custom_item Checks

The custom_item check, using expect, analyzes the configuration for regular expressions to identify whether a configuration is set.

The not_expect gives the opposite result as expect, and analyzes the configuration to identify whether a regular expression is not present, which indicates the configuration is not set or set incorrectly.

Usage

<custom_item>

description : ["description"]

expect/not_expect : ["regular expression of text that needs to be found"]

(optional) context : ["regular expression to filter contexts"]

(optional) regex : ["regular expression to reduce config options"]

(optional) cmd : ["a command to run against the target. Only 'display' commands are supported."]

(optional) match_all : [YES|NO]

(optional) match_case : [YES|NO]

(optional) min_occurrences : ["numerical value"]

(optional) max_occurrences : ["numerical value"]

</custom_item>

Keywords

Keyword Description
expect and not_expect

The custom_item evaluation is based on expect or not_expect.

  • For expect, if the regular expression in the expect matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.

  • For not_expect, if the regular expression in the not_expect matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.

To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.

Note: Expect and not_expect are mutually exclusive. You may only use one of the two keywords per check.

not_expect example:

<custom_item>

description : "Verify tlsv1.1"

not_expect : "protocol tlsv1.1"

</custom_item>

See context below for an example of expect.
context

(Optional) The context item is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down the searchable configuration.

Contexts are evaluated independently and if one context FAILS, the entire check evaluation FAILS.

A context is defined as code formatted like the following:

context1; mode

line item 1

line item 2

exit

context2; mode

line item 1

line item 2

exit

context and expect example:

<custom_item> description : "Ensure a dns server is set"

context : "dns-forwarding ;mode"

expect : "add server 192.168.1.1"

</custom_item>

regex (Optional) regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order of that they are listed in the check.
cmd

The cmd is a command that should be run on the target. Only show commands are supported. Any cmd entry in an audit that is run as an offline scan will be skipped.

Example:

<custom_item> type : CMD_EXEC description : "Ensure 'client limits enabled' is true" cmd : "show attack-detection configuration" regex : "client limits enabled"

expect : "client limits enabled:[\s]*true"

</custom_item>

match_all (Optional) Setting match_all to YES requires the expectation to match all lines of text, and not just a single line of text. If match_all is set to the default of NO, only one line must match for the check to pass.
match_case (Optional) Setting match_case to YES makes the comparison case-sensitive. If match_case is set to the default of NO, the comparison is case-insensitive.
min_occurences

(Optional) The min_occurrences keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. This is useful in cases where a minimum number of servers (NTP, DNS, etc.) should be present.

Example:

<custom_item> description : "Verify three 'attribute' entries are present"

expect : "attribute (early-intercept|detect-protocol) enable" min_occurrences : "3"

</custom_item>

max_occurences

(Optional) The max_occurrences keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit. This is useful in cases when checking items such as a single local account should exist (account of last resort).

Example: max_occurrences: "1"