TOC & Recently Viewed

Recently Viewed Topics

CONFIG_CHECK and CONFIG_CHECK_NOT Checks

The CONFIG_CHECK check analyzes the configuration for regular expressions to identify if a configuration is set.

The CONFIG_CHECK_NOT check gives the opposite result as CONFIG_CHECK, and analyzes the configuration to identify if a regular expression is not present, which indicates the configuration is not set.

Usage

<custom_item>

type : CONFIG_CHECK

description : ["description"]

(optional) context : ["regular expression to create contexts"]

(optional) regex : ["regular expression to reduce config options"]

item : ["regular expression of text that needs to be found"]

(optional) match_all : [YES|NO]

(optional) match_case : [YES|NO]

</custom_item>

Keywords

context

(Optional) The context is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. Multiple contexts can be used to narrow down then searchable configuration.

regex

(Optional) The regex is used to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. Multiple regex can be used to narrow down the searchable configuration, and they are applied in the order that they are listed in the check.

item

The evaluation is based on item.

  • For CONFIG_CHECK, if the regular expression in the item matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
  • For CONFIG_CHECK_NOT, if the regular expression in the item matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.

To indicate if all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case.

match_all

(Optional) Setting match_all to YES requires the item to match all lines of text, and not just a single line of text. If match_all is set to the default NO, only one line must match for the check to pass.

match_case

(Optional) Setting match_case to YES makes the comparison case sensitive. If match_case is set to the default NO, the comparison is case insensitve.

Example

<custom_item>

type : CONFIG_CHECK

description : "Ensure 'TLS 1.0' is set for HTTPS access"

regex : "ssl cipher tlsv1 custom"

item : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""

</custom_item>

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.