Using wildcards in compliance rules

The compliance rules editor supports wildcards for matching objects. Wildcards can apply to asset path names, extended object values, and configuration file entries. See the following sections for more information about wildcards:

Wildcard Summary

Wildcard                 Explanation
--------                 -----------
*                        Matches any sequence of characters (possibly none), but not path
                         separator characters such as /. Consequently, this wildcard does not
                         cause recursive matching. For more information, see Using the * wildcard.

**                       Matches any sequence of characters, including path separator
                         characters, recursing through:
                           • Subfolders in asset path names
                           • Entries in configuration files and extended objects
                         For more information, see Using the ** wildcard.

?                        Matches any single character. For more information, see Using the ? wildcard.

[ character sequence ]   Matches any single character included in the bracketed characters.
                         For more information, see Using the [ ] wildcard.

Note

For optimal performance when a compliance rule is analyzed, limit wildcards to the end of a string wherever possible and anchor the pattern with a literal prefix, so the scan can start as deep in the tree as possible. For example, in an asset path, use /test_ms*/logs/** rather than /*_ms*/logs/*_ms*.log.

Using the * wildcard


The * wildcard matches any sequence of characters (possibly none), but not path separator characters, such as /. Consequently, this wildcard does not cause recursive matching.

In path names
In a path name, * does not recurse through lower directories.
For example:

/usr/foo/*


finds:

/usr/foo/bar
/usr/foo/rab


but not:

/usr/foo/bar/foo1

In extended objects
In the output of an extended object, * does not recurse through the entries in the values list: an entry whose name contains a / is not matched.
For example:

extobj//*


finds:

foo value1 value2
foo1 value1 value2


but not:

foo/foo1 value1 value2


The following compliance rule iterates over every Unix Services entry whose name begins with "discard" and requires each one to be disabled:

<description>Ensure that service Discard is disabled</description>
  <notes>Insecure and unnecessary services, unless required for a business purpose, should be disabled to reduce the risk of system compromise through these services. These services may pose a risk to the system due to the inherent risks associated with them.</notes>
  <expression>
  <![CDATA[
foreach "Extended Object Entry:Unix Services//discard*"
   "Value1 as String (All OS)" equals "disabled"
end
  ]]>
  </expression>

In configuration files
In configuration files, * does not recurse through hierarchical entries in the file: an entry whose name contains a / is not matched.
For example:

somefile.conf//*ABC*


finds the following entries inside somefile.conf (note that the match is not case-sensitive: *ABC* matches abc=FOO):

abc=FOO
xabcx=FOO1
xabc=FOO1


but not:

def/abc=FOO
def/abc/x=FOO


The following compliance rule first checks that at least one ftp- entry exists in /etc/inet/inetd.conf, and then requires every matching entry to run in.ftpd with the -d and -l options:

"Configuration File Entry:/etc/inet/inetd.conf//ftp-*" exists  AND
   foreach "Configuration File Entry:/etc/inet/inetd.conf//ftp-*"
      "Value6 as String (All OS)" equals "in.ftpd"  AND
      "Value8 as String (All OS)" equals "-d"  AND
      "Value9 as String (All OS)" equals "-l"
   end

Using the ** wildcard


The ** wildcard matches any sequence of characters, including path separator characters, so it matches recursively.

In path names
In a path name, the ** wildcard recurses through lower directories.
For example:

/usr/foo/**


finds:

/usr/foo/bar
/usr/foo/bar/foo1
/usr/foo/rab

In extended objects
In the output of an extended object, the ** wildcard recurses through the values list, so entries whose names contain a / are matched as well.
For example:

extobj//**


finds:

foo value1 value2
foo/foo1 value1 value2
bar value1 value2


The following compliance rule uses ** so that every entry whose name begins with tty is matched, including entry names that contain a path separator:

<description>Ensure that login: prompts on serial ports are disabled.</description>
  <notes>Make security-related technology resistant to tampering so that it cannot be compromised by unauthorized users.</notes>
  <expression>
  <![CDATA[
foreach "Extended Object Entry:BL-LXO Disable login: prompts on serial ports//tty**"
   "Value3 as String (All OS)" contains "x"
end
  ]]>
  </expression>

In configuration files
In configuration files, the ** wildcard recurses through hierarchical entries, so entry names that contain a / are matched as well.
For example:

somefile.conf//**ABC**


finds the following entries inside somefile.conf:

abc=FOO
xabcx=FOO1
xabc=FOO1
def/abc=FOO
def/abc/x=FOO


but not:

def=FOO1
efg=FOO1


The following compliance rule uses ** to visit every entry in /etc/pam.conf, including hierarchical entries, and fails if any of them references rhosts_auth:

<description>Ensure .rhosts Support in /etc/pam.conf is disabled.</description>
  <notes>Make security-related technology resistant to tampering so that it cannot be compromised by unauthorized users.</notes>
  <expression>
  <![CDATA[
foreach "Configuration File Entry:/etc/pam.conf//**"
   "Value3 as String (All OS)" does not contain "rhosts_auth"
end
  ]]>
  </expression>

Using the ? wildcard


The ? wildcard matches any single character.
For example:

/usr/org?/*

finds:

/usr/org1/mary
/usr/org2/john


but not:

/usr/org10/mary

Using the [ ] wildcard


The [ ] wildcard matches any single character included in the bracketed characters.
For example:

log*201[12]


matches:

logJanuary52011
logJanuary52012


but not:

logJanuary52010
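
The semantics of all four wildcards above, and the performance note about anchoring a pattern with a literal prefix, can be tried out offline with the following Python script. It is an added example written for this page, not the compliance engine's own matcher: the function names are hypothetical, the sample paths and entries are constructed from the examples on this page, and case-insensitive matching is assumed as the default because the configuration-file example shows *ABC* matching abc=FOO (the page does not say whether asset path matching is case-sensitive, so pass ignore_case=False for that case).

```python
import re

# Added illustration (not the compliance engine's own matcher) of the wildcard
# semantics described on this page. Function names are hypothetical.

SEP = "/"  # path separator that a single '*' must not cross


def wildcard_to_regex(pattern: str, sep: str = SEP) -> str:
    """Translate a compliance-rule wildcard pattern into an anchored regex.

    *      any run of characters, possibly empty, containing no separator
    **     any run of characters, separators included (recursive match)
    ?      exactly one character (the page does not exclude the separator)
    [...]  exactly one character from the bracketed set
    Every other character is matched literally.
    """
    no_sep = "[^" + re.escape(sep) + "]"
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append(no_sep + "*")
                i += 1
        elif ch == "?":
            out.append(".")
            i += 1
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close in (-1, i + 1):
                out.append(re.escape(ch))  # unterminated or empty: literal '['
                i += 1
            else:
                # Keep the set as written, but neutralise characters that would
                # change its meaning in a regex (backslash escapes, negation).
                body = pattern[i + 1:close].replace("\\", "\\\\")
                if body.startswith("^"):
                    body = "\\" + body
                out.append("[" + body + "]")
                i = close + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def matches(pattern: str, name: str, ignore_case: bool = True) -> bool:
    """True if `name` as a whole matches `pattern` (no partial matches).

    Case-insensitive by default: assumption taken from the page's example in
    which *ABC* matches abc=FOO. Use ignore_case=False for case-sensitive paths.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(wildcard_to_regex(pattern), name, flags) is not None


def select(pattern: str, names, ignore_case: bool = True) -> list:
    """The subset of `names` that match `pattern`, in the original order."""
    return [n for n in names if matches(pattern, n, ignore_case)]


def split_spec(spec: str):
    """Split 'object//entry-pattern' (e.g. somefile.conf//*ABC*) into its parts."""
    obj, _, entry = spec.partition("//")
    return obj, entry


def literal_prefix(pattern: str) -> str:
    """Text before the first wildcard. The longer it is, the deeper in the tree
    the scan can start, which is the point of the page's performance note."""
    m = re.search(r"[*?\[]", pattern)
    return pattern if m is None else pattern[: m.start()]


# Sample names, constructed from the examples on this page.
PATHS = ["/usr/foo/bar", "/usr/foo/rab", "/usr/foo/bar/foo1"]
EXTOBJ_NAMES = ["foo", "foo1", "foo/foo1", "bar"]  # first column of extobj output
CONF_ENTRIES = ["abc=FOO", "xabcx=FOO1", "xabc=FOO1",
                "def/abc=FOO", "def/abc/x=FOO", "def=FOO1", "efg=FOO1"]
ORG_PATHS = ["/usr/org1/mary", "/usr/org2/john", "/usr/org10/mary"]
LOG_NAMES = ["logJanuary52011", "logJanuary52012", "logJanuary52010"]


def demo() -> dict:
    """Run the page's examples; returns {pattern: names it selects}."""
    result = {
        "/usr/foo/*": select("/usr/foo/*", PATHS),
        "/usr/foo/**": select("/usr/foo/**", PATHS),
        "/usr/org?/*": select("/usr/org?/*", ORG_PATHS),
        "log*201[12]": select("log*201[12]", LOG_NAMES),
    }
    for spec, names in (("extobj//*", EXTOBJ_NAMES), ("extobj//**", EXTOBJ_NAMES),
                        ("somefile.conf//*ABC*", CONF_ENTRIES),
                        ("somefile.conf//**ABC**", CONF_ENTRIES)):
        _, entry_pattern = split_spec(spec)
        result[spec] = select(entry_pattern, names)
    return result


if __name__ == "__main__":
    for pattern, hits in demo().items():
        print(f"{pattern:24} -> {hits}")
    for p in ("/test_ms*/logs/**", "/*_ms*/logs/*_ms*.log"):
        print(f"literal prefix of {p}: {literal_prefix(p)!r}")
```

Run it before saving a rule to confirm that a pattern selects exactly the entries you expect: a pattern that is meant to stay within one directory level or one entry level should use * rather than **, and literal_prefix shows how much of an asset path can be resolved before wildcard matching has to start.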