MS_SQL Audit Containers
An audit file contains one or more containers that can control the flow of the audit that is executed. The containers are methods to encapsulate Audit Items or other containers.
-
check_type - The top level container that must exist in every audit.
-
if - The container to define conditional auditing.
-
condition - contains audit items to define the conditional requirements.
-
then - contains the checks that will be evaluated if the conditional audit items are PASSED.
-
else - contains the checks that will be evaluated if the conditional audit items are FAILED or WARNING.
-
check_type
All compliance checks must be bracketed with the check_type encapsulation. The value of the check_type is used to identify what plugins are used to evaluate the audit.
The audit content that is supported inside the check_type are Audit Items and if containers.
<check_type:"[Plugin_Designation]">
[audit content]
</check_type>
if
The if is a wrapper around the conditional containers. Based on the result of the condition.
If the condition passes, the audit content in the then will be evaluated. If the condition fails, the audit content in the else will be evaluated.
The audit content that is supported inside the if are condition, then, and else containers.
<if>
[condition]
[then]
[else]
</if>
condition
The condition defines the audit items to evaluate and if one or all must pass.
-
AND - all audit items must pass to evaluate the then.
-
OR - one audit items must pass to evaluate the then.
The audit content that is supported inside the condition are Audit Items.
<condition type:"[AND|OR]">
[audit content]
</condition>
then/else
The then and else are generic containers of other audit content, and are only differentiated in the context of an if.
The audit content that is supported inside the then and else are Audit Items and if containers.
<then>
[audit content]
</then>
<else>
[audit content]
</else>