Hi,

I don't think you can use that kind of regular expression in OSSEC. The
regex engine used by OSSEC is OSRegex (created specially for OSSEC),
and it is limited in terms of complex regex patterns.
Find more information about how you can use OSRegex:
http://ossec-docs.readthedocs.io/en/latest/syntax/regex.html

Maybe you can write a workaround:

f:$login_defs -> r:^PASS_MAX_DAYS && r:6\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:7\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:8\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:9\d+;


That will work for numbers starting with 6XXX, 7XXX, and so on. Then you will
need to add another one for numbers starting with 1XX with more than three
digits: 1\d\d+.

Hope it helps, best regards,

Pedro S.

On Mon, Jun 27, 2016 at 6:55 AM, <[email protected]> wrote:

> Hi,
>
>
> I'm working on creating a custom 'system_audit' check with 'rootcheck' and
> need a way to either match on a regex pattern or to match on 'greater than'
> or 'less than' operators.
>
>
>
> *This works for anything not matching '60':*
>
>
> $login_defs=/etc/login.defs;
>
>
> [RHEL Password Complexity Configuration: Password Expiration is greater
> than 60 days] [any] [1]
>
> f:$login_defs -> r:^PASS_MAX_DAYS && !r:60;
>
>
>
> *This regex does not work:*
>
>
> $login_defs=/etc/login.defs;
>
>
> [RHEL Password Complexity Configuration: Password Expiration is greater
> than 60 days] [any] [1]
>
> f:$login_defs -> r:^PASS_MAX_DAYS && r:(([6-9][1-9])|([0-9]{3,7}));
>
>
> Any help would be appreciated.
>
>
>
> Thanks,
>
> Patrick
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
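
A pattern-based substitute for "greater than 60" can be checked before deployment by comparing what the patterns flag with a plain numeric comparison. The following is an added example, not part of the thread or of OSSEC; it assumes that \d and + behave in OSRegex as they do in Python's re, that an unanchored pattern may match anywhere in the line, and that both patterns of a rule must match the same line.

```python
import re

# Patterns from the reply above, plus the suggested 1\d\d+ rule.
# Assumption: these behave in OSRegex as they do in Python's re module.
WORKAROUND = [r"6\d+", r"7\d+", r"8\d+", r"9\d+", r"1\d\d+"]

def workaround_flags(line):
    """Emulate 'r:^PASS_MAX_DAYS && r:<pattern>' for any workaround pattern."""
    if not re.search(r"^PASS_MAX_DAYS", line):
        return False
    return any(re.search(p, line) for p in WORKAROUND)

def numeric_exceeds(line, limit=60):
    """Ground truth: parse the value and compare it as an integer."""
    m = re.match(r"^PASS_MAX_DAYS\s+(\d+)\s*$", line)
    return m is not None and int(m.group(1)) > limit

def disagreements(values, limit=60):
    """Return the values where the pattern rules and the numeric check differ."""
    out = []
    for v in values:
        line = "PASS_MAX_DAYS\t%d" % v  # constructed login.defs line
        if workaround_flags(line) != numeric_exceeds(line, limit):
            out.append(v)
    return out

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sample = [45, 60, 61, 99, 100, 200, 360, 99999]
    for v in disagreements(sample):
        line = "PASS_MAX_DAYS\t%d" % v
        print(v, "rules flag:", workaround_flags(line),
              "numeric > 60:", numeric_exceeds(line))
```

Running `disagreements(range(0, 1000))` lists every value below 1000 where the rule set needs another pattern or a tighter one.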
