Last updated: March 13, 2017
This document describes the syntax used to create custom .audit files that can be used to audit the configuration of Unix, Windows, database, SCADA, IBM iSeries, and Cisco systems against a compliance policy as well as search the contents of various systems for sensitive content.
Please reference the Nessus Compliance Checks for a higher-level view of how Tenable compliance checks work.
Tip: Nessus supports SCADA system auditing; however, this functionality is outside of the scope of this document. Please reference the Tenable SCADA information page for more information.
This document assumes some level of knowledge about the Nessus vulnerability scanner along with a detailed understanding of the target systems being audited. For more information on how Nessus can be configured to perform local Unix and Windows patch audits, please refer to the Nessus User Guide available at https://docs.tenable.com/nessus/.
Tips on String Matching
As a general rule, confine the matching to a single line of the message where possible; this is the most accurate approach and is also easier to write and troubleshoot. Single quotes and double quotes are interchangeable when surrounding audit fields, except in the following cases:
In Windows compliance checks where special fields such as CRLF must be interpreted literally, use single quotes. Any embedded fields that are to be interpreted as strings must be escaped out. For example:
expect: 'First line\r\nSecond line\r\nJohn\'s Line'
Double quotes are required when using the FileContent "include_paths" and "exclude_paths".
If using strings in any field type (description, value_data, regex, etc.) that contain single or double quotes, there are two ways to handle them:
Use the opposite quote type for the outermost enclosing quotes. For example:
expect: "This is John's Line"
expect: 'We are looking for a double-quote-".*'
Escape out any embedded quotes with a backslash (double quotes only). For example:
expect: "\"Text to be searched\""
A character can be escaped so that it matches the literal character rather than taking its normal regex interpretation, such as a period matching any single character. For example:
expect: "Find this line\. Even if it has periods\."
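
The quoting rules above can be checked mechanically before an .audit file is loaded. The following Python linter is an added example, not part of the original document or of any Tenable tooling; the function name lint_field and the sample lines are assumptions made for illustration, and it accepts a backslash escape inside either quote type, as the examples on this page do.

```python
import re

# Fields the page says must be written with double quotes.
DOUBLE_QUOTE_ONLY = {"include_paths", "exclude_paths"}
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def lint_field(line):
    """Return quoting problems found in one 'name: value' audit field line."""
    m = FIELD.match(line)
    if not m:
        return ["not a 'name: value' field"]
    name, value = m.groups()
    if name in DOUBLE_QUOTE_ONLY:
        # Only the quote type is checked here, not the path syntax itself.
        return [] if value.startswith('"') else [f"{name}: double quotes are required"]
    if len(value) < 2 or value[0] not in "'\"" or value[-1] != value[0]:
        return [f"{name}: value is not enclosed in matching quotes"]
    quote, body, problems = value[0], value[1:-1], []
    i = 0
    while i < len(body):
        if body[i] == "\\":      # a backslash escapes the next character
            i += 2
            continue
        if body[i] == quote:     # same quote type as the enclosing pair
            problems.append(f"{name}: unescaped {quote} at offset {i + 1}")
        i += 1
    if i > len(body):            # trailing backslash escaped the closing quote
        problems.append(f"{name}: closing quote is escaped")
    return problems

# Constructed sample lines: the first four follow the page's examples,
# the last two are deliberately wrong.
SAMPLES = [
    'expect: "This is John\'s Line"',
    "expect: 'We are looking for a double-quote-\".*'",
    r'expect: "\"Text to be searched\""',
    r"expect: 'First line\r\nSecond line\r\nJohn\'s Line'",
    'expect: "He said "hello""',
    r"include_paths: 'C:\Users'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_field(sample) or "ok")
```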