Conditions

It is possible to define if/then/else logic in the Unix policy. This lets a single audit file handle multiple configurations: for instance, the same policy file can check the settings of either Postfix or Sendmail by using the proper if/then/else syntax.

The syntax for a condition is as follows:

    <if>
      <condition type: "or">
        <Insert your audit here>
      </condition>
      <then>
        <Insert your audit here>
      </then>
      <else>
        <Insert your audit here>
      </else>
    </if>

Example

    <if>
      # The items inside <condition> are evaluated silently; with type "or",
      # any one passing item selects the <then> branch.
      <condition type: "or">
        <custom_item>
          type: FILE_CHECK
          description: "Make sure /etc/passwd contains root"
          file: "/etc/passwd"
          owner: "root"
        </custom_item>
      </condition>

      # Items in the selected branch are evaluated and reported normally.
      <then>
        <custom_item>
          type: FILE_CONTENT_CHECK
          description: "Make sure /etc/passwd contains root (then)"
          file: "/etc/passwd"
          regex: "^root"
          expect: "^root"
        </custom_item>
      </then>

      <else>
        <custom_item>
          type: FILE_CONTENT_CHECK
          description: "Make sure /etc/passwd contains root (else)"
          file: "/etc/passwd"
          regex: "^root"
          expect: "^root"
        </custom_item>
      </else>
    </if>

Whether the condition fails or passes never shows up in the report, because the <condition> block is a “silent” check: it only selects the <then> or <else> branch, and only the items in the selected branch are reported.

Conditions can be of type "and" or "or". With "and", every item in the <condition> block must pass for the <then> branch to be taken; with "or", a single passing item is enough.
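The Postfix/Sendmail case mentioned above, written out as an added example (not from the original page): the silent condition checks whether the Postfix main configuration is present and root-owned, then the matching mail server is audited for VRFY being disabled. The file paths, the "and" gate and the expected settings are assumptions for illustration; adjust them to your own baseline.

```audit
<if>
  # Silent gate (assumption): Postfix is considered installed when its main
  # configuration exists and is owned by root. Type "and" is used so that every
  # item in the block must pass before the <then> branch is selected.
  <condition type: "and">
    <custom_item>
      type: FILE_CHECK
      description: "Postfix main.cf present and root-owned (silent condition)"
      file: "/etc/postfix/main.cf"
      owner: "root"
    </custom_item>
  </condition>

  # Postfix present: verify that the SMTP VRFY command is disabled.
  <then>
    <custom_item>
      type: FILE_CONTENT_CHECK
      description: "Postfix: disable_vrfy_command is set to yes"
      file: "/etc/postfix/main.cf"
      regex: "^disable_vrfy_command"
      expect: "^disable_vrfy_command *= *yes"
    </custom_item>
  </then>

  # No Postfix: assume Sendmail and check the equivalent PrivacyOptions flag.
  <else>
    <custom_item>
      type: FILE_CONTENT_CHECK
      description: "Sendmail: PrivacyOptions includes novrfy"
      file: "/etc/mail/sendmail.cf"
      regex: "^O PrivacyOptions"
      expect: "^O PrivacyOptions=.*novrfy"
    </custom_item>
  </else>
</if>
```

Only the FILE_CONTENT_CHECK from the branch that was taken appears in the report; the FILE_CHECK in the condition never does.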

Caveats

The Unix compliance plugin can use a system tag to control whether a particular check applies to the target OS. Using a system tag inside the <condition></condition> block is not recommended, because it can produce incorrect logic flow: the check content is evaluated before the system tag, so a conditional may branch into the <then> section even though the check does not actually apply to the target.