15 Replies Latest reply on Mar 12, 2014 2:46 PM by richard mcleod

    BSA Component Template Compliance escape characters

    richard mcleod

      Having some trouble with items showing as non-compliant, pretty sure I've narrowed it down to an issue with the chars I'm looking to match...

       

      Here is an example of something I'm trying to match

       

      "Configuration File Entry:/etc/syslog.conf//*.emerg" exists AND

      "Configuration File Entry:/etc/syslog.conf//*.emerg"."Value1 as String (All OS)" = "*"

       

      however something like this works properly

       

      "Configuration File Entry:/etc/syslog.conf//mail.*" exists AND

      "Configuration File Entry:/etc/syslog.conf//mail.*"."Value1 as String (All OS)" = "@servername.fqdn"

       

      I've confirmed that the syslog.gm breaks up the values into "Name" and "Value1" and it parses correctly

       

      "*.emerg" is a specific Name I am looking for but it fails every time. Am I missing escape characters?

        • 1. Re: BSA Component Template Compliance escape characters
          Joe Piotrowski

          Try ** but I'm not sure if the first rule will function the way you want. I'm actually surprised you got the bottom rule to work. I usually have to use a loop to get the desired results.

          1 of 1 people found this helpful
          • 2. Re: BSA Component Template Compliance escape characters
            richard mcleod

            Just got it working by adding a '*' at the end of the name. Now the rule looks like this

             

               "Configuration File Entry:/etc/syslog.conf//*.emerg*" exists  AND

               "Configuration File Entry:/etc/syslog.conf//*.emerg*"."Value1 as String (All OS)" = "*"  AND

             

            What seems to be happening is when the rule runs it goes out and checks for a whole line, so in this case it was bringing back: "Configuration File Entry:/etc/syslog.conf/*.emerg-@servername.fqdn"

             

            This seems to make sense also because the first rule is not checking against a child like the second rule is with the ."Value1 as String (All OS)"

             

            By adding the wildcard after '*.emerg*' it will now match whole lines that contain '*.emerg' and I use the next rule to check for the actual content of Value1.

             

            Certainly not the best way to go about this... Anyone have any other examples/ideas?

             

            Here is an example of why this is bad

             

            Rule:    "Configuration File Entry:/etc/syslog.conf//authpriv.*"."Value1 as String (All OS)" = "@server01.fqdn"

             

            Output: (Red - Not Compliant, Green - Compliant)

             

            "Configuration File Entry:/etc/syslog.conf//authpriv.info-@server02.fqdn"."Value1 as String (All OS)" ["@server02.fqdn"] = "@server01.fqdn"

            "Configuration File Entry:/etc/syslog.conf//authpriv.*-@server01.fqdn"."Value1 as String (All OS)" ["@server01.fqdn"] = "@server01.fqdn"

             

            However I also have a rule for the authpriv.info in my check which works


            Rule:     "Configuration File Entry:/etc/syslog.conf//authpriv.info*"."Value1 as String (All OS)" = "@server02.fqdn"

            • 3. Re: BSA Component Template Compliance escape characters
              Joe Piotrowski

              I'm still leery of this working, only because I've not had success doing it this way. One problem I've seen is, if the Name value is the same for multiple lines, this may give you unexpected results or false positives.

               

              So instead of the rule operations, can you tell me the conditions you're specifically looking for?

              • 4. Re: BSA Component Template Compliance escape characters
                richard mcleod

                Yup, I agree, I don't believe the wildcard after the name is the proper way to implement.

                 

                Essentially I am looking to check /etc/syslog.conf that each Name below exists and then check if the value1 of that line = a string

                 

                Here is the syslog configuration I am checking for

                 

                Name                                                       Value1

                *.info;mail.none;authpriv.none;cron.none                @server01.fqdn

                authpriv.*                                              @server01.fqdn

                mail.*                                                  @server01.fqdn

                cron.*                                                  @server01.fqdn

                *.emerg                                                 *

                uucp,news.crit                                          @server01.fqdn

                local7.*                                                @server01.fqdn

                authpriv.info                                           @server02.fqdn

                local2.debug                                            @server02.fqdn

                 

                Here is what the /etc/syslog.conf configuration file output looks like

                [Attached screenshot: Capture.PNG.png]

                • 5. Re: BSA Component Template Compliance escape characters
                  Joe Piotrowski

                  Oh, I misunderstood. I thought you were looking for any Name value that ended in *.emerg

                   

                  So, you had it (possibly) right earlier:

                  "Configuration File Entry:/etc/syslog.conf//*.emerg"."Value1 as String (All OS)" = "*"


                  This doesn't work? If not try using '*' "*" or [*] around the text.


                  You can also try an Exists Loop:

                  exists "Configuration File Entry:/etc/syslog.conf//*.emerg" where

                       "Value1 as String (All OS)" = "*"

                  end


                  I figured this out a couple of years ago but don't remember what I did to resolve it.

                  1 of 1 people found this helpful
                  • 6. Re: BSA Component Template Compliance escape characters
                    richard mcleod

                    The problem I'm having right now is getting the left hand value to match unless I add the wildcard at the end of the string

                     

                    Does not find anything matching this: "Configuration File Entry:/etc/syslog.conf//*.emerg"

                     

                    Does find line matching this: "Configuration File Entry:/etc/syslog.conf//*.emerg*"


                    Here is an example of what it finds with the ending *


                    "Configuration File Entry:/etc/syslog.conf//*.emerg-@server01.fqdn"."Value1 as String (All OS)" ["@server01.fqdn"] = "*"


                    I have to think the leading * is causing this condition

                    • 7. Re: BSA Component Template Compliance escape characters
                      Joe Piotrowski

                      Exactly. There's a way to have it take it as a string character and not a wildcard character, but I can't remember what the syntax was. Let me check some old posts here.

                      • 8. Re: BSA Component Template Compliance escape characters
                        richard mcleod

                        I'm reading through the 8.2 documentation on wildcards in compliance rules and don't see anything about escaping, but they do give an example using a trailing -*

                         

                        Going to implement that and see where that leaves me, else back to reading.

                         

                        Thanks for the help Joe.

                        • 9. Re: BSA Component Template Compliance escape characters
                          richard mcleod

                          Didn't find anything definitive about escaping wildcard characters in the documentation but I came up with this instead. Replace all of the '*' where I am looking to match that actual char with a '?'. Still not perfect because it will match any one character, but a little safer than before.

                           

                          "Configuration File Entry:/etc/syslog.conf//?.emerg-*" exists

                          "Configuration File Entry:/etc/syslog.conf//?.emerg-*"."Value1 as String (All OS)" = "*"

                           

                          This will work so long as I trust that the config actually contains a line like

                           

                          *.emerg

                           

                          and not

                           

                          X.emerg
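
Added example (not part of any post above and not BSA's own code): a Python model of the matching behaviour reported in this thread, next to a literal comparison that avoids the overmatch. It assumes the rule pattern is glob-matched against a whole entry key of the form `Name-Value1`; the sample syslog.conf, the function names and the use of `fnmatch` as a stand-in for BSA's wildcard matching are all assumptions.

```python
import fnmatch

# Constructed sample of /etc/syslog.conf (selector, whitespace, action).
SAMPLE_CONF = """\
# constructed sample, not taken from the thread's servers
authpriv.*      @server01.fqdn
authpriv.info   @server02.fqdn
*.emerg         *
kern.emerg      @server01.fqdn
"""

def parse_entries(text):
    """Return (name, value1) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, value1 = line.split(None, 1)
        entries.append((name, value1.strip()))
    return entries

def wildcard_hits(pattern, entries):
    """Assumed model of the rule's left-hand side: '*' and '?' are wildcards
    and the pattern is matched against the whole key 'Name-Value1'."""
    return [n for n, v in entries if fnmatch.fnmatchcase(f"{n}-{v}", pattern)]

def literal_check(expected, entries):
    """Strict check: Name is compared as a literal string, Value1 must equal
    the expected value. Returns {name: 'ok' | 'missing' | 'wrong value'}."""
    result = {}
    for name, want in expected.items():
        values = [v for n, v in entries if n == name]
        if not values:
            result[name] = "missing"
        elif all(v == want for v in values):
            result[name] = "ok"
        else:
            result[name] = "wrong value"
    return result

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CONF)
    for pat in ("*.emerg", "*.emerg*", "?.emerg-*", "authpriv.*"):
        print(f"{pat!r:14} -> {wildcard_hits(pat, entries)}")
    print(literal_check({"*.emerg": "*", "mail.*": "@server01.fqdn"}, entries))
```
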

                          • 10. Re: BSA Component Template Compliance escape characters
                            Joe Piotrowski

                            Here's a post from 2007 that was never answered.

                            Re: compliance job not finding config file entry

                             

                            I would also test the = "*" part so it needs to literally check for * and not just anything.

                            • 11. Re: BSA Component Template Compliance escape characters
                              richard mcleod

                              missing link

                               

                              Also, oddly enough the right side evaluation is exact. Tested it against a syslog.conf file where the right hand side was something other than * and it failed the check

                              • 13. Re: BSA Component Template Compliance escape characters
                                Joe Piotrowski

                                How about:

                                 

                                exists "Configuration File Entry:/etc/syslog.conf//**" where

                                     Name = "*.emerg" AND

                                     "Value1 as String (All OS)" = "*"

                                end


                                Maybe the literal = on the Name will help.

                                • 14. Re: BSA Component Template Compliance escape characters
                                  richard mcleod

                                  Don't have access to this page... tried the below suggestion, worked great for 1 entry, trying to figure out how to implement for all entries without additional loops, thanks
