Doug Nordwall wrote:
> let's take CIS check 5.1 - printers. the relevant part is:
> file : "/etc/syslog.conf"
> regex : "^ *[^#]*authpriv.*"
> expect : "authpriv.*/var/log/secure"
>
> when trying this manually I see...
>
> # grep "^ *[^#]*authpriv.*" /etc/syslog.conf
> *.info;cron.none;authpriv.none;local7.none /var/log/messages
> authpriv.* /var/log/secure
> authpriv.* @logginghost
>
> does FILE_CONTENT_CHECK handle multiple expects? if not, how might you
> handle a case like this?
>
If you want to be more restrictive and look for "authpriv.* /var/log/secure"
you can do something like this:
<custom_item>
#System : "Linux"
type : FILE_CONTENT_CHECK
description : "5.1 Capture Messages Sent To Syslog AUTHPRIV Facility - should pass if 'authpriv' is set to '/var/log/secure'."
file : "/etc/syslog.conf"
regex : "^authpriv.*/var/log/secure"
expect : "authpriv.*/var/log/secure"
</custom_item>
The purpose of the regex/expect is so you can have the flexibility
to look for other "variable setting" combinations that might be
invalid.
Ron Gula
Tenable Network Security
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
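To make the regex/expect interaction concrete, here is an added example (not part of the thread, and not Tenable's code) that models a FILE_CONTENT_CHECK as "every line selected by `regex` must also match `expect`". That evaluation rule is an assumption for illustration; the sample syslog.conf is constructed to mirror the three lines in Doug's grep output. It shows why the loose regex from the CIS check selects the `authpriv.none` and `@logginghost` lines and trips the expect, while Ron's tighter regex selects only the line the check is actually about.

```python
import re

# Constructed sample of /etc/syslog.conf, mirroring the three lines shown in
# the grep output above, plus a comment and a blank line to exercise the regex.
SAMPLE_SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;cron.none;authpriv.none;local7.none   /var/log/messages

# The authpriv file has restricted access.
authpriv.*   /var/log/secure
authpriv.*   @logginghost
"""

# Constructed non-compliant variant: authpriv goes somewhere other than /var/log/secure.
NONCOMPLIANT_CONF = """\
*.info;cron.none;authpriv.none;local7.none   /var/log/messages
authpriv.*   /var/log/auth
"""

# The regex/expect pairs from the thread.
LOOSE_REGEX = r"^ *[^#]*authpriv.*"          # from the CIS check as quoted
TIGHT_REGEX = r"^authpriv.*/var/log/secure"  # Ron's more restrictive version
EXPECT = r"authpriv.*/var/log/secure"


def file_content_check(content, regex, expect):
    """Simplified model of a FILE_CONTENT_CHECK (an assumption about the
    semantics, not Tenable's implementation).

    Every line matched by `regex` is selected; each selected line must also
    match `expect`. If no line is selected at all, the check fails because
    the setting is absent. Returns (result, selected_lines, failing_lines).
    """
    selected = [line for line in content.splitlines() if re.search(regex, line)]
    failing = [line for line in selected if not re.search(expect, line)]
    if not selected:
        return "FAILED", selected, failing
    return ("PASSED" if not failing else "FAILED"), selected, failing


def report(label, content, regex, expect):
    result, selected, failing = file_content_check(content, regex, expect)
    print(f"{label}: {result}")
    for line in selected:
        flag = "ok  " if line not in failing else "FAIL"
        print(f"  [{flag}] {line}")
    return result


if __name__ == "__main__":
    # Loose regex: three lines selected, two of them do not satisfy expect.
    report("CIS regex on compliant file", SAMPLE_SYSLOG_CONF, LOOSE_REGEX, EXPECT)
    # Tight regex: only the authpriv -> /var/log/secure line is selected.
    report("Tight regex on compliant file", SAMPLE_SYSLOG_CONF, TIGHT_REGEX, EXPECT)
    # Tight regex still catches a file where authpriv is logged elsewhere.
    report("Tight regex on non-compliant file", NONCOMPLIANT_CONF, TIGHT_REGEX, EXPECT)
```

The loose regex is the real culprit here: `[^#]*` happily walks across `*.info;cron.none;` and lands on `authpriv.none`, so that line is pulled into the check even though it has nothing to do with the secure log. Anchoring the regex on `^authpriv` narrows the selection to the facility line, which is what the expect clause was written for.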