Characters are more than 512, therefore I have to use rope, but relevance does not match with that regex. I am trying to alter below relevance to have an extended check of the supplied values, but regex is not functioning.
Although values are cut here, there are actually more than 60K characters.
Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex (rope "^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan" & "|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops" & 
"|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop" & "|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1" & "|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|" & 
"rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "regex" is not defined.
I'd begin by finding the home directories of interest - which will be items 1 of it of this list...
Q: (item 0 of it, item 1 of it) of (/* username */ item 0 of item 0 of it, /* homedir */ item 1 of item 0 of it, /* exception set */ item 1 of it) whose ( /* remove users who are in the exceptions set */ item 0 of it is not contained by item 2 of it) of ((/* username field */ parenthesized parts 1 of it, /* homedir field */ parenthesized parts 6 of it) of (matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of it) of lines of files "/etc/passwd", it /* set of exceptions */) of set of ("root"; "halt"; "sync"; "shutdown"; "ebizrt"; "prod"; "bms"; "squid"; "release"; "tsgops"; "searchUser"; "snm"; "sync" /* add more exceptions here */)
A: bin, /bin
A: daemon, /sbin
A: adm, /var/adm
A: lp, /var/spool/lpd
A: mail, /var/spool/mail
A: operator, /root
A: games, /usr/games
A: ftp, /var/ftp
A: nobody, /
A: dbus, /
A: systemd-coredump, /
A: systemd-resolve, /
A: tss, /dev/null
A: polkitd, /
....
Thanks @JasonWalker ! But my question is in reg. of fixlet ID # 126441: Ensure users' home directories permissions are 750 or more restrictive - User and Group Settings - CIS Checklist for RHEL 7
Wanted to increase highlighted scope below -
(not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex "^(root|halt|sync|shutdown)") of parenthesized part 1 of it))) whose (not (exist matches (regex "(/sbin/nologin|/usr/sbin/nologin|/bin/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
There are very few operations that can be done against a rope, I don't know whether regex is one of them but apparently not. Open to other suggestions here and maybe I'll get corrected @aram?
In the meantime if you want to keep the basic structure of that statement you could change the filter to something like
(Not exists matches(regex("first exceptions")) of it and not exists matches(regex("second exceptions")) of it ) of parenthesized parts 7 of it
Alright, so rope isn't working for us. I attempted to move the 70K string value to a file as a workaround, but that didn't work for regex, suggestions please.
Original Relevance - (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex "^(root|halt|sync|shutdown)") of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
Modified -
Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex of (lines of file "/tmp/test.txt")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "regex" is not defined.
Content of "/tmp/test.txt": ^(root|halt|sync|shutdown|XYC|WVC|asd)
Although it appears that the regex portion got solved, the parenthesized part is still stuck after the regex value has been defined !!!
I believe parenthesized part 1 of it extracts the text matched by the first set of parentheses in the regex, but it seems the regex part is still creating a problem & the pieces are not right.
Q: (not exists 1 whose ((exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex "^") of (lines of file "/tmp/test.txt")) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
E: The operator "parenthesized part" is not defined.
Ok, I still think this approach may be problematic in terms of performance, because this is doing a lot of regex as well as looping through the entire passwd file, but at least in my tests with a small passwd file it seems to work.
Doing a bit of reading on "rope" at https://developer.bigfix.com/relevance/reference/rope.html , we find that internally a string can be any length at all; it's only where we are inputting the string literally in Relevance that we are limited to 512 characters.
There's also this cast available:
<rope> as string : string Converts a rope into a string object. When converted, all the other string properties are available.
Which means we can use a "rope" to create the large string - and once we build the rope, we can cast it back to a string to use all the normal string operations with it.
From your first example we can see that after creating the rope, we can cast it back to a string to see the whole value:
So, we can take your whole original expression, wrap the rope in another set of parentheses and then cast it "as string" before trying to select the regexes from it:
Q: (not exists 1 whose (exists (concatenation ", " of (it as string) of ((((group write of it = False) and (other read of it = False)) and (other write of it = False)) and (other execute of it = False)) of (folders (it)) of (substrings separated by ":" of parenthesized part 6 of it) of ((matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") whose (exist matches (regex "^.*") of parenthesized part 1 of it) of lines of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) whose (not (exist matches (regex ((rope "^(root|halt|sync|shutdown|ebizrt|prod|bms|squid|release|tsgops|searchUser|snm|sync|news|reboot|ftp|release|bfm1|smmsp|smadmin|smtp-reserved|guest|guest2|elic|pierson|srmidle|srmlost|srmother|srmapps|prod|product|sysadm|sshd|mlprepay|sybase|fame|mailfax|hyperion|oracle|tmpfin|apbch|sops|patrol01|patrol02|fdsftp|generic|mospdev|mospauto|mospread|mospprod|cashfax|ssblux|rt|rtadmin|demoit|deloitte|tmpbrs|ssbbostn|tmppmg|phontool|fastuser|dst_ftp|clguest|jobs|tmphr|ejv|hrjobs|fagreen|midasftp|ssbcan" & "|secmas00|corpsprd|bloom|gsmort|sbdata|dwhse00u|http|jboss|tmpamg|mlde000d|mlde000u|mlde000|publish|pncredit|pnceqres|pncalm|lexis|fedres|cont1|research|nagios|micromuse|pibsrdat|gmac|ssbftp|uegd|uegu|ueg|lbmail|bearmail|jpmail|bearftp|maxwin|prodmail|prcprdml|msftp|ndm|crdms00d|patrol00|crdms00|crdms00u|arcs00d|arcs00u|pasprod|gsfd|tmpops|fredster|mvsdnld|terschd|tersch|rbcdsftp|build|mlftp|mfrd|mfru|mfr|supermax|extserv|instsales|pimc|mdirect|datasvcd|datasvcu|webprod|tsgops|sybops|engops|piaops" & 
"|www|eqpacead|asdssdo|capd|capu|cap|lpsd|lps|eqpaceau|eqpacea|geftp|etph|pasnt|seg|lsgtemp|pp11553|ddsdwdou|eqstgdod|eqstgdou|webmail|mueller|delftp|phlftp|yieldbook|mistfr|trdtpd|arcs00au|gsflad|gsflau|gsfla|byne0|jasweblu|jaswebld|appadvtd|appadvtu|appadvtp|testPIMC|tsgtest|dsogsflp|freduser|freoas|sqlserv|mlprice|ssbndm|rm-www|tmpfin2|appprocd|appprocp|appismtd|appismtu|appismtp|sm2back|sm0mmcld|sm0mmclu|sm0mmclp|anthrtmp|tsgtmp|dsoctf1u|saraprod|iavebtch|dsopibsp|frebatch|appmcmou|appmcmop" & "|appmcutu|prodfund|dsodtusp|dsocpusp|apppmtwp|ftpuspcd|ftpuspcu|dsoctp1d|dsostp1d|dssautod|dssaut1u|dssaut2u|dssaut1p|dssaut2p|clarus|misadm|cisadm|mibld|sybfi|tmppmg2|instruct|lehcmbs|cfreendm|pncndm|ffunds|dtcndm|porthist|pmsuser|ats|ediftp|barra|brand|gsamresp|tmphr2|tools|tmpadm1|tmpadm2|tmpadm3|bfmuser|editemp|himbatch|tmpamg2|datamail|tmprech|tmpexec|ironmail|chsisitc|tmpreit|tickprod|coutts|sybqt|sybpsd|sybpsp|vldto1|vldto2|vldto3|vldpm1|vldpm2|vldpm3|vldco1|vldco2|vldco3|vldcmpl1|vlddig1" & "|vlddig2|vldrm1|vldrm2|complftp|dbmgrd|ctxsrvr|dbmgru|dbmgr|bgibatch|eqtysd|eqtysu|tmpadm4|lpsysdop|rsibatch|eqstauad|all_adm|all_usr|ddsdwdop|sybclntp|daddydop|mace|plumndou|plumndop|pleiadpd|tmpbrs2|bb|eqstgdop|factset|scdrlacc|scdrlprd|appmospp|applcsrd|as0lcsru|prubatch|pamsu|apppactu|apppactp|applpsfu|applpsfp|appddh0u|trdlst|ftpomr0d|ftpomr0p|scdrlst|nbuser|nbadmin|barrasvc|tmpgen1|tmpfund|tmpgen2|mgraffic|crplpd|tmpfac|purgeusr|audlpd|pwslst|tmpgen3|paslqa|appktekd|pwslpd|krkbatch|mtest1|" & 
"rovlqa|rovlpd|rovldv|cislpd|mislpd|trdldv|appbarad|otialbas|tialbs|flexlm|sstgoas|heatmail|appsiblp|icblpd|heattest|dsoweblu|dsoweblp|dtcsvc|heatbrm|mlpldv|mlplbd|mlplst|ostlldev|omgtldev|blpuser|omgtlprd|apppbsrd|heatext|dsosmapp|dsomldep|appeabpp|tmpusr01|tmpusr02|tmpusr03|appwiacd|heat|as0eabpu|dsopabld|dsopablu|dsopablp|apppinau|lfochtma|qrgprod|baresst|sm0mmsvd|sm0mmsvu|sm0mmsvp|redbatch|ftppacmd|ftppacmu|ftppacmp|appsrutd|ftpadm|blkpamus|pamrpt|tmpusr04|tmpusr05|benbatch|dsomaesp|apppiapd|") as string)) of parenthesized part 1 of it))) whose (not (exist matches (regex "(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)") of parenthesized part 7 of it))) whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
A: False
T: 28812
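The check this thread builds, as an added Python example (not code from any poster or from the fixlet): it applies the same tests to passwd entries and home directory modes, and compares the thread's start-anchored exception alternation with the exact set membership suggested earlier in the thread. The sample passwd lines, the modes, the `rtbackup` account and the helper names are constructed; the exception list is a short subset of the one posted.

```python
import os
import re
import stat

# Constructed sample data (not from the thread): passwd lines and home-directory modes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rtbackup:x:1001:1001::/home/rtbackup:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
svc:x:1004:1004::/home/svc:/sbin/nologin
"""
SAMPLE_MODES = {"/root": 0o550, "/home/rtbackup": 0o777, "/home/alice": 0o755, "/home/bob": 0o750}
EXCEPTIONS = ["root", "halt", "sync", "shutdown", "rt"]  # short subset of the posted list
NOLOGIN = re.compile(r"(/sbin/nologin|/usr/sbin/nologin|/bin/false)")

def too_open(mode):
    """True when group write or any 'other' bit is set, i.e. looser than 750."""
    return bool(mode & (stat.S_IWGRP | stat.S_IRWXO))

def disk_modes(passwd_text):
    """Read the real permission bits of every home directory that exists."""
    homes = {f[5] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) == 7}
    return {h: stat.S_IMODE(os.stat(h).st_mode) for h in homes if os.path.isdir(h)}

def offenders(passwd_text, modes, is_exempt):
    """Sorted usernames whose home directory fails the 750-or-stricter test."""
    bad = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        if is_exempt(user) or NOLOGIN.search(shell):
            continue
        mode = modes.get(home)  # home directories absent from the map are skipped
        if mode is not None and too_open(mode):
            bad.append(user)
    return sorted(bad)

# Same shape as the posted filter: anchored at the start only, so it matches prefixes.
PREFIX_RE = re.compile("^(" + "|".join(EXCEPTIONS) + ")")
def exempt_by_prefix(user):
    return bool(PREFIX_RE.search(user))

def exempt_exact(user):
    return user in set(EXCEPTIONS)
```

With the start-anchored alternation, the `rt` entry also exempts `rtbackup`, so its 777 home directory is never reported; exact membership reports it. On a real host, pass the contents of `/etc/passwd` and `disk_modes(...)` of that text instead of the samples.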