:

group: "root" || "bin" || "sys"

ignore

This keyword tells the check to ignore designated files from the search. This keyword is available for the FILE_CHECK, FILE_CHECK_NOT, FILE_CONTENT_CHECK, and FILE_CONTENT_CHECK_NOT check types.

Examples:

# ignore single file
ignore: "/root/test/2"

# ignore certain files from a directory
ignore: "/root/test/foo*"

# ignore all files in a directory
ignore: "/root/test/*"

info

This keyword is used to add a more detailed description to the check that is being performed such as a regulation, URL, corporate policy or a reason why the setting is required. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Example:

info: "ref. CIS_AIX_Benchmark_v1.0.1.pdf ch 1, pg 28-29."

levels

This keyword is used in conjunction with CHKCONFIG and is used to specify the run levels for which a service is required to be running. All the run levels must be described in a single string. For example, if service “sendmail” is required to be running at run level 1, 2 and 3, then the corresponding levels value in the CHKCONFIG check would be:

levels: "123"

json_transform

This keyword is used with FILE_CONTENT_CHECK and FILE_CONTENT_CHECK_NOT to evaluate JSON formatted data.

mask

This keyword is the opposite of mode where one can specify permissions that should not be available for a particular user, group or other member. Unlike mode that checks for an exact permission value, mask audits are broader and will check if a file or directory is at a level that is equal to, or more secure than, what is specified by the mask. (Where mode may fail a file with a permission of 640 as not matching an audit expecting a value of 644, mask will see that 640 is “more secure” and will pass the audit as successful.)

Example:

mask: 022

This specifies that any permission is acceptable for the owner, and that group and other must not have write permission. A mask value of "7" means no permissions at all for that particular owner, group, or other member.

md5

This keyword is used in FILE_CHECK and FILE_CHECK_NOT to make sure the MD5 of a file is actually set to whatever the policy sets.

Example:

<custom_item>
type: FILE_CHECK
description: "/etc/passwd has the proper md5 set"
required: YES
file: "/etc/passwd"
md5: "ce35dc081fd848763cab2cfd442f8c22"
</custom_item>

min_occurrences

This keyword specifies the minimum number of specific values in FILE_CONTENT_CHECK files.

Example:

min_occurrences: "3"

mode

This keyword describes the set of permissions for a file/folder under consideration. The mode keyword can be represented in string or octal format.

Examples:

mode: "-rw-r--r--"

mode: "644"

mode: "7644"
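The three permission keywords above (mode, mask and check_uneveness) evaluate the same 12 permission bits in three different ways. The following Python is an added example, not Tenable's code, that shows those three evaluations side by side on a constructed set of file modes; it assumes that mode compares all 12 bits exactly (setuid/setgid/sticky included), that a mask passes when none of its bits are set on the file, and that unevenness is judged by the owner/group/other triplets as the page describes.

```python
import re

# Constructed sample of path -> permission bits, as os.stat().st_mode & 0o7777 would
# report them; these paths and modes are made up for the example.
SAMPLE_FILES = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/etc/at.allow": 0o600,
    "/tmp/scratch.log": 0o666,
    "/usr/local/bin/odd": 0o466,   # group/other can read, owner cannot: uneven
}


def parse_mode(spec):
    """Turn a mode written either way the page shows it, octal ("644", "7644")
    or symbolic ("-rw-r--r--"), into a 12-bit permission value."""
    spec = spec.strip()
    if re.fullmatch(r"[0-7]{3,4}", spec):
        return int(spec, 8)
    if re.fullmatch(r"[-dlcbps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]", spec):
        bits = 0
        for i, ch in enumerate(spec[1:]):          # nine rwx slots, owner first
            if ch == "-":
                continue
            slot = 1 << (8 - i)
            if ch in "rwx":
                bits |= slot
            elif ch in "sS":                       # setuid on owner x, setgid on group x
                bits |= 0o4000 if i == 2 else 0o2000
                if ch == "s":
                    bits |= slot
            else:                                  # t / T: sticky bit on the other x slot
                bits |= 0o1000
                if ch == "t":
                    bits |= slot
        return bits
    raise ValueError("unrecognised mode spec: %r" % spec)


def mode_matches(actual, spec):
    """mode: exact comparison (assumed here to cover all 12 bits)."""
    return (actual & 0o7777) == parse_mode(spec)


def mask_passes(actual, mask_spec):
    """mask: every bit named in the mask must be CLEAR on the file, so a file that
    is tighter than the mask still passes (640 passes mask 022)."""
    mask = int(str(mask_spec), 8)
    return (actual & mask) == 0


def is_uneven(actual):
    """check_uneveness: group or other holds a bit the owner lacks, or other holds
    a bit the group lacks."""
    owner, group, other = (actual >> 6) & 7, (actual >> 3) & 7, actual & 7
    return bool((group & ~owner) or (other & ~owner) or (other & ~group))


def audit_files(files, mode=None, mask=None, check_uneveness=False):
    """Evaluate each file against whichever keywords are set; returns
    {path: [reasons it failed]}, an empty list meaning the file passed."""
    results = {}
    for path, bits in files.items():
        reasons = []
        if mode is not None and not mode_matches(bits, mode):
            reasons.append("mode %o != %s" % (bits, mode))
        if mask is not None and not mask_passes(bits, mask):
            reasons.append("mode %o has bits forbidden by mask %s" % (bits, mask))
        if check_uneveness and is_uneven(bits):
            reasons.append("permissions are uneven")
        results[path] = reasons
    return results


if __name__ == "__main__":
    for path, why in audit_files(SAMPLE_FILES, mask="022", check_uneveness=True).items():
        print("%-22s %s" % (path, "PASS" if not why else "FAIL: " + "; ".join(why)))
```

Run as-is it audits the sample with mask "022" plus the unevenness check: /etc/shadow (640) passes the mask although it is not equal to 644, /tmp/scratch.log fails on the group and other write bits, and /usr/local/bin/odd fails on both counts.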

name

This keyword is used to identify process name in PROCESS_CHECK.

Example:

name: "syslogd"

not_expect

This keyword is used in combination with regex. It provides the ability to look for specific failing values in FILE_CONTENT_CHECK and CMD_EXEC.

not_regex

This keyword is used with MACOSX_DEFAULTS_READ to evaluate that none of the items found match the regex specified.

operator

This keyword is used in conjunction with RPM_CHECK and PKG_CHECK to specify the condition to pass or fail a check based on the version of the installed RPM package. It can take the following values:

  • lt (less than)
  • lte (less than or equal)
  • gte (greater than or equal)
  • gt (greater than)
  • eq (equal)

Example:

operator: "lt"

owner

This keyword is used to specify the owner of a file; it is always used in conjunction with file keyword. The owner keyword can have a value of “none” that helps with searching for files with no owner.

Example:

owner: "root"

Ownership can also be specified with a logical “OR” condition using the following syntax:

owner: "root" || "bin" || "adm"

pkg

This keyword is used with PKG_CHECK to evaluate packages installed on a SunOS system.

Example:

pkg: "SUNWcrman"

ports

This keyword is used with AUDIT_ALLOWED_OPEN_PORTS and AUDIT_DENIED_OPEN_PORTS to specify a single port, a comma separated list, or a regex range. When used with AUDIT_PROCESS_ON_PORT, the ports tag takes a single port.

Examples:

ports: "80"

ports: "80, 443"

ports: "2[1-9]"

port_type

This keyword is used with AUDIT_ALLOWED_OPEN_PORTS, AUDIT_DENIED_OPEN_PORTS, and AUDIT_PROCESS_ON_PORT to specify TCP or UDP.

Examples:

port_type: TCP

port_type: UDP
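The ports and port_type keywords describe an allow-list or deny-list of listening ports. The Python below is an added example, not Tenable's implementation, of how such a spec can be matched against a constructed survey of open sockets; it assumes that each comma-separated piece of a ports value is a regex anchored to the whole port number (so "80" matches only port 80, and "2[1-9]" matches 21 through 29), that AUDIT_ALLOWED_OPEN_PORTS fails on any open port outside the spec, and that AUDIT_DENIED_OPEN_PORTS fails on any open port inside it.

```python
import re

# Constructed listening-socket survey, keyed by the page's port_type values
# (a netstat-style listing would be the real source).
OBSERVED = {"TCP": [22, 80, 443, 8080], "UDP": [53, 123]}


def port_matches(port, spec):
    """True if `port` matches the ports: value, which may be a single port,
    a comma separated list, or a regex over the port number such as "2[1-9]".
    Each comma-separated piece is anchored to the whole number (assumption)."""
    for piece in spec.split(","):
        piece = piece.strip()
        if piece and re.fullmatch(piece, str(port)):
            return True
    return False


def audit_allowed_open_ports(observed, ports, port_type):
    """AUDIT_ALLOWED_OPEN_PORTS reading: every open port must match the spec.
    Returns the offending ports; an empty list means the check passes."""
    return [p for p in observed.get(port_type, []) if not port_matches(p, ports)]


def audit_denied_open_ports(observed, ports, port_type):
    """AUDIT_DENIED_OPEN_PORTS reading: no open port may match the spec.
    Returns the offending ports; an empty list means the check passes."""
    return [p for p in observed.get(port_type, []) if port_matches(p, ports)]


def audit_process_on_port_target(observed, ports, port_type):
    """AUDIT_PROCESS_ON_PORT takes a single port; this helper only reports whether
    that port is open for the given port_type, since the process owning it is
    not part of the constructed survey."""
    if "," in ports:
        raise ValueError("AUDIT_PROCESS_ON_PORT takes a single port: %r" % ports)
    return int(ports) in observed.get(port_type, [])


if __name__ == "__main__":
    print("allowed 22,80,443 TCP ->", audit_allowed_open_ports(OBSERVED, "22, 80, 443", "TCP"))
    print("denied 2[1-9] TCP    ->", audit_denied_open_ports(OBSERVED, "2[1-9]", "TCP"))
    print("denied 2[1-9] UDP    ->", audit_denied_open_ports(OBSERVED, "2[1-9]", "UDP"))
```

With the constructed survey the allow-list "22, 80, 443" flags 8080, the deny-list "2[1-9]" flags 22 on TCP and nothing on UDP.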

reference

This keyword provides a way to include cross-references in the .audit. The format is “ref|ref-id1,ref|ref-id2”.

Example:

reference: "CAT|CAT II,800-53|IA-5,8500.2|IAIA-1,8500.2|IAIA-2,8500.2|IATS-1,8500.2|IATS-2"

regex

This keyword enables searching a file to match for a particular regex expression.

Example:

regex: ".*LogLevel=9$"

The following meta-characters require special treatment: + \ * ( ) ^

Escape these characters with two backslashes ("\\") or enclose them in square brackets ("[]") if they should be interpreted literally. Other characters, such as the following, need only a single backslash to be interpreted literally: . ? " '

This has to do with the way that the compiler treats these characters.
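The regex, expect, not_expect and min_occurrences keywords together define how a FILE_CONTENT_CHECK decides pass or fail. The Python below is an added example, not Tenable's evaluator, that applies that decision to two constructed sendmail.cf fragments. It assumes the evaluation order implied by the keyword descriptions: regex selects the candidate lines, expect must match at least min_occurrences of them, and not_expect must match none of them. The second fragment (LogLevel=95) shows why the anchored form ".*LogLevel=9$" from the regex entry above is the safer spelling of the page's expect value.

```python
import re

# Constructed sendmail.cf fragments (not real files); the first satisfies the page's
# example policy, the second is the edge case an unanchored expect gets wrong.
CF_LOGLEVEL_9 = """\
# constructed sendmail.cf sample
O QueueDirectory=/var/spool/mqueue
O LogLevel=9
O PrivacyOptions=authwarnings,novrfy,noexpn
"""
CF_LOGLEVEL_95 = CF_LOGLEVEL_9.replace("LogLevel=9", "LogLevel=95")


def file_content_check(text, regex, expect=None, not_expect=None, min_occurrences=1):
    """Assumed evaluation order: `regex` selects the candidate lines, `expect`
    must match at least `min_occurrences` of them, and `not_expect` must match
    none of them. Returns (passed, lines_that_decided_the_result)."""
    candidates = [ln for ln in text.splitlines() if re.search(regex, ln)]
    if expect is not None:
        hits = [ln for ln in candidates if re.search(expect, ln)]
        if len(hits) < int(min_occurrences):      # the page writes the count as "3"
            return False, hits
    if not_expect is not None:
        bad = [ln for ln in candidates if re.search(not_expect, ln)]
        if bad:                                   # any failing value fails the check
            return False, bad
    return True, candidates


def loglevel_policy(text, expect):
    """The page's sendmail.cf item, with the expect value supplied by the caller."""
    return file_content_check(text, r".*LogLevel=.*", expect=expect)[0]


if __name__ == "__main__":
    for label, cf in (("LogLevel=9", CF_LOGLEVEL_9), ("LogLevel=95", CF_LOGLEVEL_95)):
        print(label,
              "unanchored expect:", loglevel_policy(cf, r".*LogLevel=9"),
              "anchored expect:", loglevel_policy(cf, r".*LogLevel=9$"))
```

Note that Python raw strings need only one backslash per literal meta-character; the double escaping described above applies to the .audit file, whose parser consumes one level of escaping before the regex is compiled.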

required

This keyword is used to specify if the audited item is required to be present or not on the remote system. For example, if required is set to “NO” and the check type is “FILE_CHECK”, then the check will pass if the file exists and permissions are as specified in the .audit file or if the file does not exist. On the other hand, if required was set to “YES”, the above check would fail.

rpm

This keyword is used to specify the RPM to look for when used in conjunction with RPM_CHECK.

Example:

<custom_item>
type: RPM_CHECK
description: "Make sure that the Linux kernel is BELOW version 2.6.0"
rpm: "kernel-2.6.0-0"
operator: "lt"
required: YES
</custom_item>
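The rpm and operator keywords compare an installed package's version against the policy value, which is what makes the RPM_CHECK above pass or fail. The Python below is an added example, not Tenable's comparison routine, that splits a "name-version-release" string like the page's "kernel-2.6.0-0" and compares the version and release segment by segment in the spirit of rpm's rpmvercmp (simplified: numeric segments compare as integers, alphabetic ones lexically, numeric beats alphabetic, and the longer string wins a tie; tilde and caret ordering are not handled). The installed package strings are constructed for the example.

```python
import re

# The five operator values listed on the page, applied to a three-way comparison result.
OPERATORS = {
    "lt": lambda c: c < 0,
    "lte": lambda c: c <= 0,
    "gte": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "eq": lambda c: c == 0,
}


def split_nevr(spec):
    """Split "name-version-release" into (name, version, release). The name ends at
    the first '-' that is followed by a digit (assumption: versions start with a
    digit), so "kernel-devel-3.10.0-1160.el7" keeps its full name."""
    m = re.match(r"^(.*?)-(\d[^-]*)(?:-([^-]+))?$", spec)
    if not m:
        raise ValueError("not a name-version[-release] string: %r" % spec)
    return m.group(1), m.group(2), m.group(3) or ""


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():        # a numeric segment is newer than alpha
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # more segments wins a tie


def compare_installed(installed, policy):
    """Three-way comparison of installed vs policy: version first, release on a tie."""
    iname, iver, irel = split_nevr(installed)
    pname, pver, prel = split_nevr(policy)
    if iname != pname:
        raise ValueError("package name mismatch: %s vs %s" % (iname, pname))
    c = rpmvercmp(iver, pver)
    return c if c else rpmvercmp(irel, prel)


def rpm_check(installed, rpm, operator):
    """True when the installed package stands in `operator` relation to the policy's
    rpm: value, i.e. when the page's RPM_CHECK would pass."""
    return OPERATORS[operator](compare_installed(installed, rpm))


if __name__ == "__main__":
    # Constructed installed kernels evaluated against the page's item (rpm: "kernel-2.6.0-0", lt).
    for installed in ("kernel-2.4.21-47", "kernel-2.6.0-0", "kernel-2.6.18-8"):
        print(installed, "passes 'lt kernel-2.6.0-0':", rpm_check(installed, "kernel-2.6.0-0", "lt"))
```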

search_locations

This keyword can be used to specify searchable locations within a file system.

Example:

search_locations: "/bin"

Multiple search locations can be piped together.

Example:

search_locations: "/bin" | "/etc/init.d" | "/etc/rc0.d"

see_also

This keyword allows links to a reference to be included.

Example:

see_also: "https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf"

service

This keyword is used in conjunction with CHKCONFIG, XINETD_SVC and SVC_PROP and is used to specify the service that is being audited.

Example:

<custom_item>
type: CHKCONFIG
description: "2.1 Disable Standard Services – Check if cups is disabled"
service: "cups"
levels: "123456"
status: OFF
</custom_item>

severity

In any test, <item> or <custom_item>, a “severity” flag can be added and set to “LOW”, “MEDIUM”, or “HIGH”. By default, non-compliant results show up as “high”.

Example:

severity: MEDIUM

solution

This keyword provides a way to include “Solution” text if available.

Example:

solution: "Remove this file, if its not required"

status

This keyword is used in PROCESS_CHECK, CHKCONFIG and XINETD_SVC to determine whether a service on a given host should be running or disabled. The status keyword can take two values: “ON” or “OFF”.

Example:

status: ON

status: OFF

system

This keyword specifies the type of system the check is to be performed on.

Note: The “system” keyword is only applicable to “custom_item” checks, not built-in “item” checks.

The available values are the ones returned by the “uname” command on the target OS. For example, on Solaris the value is “SunOS”, on macOS it is “Darwin”, on FreeBSD it is “FreeBSD”, etc.

Example:

system: "SunOS"

timeout

This keyword is used in conjunction with CMD_EXEC and specifies, in seconds, the amount of time that the specified command will be allowed to run before it times out. This keyword is useful in cases where a particular command, such as the Unix “find” command, requires extended periods of time to complete. If this keyword is not specified, the default timeout for CMD_EXEC audits is five minutes.

Example:

timeout: "600"

type

Supported check types:

  • CHKCONFIG
  • CMD_EXEC
  • FILE_CHECK
  • FILE_CHECK_NOT
  • FILE_CONTENT_CHECK
  • FILE_CONTENT_CHECK_NOT
  • GRAMMAR_CHECK
  • PKG_CHECK
  • PROCESS_CHECK
  • RPM_CHECK
  • SVC_PROP
  • XINETD_SVC

uid

This keyword is used with FILE_CHECK and FILE_CHECK_NOT to audit the numeric user ID associated with a file.

Example:

uid: 0

value

The value keyword is used to check whether a setting on the system conforms to the policy value.

Example:

value: "90..max"

The value keyword can be specified as a range [number..max]. If the value lies between the specified number and “max”, the check will pass.

xsl_stmt

This keyword is used with AUDIT_XML to audit XML data with the use of XSL transforms. The xsl_stmt tag can be multiline or multiple individual tags.