TOC & Recently Viewed

Recently Viewed Topics

Keywords

The following table indicates how each keyword in the VMware compliance checks can be used:

Keyword

Example Use and Supported Settings

type

This keyword describes the type of check that is being performed by a given item in an audit file. VMware audits can be performed with the following three types of audit checks:

  • AUDIT_VM
  • AUDIT_ESX
  • AUDIT_VCENTER

description

This keyword gives a brief description of the check that is being performed. It is required that description field be unique and no two checks should have the same description field. This is required because SecurityCenter uses this field to auto generate a plugin ID number based on the description field.

Example:

description: "Disconnect unauthorized devices - 'floppyX.present = false'"

info

This keyword allows users to add a more detailed description to the check that is being performed. Multiple info fields are allowed with no preset limit. The info content must be enclosed in double-quotes.

Example:

info: "Make sure floppy drive is not attached"

regex

This keyword allows searching items that match a particular regex expression.

Example:

regex: "floppy([Xx]|[0-9]+)\\.present :"

The compliance of a check can be determined by comparing the output of the check to either the expect or not_expect keyword. You cannot use more than one compliance testing tag in a given check.

Keyword

Example Use and Supported Settings

expect

This keyword allows auditing the config item matched by the regex keyword, or if the regex keyword is not used, looks for the expect string in the entire config.

The check passes as long as the config line found by regex matches the expect string or in the case where regex is not set, it passes if the expect string is found in the config.

Example:

regex: "floppy([Xx]|[0-9]+)\\.present :"

expect: floppy([Xx]|[0-9]+)\\.present : false"

Or:

expect: floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the expect keyword ensures that the floppy drive is not present.

not_expect

This keyword allows searching the configuration items that should not be in the configuration.

It acts as the opposite of expect. The check passes as long as the config line found by regex does not match the not_expect string or if the regex keyword is not set, it passes as long as not_expect string is not found in the config.

Example:

regex: floppy([Xx]|[0-9]+)\\.present : "

not_expect: floppy([Xx]|[0-9]+)\\.present : false"

Or:

not_expect: floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the expect keyword ensures that the floppy drive is not present.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.