Relevance help needed

Hey Folks,
The root account needs to be excluded from the /etc/shadow file for the password expiry relevance check. I tried to tweak the regex by adding ^(?!root)(.*): but it's not giving me the desired results. Any clue?

at:!:17929:0:90:7:::
bin:!:17929:0:90:7:::
daemon:!:17929:0:90:7:::
games:!:17929:0:90:7:::
root:$1$KikVZm4D$R2.:17980:0:99999:7:::
sshd:!:17929:0:90:7:::
adminroot:!*:17929:0:90:7:::
sys_disco:!:17929:0:90:7:::

not exists 1 whose ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*PASS_MAX_DAYS\s+(90|[1-8][0-9]|[1-9])\s*(\s+#.*)?$") of it) of it, "^\s*PASS_MAX_DAYS\s+(90|[1-8][0-9]|[1-9])\s*(\s+#.*)?$", 1) of it) of files "/etc/login.defs" and exists (concatenation ", " of (it as string) of (exist matches (regex "^[^!]") of item 1 of it and (((if it != "" then it as integer else 9223372036854775807) of item 4 of it) of it > 90)) of (parenthesized part 1 of it, parenthesized part 2 of it, parenthesized part 3 of it, parenthesized part 4 of it, parenthesized part 5 of it, parenthesized part 6 of it, parenthesized part 7 of it, parenthesized part 8 of it, parenthesized part 9 of it) of (matches (regex "^(?!root)(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of it) of lines whose (exist matches (regex ".+") of parenthesized part 1 of matches (regex "^(?!root)([^:]*):") of it) of file "/home/ad_erengasa/shadow") whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0)))

I would use "chage" to get the password expiry of the user via a script, redirect the output to a log, and read the log via relevance.

Actually, this relevance is part of one of the SCA CIS checks, so I need to go with this method only.

I am not good enough at regex to decode whether the (?!root) will take care of your desired filter.

Example fragment:

q: (lines whose (exist matches (regex ".+") of parenthesized part 1 of matches (regex "^(.*)([^:]):") of it) of file "C:\QNA\QNA9.5.12.68\Shadow.txt") 
A: at:!:17929:0:90:7:::
A: bin:!:17929:0:90:7:::
A: daemon:!:17929:0:90:7:::
A: games:!:17929:0:90:7:::
A: root:$1$KikVZm4D$R2.:17980:0:99999:7:::
A: sshd:!:17929:0:90:7:::
A: adminroot:!*:17929:0:90:7:::
A: sys_disco:!:17929:0:90:7:::

vs with a root filter

q: (lines whose (not exists match (regex "^root:") of it AND exist matches (regex ".+") of parenthesized part 1 of matches (regex "^(.*)([^:]):") of it) of file "C:\QNA\QNA9.5.12.68\Shadow.txt") 
A: at:!:17929:0:90:7:::
A: bin:!:17929:0:90:7:::
A: daemon:!:17929:0:90:7:::
A: games:!:17929:0:90:7:::
A: sshd:!:17929:0:90:7:::
A: adminroot:!*:17929:0:90:7:::
A: sys_disco:!:17929:0:90:7:::

To perhaps be a little clearer, the fragment I posted above is a sample of where you would make the adjustment to the larger statement. Since I am below average at RegEx, I chose to use a whose filter instead.

try:
q: not exists 1 whose ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*PASS_MAX_DAYS\s+(90|[1-8][0-9]|[1-9])\s*(\s+#.*)?$") of it) of it, "^\s*PASS_MAX_DAYS\s+(90|[1-8][0-9]|[1-9])\s*(\s+#.*)?$", 1) of it) of files "/etc/login.defs" and exists (concatenation ", " of (it as string) of (exist matches (regex "^[^!]") of item 1 of it and (((if it != "" then it as integer else 9223372036854775807) of item 4 of it) of it > 90)) of (parenthesized part 1 of it, parenthesized part 2 of it, parenthesized part 3 of it, parenthesized part 4 of it, parenthesized part 5 of it, parenthesized part 6 of it, parenthesized part 7 of it, parenthesized part 8 of it, parenthesized part 9 of it) of (matches (regex "^(?!root)(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of it) of lines whose (not exists match (regex "^root:") of it AND exist matches (regex ".+") of parenthesized part 1 of matches (regex "^(?!root)([^:]*):") of it) of file "/home/ad_erengasa/shadow") whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0)))

Thanks for your great helping hand. I did try the updated relevance you shared, but it's not working as expected. I'll contact the support team for further assistance.

Instead of messing with the regular expression, try filtering out the line in the query with string relevance - changing

of lines whose (exist matches (regex ".+") of parenthesized part 1 of matches (regex "^(?!root)([^:]*):") of it) of file "/home/ad_erengasa/shadow") whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0)))

to
of lines whose (it as string does not start with "root:" and exist matches (regex ".+") of parenthesized part 1 of matches (regex "([^:]*):") of it) of file "/home/ad_erengasa/shadow") whose (number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0)))

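As an added, stand-alone illustration (not code from the thread or from BigFix), here is the same check written in Python: it applies the thread's PASS_MAX_DAYS regex to login.defs, splits each shadow line into its nine fields, and excludes root by an exact username comparison rather than a (?!root) lookahead, which is the approach the answers recommend. The shadow and login.defs inputs are constructed samples; the "ops" account and the `exclude` parameter are assumptions.

```python
import re

# Constructed samples: lines from the thread's example plus a hypothetical
# "ops" account with a 120-day lifetime; not data from a real host.
SHADOW_SAMPLE = """\
at:!:17929:0:90:7:::
bin:!:17929:0:90:7:::
root:$1$KikVZm4D$R2.:17980:0:99999:7:::
sshd:!:17929:0:90:7:::
adminroot:!*:17929:0:90:7:::
ops:$6$examplehash$abc:17980:0:120:7:::
"""
LOGIN_DEFS_SAMPLE = "# comment\nPASS_MAX_DAYS   90   # CIS\nPASS_MIN_DAYS 7\n"

# Same regex the relevance applies to /etc/login.defs: PASS_MAX_DAYS of 1..90.
PASS_MAX_DAYS_OK = re.compile(r"^\s*PASS_MAX_DAYS\s+(90|[1-8][0-9]|[1-9])\s*(\s+#.*)?$")

def login_defs_compliant(text):
    """True if at least one PASS_MAX_DAYS line sets a value of 1..90 days."""
    return any(PASS_MAX_DAYS_OK.match(line) for line in text.splitlines())

def noncompliant_shadow_accounts(text, exclude=("root",), max_days=90):
    """Return (user, max_days) for active accounts whose password lifetime
    exceeds max_days, skipping usernames listed in `exclude`."""
    bad = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:          # the relevance only considers 9-field lines
            continue
        user, pw, _, _, maxd = fields[:5]
        # Exact-name filter, as the answers suggest, instead of a (?!root)
        # lookahead (which would also drop any user whose name merely starts
        # with "root", while still keeping "adminroot").
        if user in exclude:
            continue
        if not re.match(r"^[^!]", pw):   # locked ("!...") or empty password field
            continue
        # Empty field 5 means "never expires"; the relevance uses 2**63-1 for it.
        days = int(maxd) if maxd else 2**63 - 1
        if days > max_days:
            bad.append((user, days))
    return bad

def cis_check_passes(shadow_text, login_defs_text, exclude=("root",)):
    """Mirror the relevance's 'not exists 1 whose (A and B)' shape: the check
    fails only when login.defs is set correctly AND an account still exceeds it."""
    return not (login_defs_compliant(login_defs_text)
                and noncompliant_shadow_accounts(shadow_text, exclude))
```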