Check Point GAiA Keywords

The following table indicates how each keyword in the GAiA compliance checks can be used:

Keyword

Example Use and Supported Settings

type

“CHECK_CONFIG” determines if the specified config item exists in the GAiA “show configuration” output.

description

The “description” keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and that no distinct checks have the same description field. SecurityCenter uses this field to automatically generate a unique plugin ID number based on the description field.

Example:

description: "1.0 Require strong Password Controls - 'min-password-length >= 8'"

info

The “info” keyword is used to add a more detailed description to the check that is being performed. Rationale for the check could be a regulation, URL with more information, corporate policy, and more. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Note: Each “info” tag must be written on a separate line with no line breaks. If more than one line is required (e.g., formatting reasons), add additional “info” tags.

Example:

info: "Enable palindrome-check on passwords"

severity

The “severity” keyword specifies the severity of the check being performed.

Example:

severity: MEDIUM

The severity can be set to HIGH, MEDIUM, or LOW.

regex

The “regex” keyword enables searching the configuration item setting to match for a particular regular expression.

Example:

regex: "set snmp .+"

The following meta-characters require special treatment: + \ * ( ) ^

Escape these characters out twice with two backslashes “\\” or enclose them in square brackets “[]” if you wish for them to be interpreted literally. Other characters such as the following need only a single backslash to be interpreted literally: . ? " '

This has to do with the way that the compiler treats these characters.

If a check has “regex” tag set, but no “expect” or “not_expect” or “number_of_lines” tag is set, then the check simply reports all lines matching the regex.

expect

This keyword allows auditing the configuration item matched by the “regex” tag or if the “regex” tag is not used it looks for the “expect” string in the entire config.

The check passes as long as the config line found by “regex” matches the “expect” tag or in the case where “regex” is not set, it passes if the “expect” string is found in the config.

Example:

regex: "set password-controls complexity"

expect: "set password-controls complexity [1-4]"

In the above case, the “expect” tag ensures that the complexity is set to a value between 1 and 4.

not_expect

This keyword allows searching the configuration items that should not be in the configuration.

It acts as the opposite of “expect”. The check passes as the config line found by “regex” does not match the “not_expect” tag or if the “regex” tag is not set, it passes as long as “not_expect" string is not found in the config.

Example:

regex: "set password-controls password-expiration"

not_expect: "set password-controls password-expiration never"

In the above case, the “not_expect” tag ensures that the password-controls are not set to “never”.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.