Using NOT Rules Within a Configuration Check

Sometimes when checking a particular configuration setting, you are more interested in which value is not set than in the wider range of acceptable values. For these situations Halo lets you use “NOT” as a qualifier within your “Configuration file setting” rules. When used properly, NOT can extend functionality as well as simplify your checks.

For example, when defining a password aging policy, it is common to set both a minimum and a maximum password age. The minimum setting ensures some period of time must go by between password changes. Without a minimum value being set, it would be possible for users to simply change their password multiple times in a single sitting. This would permit them to cycle the password history until they can again use the same password. This obviously defeats the purpose of forcing users to change their password.

When setting a minimum password age on Linux, the granularity is set in days. If the intent is to simply stop users from making multiple changes in a single sitting, any value of one day or higher will complete this task. If we tell Halo to look for a value of zero, the check will only pass when zero is set. So what we need to be able to do is ensure that any value but zero is used. This is an excellent use case for using a NOT rule.

Creating a New Rule

From the main screen of the Halo interface, click on “Policies” and then “Configuration Policies”. Either click the name of the current policy you wish to edit, or click the “Add New Configuration Policy” button to create a new one. From the main policy screen, click “System Configuration”, and then “Add a New Rule”. Your screen should now look similar to Figure 1.

Provide the rule with a descriptive name as well as a description. You can choose to tweak all of the other settings to your personal preference, or leave them as-is.

Creating a NOT Check

At the bottom of the New Rule Properties screen, click the Add New Check button. This will produce a list of the types of checks you can perform. Click the first listed check titled “Configuration File Setting”.

We now need to tell our check what to look for. Set the following values:

  • Configuration file path = /etc/login.defs
  • Configuration file section =
  • Configuration item = PASS_MIN_DAYS
  • Desired value = NOT:0
  • Configuration file comment character = #
  • Configuration item/value delimiter =

Your screen should now appear similar to Figure 2. Note that the background is yellow. This tells you your check has not yet been saved.

Once you have filled in all of the appropriate values, click the “Save All” button. You should see the background change from yellow to gray. You should also see a green banner appear at the bottom of the screen that states “Rule was successfully created”. Your rule is now saved and ready for use.
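To make the semantics of the check above concrete, here is an added example (my own code, not part of the Halo product or this post) that evaluates a “Configuration file setting” check with the same six inputs, applied to a constructed /etc/login.defs fragment. It assumes whitespace-delimited key/value lines with `#` comments, and that when an item is defined more than once the last definition is the one in effect.

```python
"""Evaluate a Halo-style 'Configuration file setting' check, including NOT rules."""

# Constructed sample of an /etc/login.defs fragment (not taken from any real host).
# Note the commented-out PASS_MIN_DAYS line and the trailing comment on the live one.
WEAK_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
#PASS_MIN_DAYS   7          # commented out, so not in effect
PASS_MIN_DAYS   0           # users may change passwords back-to-back
PASS_WARN_AGE   14
"""
FIXED_LOGIN_DEFS = WEAK_LOGIN_DEFS.replace("PASS_MIN_DAYS   0 ", "PASS_MIN_DAYS   1 ")


def parse_settings(text, comment_char="#", delimiter=None):
    """Return {item: value} for every effective setting line.

    Lines are key/value pairs split on `delimiter` (None = any whitespace, as in
    login.defs). Anything after `comment_char` is ignored. If an item appears
    more than once the last definition wins (assumption about precedence).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(comment_char, 1)[0].strip()
        if not line:
            continue
        parts = line.split(delimiter, 1)
        if len(parts) == 2:
            settings[parts[0].strip()] = parts[1].strip()
    return settings


def check_setting(text, item, desired, comment_char="#", delimiter=None):
    """Apply one check; `desired` is a plain value ("0") or a NOT rule ("NOT:0").

    Returns (passed, reason). An absent or commented-out item fails under both
    forms, because the file then does not demonstrate the required setting.
    """
    actual = parse_settings(text, comment_char, delimiter).get(item)
    if actual is None:
        return False, f"{item} is absent or commented out"
    if desired.startswith("NOT:"):
        forbidden = desired[len("NOT:"):]
        if actual == forbidden:
            return False, f"{item}={actual} is the forbidden value"
        return True, f"{item}={actual} is anything but {forbidden}"
    if actual == desired:
        return True, f"{item}={actual} matches"
    return False, f"{item}={actual}, expected {desired}"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LOGIN_DEFS), ("fixed", FIXED_LOGIN_DEFS)):
        print(label, check_setting(text, "PASS_MIN_DAYS", "NOT:0"))
```

The weak sample fails the NOT:0 rule while the fixed one passes; the commented-out `PASS_MIN_DAYS 7` line is correctly ignored rather than counted as a passing value.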

Implementing Your Rule

If you added your check to an existing policy that has already been applied to a group of servers, you are all set and the check will be performed the next time the groups using that policy are scanned. If you created a new policy however, we still have a few steps to go.

Return to the main Halo screen by clicking the “Servers” menu item. Decide which of your groups you wish to apply your new policy to, and click the name of the group. When the “Edit Details” option appears, click this link.

When the Edit Group Details screen appears, click on the Configuration Policies pull-down option. Your screen should look similar to Figure 3. If you no longer wish to use the existing policy, click “remove” to the right of the name of the existing policy.

Click the “Save” button and you are done! Your check will now be implemented during the next scan.
