Item Format

Each of these items is used to audit a wide variety of file formats and data types. The following table lists the supported keywords, and the next section gives numerous examples of how these keywords can be combined to audit various types of file content.

Keyword

Required

Description

type

yes

This must always be set to FILE_CONTENT_CHECK.

description

yes

This keyword provides a brief description of the check being performed. It is strongly recommended that the description be unique and that no two distinct checks share the same description, because Tenable uses this field to automatically generate a unique plugin ID number.

file_extension

yes

This lists the file extensions Nessus searches for. Extensions are listed without the leading “.”, in double quotes and separated by pipes. When no further options such as regex and expect are included in the audit, every file with one of the listed extensions is reported in the audit output.

regex

no

This keyword holds the regular expression used to search for complex types of data. If the regular expression matches, the first matched content is displayed in the vulnerability report (subject to the only_show and regex_replace keywords described below).

Note: The regex keyword must be run with the expect keyword described below.

Unlike other compliance check types, where regex and expect must match the same line, in a File Content Compliance Check the regex and expect values do not have to match the same data string within the searched file. File Content checks simply require that both the regex and the expect statement match data somewhere within the first max_size bytes of the file.

expect

no

The expect statement lists one or more simple patterns, at least one of which must be present in the document for it to match. For example, when searching for Social Security numbers, the word “SSN”, “SS#”, or “Social” could be required.

Multiple patterns are listed in quotes and separated with pipe characters.

Simple pattern matching is also supported in this keyword with the period, which matches any single character. The expect pattern “C.T” would therefore match “CAT”, “CaT”, “COT”, “C T” and so on.

Note: The expect keyword may be used on its own for simple pattern matching; however, if the regex keyword is used, expect is required.

As noted under regex, the regex and expect values do not have to match the same data string: both simply have to match somewhere within the first max_size bytes of the searched file.

file_name

no

Where the required file_extension keyword selects files by extension, this optional keyword further refines the list of files to be analyzed. By providing a list of patterns, files can be matched or discarded.

For example, this makes it very easy to search for any file whose name contains terms such as “employee”, “customer”, or “salary”.

max_size

no

For performance, an audit may only want to look at the first part of each file. This keyword specifies how many bytes of each file are examined. The value is a number of bytes, optionally suffixed with “K” or “M” for kilobytes or megabytes respectively.

only_show

no

This keyword limits how many characters of the matched string are revealed in the report. When matching sensitive data such as credit card numbers, your organization may require that only a limited number of digits be made visible. The default is 4 or half the length of the matched string, whichever is smaller. For example, if a matched string is 10 characters long and only_show is set to 4, only the last 4 characters are shown. If the matched string is 6 characters long, only 3 characters are shown.

Note: When you match against US Social Security numbers (SSNs), the specified number of digits is revealed at the front of the string (for example, 123-XX-XXXX).

regex_replace

no

This keyword controls which part of the regular expression match is shown in the report. When searching for complex data patterns, such as credit card numbers, the first match is not always the desired data; this keyword provides the flexibility to capture the desired data with greater accuracy.

include_paths

no

This keyword restricts the search to the listed drives or directories. It may be used in conjunction with, or independently of, the exclude_paths keyword, and is particularly helpful where only certain drives or folders must be searched on a multi-drive system. Paths are double-quoted and separated by the pipe symbol where multiple paths are required.

Only drive letters or folder names can be specified with the include_paths keyword. File names cannot be included in the include_paths value string.

exclude_paths

no

This keyword excludes drives, directories, or individual files from the search. It may be used in conjunction with, or independently of, the include_paths keyword, and is particularly helpful where a particular drive, directory, or file must be excluded from search results. Paths are double-quoted and separated by the pipe symbol where multiple paths are required.

see_also

no

This keyword allows you to include a link to a reference.

Example:

see_also: "example.com"

solution

no

This keyword provides a way to include “Solution” text, if available, in the report.

Example:

solution: "Remove this file if it's not required"

reference

no

This keyword provides a way to include cross-references in the .audit file. The format is “ref|ref-id1,ref|ref-id2”: each entry is a reference source, a pipe, and the identifier within that source, with entries separated by commas.

Example:

reference: "CAT|CAT II,800-53|IA-5,8500.2|IAIA-1,8500.2|IAIA-2,8500.2|IATS-1,8500.2|IATS-2"

luhn

no

Setting luhn to YES restricts the plugin to reporting only numbers that pass the Luhn check-digit algorithm, which filters out most strings that merely look like credit card numbers.

Usage

<item>
type: FILE_CONTENT_CHECK
description: ["value data"]
file_extension: ["value data"]
(optional) regex: ["value data"]
(optional) expect: ["value data"]
(optional) file_name: ["value data"]
(optional) max_size: ["value data"]
(optional) only_show: ["value data"]
(optional) regex_replace: ["value data"]
(optional) include_paths: ["value data"]
(optional) exclude_paths: ["value data"]
(optional) see_also: ["value data"]
(optional) solution: ["value data"]
(optional) reference: ["value data"]
(optional) luhn: ["value data"]
</item>
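The following Python script is an added example; it is not part of the Tenable documentation or of the Nessus plugin itself. It parses a constructed FILE_CONTENT_CHECK item written in the syntax above and applies the rules this page describes to a constructed file buffer: only the first max_size bytes are examined, the expect patterns (with “.” as a single-character wildcard) and the regex each only have to match somewhere in that window, numbers that fail the Luhn check are skipped when luhn is YES, and only_show masks the reported value. The item's description, regex, expect and exclude_paths values, the reading of regex_replace as a “\N” capture-group reference, and prefix matching for include_paths and exclude_paths are assumptions made for illustration.

```python
import re

# Constructed FILE_CONTENT_CHECK item in the .audit syntax documented above; the
# description, regex, expect and exclude_paths values are illustrative assumptions.
AUDIT_ITEM = r'''
<item>
  type: FILE_CONTENT_CHECK
  description: "Determine if a file contains a 16-digit card number starting with 4"
  file_extension: "xls" | "pdf" | "txt"
  regex: "(?:^|[^0-9-])(4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})(?:$|[^0-9-])"
  expect: "VISA" | "credit" | "C.N"
  exclude_paths: "C:\Windows" | "C:\Program Files"
  max_size: "50K"
  only_show: "4"
  regex_replace: "\1"
  luhn: "YES"
</item>
'''

# Constructed file content: the first number fails the Luhn check, the second passes.
SAMPLE_FILE = (
    b"Customer VISA card on file: 4111 1111 1111 1112 (typo)\n"
    b"Corrected: 4111-1111-1111-1111\n"
)

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted value, backslashes kept

def parse_item(text):
    """Map each keyword to its list of quoted, pipe-separated values."""
    item = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ("<item>", "</item>"):
            continue
        key, _, raw = line.partition(":")
        item[key.strip()] = QUOTED.findall(raw)
    return item

def parse_size(value):
    """max_size is a byte count with an optional K or M suffix."""
    units = {"K": 1024, "M": 1024 * 1024}
    value = value.strip().upper()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)

def expect_to_regex(pattern):
    """expect patterns are literal except for '.', which matches any one character."""
    return re.escape(pattern).replace(r"\.", ".")

def luhn_ok(value):
    """Luhn check-digit test over the digits of value (separators ignored)."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) > 1 and total % 10 == 0

def mask(value, only_show=None):
    """Reveal the last n characters: n defaults to 4 and is capped at half the match."""
    n = min(4 if only_show is None else only_show, len(value) // 2)
    return "X" * (len(value) - n) + value[len(value) - n:]

def replace_group(spec):
    """Assumed regex_replace syntax: "\\N" selects capture group N, anything else the whole match."""
    m = re.fullmatch(r"\\(\d+)", spec)
    return int(m.group(1)) if m else 0

def selects_file(item, path):
    """file_extension plus include_paths/exclude_paths (assumed to be path prefixes)."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext not in [e.lower() for e in item["file_extension"]]:
        return False
    includes = item.get("include_paths")
    if includes and not any(path.startswith(p) for p in includes):
        return False
    return not any(path.startswith(p) for p in item.get("exclude_paths", []))

def evaluate(item, content):
    """Return (matched, shown) for one file's bytes under the item's rules."""
    limit = parse_size(item["max_size"][0]) if "max_size" in item else len(content)
    text = content[:limit].decode("utf-8", errors="replace")
    # expect and regex each only need to match somewhere in the first max_size bytes.
    if "expect" in item and not any(re.search(expect_to_regex(p), text) for p in item["expect"]):
        return False, None
    if "regex" not in item:
        return True, None  # file is reported by extension/expect alone
    group = replace_group(item["regex_replace"][0]) if "regex_replace" in item else 0
    only_show = int(item["only_show"][0]) if "only_show" in item else None
    want_luhn = item.get("luhn", ["NO"])[0].upper() == "YES"
    for m in re.finditer(item["regex"][0], text, re.MULTILINE):
        value = m.group(group)
        if want_luhn and not luhn_ok(value):
            continue  # looks like a card number but fails the check digit
        return True, mask(value, only_show)
    return False, None
```

Running `evaluate(parse_item(AUDIT_ITEM), SAMPLE_FILE)` skips the mistyped number on the first line and reports the corrected one as XXXXXXXXXXXXXXX1111; lowering max_size to 20 leaves only the first few words in the window, so the file no longer matches even though the expect word “VISA” is still present.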