TOC & Recently Viewed

Recently Viewed Topics

FireEye Keywords

The following table indicates how each keyword in the FireEye compliance checks can be used:

Keyword

Example

type

CONFIG_CHECK

CONFIG_CHECK_NOT

RANDOMNESS_CHECK

description

This keyword gives a brief description of the check that is being performed. It is required that description field be unique and no two checks should have the same description field. This is required because SecurityCenter uses this field to auto generate a plugin ID number based on the description field.

Example:

description: " Verify login authentication"

info

This keyword allows users to add a more detailed description to the check that is being performed. Multiple info fields are allowed with no preset limit. The info content must be enclosed in double-quotes.

Example:

info: "Verifies login authentication configuration."

see_also

This keyword allows users to include links that might provide helpful information about a check.

Example:

see_also: "http://www.fireeye.com/support/"

reference

This keyword allows including cross references for audit checks.

Example:

reference: "PCI|2.2.3,SANS-CSC|1"

solution

The keyword provides text to include solution text to fix a compliance failure.

Example:

solution: "Modify the configuration to add missing line"

severity

This keyword allows users to set the severity of the check. The severity can be set to HIGH, MEDIUM, or LOW.

Example:

severity: MEDIUM

regex

This keyword allows enumerating items that match a particular regex expression. If a check has “regex” keyword set, but no “expect” or “not_expect” keyword is set, then the check simply reports all items matching the regex.

Example:

regex: "power-state.+"

expect

This keyword allows searching within the lines found by regex. All lines found by regex must match the expect setting for the check to pass. If no regex was provided, all lines will be checked but only one needs to be found.

Example:

regex: "power"

not_expect

Similar to expect, but if any matches are found, the check fails. If both expect and not_expect are omitted, all applicable lines will be reported as an info message.

min_occurrences

This keyword allows setting a minimum number of occurrences of the check.

Example:

min_occurrences: 3

max_occurrences

Like min_occurrences, but a maximum value instead of a minimum.

required

This keyword allows specifying if a check match is required or not. The value of the required field can be YES, NO, ENABLED, or DISABLED.

Example:

required: YES

cmd

This allows users to run a show command.

Example:

cmd: "show version"

Only “show” commands are allowed.

<item>

type: CONFIG_CHECK

cmd: "show version"

description: "Show Product version"

regex: "Product model:"

expect: "1234"

</item>

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.