Keywords

The following table indicates how each keyword in the VMware compliance checks can be used:

Keyword	Example Use and Supported Settings
type	This keyword describes the type of check that is being performed by a given item in an audit file. VMware audits can be performed with the following three types of audit checks: AUDIT_VM AUDIT_ESX AUDIT_VCENTER
description	This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the `description` field be unique and no distinct checks have the same description field. Tenable uses this field to automatically generate a unique plugin ID number based on the description field. Example: description: "Disconnect unauthorized devices - 'floppyX.present = false'"
info	This keyword allows users to add a more detailed description to the check that is being performed. Multiple `info` fields are allowed with no preset limit. The info content must be enclosed in double-quotes. Example: info: "Make sure floppy drive is not attached"
regex	This keyword allows searching items that match a particular regex expression. Example: regex: "floppy([Xx]\|[0-9]+)\\.present :"

The compliance of a check can be determined by comparing the output of the check to either the expect or not_expect keyword. You cannot use more than one compliance testing tag in a given check.

Keyword	Example Use and Supported Settings
expect	This keyword allows auditing the config item matched by the `regex` keyword, or if the `regex` keyword is not used, looks for the `expect` string in the entire config. The check passes as long as the config line found by `regex` matches the `expect` string or in the case where `regex` is not set, it passes if the `expect` string is found in the config. Example: regex: "floppy([Xx]\|[0-9]+)\\.present :" expect: "floppy([Xx]\|[0-9]+)\\.present : false" Or: expect: "floppy([Xx]\|[0-9]+)\\.present : false" In the above cases, the `expect` keyword ensures that the floppy drive is not present.
not_expect	This keyword allows searching the configuration items that should not be in the configuration. It acts as the opposite of `expect`. The check passes as long as the config line found by `regex` does not match the `not_expect` string or if the `regex` keyword is not set, it passes as long as `not_expect` string is not found in the config. Example: regex: "floppy([Xx]\|[0-9]+)\\.present :" not_expect: "floppy([Xx]\|[0-9]+)\\.present : false" Or: not_expect: "floppy([Xx]\|[0-9]+)\\.present : false" In the above cases, the `not_expect` keyword ensures that the floppy drive is not present.

Keyword

Example Use and Supported Settings

expect

This keyword allows auditing the config item matched by the regex keyword, or if the regex keyword is not used, looks for the expect string in the entire config.

The check passes as long as the config line found by regex matches the expect string or in the case where regex is not set, it passes if the expect string is found in the config.

Example:

regex: "floppy([Xx]|[0-9]+)\\.present :"

expect: "floppy([Xx]|[0-9]+)\\.present : false"

Or:

expect: "floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the expect keyword ensures that the floppy drive is not present.

not_expect

This keyword allows searching the configuration items that should not be in the configuration.

It acts as the opposite of expect. The check passes as long as the config line found by regex does not match the not_expect string or if the regex keyword is not set, it passes as long as not_expect string is not found in the config.

Example:

regex: "floppy([Xx]|[0-9]+)\\.present :"

not_expect: "floppy([Xx]|[0-9]+)\\.present : false"

Or:

not_expect: "floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the not_expect keyword ensures that the floppy drive is not present.