Conditional Auto Else and Rollup
Auto Else
Audit files use condition tags to express if/then/else logic. For example:
If "Service installed/enabled"
then "Check for configuration"
else "Report that the service isn't installed; this check doesn't apply."
If you omit the else section and the conditional fails, nothing is reported. As a result, many cases of content duplication occur in published audit content. This has traditionally been required to achieve full transparency and parity with industry guidance.
The following is an example of content duplication that might be found in a Unix configuration audit:
<if>
  <condition type:"AND">
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "NTP is installed"
      cmd : "/bin/systemctl is-enabled ntp"
      expect : "enabled"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description : "Ensure time synchronization is in use"
      info : "Time should be synchronized"
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description : "Ensure time synchronization is in use"
      info : "Time should be synchronized"
    </report>
  </else>
</if>
The auto else functionality eliminates this need to duplicate content by automatically generating else content from the checks or reports provided in the then section of a conditional. See the following usage example:
<if>
  <condition type:"AND" auto:"FAILED">
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "NTP is installed"
      cmd : "/bin/systemctl is-enabled ntp"
      expect : "enabled"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description : "Ensure time synchronization is in use"
      info : "Time should be synchronized"
    </report>
  </then>
</if>
Here the auto attribute on the condition tag is set to FAILED. If the conditional check for NTP fails, the report inside the <then> section is reported as FAILED instead of PASSED. This lets you de-duplicate content and reduce the complexity of an audit.
The auto attribute accepts FAILED, PASSED, and WARNING. These are the same status results as existing audit checks. Both AND and OR condition types support auto else functionality.
Rollup
It is common within industry guidance, such as CIS benchmarks and DISA STIGs, to evaluate a single recommendation with multiple tests. Traditionally, to achieve parity with industry guidance, Tenable’s published audit files duplicate this recommendation content once per test and add a unique modifier to the description for each duplication. This modifier is used to show that a check is aligned with a specific recommendation, but is still a separate test. While this works from a functional standpoint, it can cause policy-related issues when you try to align assessed recommendations with a benchmark checklist or other external tools.
Consider the following example from the CIS Ubuntu 20.04 audit (some fields removed for brevity):
<custom_item>
  system : "Linux"
  type : CMD_EXEC
  description : "1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe"
  cmd : "/sbin/modprobe -n -v cramfs | /bin/grep -E '(cramfs|install)'"
  expect : "install /bin/(true|false)"
</custom_item>
<custom_item>
  system : "Linux"
  type : CMD_EXEC
  description : "1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod"
  cmd : "/sbin/lsmod | /bin/grep cramfs | /usr/bin/awk \'{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}\'"
  expect : "pass"
</custom_item>
In this example, the two items are separate tests, but they relate to the same benchmark recommendation. The modifiers in this case are the suffixes on the description tags: "- modprobe" and "- lsmod".
To make parity with industry guidance easier to achieve, conditionals can now return the output of multiple conditional tests in a single report.
Taking the previous example, you can combine these items to return a single report using a conditional:
<if>
  <condition type:"AND">
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "modprobe"
      cmd : "/sbin/modprobe -n -v cramfs | /bin/grep -E '(cramfs|install)'"
      expect : "install /bin/(true|false)"
    </custom_item>
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "lsmod"
      cmd : "/sbin/lsmod | /bin/grep cramfs | /usr/bin/awk \'{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}\'"
      expect : "pass"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description : "1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
      show_output : YES
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description : "1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
      show_output : YES
    </report>
  </else>
</if>
The show_output tag within a report gathers the values returned by the checks inside the conditional section and shows them in the report's output:
"1.1.1.1 Ensure mounting of cramfs filesystems is disabled" : [PASSED]
Policy Value:
PASSED
Actual Value:
All of the following must pass to satisfy this requirement:
-------------------------
PASSED - modprobe
Output of the command
-------------------------
PASSED - lsmod
Output of the command
This rollup functionality supports both AND and OR condition types. AND shows a message that "All" of the following must pass, and OR shows that "Any" of the following must pass.
Combining Both Features
You can combine these features or use them independently. The following is an example of combining the auto attribute and the show_output tag:
<if>
  <condition type:"AND" auto:"FAILED">
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "modprobe"
      cmd : "/sbin/modprobe -n -v cramfs | /bin/grep -E '(cramfs|install)'"
      expect : "install /bin/(true|false)"
    </custom_item>
    <custom_item>
      system : "Linux"
      type : CMD_EXEC
      description : "lsmod"
      cmd : "/sbin/lsmod | /bin/grep cramfs | /usr/bin/awk \'{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}\'"
      expect : "pass"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description : "1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
      show_output : YES
    </report>
  </then>
</if>
The conditional is evaluated, and if both items pass (AND condition), a PASSED report is returned containing the results of the conditional evaluation. Otherwise, an automatic else with a FAILED result is returned, also containing the results of the conditional evaluation.
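As an added example, not part of the Tenable documentation or its audit files, the following Python models the auto else and rollup semantics described in the sections above (AND versus OR, the auto attribute, and what show_output gathers) so the behaviour can be checked on constructed item results. The item results and command output are constructed sample data, and the two precedence assumptions the page does not state are noted in the docstring.

```python
from dataclasses import dataclass

PASSED, FAILED, WARNING = "PASSED", "FAILED", "WARNING"

@dataclass
class ItemResult:
    description: str  # per-item description, e.g. "modprobe" or "lsmod"
    status: str       # result of that single check: PASSED, FAILED or WARNING
    output: str = ""  # captured command output (constructed sample data)

def evaluate_conditional(cond_type, items, auto=None, else_status=None):
    """Return (report status, rollup lines) for one <if> block.

    cond_type   : "AND" or "OR", as in <condition type:"...">.
    auto        : value of auto:"..." on the condition tag, None if absent.
    else_status : report type of an explicit <else>, None if omitted.
    The <then> report is PASSED, as in every example on the page.
    Assumptions not stated on the page: only a PASSED item counts as passing,
    and an explicit <else> wins over auto when both are present.
    """
    passing = [item.status == PASSED for item in items]
    matched = all(passing) if cond_type == "AND" else any(passing)
    if matched:
        status = PASSED
    elif else_status is not None:
        status = else_status
    elif auto is not None:
        status = auto          # auto else: the <then> report is reused with this status
    else:
        return None, []        # no else, no auto: nothing is reported
    quantifier = "All" if cond_type == "AND" else "Any"
    lines = [f"{quantifier} of the following must pass to satisfy this requirement:"]
    for item in items:         # what show_output : YES gathers into the report
        lines += ["-" * 25, f"{item.status} - {item.description}", item.output]
    return status, lines

def render_report(description, status, lines):
    """Lay the rollup out as in the documentation's sample output."""
    head = [f'"{description}" : [{status}]', "Policy Value:", PASSED, "Actual Value:"]
    return "\n".join(head + lines)

if __name__ == "__main__":
    # Constructed results for the cramfs example: modprobe passes, lsmod fails,
    # so the AND conditional fails and auto:"FAILED" produces the report.
    items = [ItemResult("modprobe", PASSED, "install /bin/true"),
             ItemResult("lsmod", FAILED, "cramfs 16384 0")]
    status, lines = evaluate_conditional("AND", items, auto=FAILED)
    print(render_report("1.1.1.1 Ensure mounting of cramfs filesystems is disabled",
                        status, lines))
```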