Defining a basic condition

Basic conditions are common building blocks of discovery signatures and compliance rules.

Basic conditions perform analyses on configuration objects. Using basic conditions, you can check for the presence, absence, or number of occurrences (the cardinality) of a configuration object. In addition, you can evaluate configuration object properties or component properties by comparing them with constant values or with other properties.

Basic conditions that analyze properties always consist of a left-hand side (LHS) operand, a comparison operator, and a right-hand side (RHS) operand. For example: ??TARGET.OS?? equals "Windows" (For the between operator, two RHS operands are required.) Certain types of cardinality conditions have only one operand and an operator, and do not have a right-hand side operand. For example: "File:/C/a.log" exists.

For a basic condition to be valid, the operands and operator must refer to the same data type, as discussed in Operand-data-types-and-operator-compatibility. Each condition returns a logical value of either TRUE or FALSE. Conditions can be combined, nested, or used in conditional structures or loops to create complex expressions for evaluation.

The assign operator and the persist operator are special types of operators are also available for use within basic conditions. These operators enable you to assign a value to a property, so that you can then use the property as a variable in subsequent conditions in your rule.The remediate operator enables you to execute a shell command as a remediation action at the end of compliance analysis. This operator is typically used in a then statement within a conditional construct.

To define a basic condition

  1. Within the basic condition line that you added (using the New Condition g_V95_AddIcon.gificon), click the Select (down arrow) icon of the LHS (left-hand side) field.

  2.  Define the LHS operand through the displayed selection box. The following table lists the top-level branches that appear in this selection box, and describes how you can use each of these branches to define the LHS operand.

    The [confluence_table-plus] macro is a standalone macro and it cannot be used inline.

    1 Certain types of server objects cannot be included as configuration objects in compliance rules. Such server objects cannot be selected from the tree-structure list of server objects and they do not appear in the list of configuration object types. These object types include various lists and containers of multiple server objects, as represented by top-level Live nodes such as Configuration, Extended Objects, and System Info.
    Before including a local configuration object from the component template in your rule, ensure that the component template was saved since the local configuration object was defined.
    2 Loops are used in compliance rules but not in a discovery signature.
    Your selection appears in the LHS operand field.

    • A configuration object appears as a string with the following syntax: "objectType:objectPath" (for example: "File:/C/a.log"). A property of the configuration object is appended to this string after a period (for example: "File:/C/a.log"."size" or "Directory:/tmp"."User Owner Name").

      A noteworthy example of an object type is the Command configuration object. The Command object enables you to execute shell scripting commands and analyze their output. For example:

      • "Command:cat /etc/passwd|wc -l".int is an LHS operand for analyzing an integer-type command output.
      • "Command:which rpcinfo".Out_Put is an LHS operand for analyzing a textual output of a command.

      Use of the Command object type replaces the need to define a command or script during the creation of a configuration object through the Local Configuration Objects tab.The Command object can also be used in combination with the remediate operator to execute a shell command as a remediation action at the end of compliance analysis. To use the Command object in this manner, specify the shell command without appending a property to it. This combination of operand and operator is typically used in a then statement within a conditional construct.

      Note

      To support the execution of commands through Compliance rules, ensure that the ComponentTemplate.ExecuteCommand authorization is assigned to the template (through the Permissions panel during template creation or through the Permissions-view). 

    • A component property appears as a string with delimiting pairs of question marks both before and after the property name (for example: ??PATH??). For a nested property, the typical syntax for the property string is ??propertySubclass.propertyName?? (for example: ??GROUP.GROUP ID??).

      Note

      If the field already contained a textual string, the new component property is inserted at the current cursor point or replaces selected text,but does not replace the full textual string.

      A component property can also be used to define a variable that you can use in subsequent conditions in the rule. To use a component property in this manner, associate it with one of the following operators: 

      • The assign operator can be used to assign a transient value that is not saved to the database, but rather temporarily stored only for the duration of rule execution. Use this operator if you want to avoid unnecessary storage of data in the database and do not plan to perform remediation based on the results of the compliance rule analysis. Property Class type is not allowed (PSC). You can use String, Int, Boolean, etc as data types. It is recommended that you use only local properties of the component template for the rules under evaluation.
        For example, the statement ??VAR_List_String?? := "Command:ls -l".StringList assigns the string list output of a command to the ??VAR_List_String?? component property (:= represents the assign operator).
      • The persist operator can be used to assign a value that is persisted in the database. Use this operator if you plan to perform remediation based on the results of the compliance rule analysis. Create a PSC and Compliance Engine creates Property Set Instance (PSI) for you automatically. When you run the Compliance Job for the first time, the LHS value of the persist operator condition displays as NULL even if it is set in the property dictionary.
        For example, the statement ??VAR_test_prop.test_value?? persist Foobar assigns the Foobar to the VAR_test_prop component property with a test_value property class instance. Note that the you need to use the property class instance with the component property while using persist operator.

  3. In addition to, or instead of, defining the LHS operand through the selection box as described in step 2, you can edit or type directly into the LHS operand field. In this way, you can parameterize the configuration object path (for example: "File:??APP_DIR??/*.tmp"), or you can use the following wildcards in the configuration object path:

  4. In the next drop-down box to the right, select a comparison operator (such as contains or equals). Only relevant operators are available:
    • For a configuration object, only cardinality operators are available — exists, does not exist, and the various count operators.For a Command configuration object, the remediate operator is also available, enabling you to apply a shell command as a remediation action at the end of compliance analysis.
    • For a property, only those comparison operators that are relevant to the data type of the property specified in the LHS field are available for selection.
      For a full list of operators and the data types that support them, see Operand-data-types-and-operator-compatibility.
    • To define a value for a property, so that you can use the property as a variable in subsequent conditions in the rule, choose the assign operator or the persist operator.

  5. In the right-hand side (RHS) field, enter an operand in one of the following ways:

    Notes

    • No RHS operand is required for the exists and does not exist cardinality operators.
    • No RHS operand is required for the remediate operator, which can be used together with a Command configuration object that you specify in the LHS operand.
    • For certain Windows Security Setting policies, you must use the relevant pre-defined Windows value in the RHS field. For example, for  Security Settings\Local Policies\Audit Policy\Audit account logon events, compare the configuration object in the LHS field to an RHS value range of 0-3 (0=Audit No Auditing, 1=Audit Success, 2=Audit Failure, 3=Audit Success and Failure), rather than textual values.
    • Type in a configuration object property string, component property string, or a constant or parameterized value or range of values. How you specify a value, as well as what values are available, depends on your input in the LHS and operator fields.
    • Click the Select (down arrow) icon and select a configuration object property, a component property, or (within a loop) a loop variable property, as done in the LHS field.
  6. Click Apply Condition Value g_v95_success.gifat the end of the condition line to apply your changes to the condition (or, alternatively, leave the condition line by clicking outside of it).
    You can click Cancel Edit Operation g_v95_failure.gifto cancel any editing that you performed on the condition line as long as you have not yet applied your changes.

Related topic

Examples-for-creating-compliance-rules

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*