Skip to Content

Compliance Rule Examples

You can use the following examples as reference when you create your own rules. Rules present in any template can normally be classified into following groups:

Variable and command support is needed for most of the groups.

Permission- and ownership-related rules

Rules in this group check for any or all of the following items: group ownership, user ownership rights, file and folder permissions under the group.

These rules require User Owner NameGroup Owner Name, and permission attributes available in Live Browse.

Rule Title: All network services daemon files must have mode 0755 or less permissive

If
   "Directory:/usr/lbin" exists
then
   foreach "File:/usr/lbin/**"
        ??VAR_FILE_PATH_VALUE?? := @Path@ AND   
           if
                "File:??VAR_FILE_PATH_VALUE??" exists
           then      
               "File:??VAR_FILE_PATH_VALUE??"."Permissions (Unix)(Unix)" does not have any flag ["Group Write", "World Write", "SetUID", "SetGID", "Sticky Bit"]
           end
   end
end

This rule performs the following checks:

  • Checks for the existence of /usr/lbin directory. If the directory exists, all the files inside the directory iterate through the for loop.
  • Checks that the file path is stored in a transient variable "??VAR_FILE_PATH_VALUE??".
    The Loop Iterator cannot be used directly in the rule evaluation, as only property references are supported. It should be assigned to a variable using the ':=' assign operator and then referenced in the rule. Therefore, @Path@ is assigned to the transient variable ??VAR_PATH_VALUE?? and then this variable is used in the rule. For information about assigning operator and transient variables, see Defining-a-basic-condition.
  • Checks that if the file exists, the permission of the file does not contain the Group WriteWorld WriteSetUIDSetGID, and Sticky Bit flags.

Rule Title: The /etc/shadow (or equivalent) file must be owned by root

if
  "Command:/usr/lbin/getprdef -r 2> /dev/null >/dev/null ; echo $?".Int = 0
then
  "File:/etc/shadow" does not exist  AND
  "Directory:/tcb"."User Owner Name" = (case sensitive) "root" AND
  "Directory:/tcb/files"."User Owner Name" = (case sensitive) "root"  AND
  "Directory:/tcb/files/auth"."User Owner Name" = (case sensitive) "root"  AND
   foreach "File:/tcb/files/auth/*/*"
     @"User Owner Name"@ = (case sensitive) "root"
   end
else
  if
     "File:/etc/shadow" exists
   then
     "File:/etc/shadow"."User Owner Name" = (case sensitive) "root"
   end
end

This rule performs the following checks:

  • Checks if /usr/lbin/getprdef -r 2> /dev/null >/dev/null ; echo $? command that is executed on the target, results in 0 output. If the output of the command is zero, the target system is in trusted mode.

    Warning

    Note

    No data is available in Live Browse for determining whether the target is in trusted mode. The only option is to use a command directive.

  • If the system is in trusted mode, the rule checks the following:
    • /etc/shadow file does not exist on the system.
    • /tcb, /tcb/files and /tcb/files/auth directories are owned by root.
    • All files inside multiple levels of /tcb/files/auth directory are owned by root.
  • If the system is not in trusted mode, the rule checks whether /etc/shadow file is owned by root.

Configuration files-related rules

Configuration files have grammar files associated with them. Rules in this category check the configuration files for syntax, content, properties, and so on.

Rule Title: Set Password Expiring Warning Days

if
  ??CONFIGURATION_LEVELS?? equals "ALL"  OR
  ??CONFIGURATION_LEVELS?? equals "LEVEL-I"
then
"Configuration File:/etc/login.defs" exists  AND
foreach "Configuration File Entry:/etc/login.defs//**"
  if
      @Name@ equals (case sensitive) "PASS_WARN_AGE"
   then
     @"Value1 as String (All OS)"@ does not equal null  AND
     @"Value1 as Integer (All OS)"@ equals 7  AND
     @"Value2 as String (All OS)"@ equals null  AND
     ??VAR_SHADOW_PASSWD_CONFIG_PARAM?? assign @Name@
   end
end  AND
count "Configuration File Entry:/etc/login.defs//**" equals 1 where
  @"Name (UI)"@ equals (case sensitive) "PASS_WARN_AGE"
end  AND
if
  ??VAR_SHADOW_PASSWD_CONFIG_PARAM?? equals null
then
  ??TARGET.Remediation Properties.7_1_3?? persist "PASS_WARN_AGE"
else
  ??TARGET.Remediation Properties.7_1_3?? persist "??VAR_SHADOW_PASSWD_CONFIG_PARAM??"
end
end

