
Item Format

Usage

<item>
type: FILE_CONTENT_CHECK
description: ["value data"]
file_extension: ["value data"]
(optional) regex: ["value data"]
(optional) expect: ["value data"]
(optional) file_name: ["value data"]
(optional) max_size: ["value data"]
(optional) only_show: ["value data"]
(optional) regex_replace: ["value data"]
</item>

Items of this type are used to audit a wide variety of file formats containing a wide variety of data types. The following table describes the supported keywords. The next section gives numerous examples of how these keywords can be combined to audit various types of file content.

Keyword

Description

type

This must always be set to FILE_CONTENT_CHECK

description

This is the information that will be used as a title for unique compliance vulnerabilities in the SecurityCenter. It will also be the first set of data reported by Nessus.

file_extension

This lists all file extensions that Nessus should search for. Extensions are listed without the leading “.”, each in double quotes and separated by pipe characters. When additional options such as regex and expect are not included in the audit, every file with one of the specified extensions is displayed in the audit output.

regex

This keyword holds the regular expression used to search for complex types of data. If the regular expression matches, the first matched content will be displayed in the vulnerability report.

Note: The regex keyword must be run with the expect keyword described below.

Note: Unlike Windows Compliance Checks, Windows File Content Compliance Check regex and expect do not have to match the same data string(s) within the searched file. Windows File Content checks simply require that both the regex and expect statements match data within the <max_size> bytes of the file searched.

expect

The expect statement is used to list one or more simple patterns that must be in the document in order for it to match. For example, when searching for Social Security numbers, the word “SSN”, “SS#”, or “Social” could be required.

Multiple patterns are listed in quotes and separated with pipe characters.

Simple pattern matching is also supported in this keyword with the period. When matching the string “C.T”, the expect statement would match “CAT”, “CaT”, “COT”, “C T” and so on.

Note: The expect keyword may be used standalone for single pattern matching; however, if the regex keyword is used, expect is required.

Note: Unlike Windows Compliance Checks, Windows File Content Compliance Check regex and expect do not have to match the same data string(s) within the searched file. Windows File Content checks simply require that both the regex and expect statements match data within the <max_size> bytes of the file searched.

file_name

Whereas the file_extension keyword is required, this optional keyword further refines the list of files to be analyzed: by providing a list of patterns, files can be matched or discarded by name.

For example, this makes it very easy to search for any type of file name that has terms in its name such as “employee”, “customer” or “salary”.

max_size

For performance, an audit may only need to look at the first part of each file. This keyword specifies how many bytes to examine, given as a plain number of bytes or with a suffix of “K” or “M” for kilobytes or megabytes respectively.

only_show

When matching sensitive data such as credit card numbers, your organization may require that only the last four digits be made visible in the report. This keyword supports revealing any number of bytes specified by policy.

regex_replace

This keyword controls which pattern in the regular expression is shown in the report. When searching for complex data patterns, such as credit card numbers, it is not always possible to get the first match to be the desired data. This keyword provides more flexibility to capture the desired data with greater accuracy.

include_paths

This keyword allows for directory or drive inclusion within the search results. This keyword may be used in conjunction with, or independently of the “exclude_paths” keyword. This is particularly helpful for cases where only certain drives or folders must be searched on a multi-drive system. Paths are double-quoted and separated by the pipe symbol where multiple paths are required.

Note: Only drive letters or folder names can be specified with the “include_paths” keyword. File names cannot be included in the “include_paths” value string.

exclude_paths

This keyword allows for drive, directory or file exclusion from search results. This keyword may be used either in conjunction with, or independently of the “include_paths” keyword. This is particularly helpful in cases where a particular drive, directory or file must be excluded from search results. Paths are double-quoted and separated by the pipe symbol where multiple paths are required.

see_also

This keyword allows links to a reference to be included.

Example:

see_also: "https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf"

solution

This keyword provides a way to include “Solution” text if available.

Example:

solution : "Remove this file if it is not required"

reference

This keyword provides a way to include cross-references in the .audit. The format is “ref|ref-id1,ref|ref-id2”.

Example:

reference : "CAT|CAT II,800-53|IA-5,8500.2|IAIA-1,8500.2|IAIA-2,8500.2|IATS-1,8500.2|IATS-2"
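As an added illustration of how the keywords above interact, the following Python script parses a constructed FILE_CONTENT_CHECK item and evaluates it against a few constructed files. It is not Nessus code and not taken from a Tenable audit file; it models the documented rules as written: the file must carry one of the listed extensions, only the first max_size bytes are examined, expect and regex must each match somewhere in that window but not necessarily the same string, regex_replace picks which capture group is reported, and only_show keeps only the trailing characters of that group. The item contents, the file paths, the “X” mask character and the case-sensitive treatment of expect are assumptions; file_name, include_paths and exclude_paths are not modelled.

```python
"""Model of the FILE_CONTENT_CHECK keywords described above.
Added illustration, not Nessus code: the matching and masking rules
are assumptions drawn from the keyword descriptions."""
import re

# Constructed .audit item; the regex, labels and sizes are illustrative only.
SAMPLE_ITEM = r'''<item>
type: FILE_CONTENT_CHECK
description: "Payment card number stored next to a card-brand label"
file_extension: "txt" | "csv"
regex: "(Visa|MasterCard)[: ]+([0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4})"
regex_replace: "\2"
only_show: "4"
expect: "Visa" | "MasterCard" | "C.rd"
max_size: "1K"
</item>'''

# Constructed sample files (path -> content); none of these exist on disk.
SAMPLE_FILES = {
    r"C:\Users\alice\cards.txt": b"Customer Card list\nVisa: 4111-1111-1111-1111\n",
    r"C:\Users\alice\notes.txt": b"Visa is accepted at the front desk\n",
    r"C:\Users\alice\cards.doc": b"Visa: 4111-1111-1111-1111\n",
    # label inside the first 1K, number beyond it: expect matches, regex does not
    r"C:\Users\alice\big.csv": b"Visa" + b"x" * 1100 + b"\nVisa: 4111-1111-1111-1111\n",
}

SIZE_SUFFIX = {"K": 1024, "M": 1024 * 1024}


def parse_item(text):
    """Turn <item> text into {keyword: [values]}. Quoted values are split on
    the pipe separator; an unquoted value (type:) is kept as a single string."""
    item = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ("<item>", "</item>"):
            continue
        key, _, raw = line.partition(":")
        values = re.findall(r'"([^"]*)"', raw)
        item[key.strip()] = values if values else [raw.strip()]
    if "regex" in item and "expect" not in item:
        raise ValueError("regex must be used together with expect")
    return item


def parse_max_size(value):
    """'64' -> 64 bytes, '1K' -> 1024, '2M' -> 2097152."""
    value = value.strip().upper()
    if value and value[-1] in SIZE_SUFFIX:
        return int(value[:-1]) * SIZE_SUFFIX[value[-1]]
    return int(value)


def expect_matches(pattern, text):
    """expect is a simple pattern: '.' matches any one character, everything
    else is literal (case-sensitive here; that is an assumption)."""
    regex = ".".join(re.escape(part) for part in pattern.split("."))
    return re.search(regex, text) is not None


def mask(text, only_show):
    """Hide all but the last only_show characters; 'X' is the assumed mask."""
    keep = int(only_show)
    if keep >= len(text):
        return text
    return "X" * (len(text) - keep) + text[-keep:]


def check_file(item, path, content):
    """Return the text reported for one file: the (masked) regex capture,
    '' when the file is listed by extension alone, or None if not reported."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext not in [e.lower() for e in item.get("file_extension", [])]:
        return None
    limit = parse_max_size(item["max_size"][0]) if "max_size" in item else len(content)
    window = content[:limit].decode("latin-1")
    # expect and regex are independent: each must match somewhere in the window
    if "expect" in item and not any(expect_matches(p, window) for p in item["expect"]):
        return None
    if "regex" not in item:
        return ""
    match = re.search(item["regex"][0], window)
    if match is None:
        return None
    # regex_replace "\2" selects capture group 2; default is the whole match
    group = int(item["regex_replace"][0].lstrip("\\")) if "regex_replace" in item else 0
    found = match.group(group)
    return mask(found, item["only_show"][0]) if "only_show" in item else found


def run(item_text=SAMPLE_ITEM, files=SAMPLE_FILES):
    """Evaluate every sample file; returns {path: reported text or None}."""
    item = parse_item(item_text)
    return {path: check_file(item, path, data) for path, data in files.items()}


if __name__ == "__main__":
    for path, result in run().items():
        print(f"{path} -> {result!r}")
```

Running the script reports the masked card number for cards.txt only: notes.txt carries the expect word but no number, cards.doc has an extension outside file_extension, and big.csv keeps its number beyond the 1K window, so expect matches there while regex does not. The regex_replace reference to group 2 is what keeps the brand label out of the report; with the whole match reported, only_show would mask the label too.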

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.