FILE_CHECK

Unix compliance audits typically test for the existence and settings of a given file. The “FILE_CHECK” audit uses four or more keywords to allow the specification of these checks. The keywords type, description, and file are mandatory and are followed by one or more checks. Current syntax supports checking for owner, group and file permissions.

It is possible to use globs in FILE_CHECK (e.g., /var/log/*). However, note that globs will only be expanded to files, not to directories. If a glob is specified and one or more matched files must be ignored from the search, use the “ignore” keyword to specify the files to ignore.

The allowed keywords are:

  • uid: Numeric User ID (e.g., 0)
  • gid: Numeric Group ID (e.g., 500)
  • check_uneveness: YES
  • system: System type (e.g., Linux)
  • description: Text description of the file check
  • file: Full path and file to check (e.g., /etc/sysconfig/sendmail)
  • owner: Owner of the file (e.g., root)
  • group: Group owner of the file (e.g., bin)
  • mode: Permission mode (e.g., 644)
  • mask: File umask (e.g., 133)
  • md5: The MD5 hash of a file (e.g., 88d3dbe3760775a00b900a850b170fcd)
  • ignore: A file to ignore (e.g., /var/log/secure)
  • attr: A file attribute (e.g., ----i--------)

File permissions are considered uneven if the “group” or “other” have additional permissions than “owner” or if “other” has additional permissions than “group”.

Here are some examples:

<custom_item>

system: "Linux"

type: FILE_CHECK

description: "Permission and ownership check for /etc/default/cron"

file: "/etc/default/cron"

owner: "bin"

group: "bin"

mode: "-r--r--r--"

</custom_item>

<custom_item>

system: "Linux"

type: FILE_CHECK

description: "Permission and ownership check for /etc/default/cron"

file: "/etc/default/cron"

owner: "bin"

group: "bin"

mode: "444"

</custom_item>

<custom_item>

system: "Linux"

type: FILE_CHECK

description: "Make sure /tmp has its sticky bit set"

file: "/tmp"

mode: "1000"

</custom_item>

<custom_item>

type: FILE_CHECK

description: "/etc/passwd has the proper md5 set"

required: YES

file: "/etc/passwd"

md5: "ce35dc081fd848763cab2cfd442f8c22"

</custom_item>

<custom_item>

type: FILE_CHECK

description: "Ignore maillog in the file mode check"

required: YES

file: "/var/log/m*"

mode: "1000"

ignore: "/var/log/maillog"

</custom_item>

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.