Snowflake Audit Items

Each check in an audit area is defined using a couple of foundational audit items: custom_item and report.

A custom_item is the base of all functional checks inside an audit. It is the wrapper that manages the definition of each audit item.

A report is a method in the audit file to report a static result that does not change regardless of how a target is configured. It is commonly used for reporting conditional checks, for audit items where it is not technically possible to retrieve data from the target, or for high-level information about the audit that is being evaluated.

Usage

<custom_item>
  type: [TYPE_OF_CHECK]
  description: ["description"]
  (optional) info: ["information regarding the audit item"]
  (optional) solution: ["information on how to remediate the audit item"]
  (optional) see_also: ["url reference for audit"]
  (optional) reference: ["standard|control,standard|control,..."]
  (optional) severity: [HIGH|MEDIUM|LOW]
</custom_item>
<report type:"[PASSED|WARNING|FAILED]">
  description: ["description"]
  (optional) info: ["information regarding the audit item"]
  (optional) solution: ["information on how to remediate the audit item"]
  (optional) see_also: ["url reference for audit"]
  (optional) reference: ["standard|control,standard|control,..."]
  (optional) output : ["custom output other than report type"]
</report>

type

The type field in a custom_item is used to identify what other fields are required and how to gather, transform, and evaluate data from the target.

The type attribute in a report is used to provide the result for the audit item.

description

A description is required as it is the most common identifier of the audit items.

info

The info is general information about the audit item. It is commonly used to communicate what is being evaluated and why it is important.

solution

The solution is text that relays how an audit item can be remediated if it has FAILED.

see_also

The see_also is a URL that is used as a reference to the configuration guide or benchmark that is being audited. It is commonly used as a method to report on audit items that refer to the same benchmark.

reference

The reference is a list of standard|control pairs, separated by commas as shown in Usage, that ties the audit item to the standards and controls it covers.

severity (custom_item only)

The severity is a method to "soften" a FAILED result posted by an audit item. For example, a result of FAILED is reported as a WARNING when a severity of MEDIUM is used.

The following severities are defined:

  • HIGH: no change, FAILED stays FAILED
  • MEDIUM: FAILED becomes WARNING
  • LOW: FAILED becomes PASSED

If there is a scenario in an audit file where a result should be moved from PASSED to a lower result, the method is to adjust the evaluation of the audit item so that it always fails, and then apply the desired severity.
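As an added example (not Tenable's own code and not part of the original page), a small Python parser for the custom_item/report syntax shown in Usage, with the severity softening from this section applied to a raw check result. The sample audit text and the PLACEHOLDER_TYPE value are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit text in the custom_item / report syntax above.
# PLACEHOLDER_TYPE stands in for a real check type from the type documentation.
SAMPLE_AUDIT = """
<custom_item>
  type: PLACEHOLDER_TYPE
  description: "Constructed check with a softened severity"
  severity: MEDIUM
</custom_item>
<report type:"PASSED">
  description: "Constructed static report"
  output: "Static note shown in the result output"
</report>
"""

# Severity softening as documented: only a FAILED result is changed.
SOFTEN = {"HIGH": "FAILED", "MEDIUM": "WARNING", "LOW": "PASSED"}

# <custom_item> ... </custom_item> or <report type:"X"> ... </report>
ITEM_RE = re.compile(
    r'<(custom_item|report)(?:\s+type:"([^"]*)")?>\s*(.*?)\s*</\1>', re.S)
# one 'key: value' or 'key: "value"' line inside a block
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', re.M)


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Return one dict per block; '_kind' records custom_item or report."""
    items = []
    for kind, report_type, body in ITEM_RE.findall(text):
        fields = {"_kind": kind}
        if report_type:            # a report carries its result in the tag
            fields["type"] = report_type
        for key, value in FIELD_RE.findall(body):
            fields[key] = value
        items.append(fields)
    return items


def final_result(item: Dict[str, str], raw_result: Optional[str] = None) -> str:
    """Apply severity softening to a custom_item; a report result is static."""
    if item["_kind"] == "report":
        return item["type"]
    if raw_result != "FAILED":     # PASSED / WARNING are never softened
        return raw_result
    return SOFTEN[item.get("severity", "HIGH").upper()]
```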

output (report only)

The output field is a method to provide static content in the "output" of the result while keeping all other informational fields the same between different reports for the same control. The best example is a report used in a "then" or "else" branch: both branches should keep the same informational fields, but may need a differentiator that explains why the result changes.

Examples

Custom item examples are available in the documentation for each specific type.

<report type:"WARNING">
  description : "Audit file for Unix"
  output : "NOTE: This audit file does not support the OS that is identified on your target."
</report>