FILE_CHECK_NOT

The “FILE_CHECK_NOT” audit consists of three or more keywords. The keywords type, description, and file are mandatory and are followed by one or more checks. Current syntax supports checking for owner, group and file permissions. Similar to the FILE_CHECK audit, the “ignore” keyword can be used to ignore one or more files if a file glob is specified.

This function is the opposite of FILE_CHECK. A policy fails if a file does not exist or if its mode is the same as the one defined in the check itself.

It is possible to use globs in FILE_CHECK_NOT (e.g., /var/log/*). However, note that globs will only be expanded to files, not to directories.

The allowed keywords are:

  • uid: Numeric User ID (e.g., 0)
  • gid: Numeric Group ID (e.g., 500)
  • check_uneveness: Check whether the file permissions are uneven, as defined below (e.g., YES)
  • system: System type (e.g., Linux)
  • description: Text description of the file check
  • file: Full path and file to check (e.g., /etc/sysconfig/sendmail)
  • file_required: File is required to be present or not. If this option is not set, it is assumed it is required.
  • owner: Owner of the file (e.g., root)
  • group: Group owner of the file (e.g., bin)
  • mode: Permission mode (e.g., 644)
  • mask: File umask (e.g., 133)
  • md5: The MD5 hash of a file (e.g., 88d3dbe3760775a00b900a850b170fcd)
  • ignore: A file to ignore (e.g., /var/log/secure)
  • attr: A file attribute (e.g., ----i--------)

File permissions are considered uneven if the “group” or “other” have additional permissions than “owner” or if “other” has additional permissions than “group”.

Examples

<custom_item>
type: FILE_CHECK_NOT
description: "Make sure /bin/bash does NOT belong to root"
file: "/bin/bash"
owner: "root"
</custom_item>

<custom_item>
type: FILE_CHECK_NOT
description: "Make sure that /usr/bin/ssh does NOT exist"
file: "/usr/bin/ssh"
</custom_item>

<custom_item>
type: FILE_CHECK_NOT
description: "Make sure /root is NOT world writeable"
file: "/root"
mode: "0777"
</custom_item>
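The following is an added example, not Tenable's code, showing how the semantics described above (fail on a missing file, fail when owner, group or mode matches the check, expand globs to files only, honour ignore, and the uneven-permissions rule) can be evaluated against a constructed filesystem snapshot; the snapshot contents and the file_required: NO behaviour are assumptions.

```python
import fnmatch
import re

# Constructed snapshot (hypothetical): path -> (owner, group, mode)
SNAPSHOT = {
    "/bin/bash": ("root", "root", 0o755),
    "/root": ("root", "root", 0o700),
    "/var/log/secure": ("root", "root", 0o600),
    "/var/log/messages": ("root", "root", 0o644),
    "/var/log/audit": ("root", "root", 0o755),  # a directory: globs must skip it
}
DIRS = {"/var/log/audit"}

def parse_item(text):
    """Parse a <custom_item> block into a dict of keyword -> unquoted value."""
    body = re.search(r"<custom_item>(.*?)</custom_item>", text, re.S).group(1)
    item = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        item[key.strip()] = value.strip().strip('"')
    return item

def is_uneven(mode):
    """Uneven: group/other hold bits owner lacks, or other holds bits group lacks."""
    o, g, w = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    return bool(g & ~o) or bool(w & ~o) or bool(w & ~g)

def evaluate(item, snapshot=SNAPSHOT, dirs=DIRS):
    """Return (result, reasons) for a FILE_CHECK_NOT item against the snapshot."""
    pattern = item["file"]
    # Globs expand to files only, never to directories.
    targets = [p for p in snapshot if fnmatch.fnmatch(p, pattern) and p not in dirs]
    if "ignore" in item:
        targets = [p for p in targets if not fnmatch.fnmatch(p, item["ignore"])]
    if not targets:
        # A missing file fails; file_required: NO is assumed here to waive that.
        if item.get("file_required", "YES").upper() == "NO":
            return "PASSED", []
        return "FAILED", [f"{pattern}: no matching file exists"]
    reasons = []
    for path in targets:
        owner, group, mode = snapshot[path]
        if "owner" in item and owner == item["owner"]:
            reasons.append(f"{path}: owner is {owner}")
        if "group" in item and group == item["group"]:
            reasons.append(f"{path}: group is {group}")
        if "mode" in item and mode == int(item["mode"], 8):
            reasons.append(f"{path}: mode is {mode:04o}")
    return ("FAILED" if reasons else "PASSED"), reasons
```

Running the three items from the page against the snapshot yields FAILED, FAILED (the file is absent) and PASSED respectively.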

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.