Recently Viewed Topics
The CMD_EXEC check runs a command and analyze the output with regular expressions to to identify if a command matches the expected output.
If CMD_EXEC is used in an offline scan, a warning states that the command is not able to run in offline mode.
type : CMD_EXEC
description : ["description"]
cmd : ["command to run"]
(optional) regex : ["regular expression to reduce config options"]
expect : ["regular expression that passes if found"]
not_expect : ["regular expression that passes if not found"]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
The cmd is the command that should be run on the target.
(Optional) The regex is used to filter the full configurations to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order that they are listed in the check.
expect or not_expect
The evaluation is based on expect or not_expect. Use only one of these fields in a check.
- For expect, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
- For not_expect, if the regular expression matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.
To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.
Setting match_all to YES requires the item to match all lines of text, and not just a single line of text. If match_all is set to the default NO, only one line must match for the check to pass.
Setting match_case to YES makes the comparison case sensitive. If match_case is set to the default NO, the comparison is case insensitve.
type : CMD_EXEC
description : "Ensure 'TLS 1.0' is set for HTTPS access"
cmd : "show running-config all"
regex : "ssl cipher tlsv1 custom"
expect : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""