CONFIG_CHECK and CONFIG_CHECK_NOT Checks

The CONFIG_CHECK check analyzes the configuration for regular expressions to identify if a configuration is set.

The CONFIG_CHECK_NOT check gives the opposite result as CONFIG_CHECK, and analyzes the configuration to identify if a regular expression is not present, which indicates the configuration is not set.

Usage

<custom_item>

type : CONFIG_CHECK

description : ["description"]

(optional) context : ["regular expression to create contexts"]

(optional) regex : ["regular expression to reduce config options"]

item : ["regular expression of text that needs to be found"]

(optional) match_all : [YES|NO]

(optional) match_case : [YES|NO]

</custom_item>

Keywords

context

(Optional) The context is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down then searchable configuration.

Contexts are evaluated independently. If one context fails, the entire check evaluation fails.

Contexts are evaluated independently. If one context fails, the entire check evaluation fails.

regex

(Optional) The regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order that they are listed in the check.

item

The evaluation is based on item.

  • For CONFIG_CHECK, if the regular expression in the item matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
  • For CONFIG_CHECK_NOT, if the regular expression in the item matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.

To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.

match_all

(Optional) Set match_all to YES to require all lines of text to match the expectation, and not just a single line of text. If you set match_all to the default of NO, only one line must match for the check to pass.

match_case

(Optional) Set match_case to YES to make the comparison case-sensitive. Set match_case to the default of NO to make the comparison case-insensitive.

Example

<custom_item>

type : CONFIG_CHECK

description : "Ensure 'TLS 1.0' is set for HTTPS access"

regex : "ssl cipher tlsv1 custom"

item : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""

</custom_item>