
Unix Configuration Keywords

The following table indicates how each keyword in the Unix compliance checks can be used.

Keyword

Example Usage and Supported Settings

attr

This keyword is used in conjunction with FILE_CHECK and FILE_CHECK_NOT to audit the file attributes associated with a file. Please refer to the chattr(1) man page for details on configuring the file attributes of a file.

comment

This field is used to add any additional information that does not fit into the description field.

Example:

comment: (CWD - Current working directory)

description

This keyword provides a brief description of the check that is being performed. The description field must be unique; no two checks should have the same description. Tenable’s SecurityCenter uses this field to automatically generate a unique plugin ID number based on the description field.

Example:

description: "Permission and ownership check for /etc/at.allow"

dont_echo_cmd

This keyword is used with “CMD_EXEC” Unix compliance check audits and tells the audit to omit the actual command run by the check from the output. Only the command’s results are displayed.

Example:

dont_echo_cmd: YES

except

This keyword is used to exclude certain users, services and files from the check.

Example:

except: "guest"

Multiple user accounts can be piped together.

Example:

except: "guest" | "guest1" | "guest2"

expect

This keyword is used in combination with regex. It provides the ability to look for specific values within files.

Example:

<custom_item>
  system: "Linux"
  type: FILE_CONTENT_CHECK
  description: "This check reports a problem when the log level setting in the sendmail.cf file is less than the value set in your security policy."
  file: "sendmail.cf"
  regex: ".*LogLevel=.*"
  expect: ".*LogLevel=9"
</custom_item>

file

This keyword is used to describe the absolute or relative path of a file to be checked for permissions and ownership settings.

Examples:

file: "/etc/inet/inetd.conf"

file: "~/inetd.conf"

The file value can also be a glob.

Example:

file: "/var/log/*"

This feature is particularly useful when all the files within a given directory need to be audited for permissions or contents using FILE_CHECK, FILE_CONTENT_CHECK, FILE_CHECK_NOT, or FILE_CONTENT_CHECK_NOT.

file_type

This keyword describes the type of file that is searched for. The following is the list of supported file types.

  • b - block (buffered) special
  • c - character (unbuffered) special
  • d - directory
  • p - named pipe (FIFO)
  • f - regular file

Example:

file_type: "f"

One or more file types can be piped together in the same string.

Example:

file_type: "c|b"

group

This keyword is used to specify the group of a file; it is always used in conjunction with the file keyword. The group keyword can have a value of “none” that helps with searching for files with no owner.

Example:

group: "root"

Group can also be specified with a logical “OR” condition using the following syntax:

group: "root" || "bin" || "sys"

ignore

This keyword tells the check to ignore designated files from the search. This keyword is available for the FILE_CHECK, FILE_CHECK_NOT, FILE_CONTENT_CHECK, and FILE_CONTENT_CHECK_NOT check types.

Examples:

# ignore single file
ignore: "/root/test/2"

# ignore certain files from a directory
ignore: "/root/test/foo*"

# ignore all files in a directory
ignore: "/root/test/*"

info

This keyword is used to add a more detailed description to the check that is being performed such as a regulation, URL, corporate policy or a reason why the setting is required. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Example:

info: "ref. CIS_AIX_Benchmark_v1.0.1.pdf ch 1, pg 28-29."

levels

This keyword is used in conjunction with CHKCONFIG and is used to specify the runlevels for which a service is required to be running. All the runlevels must be described in a single string. For example, if service “sendmail” is required to be running at run level 1, 2 and 3, then the corresponding levels value in the CHKCONFIG check would be:

levels: "123"

mask

This keyword is the opposite of mode where one can specify permissions that should not be available for a particular user, group or other member. Unlike mode that checks for an exact permission value, mask audits are broader and will check if a file or directory is at a level that is equal to, or more secure than, what is specified by the mask. (Where mode may fail a file with a permission of 640 as not matching an audit expecting a value of 644, mask will see that 640 is “more secure” and will pass the audit as successful.)

Example:

mask: 022

This specifies that any permission is acceptable for the owner, and that group and other must have no write permission. A mask value of “7” means no permissions at all for that particular owner, group or other position.

md5

This keyword is used in FILE_CHECK and FILE_CHECK_NOT to make sure the MD5 of a file is actually set to whatever the policy sets.

Example:

<custom_item>
  type: FILE_CHECK
  description: "/etc/passwd has the proper md5 set"
  required: YES
  file: "/etc/passwd"
  md5: "ce35dc081fd848763cab2cfd442f8c22"
</custom_item>

mode

This keyword describes the set of permissions for a file/folder under consideration. The mode keyword can be represented in string or octal format.

Examples:

mode: "-rw-r--r--"

mode: "644"

mode: "7644"
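The difference between an exact mode match and a mask comparison described above, as an added example that is not part of the Tenable documentation or its audit engine: the parser accepts both the octal and the symbolic mode forms listed, and the mask rule (every bit set in the mask must be clear on the file, so 640 passes mask 022 while failing mode 644) is an assumption drawn from the description rather than a documented algorithm.

```python
import stat


def parse_mode(value):
    """Parse a mode keyword value given in octal ("644", "7644") or
    symbolic ("-rw-r--r--", "-rwsr-xr-x") form into an integer."""
    value = value.strip().strip('"')
    if value.isdigit():
        return int(value, 8)
    bits = value[-9:]            # drop the leading type character ("-", "d", ...)
    if len(bits) != 9:
        raise ValueError("symbolic mode needs nine permission characters")
    perm = 0
    for ch in bits:
        perm <<= 1
        if ch in "rwxst":        # lowercase s/t imply the execute bit as well
            perm |= 1
    if bits[2] in "sS":          # setuid shown in the owner execute slot
        perm |= stat.S_ISUID
    if bits[5] in "sS":          # setgid shown in the group execute slot
        perm |= stat.S_ISGID
    if bits[8] in "tT":          # sticky bit shown in the other execute slot
        perm |= stat.S_ISVTX
    return perm


def mode_passes(actual_mode, expected):
    """mode keyword: the permission bits must equal the policy value exactly."""
    return (actual_mode & 0o7777) == parse_mode(expected)


def mask_passes(actual_mode, mask):
    """mask keyword (assumed semantics): a file passes when none of the bits
    named in the mask are set, i.e. it is at least as restrictive as the mask."""
    return ((actual_mode & 0o7777) & parse_mode(mask)) == 0


if __name__ == "__main__":
    # The case from the description: 640 fails mode 644 but passes mask 022.
    print(mode_passes(0o640, "644"), mask_passes(0o640, "022"))  # False True
```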

name

This keyword is used to identify process name in PROCESS_CHECK.

Example:

name: "syslogd"

operator

This keyword is used in conjunction with RPM_CHECK and PKG_CHECK to specify the condition to pass or fail a check based on the version of the installed RPM package. It can take the following values:

  • lt (less than)
  • lte (less than or equal)
  • gte (greater than or equal)
  • gt (greater than)
  • eq (equal)

Example:

operator: "lt"

owner

This keyword is used to specify the owner of a file; it is always used in conjunction with the file keyword. The owner keyword can have a value of “none” that helps with searching for files with no owner.

Example:

owner: "root"

Ownership can also be specified with a logical “OR” condition using the following syntax:

owner: "root" || "bin" || "adm"

reference

This keyword provides a way to include cross-references in the .audit. The format is “ref|ref-id1,ref|ref-id2”.

Example:

reference: "CAT|CAT II,800-53|IA-5,8500.2|IAIA-1,8500.2|IAIA-2,8500.2|IATS-1,8500.2|IATS-2"

regex

This keyword enables searching a file to match for a particular regex expression.

Example:

regex: ".*LogLevel=9$"

The following meta-characters require special treatment: + \ * ( ) ^

Escape these characters with two backslashes (“\\”) or enclose them in square brackets (“[]”) if you wish them to be interpreted literally. Other characters, such as the following, need only a single backslash to be interpreted literally: . ? " '

This has to do with the way that the compiler treats these characters.

required

This keyword is used to specify if the audited item is required to be present or not on the remote system. For example, if required is set to “NO” and the check type is “FILE_CHECK”, then the check will pass if the file exists and permissions are as specified in the .audit file or if the file does not exist. On the other hand, if required was set to “YES”, the above check would fail.
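How the file (glob), ignore, file_type, owner/group OR lists and required keywords combine to select files and decide a FILE_CHECK result, as an added example that is not Tenable's own audit engine. It evaluates ownership only (not mode), runs against a constructed in-memory inventory rather than a real file system, and does not model the special owner value "none".

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class FileRecord:
    """Constructed stand-in for what a stat() of the target file would give."""
    path: str
    file_type: str   # b, c, d, p or f, the letters used by the file_type keyword
    owner: str
    group: str


def alternatives(value):
    """Split an OR'ed keyword value such as '"root" || "bin" || "sys"'."""
    return [v.strip().strip('"') for v in value.replace("||", "|").split("|")]


def select_files(records, file_glob, ignore=(), file_type=None):
    """Apply the file (glob), ignore and file_type keywords to the inventory."""
    chosen = []
    for rec in records:
        if not fnmatch.fnmatchcase(rec.path, file_glob):
            continue
        if any(fnmatch.fnmatchcase(rec.path, pat) for pat in ignore):
            continue
        if file_type and rec.file_type not in file_type.split("|"):
            continue
        chosen.append(rec)
    return chosen


def file_check(records, file_glob, owner=None, group=None,
               required="YES", ignore=(), file_type=None):
    """Check ownership of every selected file, honouring 'required':
    with required NO an absent file passes, with required YES it fails."""
    matched = select_files(records, file_glob, ignore, file_type)
    if not matched:
        return "PASSED" if required.upper() == "NO" else "FAILED"
    for rec in matched:
        if owner and rec.owner not in alternatives(owner):
            return "FAILED"
        if group and rec.group not in alternatives(group):
            return "FAILED"
    return "PASSED"


# Constructed inventory mirroring the paths used in the ignore examples above.
SAMPLE = [
    FileRecord("/root/test/1", "f", "root", "root"),
    FileRecord("/root/test/2", "f", "guest", "users"),
    FileRecord("/root/test/foo1", "f", "guest", "users"),
    FileRecord("/root/test/sub", "d", "root", "root"),
]
```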

rpm

This keyword is used to specify the RPM to look for when used in conjunction with RPM_CHECK.

Example:

<custom_item>
  type: RPM_CHECK
  description: "Make sure that the Linux kernel is BELOW version 2.6.0"
  rpm: "kernel-2.6.0-0"
  operator: "lt"
  required: YES
</custom_item>

search_locations

This keyword can be used to specify searchable locations within a file system.

Example:

search_locations: "/bin"

Multiple search locations can be piped together.

Example:

search_locations: "/bin" | "/etc/init.d" | "/etc/rc0.d"

see_also

This keyword allows links to a reference to be included.

Example:

see_also: "https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf"

service

This keyword is used in conjunction with CHKCONFIG, XINETD_SVC and SVC_PROP and is used to specify the service that is being audited.

Example:

<custom_item>
  type: CHKCONFIG
  description: "2.1 Disable Standard Services – Check if cups is disabled"
  service: "cups"
  levels: "123456"
  status: OFF
</custom_item>

severity

In any test, <item> or <custom_item>, a “severity” flag can be added and set to “LOW”, “MEDIUM”, or “HIGH”. By default, non-compliant results show up as “high”.

Example:

severity: MEDIUM

solution

This keyword provides a way to include “Solution” text if available.

Example:

solution: "Remove this file, if its not required"

status

This keyword is used in PROCESS_CHECK, CHKCONFIG and XINETD_SVC to determine whether a service on a given host should be running or disabled. The status keyword can take two values: “ON” or “OFF”.

Example:

status: ON

status: OFF

system

This keyword specifies the type of system the check is to be performed on.

Note: The “system” keyword is only applicable to “custom_item” checks, not built-in “item” checks.

The available values are the ones returned by the “uname” command on the target OS. For example, on Solaris the value is “SunOS”, on Mac OS X it is “Darwin”, on FreeBSD it is “FreeBSD”, etc.

Example:

system: "SunOS"

timeout

This keyword is used in conjunction with CMD_EXEC and specifies, in seconds, the amount of time that the specified command will be allowed to run before it times out. This keyword is useful in cases where a particular command, such as the Unix “find” command, requires extended periods of time to complete. If this keyword is not specified, the default timeout for CMD_EXEC audits is five minutes.

Example:

timeout: "600"

type

This keyword selects the check type. The supported values are:

  • CHKCONFIG
  • CMD_EXEC
  • FILE_CHECK
  • FILE_CHECK_NOT
  • FILE_CONTENT_CHECK
  • FILE_CONTENT_CHECK_NOT
  • GRAMMAR_CHECK
  • PKG_CHECK
  • PROCESS_CHECK
  • RPM_CHECK
  • SVC_PROP
  • XINETD_SVC

value

The value keyword is used to check whether a setting on the system conforms to the policy value.

Example:

value: "90..max"

The value keyword can be specified as a range [number..max]. If the value lies between the specified number and “max”, the check will pass.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.