Regex vs rope not working

vk.khurava 2023-11-03 07:36:11 UTC #1

Hi,

Characters are more than 512, therefore I have to use rope, but relevance does not match with that regex. I am trying to alter below relevance to have an extended check of the supplied values, but regex is not functioning.

Although values are cut here, there are actually more than 60K characters.

Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex (rope "^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan" &  "|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops" &  "|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop" &  "|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1" &  "|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|" &  "rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "regex" is not defined.

JasonWalker 2023-11-03 12:18:40 UTC #2

Probably better to put your exceptions in a string set, and then check for users not contained in the set.

JasonWalker 2023-11-03 13:22:19 UTC #3

I’d begin by finding the home directories of interest - which will be items 1 of it of this list…

Q: (item 0 of it, item 1 of it) of (/* username */ item 0 of item 0 of it, /* homedir */ item 1 of item 0 of it, /* exception set */ item 1 of it) whose ( /* remove users who are in the exceptions set */ item 0 of it is not contained by item 2 of it) of ((/* username field */ parenthesized parts 1 of it, /* homedir field */ parenthesized parts 6 of it) of (matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of it) of lines of files "/etc/passwd", it /* set of exceptions */) of set of ("root"; "halt"; "sync"; "shutdown"; "ebizrt"; "prod"; "bms"; "squid"; "release"; "tsgops"; "searchUser"; "snm"; "sync" /* add more exceptions here */)
A: bin, /bin
A: daemon, /sbin
A: adm, /var/adm
A: lp, /var/spool/lpd
A: mail, /var/spool/mail
A: operator, /root
A: games, /usr/games
A: ftp, /var/ftp
A: nobody, /
A: dbus, /
A: systemd-coredump, /
A: systemd-resolve, /
A: tss, /dev/null
A: polkitd, /
....

vk.khurava 2023-11-04 05:55:26 UTC #4

Thanks @JasonWalker ! But my question is in reg. of fixlet ID # 126441 Ensure users’ home directories permissions are 750 or more restrictive User and Group Settings CIS Checklist for RHEL 7

Wanted to increase highlighted scope below -

(not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by “:” of parenthesized part 6 of it) of ((matches (regex “^(.):(.):(.):(.):(.):(.):(.)$") whose (exist matches (regex "^.”) of parenthesized part 1 of it) of lines of (if exists file “/etc/passwd” then file “/etc/passwd” else error “no file: /etc/passwd”)) whose (not (exist matches (regex “^(root|halt|sync|shutdown)”) of parenthesized part 1 of it))) whose (not (exist matches (regex “(/sbin/nologin|/usr/sbin/nologin|/bin/false)”) of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not “”) whose (it as boolean is False) of it = 0)))

JasonWalker 2023-11-04 14:00:07 UTC #5

There are very few operations that can be done against a rope, I don’t know whether regex is one of them but apparently not. Open to other suggestions here and maybe I’ll get corrected @aram?

In the meantime if you want to keep the basic structure of that statement you could change the filter to something like

(Not exists matches(regex(“first exceptions”)) of it and not exists matches(regex(“second exceptions”)) of it ) of parenthesized parts 7 of it

atlauren 2023-11-04 18:47:26 UTC #6

TIL rope

(Heads to developer site)

Aram 2023-11-06 14:47:16 UTC #7

With rope, the closest available operator today would be contains:

<rope> contains <string> : boolean

vk.khurava 2023-11-17 08:42:51 UTC #8

Alright, so rope isn’t working for us. I attempted to move the 70K string value to a file as a workaround, but that didn’t work for regex, suggestions please.

Original Relevance -
(not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex "^(root|halt|sync|shutdown)") of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))

Modified -

Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex of (lines of file "/tmp/test.txt")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "regex" is not defined.

Content of “/tmp/test.txt”:
^(root|halt|sync|shutdown|XYC|WVC|asd)

vk.khurava 2023-11-17 14:56:10 UTC #9

vk.khurava:

Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by “:” of parenthesized part 6 of it) of ((matches (regex “^(.):(.):(.):(.):(.):(.):(.)$") whose (exist matches (regex "^.”) of parenthesized part 1 of it) of lines of (if exists file “/etc/passwd” then file “/etc/passwd” else error “no file: /etc/passwd”)) whose (not (exist matches (regex of (lines of file “/tmp/test.txt”)) of parenthesized part 1 of it))) whose (not (exist matches (regex “(/sbin/nologin|/usr/sbin/nologin|/bin/false)”) of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not “”) whose (it as boolean is False) of it = 0)))
E: The operator “regex” is not defined.

Although it appears that the regex portion got solved, the parenthesized part is still stuck after the regex value has been defined !!!

I believe parenthesized part 1 of it extracts the text matched by the first set of parentheses in the regex but seems still regex part creating problem & pieces are not right.

Q: (not exists 1 whose ((exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex "^") of (lines of file "/tmp/test.txt")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "parenthesized part" is not defined.

JasonWalker 2023-11-18 14:09:16 UTC #10

Ok, I still think this approach may be problematic in terms of performance, because this is doing a lot of regex as well as looping through the entire passwd file, but at least in my tests with a small passwd file it seems to work.

Doing a bit of reading on ‘rope’ at https://developer.bigfix.com/relevance/reference/rope.html , we find that internally a string can be any length at all; it’s only where we are inputing the string literally in Relevance that we are limited to 512 characters.

There’s also this cast available:

<rope> as string : string
Converts a rope into a string object. When converted, all the other string properties are available.

Which means we can use a ‘rope’ to create the large string - and once we build the rope, we can cast it back to a string to use all the normal string operations with it.
From your first example we can see that after creating the rope, we can cast it back to a string to see the whole value:

q: ((rope "^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan" &  "|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops" &  "|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop" &  "|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1" &  "|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|" &  "rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|") as string)
A: ^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|
T: 0.230 ms
I: singular string

So, we can take your whole original expression, wrap the rope in another set of parentheses and then cast it ‘as string’ before trying to select the regexes from it:

Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex ((rope "^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan" &  "|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops" &  "|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop" &  "|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1" &  "|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|" &  "rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|") as string)) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
A: False
T: 28812

vk.khurava 2023-11-20 03:19:09 UTC #11

Thanks Jason! Testing my whole 70K long string.

JasonWalker 2023-11-20 04:03:32 UTC #12

If you have 70k worth of exceptions, there’s little reason to bother trying to enforce the rule though.

vk.khurava 2023-11-20 06:58:52 UTC #13

70K characters ! but yes, the list is huge, this is what it is & the way customer wants