New Rule Check – Search Expressions

Halo has had the ability to look for key-value pairs in any file ever since its first public release.  This check handles many common cases, but is limited:  to look for a particular word, you essentially need to know all the characters on the line before it, and even when you do, this can be a very brittle check.

To provide more flexibility we’ve added the new File String Presence Check that leverages powerful Search Expressions opening up new possibilities for creative new rules.

Introduction to Search Expressions

When your search needs are simple, the existing “Configuration File Setting” check works fine.  Let’s say you need to make sure that the file /etc/ShoppingCart.conf has the line:


You could set up a new “Configuration File Setting” check that looks like,

Configuration File Path: /etc/ShoppingCart.conf
 Configuration Item: Debug
 Configuration Item/value delimiter: =
 Desired value: false

and that would warn you if any systems using that policy still had Debug mode turned on.

The problem comes when you need to check lines where you’re literally looking for just a value with no key at all (for example, where the line is nothing more than the character 0 , like /proc/sys/net/ipv4/ip_forward), or lines that may have other text on them.  That Configuration File Setting check would not be able to handle lines like the following:


What we need is a more flexible way to describe the lines we require in a particular file, as well as the lines we can’t allow in a particular file.  This description language is called “Search Expressions”.

As a quick example of a required line, let’s say that the three Debug lines above are all acceptable ways of saying that Debug mode is turned off, and we want to make sure that at least one of them is in that file.  What we really want is to have “Debug=” at the beginning of the line, and the word “false” on that line as well, perhaps with some other stuff in between or following “false”.

Instead of using the limited “Configuration File check”, we’ll switch over to the “File String Presence” check and fill in its 3 fields like so:

 File(s): /etc/ShoppingCard.conf
 Contains: (checked the “Contains” radio button)
 The following pattern: ^Debug=.*false.*

We’ll discuss them in more detail below, but the “^” says “look for the following text only at the beginning of the line”, and “.*” means “allow any number of characters here”.  That satisfies our requirements, and is flexible enough to handle different forms of the Debug line as long as the word false appears on it somewhere.

If you’ve used Regular Expressions in the past, much of this will seem familiar.  While the expression features we use do not exactly match any specific regular expression implementation, there’s enough overlap that you should be quite comfortable using these.

We have a good summary of the configuration file check here.  At the bottom of this article is a summary table of the syntactical items available to you in searches.  I’d suggest as you work through this article that you leave a copy of that up in a second browser window for reference.


To demonstrate using Search Expressions, we’ll show you how to look for 1) strings that shouldn’t be in various files (and alert if they show up), and 2) strings that should be in various files (and alert if they’re missing).  We’ll try to use files that are likely on your system, such as common configuration files in /etc/ and virtual files in /proc/ .  You may or may not be interested in checking the actual things we check, but the concepts we present should carry over to other files you do need to check.

We’ll start with some simpler examples, and move into some more complex ones.

1. Kernel version out of date

2. Warn if a packet sniffer is running

3. Look for systems that share files over NFS

4. Look for errors in software raid arrays

5. Warn on sudoers configuration that doesn’t require a password

6. Warn if a revoked user account exists on any checked systems

7. Require at least one configured ntp server

8. Require remote logging

9. Operating system not forwarding packets (coming soon)

10. Checking that your default route is correct

11. Checking that there’s only one default gateway, first pass

12. Checking that there’s only one default gateway, second pass (coming soon)

13. Simplifying the checks (coming soon)

Closing thoughts

The above examples use the new Search Expression feature of Halo to allow more intricate checks of file content, both for actual files and for virtual files like the ones under /proc/.  While they can be complex to write, they provide a much richer and more flexible set of capabilities.

Stay up to date

Get the latest news and tips on protecting critical business assets.

Related Posts