This rule performs the following checks:

  • Checks if the value of ??CONFIGURATION_LEVELS?? variable is ALL or LEVEL-I.
    If the /etc/login.defs configuration file exists, all the entries in the configuration file iterate through the for loop.
  • The for loop checks if the PASS_WARN_AGE parameter exists in the configuration file with a value equal to 7. If it exists, the parameter name is assigned to VAR_SHADOW_PASSWD_CONFIG_PARAM variable.
  • Count checks that no duplicate entry exists for the PASS_WARN_AGE parameter.
  • The if construct checks if the parameter is present in configuration file:
    • If the parameter is present, the target property persists the parameter name in the configuration file.
    • If the parameter is not present, the target property persists the PASS_WARN_AGE value. 

Find Files-related rules

Rules in this group check the contents of files within a whole file system or within a folder hierarchy and report the result as compliant or non-compliant.

Rule Title: Set Sticky Bit on All World-Writable Directories

if
   ??CONFIGURATION_LEVELS?? equals "ALL"  OR
   ??CONFIGURATION_LEVELS?? equals "LEVEL-I"
then
  "Extended Object Entry:2.17 Set Sticky Bit on All World-Writable Directories//UNIX_SRR_Result/status"."Value1 as String (All OS)" equals "Not a Finding"
end
           <extended-object id="2.17 Set Sticky Bit on All World-Writable Directories">
             <description>Set Sticky Bit on All World-Writable Directories</description>
             <grammar-data grammar-ref="xml.gm" os="Linux" encoding="Default"/>
             <command remote-execution="false">scriptutil -d "??TARGET.STAGING_DIR??" -h "??TARGET.NAME??" -s findFiles eo_common_code lib_filehandling lib_utils lib_user EO-Findfiles eo_executer -x -findtimeout "??FIND_FILES_TIMEOUT??" -maxdisplay "??MAX_DISPLAY??" -maxinfolines "??MAX_INFO_LINES??" -eotimeout "??EO_TIMEOUT??" -rscddir "??TARGET.RSCD_DIR??" -ruleid "2.17" -remdirprefix "CIS" -maxdiskpercentage "??TARGET.MAX_DISK_PERCENTAGE??" -cachehours "??TARGET.CACHE_HRS??" -tag fWwdir -prune "??TARGET.EXCLUDED_DIR??"</command>
          </extended-object>

This rule checks whether the value of ??CONFIGURATION_LEVELS?? variable is ALL or LEVEL-I.

The rule lists all the files that are world writable, but do not have a sticky bit set:

  • TARGET.STAGING_DIR – Staging directory on the target that contains all the files created as artifacts while EO is being executed.
  • TARGET.NAME – Name of target on which compliance rule are being executed.
  • FIND_FILES_TIMEOUT – Maximum time findfiles can run.
  • MAX_DISPLAY – Number of non-complaint entries to be displayed.
  • MAX_INFO_LINES – Number of information entries to be displayed.
  • EO_TIMEOUT – Maximum time for which EO can run.
  • RSCD_DIR – Directory location where agent is located. This directory is used to create backup files for running remediation.
  • TARGET.MAX_DISK_PERCENTAGE – Maximum disk percentage.
  • Cachehours – Cache is re-created after specified time.
  • Tag – Specified tag contain the non-compliant entries.
  • Prune – Specified directory is excluded from listing non-compliant entries.

Mount-related rules

Rules related to mount normally ask you to check mount options on /tmp,/home and /dev/shm partitions.

Rule Title: Set <<different option like nodev, nosuid, noexec etc.. >> option for /tmp Partition

 

if
  ??CONFIGURATION_LEVELS?? equals "ALL"  OR
  ??CONFIGURATION_LEVELS?? equals "LEVEL-I"
then
  "Configuration File:/etc/fstab" exists  AND
   count "Configuration File Entry:/etc/fstab//**" equals 1 where
     @"Value1 as String (All OS)"@ equals (case sensitive) "/dev/shm"
   end  AND
   exists "Configuration File Entry:/etc/fstab//**" where
     @"Value1 as String (All OS)"@ equals (case sensitive) "/dev/shm"  AND
     @"Value3 as String (All OS)"@ does not equal null  AND
     @"Value3 as String (All OS)"@ matches "^nodev$|^nodev,.*|.*,nodev,.*|.*,nodev$"  AND

