Thanks Pedro! I was actually able to get it working with the below. Pretty much what you have but in one line.
[RHEL Password Complexity Configuration: Password Expiration is greater than 60 days] [any] [1]
f:$login_defs -> r:^PASS_MAX_DAYS && r:61|62|63|64|65|66|67|68|69|7\d+|8\d+|9\d+|1\d\d+|2\d\d+|3\d\d+|4\d\d+|5\d\d+|6\d\d+;

From: <[email protected]> on behalf of Pedro Sanchez <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, June 27, 2016 at 3:08 PM
To: "[email protected]" <[email protected]>
Subject: Re: [ossec-list] Creating Custom System_Audit Checks for Password Complexity

Hi,

I don't think you can use that kind of regular expression in OSSEC. The regex engine used by OSSEC is OSRegex (created specially for OSSEC), and it is limited in terms of complex regex patterns. Find more information about how you can use OSRegex:
http://ossec-docs.readthedocs.io/en/latest/syntax/regex.html

Maybe you can write some workaround:

f:$login_defs -> r:^PASS_MAX_DAYS && r:6\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:7\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:8\d+;
f:$login_defs -> r:^PASS_MAX_DAYS && r:9\d+;

That will work for numbers starting from 6XXX.. 7XXX.. Then you will need to add another one for numbers starting with 1XX with more than three ciphers: 1\d\d+.

Hope it helps, best regards,
Pedro S.

On Mon, Jun 27, 2016 at 6:55 AM, <[email protected]> wrote:

Hi,

I'm working on creating a custom 'system_audit' check with 'rootcheck' and need a way to either match on a regex pattern or to match with 'greater than' or 'less than' operators.

This works for anything not matching '60':

$login_defs=/etc/login.defs;
[RHEL Password Complexity Configuration: Password Expiration is greater than 60 days] [any] [1]
f:$login_defs -> r:^PASS_MAX_DAYS && !r:60;

This regex does not work:

$login_defs=/etc/login.defs;
[RHEL Password Complexity Configuration: Password Expiration is greater than 60 days] [any] [1]
f:$login_defs -> r:^PASS_MAX_DAYS && r:(([6-9][1-9])|([0-9]{3,7}));

Any help would be appreciated.

Thanks,
Patrick

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
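The one-line alternation settled on in this thread is hard to eyeball, so the following added example (not from the list, not OSSEC code) exercises it against a constructed login.defs and checks that it fires for exactly the values above 60. It uses Python's re as a stand-in for OSRegex, which is only valid because the check restricts itself to syntax both engines share (^, \d, +, top-level |).

```python
"""Emulate the rootcheck entry from the thread and verify its coverage.

Assumption: Python's re behaves like OSRegex for the subset used here
(^ anchor, \\d, +, top-level alternation). This is an approximation,
not the OSSEC engine itself.
"""
import re

# Patterns exactly as written in the posted rootcheck entry.
LINE_PATTERN = r"^PASS_MAX_DAYS"
VALUE_PATTERN = (r"61|62|63|64|65|66|67|68|69|7\d+|8\d+|9\d+"
                 r"|1\d\d+|2\d\d+|3\d\d+|4\d\d+|5\d\d+|6\d\d+")

# Constructed sample file: a commented default, the live setting, and
# unrelated keys that must not influence the result.
SAMPLE_LOGIN_DEFS = """\
# PASS_MAX_DAYS 99999   Maximum number of days a password may be used.
PASS_MAX_DAYS\t90
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""


def check_fires(login_defs_text):
    """Emulate 'f:$login_defs -> r:^PASS_MAX_DAYS && r:<values>'.

    Rootcheck evaluates the regexes per line with an unanchored search;
    the check fires when one line satisfies both. The ^ anchor on the
    first regex is what keeps the commented default from matching.
    """
    for line in login_defs_text.splitlines():
        if re.search(LINE_PATTERN, line) and re.search(VALUE_PATTERN, line):
            return True
    return False


def values_that_fire(limit=1000):
    """Return the set of PASS_MAX_DAYS values in 0..limit-1 that trigger
    the check, so the hand-built alternation can be compared to '> 60'."""
    return {v for v in range(limit) if check_fires(f"PASS_MAX_DAYS {v}\n")}


if __name__ == "__main__":
    print("sample (PASS_MAX_DAYS 90) fires:", check_fires(SAMPLE_LOGIN_DEFS))
    print("alternation == '> 60' for 0..999:",
          values_that_fire() == set(range(61, 1000)))
```

If a later edit to the alternation drops an alternative (say 6\d\d+), the equality check immediately shows which values the audit would silently stop flagging.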
