FILE_CONTENT_CHECK
As with testing the existence and settings of a file, the content of text files can also be analyzed. Regular expressions can be used to search one or more locations for existing content. Use the "ignore" keyword to exclude one or more files, or a wildcard pattern of files, from the specified search location or locations.
The string_required field specifies whether the string being searched for is required to be present. If this option is not set, the string is assumed to be required. The file_required field specifies whether the audited file is required to be present. If this option is not set, the file is assumed to be required. Use the "json_transform" tag to evaluate specific JSON-formatted data within a file.
Tip: For information about the parameters commonly found in Unix custom items, see Unix Configuration Keywords.
Examples
<custom_item>
system: "Linux"
type: FILE_CONTENT_CHECK
description: "This check reports a problem when the log level setting in the sendmail.cf file is less than the value set in your security policy."
file: "sendmail.cf"
regex: ".*LogLevel=.*$"
expect: ".*LogLevel=9"
</custom_item>
<custom_item>
system: "Linux"
type: FILE_CONTENT_CHECK
file: "sendmail.cf"
search_locations: "/etc:/etc/mail:/usr/local/etc/mail/"
regex: ".*PrivacyOptions=.*"
expect: ".*PrivacyOptions=.*,novrfy,.*"
</custom_item>
<custom_item>
system: "Linux"
type: FILE_CONTENT_CHECK
description: "FILE_CONTENT_CHECK with ignore patterns; neither the file nor the string is required"
file: "/root/test2/foo*"
# ignore a single file
ignore: "/root/test/2"
# ignore all files in a directory
ignore: "/root/test/*"
# ignore only the files in a directory that match a pattern
ignore: "/root/test/foo*"
regex: "FOO"
expect: "FOO1"
file_required: NO
string_required: NO
</custom_item>
Prefix the file parameter with "~/" to configure FILE_CONTENT_CHECK to scan every user's home directory for the named file, for example to find non-compliant content such as a "+" wildcard in .rhosts.
<custom_item>
system: "Linux"
type: FILE_CONTENT_CHECK
description: "Check all user home directories"
file: "~/.rhosts"
ignore: "/.foo"
regex: "\\+"
expect: "\\+"
</custom_item>
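To make the keyword semantics above concrete, here is an added Python model of how a FILE_CONTENT_CHECK item is evaluated. It is not Tenable's code and not the Nessus implementation; it implements the behaviour this page describes (regex selects lines, expect must match a selected line, ignore drops candidate files, file_required and string_required decide what a missing file or string means, and "~/" expands across home directories) over a constructed in-memory filesystem. SAMPLE_FS, HOME_DIRS, file_content_check and resolve_candidates are names invented here, the home-directory list is assumed, and default search locations are not modelled because the page does not state them, so a relative file name with no search_locations finds nothing.

```python
import fnmatch
import posixpath
import re

# Constructed in-memory "filesystem" (path -> contents); sample data, not a real host.
SAMPLE_FS = {
    "/etc/mail/sendmail.cf": "O LogLevel=9\nO PrivacyOptions=authwarnings,novrfy,noexpn\n",
    "/usr/local/etc/mail/sendmail.cf": "O LogLevel=5\n",
    "/home/alice/.rhosts": "+ +\n",
    "/home/bob/.rhosts": "trusted.example.com bob\n",
}
# Assumed list of user home directories used to expand a "~/" file parameter.
HOME_DIRS = ["/home/alice", "/home/bob"]


def _matches_any(path, patterns):
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


def resolve_candidates(file_pattern, search_locations, fs, homes):
    """Expand the `file` keyword (absolute, wildcard, relative or ~/ form) to paths in fs."""
    if file_pattern.startswith("~/"):
        patterns = [posixpath.join(home, file_pattern[2:]) for home in homes]
    elif file_pattern.startswith("/"):
        patterns = [file_pattern]
    else:
        # Relative names are looked up under each colon-separated search location.
        patterns = [posixpath.join(loc, file_pattern) for loc in search_locations]
    return sorted(p for p in fs if _matches_any(p, patterns))


def file_content_check(item, fs=SAMPLE_FS, homes=HOME_DIRS):
    """Evaluate one FILE_CONTENT_CHECK item given as a dict of keyword -> value.

    Modelled semantics (an assumption drawn from the page's description):
      * `regex` selects lines; a file passes when a selected line also matches `expect`;
      * no selected line: fail, unless string_required is NO;
      * no candidate file left after `ignore` filtering: fail, unless file_required is NO.
    `ignore` may be one pattern or a list (the .audit form repeats the keyword instead).
    Returns (status, per_file) with status "PASSED" or "FAILED".
    """
    locations = [loc for loc in item.get("search_locations", "").split(":") if loc]
    ignores = item.get("ignore", [])
    if isinstance(ignores, str):
        ignores = [ignores]
    file_required = item.get("file_required", "YES").upper() != "NO"
    string_required = item.get("string_required", "YES").upper() != "NO"
    line_re, expect_re = re.compile(item["regex"]), re.compile(item["expect"])

    candidates = [p for p in resolve_candidates(item["file"], locations, fs, homes)
                  if not _matches_any(p, ignores)]
    if not candidates:
        return ("FAILED" if file_required else "PASSED"), {}

    per_file = {}
    for path in candidates:
        selected = [line for line in fs[path].splitlines() if line_re.search(line)]
        if not selected:
            per_file[path] = "FAILED (string not found)" if string_required else "PASSED"
        elif any(expect_re.search(line) for line in selected):
            per_file[path] = "PASSED"
        else:
            per_file[path] = "FAILED (expect not matched)"
    status = "PASSED" if all(v == "PASSED" for v in per_file.values()) else "FAILED"
    return status, per_file


if __name__ == "__main__":
    # The page's sendmail.cf LogLevel item, run over the constructed filesystem.
    item = {"file": "sendmail.cf",
            "search_locations": "/etc:/etc/mail:/usr/local/etc/mail/",
            "regex": r".*LogLevel=.*$", "expect": r".*LogLevel=9"}
    print(file_content_check(item))
```

Two points the model makes visible that the examples alone do not: with the three search locations, the LogLevel item fails as a whole because the copy under /usr/local/etc/mail/ has LogLevel=5, so in this model a check passes only when every candidate file passes, and an ignore pattern such as "/usr/local/*" is what turns it back into a pass; and the .rhosts item passes for a home that contains the "+" wildcard while failing for one that does not, which is why a "find the bad thing" check needs string_required or a negated check type rather than the defaults. Regexes are written as Python raw strings here (r"\+" for the page's "\\+").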