CONFIG_CHECK and CONFIG_CHECK_NOT Checks

The CONFIG_CHECK check searches the configuration with regular expressions to determine whether a configuration setting is present.

The CONFIG_CHECK_NOT check gives the opposite result of CONFIG_CHECK: it searches the configuration to determine that a regular expression is not present, which indicates the configuration setting is not set.

Usage

<custom_item>
type : CONFIG_CHECK
description : ["description"]
(optional) context : ["regular expression to create contexts"]
(optional) regex : ["regular expression to reduce config options"]
item : ["regular expression of text that needs to be found"]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
(optional) min_occurrences : ["numerical value"]
(optional) max_occurrences : ["numerical value"]
(optional) required : [YES|NO]
</custom_item>

Keywords

context

(Optional) The context is a regular expression that returns one or more subsets of the configuration. When the context matches a line, it returns that line and any other lines directly below it that are indented more than the initial matching line. You can use multiple contexts to narrow down the searchable configuration.

Contexts are evaluated independently and if one context FAILS, the entire check evaluation FAILS.

A context is defined as configuration text formatted like the following, where the line items are indented more than the context line that introduces them:

context-1
  line item 1
  line item 2
context-2
  line item 1
  line item 2

regex

(Optional) Use regex to filter the full configurations, or each of the context configurations, to a smaller set of lines of text based on the regular expression. You can use multiple regex to narrow down the searchable configuration, and they are applied in the order they are listed in the check.

item

The evaluation is based on item.

  • For a CONFIG_CHECK, if the regular expression in the item matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.

  • For a CONFIG_CHECK_NOT, if the regular expression in the item matches a line of text, the check results as FAILED. If there are no matches, the check results as PASSED.

To require that every line matches, or that matching is case-sensitive, use the modifiers match_all or match_case.

match_all

(Optional) Setting match_all to YES requires the item to match every line of text, not just a single line. If match_all is set to the default of NO, only one line must match for the check to pass.

match_case

(Optional) Setting match_case to YES makes the comparison case-sensitive. If you set match_case to the default of NO, the comparison is case-insensitive.

min_occurrences

(Optional) The min_occurrences keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. This is useful in cases where a minimum number of servers (NTP, DNS, etc.) should be present. This keyword is not supported for CONFIG_CHECK_NOT.

Example:

min_occurrences: "3"

max_occurrences

(Optional) The max_occurrences keyword specifies the maximum number of occurrences of the configuration item allowed for the audit to pass. This is useful when checking that only a single instance of an item exists, such as a single local account (the account of last resort). This keyword is not supported for CONFIG_CHECK_NOT.

Example:

max_occurrences: "1"

required

(Optional) A value of NO allows a check to pass if the item is not found. Defaults to YES if not specified.
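The keyword semantics above (context selection by indentation, ordered regex filters, item matching with match_all, match_case, min_occurrences, max_occurrences and required) can be read as a small evaluation algorithm. The following Python is an added illustration of that algorithm and is not Nessus code or part of the page; it assumes that several context entries narrow the configuration successively and that every subset a context produces must pass on its own, and it runs the page's example checks against a constructed, Cisco-style sample configuration.

```python
import re

# Constructed sample running configuration (not taken from the page).
SAMPLE_CONFIG = """\
hostname DeviceHostname
ntp access-group ipv4 peer 10
ntp access-group ipv6 peer 20
ssh server encryption 3des-cbc disable
interface GigabitEthernet0/0
 description uplink
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 shutdown
username admin privilege 15
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def apply_context(lines, pattern, flags):
    """One context: every matching line plus the lines directly below it
    that are indented more than it. Each hit becomes its own subset."""
    rx = re.compile(pattern, flags)
    subsets, i = [], 0
    while i < len(lines):
        if not rx.search(lines[i]):
            i += 1
            continue
        base, block, j = _indent(lines[i]), [lines[i]], i + 1
        while j < len(lines) and lines[j].strip() and _indent(lines[j]) > base:
            block.append(lines[j])
            j += 1
        subsets.append(block)
        i = j
    return subsets


def evaluate(config, check):
    """Evaluate one CONFIG_CHECK / CONFIG_CHECK_NOT given as a dict of the
    page's keywords. Assumption: multiple contexts narrow successively and
    every resulting subset must pass for the whole check to pass."""
    flags = 0 if check.get("match_case", "NO") == "YES" else re.IGNORECASE
    subsets = [config.splitlines()]
    for ctx in check.get("context", []):
        subsets = [s for sub in subsets for s in apply_context(sub, ctx, flags)]
    for pat in check.get("regex", []):          # applied in listed order
        rx = re.compile(pat, flags)
        subsets = [[ln for ln in sub if rx.search(ln)] for sub in subsets]
    if not subsets:
        subsets = [[]]                          # nothing selected: item not found
    item = re.compile(check["item"], flags)
    is_not = check["type"] == "CONFIG_CHECK_NOT"
    for sub in subsets:
        hits = sum(1 for ln in sub if item.search(ln))
        if is_not:
            if hits:
                return "FAILED"
            continue
        if check.get("match_all", "NO") == "YES":
            found = hits > 0 and hits == len(sub)
        else:
            found = hits > 0
        if not found:
            if hits == 0 and check.get("required", "YES") == "NO":
                continue                        # required NO: absence is fine
            return "FAILED"
        lo = int(check.get("min_occurrences", "0"))
        hi = check.get("max_occurrences")
        if hits < lo or (hi is not None and hits > int(hi)):
            return "FAILED"
    return "PASSED"


def run_examples():
    """The page's three example checks plus a few constructed ones."""
    checks = {
        "3des_disabled": {"type": "CONFIG_CHECK", "regex": ["ssh server encryption"],
                          "item": "ssh server encryption 3des-cbc disable"},
        "hostname": {"type": "CONFIG_CHECK", "item": "hostname DeviceHostname"},
        "two_ntp_groups": {"type": "CONFIG_CHECK", "item": r"ntp access-group ipv(4|6)",
                           "min_occurrences": "2"},
        "hostname_case": {"type": "CONFIG_CHECK", "match_case": "YES",
                          "item": "hostname devicehostname"},
        "uplink_not_shut": {"type": "CONFIG_CHECK_NOT", "item": r"^\s*shutdown",
                            "context": [r"^interface GigabitEthernet0/0$"]},
        "no_shutdown_anywhere": {"type": "CONFIG_CHECK_NOT", "item": r"^\s*shutdown"},
        "single_local_user": {"type": "CONFIG_CHECK", "item": r"^username ",
                              "max_occurrences": "1"},
    }
    return {name: evaluate(SAMPLE_CONFIG, c) for name, c in checks.items()}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

The context handling is the part worth studying: a context that matches `interface GigabitEthernet0/0` yields only that interface's indented sub-lines, so a CONFIG_CHECK_NOT for `shutdown` passes there even though another interface in the same configuration is shut down.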

Examples

<custom_item>
type : CONFIG_CHECK
description : "Ensure '3des-cbc' is disabled for SSH access"
regex : "ssh server encryption"
item : "ssh server encryption 3des-cbc disable"
</custom_item>

<custom_item>
type : CONFIG_CHECK
description : "Verify an expected hostname is set"
section : "system-config"
item : "hostname DeviceHostname"
</custom_item>

<custom_item>
type : CONFIG_CHECK
description : "Verify two ntp access-group lines are present"
item : "ntp access-group ipv(4|6)"
min_occurrences : "2"
</custom_item>