Basic conditions are common building blocks of discovery signatures and compliance rules.
Basic conditions perform analyses on configuration objects. Using basic conditions, you can check for the presence, absence, or number of occurrences (the cardinality) of a configuration object. In addition, you can evaluate configuration object properties or component properties by comparing them with constant values or with other properties.
Basic conditions that analyze properties always consist of a left-hand side (LHS) operand, a comparison operator, and a right-hand side (RHS) operand. For example: ??TARGET.OS?? equals "Windows". (For the between operator, two RHS operands are required.) Certain types of cardinality conditions have only one operand and an operator, and do not have a right-hand side operand. For example: "File:/C/a.log" exists.
For a basic condition to be valid, the operands and operator must refer to the same data type, as discussed in Operand data types and operator compatibility. Each condition returns a logical value of either TRUE or FALSE. Conditions can be combined, nested, or used in conditional structures or loops to create complex expressions for evaluation.
The assign operator and the persist operator are special types of operators that are also available for use within basic conditions. These operators enable you to assign a value to a property, so that you can then use the property as a variable in subsequent conditions in your rule. The remediate operator enables you to execute a shell command as a remediation action at the end of compliance analysis. This operator is typically used in a then statement within a conditional construct.
Define the LHS operand through the displayed selection box. The following table lists the top-level branches that appear in this selection box, and describes how you can use each of these branches to define the LHS operand.
Branch | How to use |
---|---|
Component Properties | Expand this branch to select a component property from a hierarchical list of component properties. If necessary, prepare an appropriate local property through the Local Properties tab. Note: When you prepare a component property for use as a transient variable, add it as a local property to the component template and give it a name that begins with the VAR_ prefix (in uppercase). |
Configuration Objects 1 | To select a new configuration object, click New Configuration Object under this branch to open the Configuration Object Selection box. In this box, select a configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects, and then click OK to return to the initial selection box. Afterwards, do one of the following:
To select a configuration object or configuration object property that was recently used in the rule, either click the branch of the specific configuration object or expand that branch and click one of the properties listed below it. |
Loop Iterator Properties 2 | For a basic condition within a loop, expand this branch to select a property for the configuration object specified in the current loop. For more about loops, see Defining a loop. Note that this branch appears only within a loop. |
Configuration Object Types 1 | Use this branch to specify a property of the configuration object based on its object type. First expand this branch and select an object type from the full list of object types. Then manually enter the full path to the configuration object directly into the LHS operand field, as described in step 3. |
1 Certain types of server objects cannot be included as configuration objects in compliance rules. Such server objects cannot be selected from the tree-structure list of server objects and they do not appear in the list of configuration object types. These object types include various lists and containers of multiple server objects, as represented by top-level Live nodes such as Configuration, Extended Objects, and System Info.
Before including a local configuration object from the component template in your rule, ensure that the component template was saved since the local configuration object was defined.
2 Loops are used in compliance rules but not in a discovery signature.
Your selection appears in the LHS operand field.
Use of the Command object type replaces the need to define a command or script during the creation of a configuration object through the Local Configuration Objects tab. The Command object can also be used in combination with the remediate operator to execute a shell command as a remediation action at the end of compliance analysis. To use the Command object in this manner, specify the shell command without appending a property to it. This combination of operand and operator is typically used in a then statement within a conditional construct.
Note
To support the execution of commands through Compliance rules, ensure that the ComponentTemplate.ExecuteCommand authorization is assigned to the template (through the Permissions panel during template creation or through the Permissions view).
A component property appears as a string with delimiting pairs of question marks both before and after the property name (for example: ??PATH??). For a nested property, the typical syntax for the property string is ??propertySubclass.propertyName?? (for example: ??GROUP.GROUP ID??).
Note
If the field already contained a textual string, the new component property is inserted at the current cursor point or replaces selected text, but does not replace the full textual string.
A component property can also be used to define a variable that you can use in subsequent conditions in the rule. To use a component property in this manner, associate it with one of the following operators:
In addition to, or instead of, defining the LHS operand through the selection box as described in step 2, you can edit or type directly into the LHS operand field. In this way, you can parameterize the configuration object path (for example: "File:??APP_DIR??/*.tmp"), or you can use the following wildcards in the configuration object path:
Wildcard | Explanation |
---|---|
* | Match multiple characters. This pattern does not match a path separator character, such as /. Consequently, a path using this wildcard does not recurse through lower directories. |
** | Match multiple characters, including path separator characters. Using this wildcard allows a path to recurse through lower directories. |
? | Match any single character. |
[character sequence] | Match any single character if it is included in the bracketed characters. |
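
The following Python sketch is an added illustration, not the product's own code: it models the property substitution and the four wildcards described above to show which paths a parameterized operand selects. The file list, the APP_DIR value, and the function names are constructed for the example; treating * as zero or more characters, ? as never matching /, and bracket contents as a literal set are assumptions.

```python
import re

PROP_TOKEN = re.compile(r"\?\?(.+?)\?\?")

def expand_properties(text, props):
    """Substitute ??NAME?? tokens; an undefined property is an error, not an empty string."""
    def lookup(match):
        name = match.group(1)
        if name not in props:
            raise KeyError("undefined property: " + name)
        return props[name]
    return PROP_TOKEN.sub(lookup, text)

def wildcard_to_regex(pattern):
    """Translate the four wildcards from the table into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")        # crosses path separators (recurses)
            i += 2
        elif ch == "*":
            out.append("[^/]*")     # stays within one directory level
            i += 1
        elif ch == "?":
            out.append("[^/]")      # assumption: never matches a separator
            i += 1
        elif ch == "[" and pattern.find("]", i + 2) != -1:
            end = pattern.find("]", i + 2)
            # assumption: bracket contents are a literal character set
            out.append("[" + re.escape(pattern[i + 1:end]) + "]")
            i = end + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out) + r"\Z")

def covered_paths(operand, props, candidates):
    """Return the candidate paths selected by an LHS operand such as File:<path>."""
    _obj_type, _, path = expand_properties(operand, props).partition(":")
    rx = wildcard_to_regex(path)
    return [c for c in candidates if rx.match(c)]

# Constructed sample data (not taken from a real server)
PROPS = {"APP_DIR": "/opt/app"}
FILES = ["/opt/app/a.tmp", "/opt/app/b1.tmp", "/opt/app/cache/c.tmp", "/opt/app/a.log"]

if __name__ == "__main__":
    for op in ("File:??APP_DIR??/*.tmp", "File:??APP_DIR??/**.tmp", "File:??APP_DIR??/[ab]?.tmp"):
        print(op, "->", covered_paths(op, PROPS, FILES))
```

With the constructed list, `*` leaves /opt/app/cache/c.tmp out of the rule's scope while `**` includes it, which is the difference to check when a rule is meant to cover subdirectories.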
For a configuration object, only cardinality operators are available — exists, does not exist, and the various count operators. For a Command configuration object, the remediate operator is also available, enabling you to apply a shell command as a remediation action at the end of compliance analysis.
In the right-hand side (RHS) field, enter an operand in one of the following ways:
Notes
No RHS operand is required for the remediate operator, which can be used together with a Command configuration object that you specify in the LHS operand.