Paul's regex actually worked pretty well. Thanks!

On Wed, Jun 4, 2008 at 12:57 PM, Ron Gula <[EMAIL PROTECTED]> wrote:
> Doug Nordwall wrote:
> > let's take CIS check 5.1 - printers. the relevant part is:
> >
> > file : "/etc/syslog.conf"
> > regex : "^ *[^#]*authpriv.*"
> > expect : "authpriv.*/var/log/secure"
> >
> > when trying this manually I see...
> >
> > # grep "^ *[^#]*authpriv.*" /etc/syslog.conf
> > *.info;cron.none;authpriv.none;local7.none /var/log/messages
> > authpriv.* /var/log/secure
> > authpriv.* @logginghost
> >
> > does FILE_CONTENT_CHECK handle multiple expects? if not, how might you
> > handle a case like this?
> >
>
> If you want to be more restrictive and look for "authpriv.* /var/log/secure"
> you can do something like this:
>
> <custom_item>
> #System : "Linux"
> type : FILE_CONTENT_CHECK
> description : "5.1 Capture Messages Sent To Syslog AUTHPRIV Facility - should pass if 'authpriv' is set to '/var/log/secure'."
> file : "/etc/syslog.conf"
> regex : "^authpriv.*/var/log/secure"
> expect : "authpriv.*/var/log/secure"
> </custom_item>
>
> The purpose of the regex/expect is so you can have the flexibility
> to look for other "variable setting" combinations that might be
> invalid.
>
> Ron Gula
> Tenable Network Security
>
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone, on MMORPGs
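A simplified model of the regex/expect pairing discussed in this thread, added here as an example and not taken from Nessus or from either poster. It assumes `regex` selects candidate lines and the check passes only when at least one line is selected and every selected line also matches `expect`; `file_content_check` is a hypothetical helper, and the sample file is constructed from the grep output quoted above.

```python
import re

# Constructed sample: the three lines from the quoted grep output,
# plus one ordinary comment and one commented-out authpriv line.
SYSLOG_CONF = """\
# Log anything of level info or higher
*.info;cron.none;authpriv.none;local7.none /var/log/messages
authpriv.* /var/log/secure
authpriv.* @logginghost
#authpriv.* /var/log/old
"""


def file_content_check(text, regex, expect):
    """Model of a regex/expect audit item (assumed semantics, see lead-in).

    Returns (passed, selected_lines, offending_lines).
    """
    selector = re.compile(regex)
    expected = re.compile(expect)
    # Lines the 'regex' field picks out as relevant to this setting.
    selected = [ln for ln in text.splitlines() if selector.search(ln)]
    # Selected lines that do not carry the expected value.
    offending = [ln for ln in selected if not expected.search(ln)]
    passed = bool(selected) and not offending
    return passed, selected, offending


EXPECT = "authpriv.*/var/log/secure"
LOOSE_REGEX = r"^ *[^#]*authpriv.*"          # regex from the original item
TIGHT_REGEX = r"^authpriv.*/var/log/secure"  # regex from the suggested item

if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_REGEX), ("tight", TIGHT_REGEX)):
        ok, selected, offending = file_content_check(SYSLOG_CONF, rx, EXPECT)
        print(f"{name}: {'PASS' if ok else 'FAIL'} "
              f"({len(selected)} selected, {len(offending)} offending)")
        for ln in offending:
            print(f"  does not match expect: {ln}")
    # With the tight regex, a file lacking the local log line selects
    # nothing, which this model treats as a failure.
    stripped = SYSLOG_CONF.replace("authpriv.* /var/log/secure\n", "")
    print("tight, line removed:",
          file_content_check(stripped, TIGHT_REGEX, EXPECT)[0])
```

The loose pattern selects the `authpriv.none` exclusion and the remote `@logginghost` forwarder along with the line of interest, which is why anchoring the regex on the full setting changes the outcome.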