     ??VAR_MOUNTING_OPTION_FSTAB?? assign @"Value3 as String (All OS)"@  AND
     ??VAR_MOUNTING_OPTION_FSTAB?? assign "Command:echo ??VAR_MOUNTING_OPTION_FSTAB?? | tr ',' '\n' | egrep 'dev|nodev' | tail -1 ".Out_Put
   end  AND
  "Command:mount|grep -c ' /dev/shm '".Int equals 1  AND
  ??VAR_MOUNTING_OPTION_COMMAND?? assign "Command:mount|grep ' /dev/shm '|cut -d' ' -f6".Out_Put  AND
  if
      count "Configuration File Entry:/etc/fstab//**" equals 1 where
        @"Value1 as String (All OS)"@ equals (case sensitive) "/dev/shm"
      end  AND
     "Command:mount|grep -c ' /dev/shm '".Int equals 1
   then
     if
         NOT (
           ??VAR_MOUNTING_OPTION_FSTAB?? equals (case sensitive) "nodev"  AND
           ??VAR_MOUNTING_OPTION_COMMAND?? matches "^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$"
         )
      then
        if
           "Directory:??TARGET.RSCD_DIR??/tmp/preCIS" does not exist
         then
           "Command:mkdir -p ??TARGET.RSCD_DIR??/tmp/preCIS".Out_Put equals null
         end  AND
        if
           ??VAR_MOUNTING_OPTION_FSTAB?? equals (case sensitive) "nodev"  AND
            NOT (??VAR_MOUNTING_OPTION_COMMAND?? matches "^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$")
         then
           "Command:'echo 2.14\|/etc/fstab\|/dev/shm\|\|1\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation'".Out_Put does not equal null
         elseif
            NOT (??VAR_MOUNTING_OPTION_FSTAB?? equals (case sensitive) "nodev")  AND
           ??VAR_MOUNTING_OPTION_COMMAND?? matches "^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$"
         then
           "Command:'echo 2.14\|/etc/fstab\|/dev/shm\|nodev\|0\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation'".Out_Put does not equal null
        else
           "Command:'echo 2.14\|/etc/fstab\|/dev/shm\|nodev\|1\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation'".Out_Put does not equal null
         end
      end
   end
end

This rule performs the following checks:

  • Checks if the value of ??CONFIGURATION_LEVELS?? variable is ALL or LEVEL-I.
  • Checks if the /etc/fstab configuration file exists. Count loop checks the /etc/fstab configuration file that only one field exits with /dev/shm name.
  • Checks if the /etc/fstab configuration file exists.
  • Checks that the parameter name in /etc/fstab configuration file is /dev/shm.
  • Checks that value 3 (as shown in live browse):
    • Is not null.
    • Matches ^nodev$|^nodev,.*|.*,nodev,.*|.*,nodev$
    • Is assigned to variable VAR_MOUNTING_OPTION_FSTAB, where value1 is /dev/shm.

  The value in variable VAR_MOUNTING_OPTION_FSTAB is trimmed. 

  The echo ??VAR_MOUNTING_OPTION_FSTAB?? | tr ',' '\n' | egrep 'dev|nodev' | tail -1 command is replaced by next line character.

  The mount|grep -c ' /dev/shm ' command performs a search on /dev/shm string in mount output and gives the count as result. The count should be equal to 1.

  The VAR_MOUNTING_OPTION_COMMAND variable is assigned with the value returned from the mount|grep ' /dev/shm '|cut -d' ' -f6 command fired on target. 
  This command return the sixth field of mount command output line containing /dev/shm string.

  • The if construct checks if the /etc/fstab configuration file exists with /dev/shm parameter name and the search results of mount|grep -c ' /dev/shm ' command is equal to 1.
  • Checks that the following conditions are not satisfied:
    • ??VAR_MOUNTING_OPTION_FSTAB?? variable is equal to nodev.
    • ??VAR_MOUNTING_OPTION_COMMAND?? variable matches ^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$.
  • Checks if the ??TARGET.RSCD_DIR??/tmp/preCIS directory does not exist. If the directory does not exist, then the mkdir -p ??TARGET.RSCD_DIR??/tmp/preCIS command creates a remediation directory on the target.
  • Checks if ??VAR_MOUNTING_OPTION_FSTAB?? variable equals nodev, and ??VAR_MOUNTING_OPTION_COMMAND?? variable does not match ^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$.
    • The 'echo 2.14\|/etc/fstab\|/dev/shm\|\|1\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation' command is executed if the above conditions are true. This command adds an entry to mount_remediation file so that remediation can be completed successfully. This entry is used during remediation.
  • Checks if ??VAR_MOUNTING_OPTION_FSTAB?? variable is not equal to nodev, and ??VAR_MOUNTING_OPTION_COMMAND?? variable matches ^\(nodev\)$|^\(nodev,.*|.*,nodev,.*|.*,nodev\)$.
    • The 'echo 2.14\|/etc/fstab\|/dev/shm\|nodev\|0\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation' command is executed if the above conditions are true. This command adds an entry to mount_remediation file so that remediation can be done successfully. This entry is used during remediation.
  • The 'echo 2.14\|/etc/fstab\|/dev/shm\|nodev\|1\|\| >??TARGET.RSCD_DIR??/tmp/preCIS/mount_remediation' command is executed if the above two conditions are not true. This command adds an entry to mount_remediation file so that remediation can be done successfully. This entry is used during remediation.
Warning

