A few ways you can do this:
1. Include the /etc/ftpusers file as a part. In the rule, use the content value and contains "root". I would also include another rule like does not contain "#root" and other users (does not exist) if doing this way in case there is a # in front of root or other users present in the file. No extended object required.
(edit: a rule that checks the contents is equal to "root" should give you what you need without other rules checking for other users)
2. Write an extended object command to find out if the user exists, such as grep -i "^root" /etc/ftpusers, and create a compliance rule that looks for the name root as an entry. Or cat the contents to check the entire file and compliant for only the root entry in the rule (ie root exists, //** no others exist).
Also on a different note .. if you are using AIX CIS benchmarks, things will get interesting on 2.11.2 that audits for additional users in the /etc/ftpusers files. You will know to do it, but it may require some input from whoever dictates policy as the rules sort of contradict each other.
Thank you Inigo for your time and effort; however, I found that the /etc/ftpusers file is already a part on the compliance template and I have tried to build different rules, one sample mentioned below, but I am not getting it right.
foreach "Configuration File Entry:/etc/ftpusers//**"
I always get a "compliant" result although I have changed the file to different entries other than root.
AFAIK, for /etc/ftpusers out of box Configuration File Definition is not provided. So you just need to add it.
Go to "Configuration"->"Custom Object Dictionary View" and add a new entry for /etc/ftpusers as shown below. Select the OS as per your requirement; my target was Solaris, so I had selected "Solaris":
Save your rule and the template. Execute the rule again.
I am not sure if we need to re-add the part in the Template after the Configuration File Definition is added. So if the above rule execution doesn't provide the correct results, remove the /etc/ftpusers parts from template and re-add it.
Hope this helps...
I am thinking your rule should work as you expect as long as you are pulling the name entry from the pulldown after you select the configuration file in the rule. The //** will act in the same manner as a "for each", where it will report non-compliant if any of the values do not equal root. I can't really tell from your text, but it looks like you might have 2 rules from the way you wrote it. If you post a screenshot, it would be helpful.
/etc/ftpusers is already included as a "file" in the part, and I am using a copy of the SOX template. I created a rule with the below syntax:
"File:/etc/ftpusers".Contents equals root
However, when I run it, it gives non-compliant although "root" is the only entry in the file.
The /etc/ftpusers file is already in the config object dictionary on the AIX systems.
Thanks to all.
Forgot to mention that the built-in config object dictionary for /etc/ftpusers uses the grammar file /etc/auto_* (auto.gm). Is that correct?
If I use "contains" it will work, but if I add another entry below the "root" entry, such as another user, it will go compliant but it will show you "rootxxx" in the result, where xxx is the other user !!!
I got it to work using the below syntax; however, when I add an entry "#root" in /etc/ftpusers, the rule cannot detect this entry and it does not check its line !!!
The grammar's probably treating # as a comment. In this case, does # not indicate a comment?
That's what I have noticed: it does not treat an entry that starts with "#" as something worth checking; however, I would like to check it because I would like to make sure that no one is trying something funny on the file.
Any suggestions how to make the rule check also for "#" sign and not ignore it completely?
Regarding the file in question /etc/ftpusers, as per the man page (man ftpusers) on Solaris 11,
Lines that begin with # are treated as comment lines and are ignored.
So there can be some comments in this file which are going to be ignored by the application (ftpd in this case). If you do NOT want to ignore #, those entries will be marked as non-compliant in the rule result, so it would be a false alarm.
Here is a sample file from my target machine:
Solaris11:# head /etc/ftpusers
# List of users denied access to the FTP server, see ftpusers(4).
So please decide if you really want to consider/ignore the commented entries.
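To make the two sides of this thread concrete (the "only root may be listed" rule, and the question of whether "#root" lines should be ignored or surfaced), here is a small stand-alone checker added for illustration. It is not a CCS rule and not code from anyone in this thread: it applies the ftpusers(4) semantics quoted above (lines beginning with # are comments), reports compliance only on the active entries, and separately lists commented-out lines that look like a bare username so a "#root" edit is visible without being counted as a violation. The expected user set and the "single token after #" heuristic are assumptions of this example, and the sample file contents are constructed.

```python
"""Checker for an /etc/ftpusers policy that denies FTP login only to root.

Added example, not part of the thread or any compliance product. Assumptions:
  * ftpusers(4) semantics: one username per line, '#' starts a comment line.
  * Policy: the set of active (uncommented) entries must be exactly {"root"}.
  * Heuristic: a comment whose body is a single token (e.g. "#root") is
    reported as a possibly commented-out entry; free-text comments are not.
"""

from dataclasses import dataclass, field
from typing import List, Tuple

EXPECTED_USERS = {"root"}  # policy assumption for this example


@dataclass
class FtpusersReport:
    active_users: List[str] = field(default_factory=list)
    commented_lines: List[Tuple[int, str]] = field(default_factory=list)
    blank_lines: int = 0

    @property
    def compliant(self) -> bool:
        # Only the active entries matter to ftpd, so only they decide compliance.
        return set(self.active_users) == EXPECTED_USERS

    @property
    def suspicious_comments(self) -> List[Tuple[int, str]]:
        # Comment lines whose body is one bare token, e.g. "#root" or "# root".
        out = []
        for line_no, text in self.commented_lines:
            body = text.lstrip("#").strip()
            if body and len(body.split()) == 1:
                out.append((line_no, text))
        return out


def parse_ftpusers(text: str) -> FtpusersReport:
    """Parse ftpusers file contents the way ftpd would, keeping comments aside."""
    report = FtpusersReport()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            report.blank_lines += 1
        elif line.startswith("#"):
            report.commented_lines.append((line_no, line))
        else:
            # ftpd matches the username only; ignore any trailing tokens.
            report.active_users.append(line.split()[0])
    return report


def findings(report: FtpusersReport) -> List[str]:
    """Human-readable findings: a compliance verdict plus any commented-out names."""
    msgs = []
    extra = sorted(set(report.active_users) - EXPECTED_USERS)
    missing = sorted(EXPECTED_USERS - set(report.active_users))
    if extra:
        msgs.append(f"NON-COMPLIANT: unexpected active entries {extra}")
    if missing:
        msgs.append(f"NON-COMPLIANT: expected entries not active {missing}")
    if not extra and not missing:
        msgs.append("COMPLIANT: active entries are exactly " + ", ".join(sorted(EXPECTED_USERS)))
    for line_no, text in report.suspicious_comments:
        msgs.append(f"REVIEW: line {line_no} looks like a commented-out entry: {text!r}")
    return msgs


def check_file(path: str) -> List[str]:
    """Convenience wrapper for a real file on the target host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return findings(parse_ftpusers(fh.read()))


# Constructed sample contents (not taken from any real host).
SAMPLE_GOOD = "# List of users denied access to the FTP server, see ftpusers(4).\nroot\n"
SAMPLE_EXTRA = "root\nxxx\n"          # a second user appended below root
SAMPLE_COMMENTED = "#root\n"          # root commented out: ftpd no longer denies it

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("extra", SAMPLE_EXTRA), ("commented", SAMPLE_COMMENTED)):
        print(name)
        for msg in findings(parse_ftpusers(sample)):
            print("  " + msg)
```

Run as a script it prints a verdict for each constructed sample; on a host, `check_file("/etc/ftpusers")` gives the same output for the real file. The design point is the one Inigo and the Solaris man page make: comments must not flip the compliance verdict (ftpd ignores them), but a bare "#root" is still worth a review line because it means root is no longer denied.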