Conditions

It is possible to define if/then/else logic in the Unix policy. This allows the end-user to use a single file that is able to handle multiple configurations. For instance, the same policy file can check the settings for Postfix and Sendmail by using the proper if/then/else syntax.

The syntax to perform conditions is the following:

<if>
  <condition type: "or">
    <Insert your audit here>
  </condition>
  <then>
    <Insert your audit here>
  </then>
  <else>
    <Insert your audit here>
  </else>
</if>

Example

<if>
  <condition type: "or">
    <custom_item>
      type: FILE_CHECK
      description: "Make sure /etc/passwd contains root"
      file: "/etc/passwd"
      owner: "root"
    </custom_item>
  </condition>

  <then>
    <custom_item>
      type: FILE_CONTENT_CHECK
      description: "Make sure /etc/passwd contains root (then)"
      file: "/etc/passwd"
      regex: "^root"
      expect: "^root"
    </custom_item>
  </then>

  <else>
    <custom_item>
      type: FILE_CONTENT_CHECK
      description: "Make sure /etc/passwd contains root (else)"
      file: "/etc/passwd"
      regex: "^root"
      expect: "^root"
    </custom_item>
  </else>
</if>

Whether the condition passes or fails never shows up in the report, because the condition is a “silent” check.

A condition can be of type "and" or "or".
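As an added example that is not part of the original page or of Tenable's own tooling, the following Python evaluator shows how an if/condition/then/else block behaves: it parses the custom_item blocks, applies "and"/"or" semantics to the condition, and returns only the results of the branch that ran, so the silent condition never reaches the report. The policy text, the host data (owner and file contents) and the two check types it understands are constructed stand-ins, not Nessus code.

```python
import re
# Constructed .audit fragment (hypothetical, mirroring the page's if/condition/then/else syntax).
POLICY = '''<if>
<condition type: "or">
<custom_item>
type: FILE_CHECK
description: "Make sure /etc/passwd is owned by root"
file: "/etc/passwd"
owner: "root"
</custom_item>
</condition>
<then>
<custom_item>
type: FILE_CONTENT_CHECK
description: "Make sure /etc/passwd contains root (then)"
file: "/etc/passwd"
regex: "^root"
</custom_item>
</then>
<else>
<custom_item>
type: FILE_CONTENT_CHECK
description: "Make sure /etc/passwd contains nobody (else)"
file: "/etc/passwd"
regex: "^nobody"
</custom_item>
</else>
</if>'''
HOST = {"/etc/passwd": ("root", "root:x:0:0:root:/root:/bin/bash\n")}  # constructed stand-in host: path -> (owner, contents)
ITEM = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD = re.compile(r'^(\w+):\s*"?([^"\n]*)"?\s*$', re.M)
def parse_items(block):  # one {field: value} dict per <custom_item> found in block
    return [dict(FIELD.findall(body)) for body in ITEM.findall(block)]

def run_check(item, host):  # True means the check PASSED against the stand-in host
    owner, data = host.get(item["file"], (None, ""))
    if item["type"] == "FILE_CHECK":
        return owner == item["owner"]
    if item["type"] == "FILE_CONTENT_CHECK":
        return re.search(item["regex"], data, re.M) is not None
    raise ValueError("unsupported check type: " + item["type"])

def evaluate_if(policy, host=HOST):  # silent condition; only the chosen branch's items are reported
    section = lambda tag: re.search(rf"<{tag}.*?>(.*?)</{tag}>", policy, re.S).group(1)
    cond_type = re.search(r'<condition type:\s*"(and|or)">', policy).group(1)
    cond_results = [run_check(i, host) for i in parse_items(section("condition"))]
    # "and" requires every condition item to pass, "or" at least one; neither outcome is reported.
    branch = "then" if (all if cond_type == "and" else any)(cond_results) else "else"
    return branch, [(i["description"], run_check(i, host)) for i in parse_items(section(branch))]
```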