Using wildcards in compliance rules


The compliance rules editor supports wildcards for matching objects. Wildcards can apply to asset path names, extended object values, and configuration file entries. See the following sections for more information about wildcards:

Wildcard Summary

Wildcard                Explanation

*                       Matches multiple characters, but not path separator characters, such as /.
                        Consequently, this wildcard does not cause recursive matching.
                        For more information, see Using the * wildcard.

**                      Matches multiple characters, including path separator characters, recursing through:
                          • Subfolders in asset path names
                          • Entries in configuration files and extended objects
                        For more information, see Using the ** wildcard.

?                       Matches any single character. For more information, see Using the ? wildcard.

[ character sequence ]  Matches any single character included in the bracketed characters.
                        For more information, see Using the [ ] wildcard.

Note

For optimal performance during the analysis of a compliance rule, it is strongly recommended to limit the use of wildcards to the ends of asset path strings. For example, in an asset path, use /test_ms/logs/** rather than /*_ms*/logs/*_ms*.log.

Using the * wildcard

The * wildcard matches multiple characters, but not path separator characters, such as /. Consequently, this wildcard does not cause recursive matching.

In path names

In a path name, * does not search through lower child directories.
For example:

Rule           Searches for       Does not search for
/usr/foo/*     /usr/foo/bar       /usr/foo/bar/foo1
               /usr/foo/rab

In extended objects

In the output of an extended object, * does not recurse in the values list.
For example:

Rule        Searches for          Does not search for
extobj//*   foo value1 value2     foo/foo1 value1 value2
            foo1 value1 value2

The following compliance rule matches all Unix Services entries whose name begins with "discard":

<description>Ensure that service Discard is disabled</description>
<notes>Insecure and unnecessary services, unless required for a business purpose, should be disabled to reduce the risk of system compromise through these services. These services may pose a risk to the system due to the inherent risks associated with such services.</notes>
<expression>
<![CDATA[
foreach "Extended Object Entry:Unix Services//discard*"
  "Value1 as String (All OS)" equals "disabled"
end
]]>
</expression>

In configuration files

In a configuration file, * matches top-level entries but does not recurse through nested entries in the file.
For example:

Rule                   Searches inside somefile.conf   Does not search inside
somefile.conf//*ABC*   abc=FOO                         def/abc=FOO
                       xabcx=FOO1                      def/abc/x=FOO
                       xabc=FOO1

The following compliance rule searches a configuration file for specific settings:

"Configuration File Entry:/etc/inet/inetd.conf//ftp-*" exists AND
  foreach "Configuration File Entry:/etc/inet/inetd.conf//ftp-*"
     "Value6 as String (All OS)" equals "in.ftpd" AND
     "Value8 as String (All OS)" equals "-d" AND
     "Value9 as String (All OS)" equals "-l"
  end

Using the ** wildcard

The ** wildcard matches multiple characters, including path separator characters.

In path names

In a path name, the ** wildcard recurses through lower directories.
For example:

Rule           Searches for
/usr/foo/**    /usr/foo/bar
               /usr/foo/bar/foo1
               /usr/foo/rab

In extended objects

In the output of an extended object, the ** wildcard recurses in the values list.
For example:

Rule         Searches for
extobj//**   foo value1 value2
             foo/foo1 value1 value2
             bar value1 value2

The following compliance rule recurses to match multiple tty entries:

<description>Ensure that login: prompts on serial ports are disabled.</description>
<notes>Make security-related technology resistant to tampering, so that it cannot be compromised by unauthorized users.</notes>
<expression>
<![CDATA[
foreach "Extended Object Entry:BL-LXO Disable login: prompts on serial ports//tty**"
  "Value3 as String (All OS)" contains "x"
end
]]>
</expression>

In configuration files

In configuration files, the ** wildcard recurses through the entries in the file.
For example:

Rule                     Searches for entries inside somefile.conf   Does not search for
somefile.conf//**ABC**   abc=FOO                                     def=FOO1
                         xabcx=FOO1                                  efg=FOO1
                         xabc=FOO1
                         def/abc=FOO
                         def/abc/x=FOO

The following compliance rule searches a configuration file for an unwanted string:

<description>Ensure .rhosts Support in /etc/pam.conf is disabled.</description>
<notes>Make security-related technology resistant to tampering, so that it cannot be compromised by unauthorized users.</notes>
<expression>
<![CDATA[
foreach "Configuration File Entry:/etc/pam.conf//**"
  "Value3 as String (All OS)" does not contain "rhosts_auth"
end
]]>
</expression>

Using the ? wildcard

The ? wildcard matches any single character.
For example:

Rule           Searches for       Does not search for
/usr/org?/*    /usr/org1/mary     /usr/org10/mary
               /usr/org2/john

Using the [ ] wildcard

The [ ] wildcard matches any single character included in the bracketed characters.
For example:

Rule           Searches for       Does not search for
log*201[12]    logJanuary52011    logJanuary52010
               logJanuary52012
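As an added example that is not part of the original page and not BladeLogic's own code, the following Python script gives a wildcard pattern the semantics described in the summary table and in the per-wildcard sections above, so a pattern can be tried against candidate paths or entry names before it goes into a compliance rule. The function and constant names are hypothetical, and case-insensitive comparison is an assumption taken from the page's tables, where *ABC* matches abc=FOO.

```python
import re

# Added example, not BladeLogic's own code: a hypothetical matcher giving a
# compliance-rule wildcard pattern the semantics documented on this page.
#   *     any run of characters containing no '/'  (does not recurse)
#   **    any run of characters, '/' included        (recurses)
#   ?     exactly one character other than '/'
#   [..]  exactly one character from the bracketed set
# Assumption: comparison is case-insensitive, because the page's tables match
# *ABC* against abc=FOO; drop IGNORECASE if your environment differs.

def wildcard_to_regex(pattern: str) -> str:
    """Translate one wildcard pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")                    # crosses path separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")                 # stops at the first '/'
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.find("]", i + 2)        # bracket set must be non-empty
            out.append("[" + pattern[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))   # literal, e.g. '.' in .conf
            i += 1
    return "^" + "".join(out) + "$"

def matches(pattern: str, candidate: str) -> bool:
    """True when the whole candidate path or entry name matches the pattern."""
    return re.match(wildcard_to_regex(pattern), candidate, re.IGNORECASE) is not None

def select_entries(rule: str, names: list) -> list:
    """Apply the part of an 'object//pattern' rule after // to entry names.
    A rule without // (an asset path) is applied to the names as a whole."""
    pattern = rule.split("//", 1)[1] if "//" in rule else rule
    return [n for n in names if matches(pattern, n)]

# Constructed sample entries mirroring the page's somefile.conf tables.
CONF_ENTRIES = ["abc=FOO", "xabcx=FOO1", "xabc=FOO1",
                "def/abc=FOO", "def/abc/x=FOO", "def=FOO1", "efg=FOO1"]

if __name__ == "__main__":
    for rule in ("somefile.conf//*ABC*", "somefile.conf//**ABC**"):
        print(rule, "->", select_entries(rule, CONF_ENTRIES))
```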