Dell OS10 CONFIG_CHECK and CONFIG_CHECK_NOT
The CONFIG_CHECK check uses regular expressions to analyze the configuration and identify whether a configuration item is set.
The CONFIG_CHECK_NOT check gives the opposite result to CONFIG_CHECK: it analyzes the configuration to identify whether a regular expression is _not_ present, which indicates the configuration item is not set.
Usage
<custom_item>
type : CONFIG_CHECK
description : ["description"]
(optional) context : ["regular expression to create contexts"]
(optional) regex : ["regular expression to reduce config options"]
item : ["regular expression of text that needs to be found"]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
(optional) min_occurrences : ["numerical value"]
(optional) max_occurrences : ["numerical value"]
(optional) required : [YES|NO]
</custom_item>
context
(Optional) The context is a regular expression that will return one or more subsets of the configuration. When the context matches a line, it will return that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down the searchable configuration. It is an optional transformation.
Contexts are evaluated independently and if one context FAILS, the entire check evaluation FAILS.
A context is defined as code formatted like the following:
context-1
line item 1
line item 2
context-2
line item 1
line item 2
Example
<custom_item>
type : CONFIG_CHECK
description : "SSH encryption settings"
context : "ssh server"
item : "encryption 3des-cbc disable"
</custom_item>
This will:
1. Find lines matching "ssh server".
2. Extract all indented child lines.
3. Search the child lines for "encryption 3des-cbc disable".
regex
(Optional) The regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order they are listed in the check. It is an optional transformation.
item
The evaluation is based on item.
- For a CONFIG_CHECK, if the regular expression in the item matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
- For a CONFIG_CHECK_NOT, if the regular expression in the item matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
match_all
(Optional) Setting match_all to YES requires the item to match all lines of text, not just a single line of text. If match_all is left at the default of NO, only one line must match for the check to pass.
Example
<custom_item>
type : CONFIG_CHECK
description : "All interfaces have description"
context : "interface \S+"
item : "description"
match_all : YES
</custom_item>
match_case
(Optional) Setting match_case to YES makes the comparison case sensitive. If match_case is left at the default of NO, the comparison is case insensitive.
Example
<custom_item>
type : CONFIG_CHECK
description : "Exact hostname match"
item : "hostname MyDevice"
match_case : YES
</custom_item>
min_occurrences
(Optional) The min_occurrences keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. This is useful in cases where a minimum number of servers (for example NTP, DNS) should be present.
Note: This keyword is not supported for CONFIG_CHECK_NOT.
Example
<custom_item>
type : CONFIG_CHECK
description : "At least 3 NTP servers configured"
item : "ntp server \S+"
min_occurrences : "3"
</custom_item>
max_occurrences
(Optional) The max_occurrences keyword specifies the maximum number of occurrences of the configuration item allowed for the audit to pass. This is useful when checking that no more than a fixed number of items exist, for example a single local account of last resort.
Note: This keyword is not supported for CONFIG_CHECK_NOT.
Example
<custom_item>
type : CONFIG_CHECK
description : "Maximum 1 emergency account"
item : "username emergency"
max_occurrences : "1"
</custom_item>
required
(Optional) A value of NO allows the check to pass if the item is not found. Defaults to YES if not specified.
Note: This keyword is not supported for CONFIG_CHECK_NOT.
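The following is an added Python model of the evaluation steps described on this page (context extraction, regex filtering, item matching, match_all, match_case, min/max_occurrences, required, and the CONFIG_CHECK_NOT inversion); it is not Tenable's engine and not code from the page, and it runs against a constructed OS10-style config excerpt. It assumes that match_all requires every context block to contain a match, as the "All interfaces have description" example implies, and that min_occurrences and max_occurrences count matches across all evaluated lines.

```python
import re

# Constructed Dell OS10-style running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
hostname MyDevice
ntp server 10.0.0.1
ntp server 10.0.0.2
username emergency password 0 secret role sysadmin
interface ethernet1/1/1
 description uplink
 no shutdown
interface ethernet1/1/2
 no shutdown
ssh server vrf management
 encryption 3des-cbc disable
"""

def context_blocks(lines, pattern, flags):
    # Each matching line starts a block that also holds the more-indented lines directly below it.
    blocks, i = [], 0
    while i < len(lines):
        if re.search(pattern, lines[i], flags):
            base, block, i = len(lines[i]) - len(lines[i].lstrip()), [lines[i]], i + 1
            while i < len(lines) and len(lines[i]) - len(lines[i].lstrip()) > base:
                block.append(lines[i])
                i += 1
            blocks.append(block)
        else:
            i += 1
    return blocks

def config_check(config, item, contexts=(), regexes=(), match_all=False, match_case=False,
                 min_occurrences=None, max_occurrences=None, required=True, negate=False):
    # negate=False models CONFIG_CHECK, negate=True models CONFIG_CHECK_NOT; returns "PASSED" or "FAILED".
    flags = 0 if match_case else re.IGNORECASE
    blocks = [config.splitlines()]
    for ctx in contexts:  # each context narrows the previous blocks to their matching sub-blocks
        blocks = [b for blk in blocks for b in context_blocks(blk, ctx, flags)]
    for rx in regexes:  # each regex keeps only the lines that match it, in the order listed
        blocks = [[ln for ln in blk if re.search(rx, ln, flags)] for blk in blocks]
    hits = [sum(1 for ln in blk if re.search(item, ln, flags)) for blk in blocks]
    total = sum(hits)
    if negate:  # CONFIG_CHECK_NOT: any match is a finding
        return "FAILED" if total else "PASSED"
    if total == 0:  # nothing found: only passes when required is NO
        return "PASSED" if not required else "FAILED"
    lo, hi = min_occurrences or 0, total if max_occurrences is None else max_occurrences
    if total < lo or total > hi or (match_all and not all(hits)):  # match_all: every block must hit
        return "FAILED"
    return "PASSED"
```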