Audit File Syntax
Here is an example of an Amazon AWS configuration check:
<custom_item>
type: CONFIG_CHECK
description: "Verify login authentication"
info: "Verifies login authentication configuration"
reference: "PCI|2.2.3,SANS-CSC|1"
context: "line .*"
item: "login authentication"
</custom_item>
Here is an example of an EC2 check:
<custom_item>
type: EC2
description: "EC2: DescribeRegions"
info: "Lists all available AWS regions"
aws_action: "DescribeRegions"
xsl_stmt: "<xsl:template match=\"/\">"
xsl_stmt: "<xsl:for-each select=\"//ec2:item\">"
xsl_stmt: "Region: <xsl:value-of select=\"ec2:regionName\"/><xsl:text> </xsl:text>"
xsl_stmt: "</xsl:for-each>"
xsl_stmt: "</xsl:template>"
</custom_item>
Here is an example of an S3 check:
<custom_item>
type: S3
description: "S3: Check bucket ACL configuration"
info: "Verifies S3 bucket access control lists are properly configured"
aws_action: "GetBucketACL"
xsl_stmt: "<xsl:template match=\"/\">"
xsl_stmt: "<xsl:for-each select=\"//s3:Grant\">"
xsl_stmt: "Grantee: <xsl:value-of select=\"s3:Grantee/s3:DisplayName\"/> Permission: <xsl:value-of select=\"s3:Permission\"/><xsl:text> </xsl:text>"
xsl_stmt: "</xsl:for-each>"
xsl_stmt: "</xsl:template>"
</custom_item>
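The S3 check above walks every s3:Grant in the GetBucketACL response and prints the grantee's DisplayName, but group grantees such as AllUsers carry only a URI and no DisplayName, so a public grant would print with a blank grantee. The following is an added example, not part of the audit file or Tenable's own code, that applies the same //s3:Grant selection in Python over a constructed GetBucketAcl response and reports which grants go to the public S3 groups; the s3 namespace URI and group URIs are the documented AWS values, and the sample response is constructed here.

```python
import xml.etree.ElementTree as ET

# Namespace behind the "s3:" prefix used in the audit's xsl_stmt XPath.
NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Predefined S3 groups; a grant to either makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed GetBucketAcl response: owner has FULL_CONTROL, AllUsers has READ.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>0123456789abcdef</ID><DisplayName>bucket-owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xsi:type="CanonicalUser">
        <ID>0123456789abcdef</ID><DisplayName>bucket-owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def list_grants(acl_xml):
    """Walk every //s3:Grant, as the audit's for-each does, and return one dict per grant."""
    grants = []
    for grant in ET.fromstring(acl_xml).findall(".//s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        # Group grantees carry only a URI and no DisplayName, so read both fields.
        display = grantee.findtext("s3:DisplayName", default="", namespaces=NS)
        uri = grantee.findtext("s3:URI", default="", namespaces=NS)
        grants.append({"grantee": display or uri, "uri": uri,
                       "permission": grant.findtext("s3:Permission", default="", namespaces=NS)})
    return grants


def public_grants(acl_xml):
    """Return (group, permission) for each grant to a public S3 group; empty means not public."""
    return [(PUBLIC_GROUPS[g["uri"]], g["permission"])
            for g in list_grants(acl_xml) if g["uri"] in PUBLIC_GROUPS]
```

Running `public_grants` over a real GetBucketAcl response gives the finding the audit's XSL output only hints at: any non-empty result is a bucket readable or writable by the public.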
The description, info, reference, and solution keywords can contain any text, which lets users include metadata related to a check within an .audit file. With the exception of the description keyword, all of these keywords are optional.