Cisco IOS Keywords

The following table indicates how each keyword in the Cisco compliance checks can be used:

Keyword	Example Use and Supported Settings
type	CONFIG_CHECK, CONFIG_CHECK_NOT and RANDOMNESS_CHECK “CONFIG_CHECK” determines if the specified item exists in the CISCO IOS “show config” output. In the same manner, “CONFIG_CHECK_NOT” determines if the specified item does not exist. “RANDOMNESS_CHECK” is used to perform string complexity checks (e.g., password checks). If you specify an item to look for (via a regex), it will tell you if the string is “random” enough (at least eight characters long, with upper case, lower case, at least a digit and at least one special character). Note: The randomness parameters are currently not configurable.
description	The “description” keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and that no distinct checks have the same description field. Tenable SecurityCenter uses this field to automatically generate a unique plugin ID number based on the description field. Example: description: "Forbid Remote Startup Configuration"
feature_set	The “`feature_set`” keyword, similar to the “`system`” keyword in Unix compliance checks, checks the Feature Set version of the Cisco IOS and either runs the resulting check or skips the check because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular Feature Set. Example: <item> type: CONFIG_CHECK description: "Version Check" info: "SSH Access Control Check." feature_set: "K8" context:"line .*" item: "access-class [0-9]+ in" </item> The check above will only run the “item” check if the Feature Set version matches the specified regex: (K8) In the event of a Feature Set version check failure, an error similar to the one below is displayed: "Version Check" : [SKIPPED] Test defined for 12.[5-9] whereas we are running 12.4(15)T10
info	The “`info`” keyword is used to add a more detailed description to the check that is being performed. Rationale for the check could be a regulation, URL with more information, corporate policy and more. Multiple `info` fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of `info` fields that can be used. Note: Each “`info`” tag must be written on a separate line with no line breaks. If more than one line is required (e.g., formatting reasons), add additional “`info`” tags. Example: info: "Verify at least one local user exists and ensure" info: "all locally defined user passwords are protected" info: "by encryption."
item	The “`item`” keyword specifies the configuration item within the output of the “show config” output to be audited. Example: item: "transport input ssh" Regular expressions can be used within this keyword to filter the results of the match. Please see the `regex` keyword description for more details of the `regex` functionality.
regex	The “`regex`” keyword enables searching the configuration item setting to match for a particular regular expression. Example: regex: "snmp-server community ([^ ]) ." The following meta-characters require special treatment: + \ * ( ) ^ Escape these characters out twice with two backslashes “\\” or enclose them in square brackets “[]” if you wish for them to be interpreted literally. Other characters such as the following need only a single backslash to be interpreted literally: . ? " ' This has to do with the way that the compiler treats these characters.
min_occurrences	The “`min_occurrences`” keyword specifies the minimum number of occurrences of the configuration item required to pass the audit. Example: min_occurrences: "3"
max_occurrences	The “`max_occurrences`” keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit. Example: max_occurrences: "1"
required	The “`required`” keyword is used to specify if the audited item is required to be present or not on the remote system. For example, if `required` is set to “NO” and the check type is “CONFIG_CHECK”, then the check will pass if the configuration item exists or if the configuration item does not exist. On the other hand, if `required` was set to “YES”, the above check would fail. Example: required: NO
context	The “`context`” keyword is useful where more than one instance of a particular configuration item exists. For example, consider the following configuration: line con 0 no modem enable line aux 0 access-class 42 in exec-timeout 10 0 no exec line vty 0 4 exec-timeout 2 0 password 7 15010X1C142222362G transport input ssh If you want to test a value from a particular serial line, using the `item` keyword with “line” will not be sufficient as there is more than one “line” option. If you use “`context`”, you will only focus on the item you are interested in. For example: context: "con 0" You will only grep on the following configuration item: line con 0 no modem enable Regular expressions can be used within this keyword to filter the results of the match. Please see the `regex` keyword description for more details of the `regex` functionality.