Note

In this example, entries are published to the mount_remediation file using the out_put command. You can alternatively use the message command, with the added benefit of receiving a message in the case of a problem.

User configuration-related rules

Rules in this group perform permission checks on user created files or configuration files, and security checks on user logins, so that all users have granted access to the system.

Rule Title: Set User/Group Owner on /etc/grub.conf

 

if
   ??CONFIGURATION_LEVELS?? equals "ALL"  OR
   ??CONFIGURATION_LEVELS?? equals "LEVEL-I"
then
  "Configuration File:/etc/grub.conf" exists  AND
  "File:/etc/grub.conf"."Group Owner Name" equals (case sensitive) "root"  AND
  "File:/etc/grub.conf"."User Owner Name" equals (case sensitive) "root"
End

This rule performs the following checks:

  • Checks if the value of ??CONFIGURATION_LEVELS?? variable is ALL or LEVEL-I.
  • Checks for existence of etc/grub.conf configuration file.
  • Verifies that the Group Owner Name and User Owner Name attributes of the configuration file are root. The rule is non-compliant if the attributes are not root.

PAM-related rules

Pluggable Authentication Modules (PAM) is a service that implements modular authentication modules on UNIX systems. PAM is implemented as a set of shared objects that are loaded and executed when a program needs to authenticate a user. Rules in this group check if PAM is configured to secure system authentication.

Rule Title: Set Lockout for Failed Password Attempts

"Configuration File:/etc/pam.d/system-auth" exists  AND
count "Configuration File Entry:/etc/pam.d/system-auth//**" equals 1 where
@"Name (UI)"@ equals (case sensitive and ignore extra white spaces) "auth"  AND
@"Value1 as String (All OS)"@ equals (case sensitive and ignore extra white spaces) "required"  AND
@"Value2 as String (All OS)"@ equals (case sensitive and ignore extra white spaces) "pam_tally2.so"

This rule performs the following checks:

  • Checks if /etc/pam.d/system-auth configuration file is present on the target.
  • Count checks for single existence of auth parameter with required and pam_tally2.so values in the /etc/pam.d/system-auth configuration file

Service-related rules

Rules in this group perform checks related to services/daemon with run level.

Rule Title: /etc/rc.tcpip -portmap

 

if
"Command: rpcinfo -p | grep -v service | grep -v portmapper".Out_Put equals "null"
then
"Command:cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/portmap +'".Out_Put equals "null"
end

This rule does the following:

  • rpcinfo -p | grep -v service | grep -v portmapper command checks if portmapper daemon is not running.
  • cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/portmap +' command verifies that if the daemon is not running then it does not also run in the background.

Package rules

Rules in this group check the packages that are installed or removed from the system.

Rule Title: NIS -de-install NIS client

"AIX Package:bos.net.nis.client" does not exist  AND
"Command:lssrc -g yp |grep 'active'|wc -l|sed 's% %%g'".Int equals 0

This rule performs the following checks:

  • Checks if bos.net.nis.client AIX package is installed.
  • If the package does not exist, it checks if yp service is not active on the target machine.

Process-related rules

Rules in this group check the process or service running on the target system.

Rule Title: Configuring syslog -remote messages

"Command:ps -ef | grep 'syslogd'".Out_Put contains "-r"

This rule performs the following actions:

  • Executes the ps -ef | grep 'syslogd' command to search for the syslogd  entry from the list of processes. If the output contains -r, the local syslogd daemon does not accept messages from other hosts on the network.

Specific rules

Rules that do not belong to any of the above categories fall under Specific Rules.

