(See previous post about Search Expressions)
Files under “/proc/” on a Linux system aren’t really files at all. They’re dynamically generated by the kernel when they’re read and allow you to read the contents of internal kernel data structures. In some cases they can also be written to, allowing you to effect a change in a kernel setting.
For example, when I read /proc/version, the kernel creates the string and hands it back to me as if it had been a file on disk:
# cat /proc/version
Linux version 3.3.7-1.fc17.x86_64 (firstname.lastname@example.org) (gcc version 4.7.0 20120507 (Red Hat 4.7.0-5) (GCC) ) #1 SMP Mon May 21 22:32:19 UTC 2012
This kernel is out of date; the latest version for this system is 3.5.1. Could we provide an alert if the running kernel is too old?
In your configuration policy, add a new rule under “Software Configuration” called “Out of date kernel”. In it, add the following 2 checks, both of type “File String Presence”:
/proc/version Does not contain ^Linux version 2\.[0-9]
/proc/version Does not contain ^Linux version 3\.[0-4]
While I won’t provide Remediation suggestions for these examples, that box is your chance to tell the person reading the configuration report how to fix the problem. In this case, something like “The running kernel is out of date. It should be updated with yum or apt-get, and the system must be rebooted.”
So what about “^Linux version 2\.[0-9]”? Well, the “Linux version 2” part of that is matched verbatim. Like our first example, the “^” (caret) at the beginning of the expression tells Halo to look for this string only at the start of a line; if the offending string shows up somewhere in the middle of a line, it is ignored.
In Search Expressions, the “.” (period) matches any character (we’ll use that later in the article as a placeholder). To actually look for just a period, we’ll tell Halo to stop treating “.” as a wildcard by putting a backslash in front of it (the backslash has that effect in front of any character that has special meaning in search expressions; it returns that character to its original meaning). Since we literally want to match on just a period, we use “\.”.
The last interesting parts are the character sets or ranges. These are placed inside square brackets to say “I want to match any of these characters”. In the first, I want to match any digit, so I use “[0-9]”. Halo knows that that will match 0, 1, 2, 3, etc. up to 9, but won’t match a, b, c, #, H, !, or any other character. In the second, I don’t want to match any digit, just the 0, 1, 2, 3, or 4.
Those two checks will respectively alert on any kernel version that starts with “2.”, or any kernel version that starts with 3.0, 3.1, 3.2, 3.3, or 3.4. Since the running kernel on our example system is 3.3.7, that policy will come back with a warning that we need to upgrade it. If we had patched that system and rebooted it, /proc/version would have returned “Linux version 3.5.1” and neither check would have complained.
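The two checks can be tried locally before they go into a policy. The script below is an added example, not part of the original post or of Halo; it goes one step past the post by running a later kernel (3.10) through the same expressions, where “3\.[0-4]” matches the leading “3.1”. It assumes the constructs used here (^, \., [..]) behave as they do in POSIX extended regular expressions; the function names, the stricter variant and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate the rule's two "Does not contain" checks with grep -E.
# Assumption: ^, \. and [..] behave as in POSIX extended regular expressions.

CHECK_2X='^Linux version 2\.[0-9]'
CHECK_3X='^Linux version 3\.[0-4]'
# Hypothetical stricter variant: require the period after the minor number so
# that "3.10" is not read as "3.1" followed by "0".
CHECK_3X_STRICT='^Linux version 3\.[0-4]\.'

# matches EXPR TEXT -> exit status 0 if a line of TEXT matches EXPR
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# kernel_status TEXT [EXPR_3X] -> prints "alert" if either check finds its
# string in TEXT (the "Does not contain" check fails), otherwise "pass"
kernel_status() {
    three="${2:-$CHECK_3X}"
    if matches "$CHECK_2X" "$1" || matches "$three" "$1"; then
        echo alert
    else
        echo pass
    fi
}

# Constructed sample lines (shortened /proc/version contents)
OLD='Linux version 3.3.7-1.fc17.x86_64 (gcc version 4.7.0) #1 SMP'
NEW='Linux version 3.5.1-1.fc17.x86_64 (gcc version 4.7.0) #1 SMP'
LATER='Linux version 3.10.0-1.x86_64 (gcc version 4.8.0) #1 SMP'
MIDLINE='built on Linux version 2.6 host'   # string not at start of line

# Columns: result with the post's checks, result with the stricter 3.x check
for line in "$OLD" "$NEW" "$LATER" "$MIDLINE"; do
    printf '%-6s %-6s %s\n' \
        "$(kernel_status "$line")" \
        "$(kernel_status "$line" "$CHECK_3X_STRICT")" \
        "$line"
done
```

Version checks written as prefix patterns need revisiting whenever the minor number gains a digit; otherwise a patched host reports as out of date.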