Using wildcards in compliance rules
The compliance rules editor supports wildcards for matching objects. Wildcards can apply to asset path names, extended object values, and configuration file entries. See the following sections for more information about wildcards:
Wildcard Summary
Wildcard | Explanation |
---|---|
* | Matches multiple characters, but not path separator characters, such as /. Consequently, this wildcard does not cause recursive matching. For more information, see Using the * wildcard. |
** | Matches multiple characters, including path separator characters. Consequently, this wildcard recurses through lower directories in a path name, through the values list of an extended object, and through the entries in a configuration file. For more information, see Using the ** wildcard. |
? | Matches any single character. For more information, see Using the ? wildcard. |
[ character sequence ] | Matches any single character included in the bracketed characters. For more information, see Using the [ ] wildcard. |
Using the * wildcard
The * wildcard matches multiple characters, but not path separator characters, such as /. Consequently, this wildcard does not cause recursive matching.
In path names
In a path name, * does not recurse through lower directories.
For example:
finds:
/usr/foo/rab
but not:
In extended objects
In the output of an extended object, * does not recurse through the values list.
For example:
finds:
foo1 value1 value2
but not:
The following compliance rule matches all objects beginning with the phrase "discard":
<notes>Insecure and unnecessary services, unless required for a business purpose, should be disabled to reduce the risk of system compromise through these services. Such services may pose a risk to the system because of the inherent risks associated with them.</notes>
<expression>
<![CDATA[
foreach "Extended Object Entry:Unix Services//discard*"
"Value1 as String (All OS)" equals "disabled"
end
]]>
</expression>
In configuration files
In configuration files, * does not recurse through the entries in the file.
For example:
finds the following entries inside somefile.conf:
xabcx=FOO1
xabc=FOO1
but not:
def/abc/x=FOO
The following compliance rule searches a configuration file for specific settings:
foreach "Configuration File Entry:/etc/inet/inetd.conf//ftp-*"
"Value6 as String (All OS)" equals "in.ftpd" AND
"Value8 as String (All OS)" equals "-d" AND
"Value9 as String (All OS)" equals "-l"
end
Using the ** wildcard
The ** wildcard matches multiple characters, including path separator characters.
In path names
In a path name, the ** wildcard recurses through lower directories.
For example:
finds:
/usr/foo/bar/foo1
/usr/foo/rab
In extended objects
In the output of an extended object, the ** wildcard recurses through the values list.
For example:
finds:
foo/foo1 value1 value2
bar value1 value2
The following compliance rule recurses to match multiple tty entries:
<notes>Make security-related technology resistant to tampering so that it cannot be compromised by unauthorized users.</notes>
<expression>
<![CDATA[
foreach "Extended Object Entry:BL-LXO Disable login: prompts on serial ports//tty**"
"Value3 as String (All OS)" contains "x"
end
]]>
</expression>
In configuration files
In configuration files, the ** wildcard recurses through the entries in the file.
For example:
finds the following entries inside somefile.conf:
xabcx=FOO1
xabc=FOO1
def/abc=FOO
def/abc/x=FOO
but not:
efg=FOO1
The following compliance rule searches a configuration file for an unwanted string:
<notes>Make security-related technology resistant to tampering so that it cannot be compromised by unauthorized users.</notes>
<expression>
<![CDATA[
foreach "Configuration File Entry:/etc/pam.conf//**"
"Value3 as String (All OS)" does not contain "rhosts_auth"
end
]]>
</expression>
Using the ? wildcard
The ? wildcard matches any single character.
For example:
finds:
/usr/org2/john
but not:
Using the [ ] wildcard
The [ ] wildcard matches any single character included in the bracketed characters.
For example:
matches:
logJanuary52012
but not:
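Putting all four wildcards together: the following Python script is an added example, not code from the compliance rules editor or its vendor, that implements the matching semantics described in the summary table and the four sections above (a single * stops at the path separator, ** crosses it, ? takes one character, [ ] takes one character from a set) and runs them against sample path names, extended object entries and configuration file entries modelled on the lists shown on this page. The patterns used (*abc*, **abc**, /usr/foo/*, foo*, /usr/org?/john, logJanuary[0-9]2012 and so on) are assumptions chosen to reproduce those lists, since the page's own patterns did not survive extraction, and the choice to match the pattern against the whole entry text is likewise an assumption.

```python
import re

# Separator that a single * must not cross; the page's examples use /.
PATH_SEP = "/"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a compliance-rule wildcard pattern into a compiled regex.

    Semantics as documented on this page:
      *    a run of characters that stops at the path separator (no recursion)
      **   a run of characters that may include the separator (recursion)
      ?    exactly one character
      [..] one character from the bracketed set (ranges such as 0-9 pass through)
    Everything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                parts.append(".*")                        # crosses /: recursive
                i += 2
                continue
            parts.append("[^" + re.escape(PATH_SEP) + "]*")  # stops at /
        elif ch == "?":
            parts.append(".")                             # any single character
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close == -1 or close == i + 1:
                parts.append(re.escape(ch))               # unterminated or empty set: literal [
            else:
                # Keep the set as written; neutralise regex-only metacharacters.
                body = pattern[i + 1:close].replace("\\", "\\\\").replace("^", "\\^")
                parts.append("[" + body + "]")
                i = close
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def matches(pattern: str, name: str) -> bool:
    """True if the whole name matches the wildcard pattern (assumption: whole-entry match)."""
    return wildcard_to_regex(pattern).fullmatch(name) is not None


def select(pattern: str, names):
    """Return the names a rule's foreach would iterate over for this pattern."""
    return [n for n in names if matches(pattern, n)]


# Constructed sample objects mirroring the lists on this page.
CONF_ENTRIES = ["xabcx=FOO1", "xabc=FOO1", "def/abc=FOO", "def/abc/x=FOO", "efg=FOO1"]
PATHS = ["/usr/foo/rab", "/usr/foo/bar/foo1", "/usr/org2/john", "/usr/org/john"]
EXT_OBJECT_ENTRIES = ["foo1", "foo/foo1", "bar"]
LOG_NAMES = ["logJanuary52012", "logJanuaryX2012"]

if __name__ == "__main__":
    cases = [
        ("*abc*", CONF_ENTRIES), ("**abc**", CONF_ENTRIES),     # config file: * vs **
        ("/usr/foo/*", PATHS), ("/usr/foo/**", PATHS),         # path names: * vs **
        ("foo*", EXT_OBJECT_ENTRIES), ("foo**", EXT_OBJECT_ENTRIES),  # extended objects
        ("/usr/org?/john", PATHS),                             # ? wildcard
        ("logJanuary[0-9]2012", LOG_NAMES),                    # [ ] wildcard
    ]
    for pat, names in cases:
        print(f"{pat:22} -> {select(pat, names)}")
```

Running the script shows why the distinction matters when auditing: a rule written with `*` against a configuration file with slash-separated entries silently skips every nested entry, so a check such as the `rhosts_auth` rule above must use `**` to cover the whole file, while a rule like `discard*` should use the single `*` precisely so that it does not wander into sub-entries.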