ZTE Compliance Checks
All ZTE compliance checks must be enclosed in a check_type block with the ZTE_ROSNG designation:
<check_type:"ZTE_ROSNG">
...
</check_type>
This is required to differentiate ZTE .audit files from those intended for other platforms.
Checks
The following sections describe the checks you can add to a single audit file.
BANNER_CHECK
This policy item checks whether the configured banner matches the content provided. Before the comparison, both values are normalized: newlines are converted to a common form, escape patterns are processed, and whitespace is stripped from the beginning and end of the policy text.
Usage
<custom_item>
type: BANNER_CHECK
description: ["description"]
item: ["config item"]
content: ["banner content"]
(optional) is_substring: [YES|NO]
</custom_item>
content
The content is the expected banner text. Newlines in the banner are processed automatically to determine delimiters and context.
is_substring
(Optional) A flag that allows location-specific information to be placed in a banner. If set to YES, the expected banner can be a substring of the configured banner rather than a full match. If it is not set, a full match is required.
Examples
<custom_item>
type : BANNER_CHECK
description : "Banner incoming is configured"
item : "banner incoming"
content : "** No Unauthorized Access **"
</custom_item>
<custom_item>
type : BANNER_CHECK
description : "Banner login is configured"
item : "banner login"
content : "All access is monitored and recorded."
</custom_item>
<custom_item>
type : BANNER_CHECK
description : "Banner login is configured"
item : "banner login"
content : "access is monitored"
is_substring : YES
</custom_item>
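The examples above rely on the normalization step described under content and is_substring. The following Python is an added illustration of that behaviour, not code from the page or from Tenable's audit engine: the exact normalization rules are not published beyond the sentence above, so normalize_banner is an approximation (newline unification, expansion of a literal backslash-n escape, and whitespace stripping), and DEVICE_BANNER_LOGIN is a constructed sample of what a device might return, not real ZTE output.

```python
import re

# Constructed sample of what a device might return for "banner login": CRLF line
# endings, a leading blank line and padding, plus site-specific text. Not real device output.
DEVICE_BANNER_LOGIN = "\r\n  All access is monitored and recorded.\r\nSite: DC-West, rack 12  \r\n"


def normalize_banner(text: str) -> str:
    """Approximate the normalization the page describes (assumption: the exact
    rules the audit engine applies are not published beyond that description)."""
    # Common newline form: CRLF and bare CR become LF.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Escape pattern: a literal backslash-n written in the policy's content field
    # stands for a newline, so multi-line banners can be given on one line.
    text = text.replace("\\n", "\n")
    # Strip whitespace from the beginning and end of the text, and trailing
    # whitespace per line, so device padding does not cause a false FAILED.
    return "\n".join(line.rstrip() for line in text.strip().split("\n"))


def banner_check(actual: str, content: str, is_substring: bool = False) -> str:
    """Evaluate one BANNER_CHECK: full match by default, substring when is_substring is YES."""
    got, want = normalize_banner(actual), normalize_banner(content)
    matched = want in got if is_substring else got == want
    return "PASSED" if matched else "FAILED"


if __name__ == "__main__":
    # Full match succeeds only when the whole banner, including the site line, is expected.
    print(banner_check(DEVICE_BANNER_LOGIN, r"All access is monitored and recorded.\nSite: DC-West, rack 12"))
    print(banner_check(DEVICE_BANNER_LOGIN, "All access is monitored and recorded."))
    # is_substring lets one policy cover banners that carry location-specific text.
    print(banner_check(DEVICE_BANNER_LOGIN, "access is monitored", is_substring=True))
```

Note that the comparison stays case-sensitive: a banner that reads "ACCESS IS MONITORED" does not satisfy content "access is monitored" even with is_substring set, so the policy text must match the wording actually deployed.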
CONFIG_CHECK and CONFIG_CHECK_NOT
The CONFIG_CHECK check analyzes the configuration for regular expressions to identify if a configuration is set.
The CONFIG_CHECK_NOT check gives the opposite result: it analyzes the configuration to identify whether a regular expression is absent, which indicates the configuration is not set.
Usage
<custom_item>
type : CONFIG_CHECK
description : ["description"]
(optional) section : ["regular expression to create sections"]
(optional) context : ["regular expression to create contexts"]
(optional) regex : ["regular expression to reduce config options"]
item : ["regular expression of text that needs to be found"]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
(optional) min_occurrences : ["numerical value"]
(optional) max_occurrences : ["numerical value"]
</custom_item>
section
(Optional) The section is a regular expression that will return one or more subsets of the configuration. When the section matches a line, it returns that line and any other lines directly below it until the section end is encountered.
A section is defined as any tag in the following format:
!<section-name>
...
!</section-name>
context
(Optional) The context is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down the searchable configuration.
Each block returned by a context is evaluated independently. If any one of them fails, the entire check fails.
Contexts are defined as code in the following format:
context-1
line item 1
line item 2
context-2
line item 1
line item 2
regex
(Optional) The regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order that they are listed in the check.
item
The evaluation is based on item.
- For CONFIG_CHECK, if the regular expression in the item matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
- For CONFIG_CHECK_NOT, if the regular expression in the item matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
match_all
(Optional) Set match_all to YES to require all lines of text to match the expectation, and not just a single line of text. If you set match_all to the default of NO, only one line must match for the check to pass.
match_case
(Optional) Set match_case to YES to make the comparison case-sensitive. Set match_case to the default of NO to make the comparison case-insensitive.
min_occurrences
(Optional) Specifies the minimum number of occurrences of the configuration item required to pass the audit.
This is useful in cases where a minimum number of servers (NTP, DNS, etc.) should be present.
Example:
min_occurrences: "3"
max_occurrences
(Optional) Specifies the maximum number of occurrences of the configuration item allowed to pass the audit.
This is useful in cases when checking items such as a single local account should exist (account of last resort).
Example:
max_occurrences: "1"
Example
<custom_item>
type : CONFIG_CHECK
description : "Ensure '3des-cbc' is disabled for SSH access"
regex : "ssh server encryption"
item : "ssh server encryption 3des-cbc disable"
</custom_item>
<custom_item>
type : CONFIG_CHECK
description : "Verify an expected hostname is set"
section : "system-config"
item : "hostname DeviceHostname"
</custom_item>
<custom_item>
type : CONFIG_CHECK
description : "Verify two ntp access-group lines are present"
item : "ntp access-group ipv(4|6)"
min_occurrences : "2"
</custom_item>
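To make the interaction of section, context, regex, item, match_all, match_case and the occurrence bounds concrete, here is an added Python evaluator that mirrors the CONFIG_CHECK and CONFIG_CHECK_NOT rules described above. It is illustrative code written for this page, not Tenable's engine: the independent-context rule and the "no lines left" case are implemented as this page describes them, the nested handling of several context expressions is an assumption, and SAMPLE_CONFIG is a constructed configuration built from the page's own example lines rather than a real ZTE ROSNG dump. The same regex-then-match evaluation applies to expect and not_expect in the CMD_EXEC and KB_VALUE checks, with command output or KB values in place of the configuration.

```python
import re
from typing import List, Optional, Sequence

# Constructed configuration in the style of the page's examples (not a real ZTE device dump).
SAMPLE_CONFIG = """\
!<system-config>
hostname DeviceHostname
!</system-config>
!<ssh-config>
ssh server encryption 3des-cbc disable
ssh server encryption aes128-cbc enable
!</ssh-config>
ntp access-group ipv4 10
ntp access-group ipv6 20
interface gei-0/1/0/1
  description uplink
  no shutdown
interface gei-0/1/0/2
  description user-port
  shutdown
"""


def _flags(match_case: bool) -> int:
    # match_case defaults to NO, so the comparison is case-insensitive unless asked otherwise.
    return 0 if match_case else re.IGNORECASE


def select_section(lines: List[str], section: str, match_case: bool) -> List[str]:
    """Return every !<name> ... !</name> block whose opening tag matches `section`."""
    out, inside = [], False
    for line in lines:
        if not inside and line.startswith("!<") and not line.startswith("!</") \
                and re.search(section, line, _flags(match_case)):
            inside = True
        if inside:
            out.append(line)
            if line.startswith("!</"):
                inside = False
    return out


def select_contexts(lines: List[str], context: str, match_case: bool) -> List[List[str]]:
    """One block per line matching `context`: that line plus the more-indented lines under it."""
    blocks, i = [], 0
    while i < len(lines):
        if re.search(context, lines[i], _flags(match_case)):
            base = len(lines[i]) - len(lines[i].lstrip())
            block, i = [lines[i]], i + 1
            while i < len(lines) and lines[i].strip() \
                    and len(lines[i]) - len(lines[i].lstrip()) > base:
                block.append(lines[i])
                i += 1
            blocks.append(block)
        else:
            i += 1
    return blocks


def _evaluate_block(lines: List[str], item: str, match_all: bool, match_case: bool,
                    min_occ: Optional[int], max_occ: Optional[int]) -> bool:
    hits = [ln for ln in lines if re.search(item, ln, _flags(match_case))]
    # match_all requires every remaining line to match; otherwise one hit is enough.
    matched = (bool(lines) and len(hits) == len(lines)) if match_all else bool(hits)
    if min_occ is not None and len(hits) < min_occ:
        matched = False
    if max_occ is not None and len(hits) > max_occ:
        matched = False
    return matched


def config_check(config: str, item: str, *, section: Optional[str] = None,
                 contexts: Sequence[str] = (), regexes: Sequence[str] = (),
                 match_all: bool = False, match_case: bool = False,
                 min_occurrences: Optional[int] = None, max_occurrences: Optional[int] = None,
                 negate: bool = False) -> str:
    """Evaluate a CONFIG_CHECK (negate=False) or CONFIG_CHECK_NOT (negate=True)."""
    lines = config.splitlines()
    if section:
        lines = select_section(lines, section, match_case)
    # Assumption: each successive context expression splits the blocks found so far.
    blocks = [lines]
    for ctx in contexts:
        blocks = [b for blk in blocks for b in select_contexts(blk, ctx, match_case)]
    results = []
    for blk in blocks:
        for rx in regexes:  # regex filters are applied in the order listed
            blk = [ln for ln in blk if re.search(rx, ln, _flags(match_case))]
        results.append(_evaluate_block(blk, item, match_all, match_case,
                                       min_occurrences, max_occurrences))
    matched = bool(results) and all(results)  # one failing context fails the whole check
    return "PASSED" if (not matched if negate else matched) else "FAILED"


if __name__ == "__main__":
    print(config_check(SAMPLE_CONFIG, "hostname DeviceHostname", section="system-config"))
    print(config_check(SAMPLE_CONFIG, r"ntp access-group ipv(4|6)", min_occurrences=3))
    print(config_check(SAMPLE_CONFIG, r"^\s*shutdown$", contexts=[r"^interface"]))
```

The last call shows why the independent-context rule matters for a hardening policy: one interface is administratively down and the other is not, so a check that every interface block contains shutdown fails as a whole rather than passing on the one block that matched.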
CMD_EXEC
The CMD_EXEC check runs a command on the target and analyzes the output with regular expressions to identify whether it matches the expected output.
If CMD_EXEC is used in an offline scan, a warning states that the command cannot run in offline mode.
Usage
<custom_item>
type : CMD_EXEC
description : ["description"]
cmd : ["command to run"]
(optional) regex : ["regular expression to reduce config options"]
expect : ["regular expression that passes if found"]
not_expect : ["regular expression that passes if not found"]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
</custom_item>
Keywords
cmd
The cmd is the command that should be run on the target.
regex
(Optional) The regex is used to filter the full command output to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable output, and they are applied in the order that they are listed in the check.
expect or not_expect
The evaluation is based on expect or not_expect. Use only one of these fields in a check.
- For expect, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
- For not_expect, if the regular expression matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
match_all
(Optional) Set match_all to YES to require all lines of text to match the expectation, and not just a single line of text. If you set match_all to the default of NO, only one line must match for the check to pass.
match_case
(Optional) Set match_case to YES to make the comparison case-sensitive. Set match_case to the default of NO to make the comparison case-insensitive.
Example
<custom_item>
type : CMD_EXEC
description : "Ensure the TLS 1.0 cipher list for HTTPS access is restricted to AES256-SHA"
cmd : "show running-config all"
regex : "ssl cipher tlsv1 custom"
expect : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""
</custom_item>
KB_VALUE
The KB_VALUE check fetches data from the Knowledgebase (KB) and analyzes it with regular expressions to identify whether the data associated with the provided path matches the expected output. Nessus creates a KB for each target during a scan; the KB records information that is shared with other plugins.
Usage
<custom_item>
type : KB_VALUE
description : ["description"]
kb_path : ["kb path to check"]
(optional) regex : ["regular expression to reduce options"]
expect : ["regular expression that passes if found"]
(optional) kb_path_required : [YES|NO]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
</custom_item>
kb_path
The kb_path is the path to the KB value or values to be evaluated.
regex
(Optional) The regex is used to filter the KB values at kb_path to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable values, and they are applied in the order that they are listed in the check.
expect
For expect, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
kb_path_required
(Optional) The kb_path_required field specifies whether the audited kb_path must be present. If this option is not set, the path is assumed to be required, so a missing path fails the check.
match_all
(Optional) Set match_all to YES to require all lines of text to match the expectation, and not just a single line of text. If you set match_all to the default of NO, only one line must match for the check to pass.
match_case
(Optional) Set match_case to YES to make the comparison case-sensitive. Set match_case to the default of NO to make the comparison case-insensitive.
Example
<custom_item>
type : KB_VALUE
description : "Check port"
kb_path : "public/port*"
regex : "[0-9]+"
expect : "443"
</custom_item>