Rule Title: Daemons that are not defined in SELinux policy inherit the security context of their parent process

if
   ??EXCLUDE_DAEMONS_LIST?? != null
then
   ??VAR_EXCLUDE_DAEMONS_LIST_PARAM?? := "Command:echo '??EXCLUDE_DAEMONS_LIST??'|tr -s ',''|'|tr -d ''".Out_Put  
   AND
   "Command:ps -eZ|egrep 'initrc'|egrep -vw '??VAR_EXCLUDE_DAEMONS_LIST_PARAM??'|tr ':'''|awk'{ print $NF }'".Out_Put = null
end

This rule performs the following checks:

  • Checks that the EXCLUDE_DAEMONS_LIST is not null. The EXCLUDE_DAEMONS_LIST is a local property of the template with default value set as tr, ps, egrep, bash, awk, rscd.
    If the property is not null, the echo '??EXCLUDE_DAEMONS_LIST??'|tr -s ',''|'|tr -d '' command is executed, and the ',' comma is trimmed to '|' pipe and all unwanted spaces are removed. 
    The resultant value is stored in a transient variable VAR_EXCLUDE_DAEMONS_LIST_PARAM using the ':=' assign operator.

  • The ps -eZ|egrep 'initrc'|egrep -vw '??VAR_EXCLUDE_DAEMONS_LIST_PARAM??'|tr ':' ' '|awk '{ print $NF }' command checks if any unconfined daemons are running on the system.

    Warning

    Note

    The ps –eZ command lists all the process with their security context. If the security context for all processes results as initrc with the exception of tr|ps|egrep|bash|awk process then the rule is non-complaint.

    Few process are listed as exceptions since they can have elevated permissions. tr|ps|egrep|bash|awk process is stored in a transient variable.

Rule Title: Any Network Information System (NIS+) server must be operating at security level 2

if
  "Command:which niscat".Out_Put ends with "niscat"
then
  "Command:niscat cred.org_dir | awk -F':' '{print $2}'".Out_Put = "DES"
End

This rule performs the following checks:

  • Checks if the which niscat command that is executed on the target, ends with niscat output.

    Warning

    Note

    Network Information Service (NIS) is not installed by default on the target. You need to check the availability of the niscat command on the target.

    If the niscat executable is present on the target, the result must be as follows:

    # which niscat
    /usr/bin/niscat

    If the niscat executable is not present on the target, then the result must not end with niscat, as shown below:

    sles-comp2:~ # which niscat
    which: no niscat in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/games:/usr/lib/mit/bin:/usr/lib/mit/sbin)

    If niscat is not available on the target, the rule must be compliant.

  • If output of the command ends with niscat, the rule checks if the niscat cred.org_dir | awk -F':' '{print $2}' command (executed on the target) results in the DES output.
  • Checks that Value 3 (as shown in live browse) matches "^nodev$|^nodev,.*|.*,nodev,.*|.*,nodev$"

Rule Title: Checks if all the users present in the password file are present in shadow file

??VAR_SHADOW_USER_LIST?? := "Command:awk -F: '$4 >= 0 {print $1}'/etc/shadow".StringList  AND
??VAR_PASSWD_SYS_USER_LIST?? := "Command:cat /etc/passwd | egrep -v '^$|^ *#' | awk -F: '$3 <= 99{print $1}'".StringList  AND
foreach ??VAR_SHADOW_USER_LIST??
    ??LOOP_ATTR_FOR_COMPLIANCE_STR?? is one of ??VAR_PASSWD_SYS_USER_LIST??
End

This rule checks whether all the users present in the password file are present in the shadow file.

 

Warning

Note

The output of the commands executed are stored in the ??VAR_SHADOW_USER_LIST?? and ??VAR_PASSWD_SYS_USER_LIST?? variables. These variables are of type Complex with value set as List[String].

??LOOP_ATTR_FOR_COMPLIANCE_STR?? is the default iterator for type String. It acts as a temporary variable used by foreach. Similarly, LOOP_ATTR_FOR_COMPLIANCE_INT is the iterator for type Int.

Decimal values in rules

You can use decimal values in rules for specifying details such as version numbers and file releases. 

Example

You want to obtain the package number for OpenSSH and print the result. This is the actual command:

sudo yum list installed openssh 2>&1 | awk  '{print $2}'| tail -1  | sed -r 's/^\s*([0-9\.]+)\s*.*$/\1/' | awk  '{ print ($1 >= "8.9") ? "YES" : "NO" }'

On the Compliance rule editor in the TrueSight Server Automation console, use the following command: 

"Command:sudo yum list installed openssh 2>&1 | awk  '{print $2}'| tail -1  | sed -r 's/^\s*(\[0-9\.\]+)\s*.*$/\1/' | awk  '{ print ($1 >= ""8.9"") ? ""YES"" : ""NO"" }'".Out_Put = "YES"


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Server Automation 26.1