Splunk Audit Items
Each check in an audit area is defined using two foundational audit items: custom_item and report.
- A custom_item is the base of all functional checks inside an audit. It is the wrapper that manages the definition of each audit item.
- A report is a method in the audit file to report a static result that does not change regardless of how a target is configured. It is commonly used for reporting conditional checks, for reporting audit items for which data cannot be retrieved, or for high-level information on the audit that is being evaluated.
Usage
<custom_item>
type: [TYPE_OF_CHECK]
description: [description]
(optional) info: [audit item information]
(optional) solution: [information on how to remediate the audit item]
(optional) see_also: [url reference for audit]
(optional) reference: [standard|control,standard|control,...]
(optional) severity: [HIGH|MEDIUM|LOW]
</custom_item>
<report type:"[PASSED|WARNING|FAILED]">
description: [description]
(optional) info: [audit item information]
(optional) solution: [information on how to remediate the audit item]
(optional) see_also: [url reference for audit]
(optional) reference: [standard|control,standard|control,...]
(optional) output: [custom output other than report type]
</report>
type
Use the type field in a custom_item to identify what other fields are required and how to gather, transform, and evaluate data from the target.
Use the type field in a report item to provide the result for the audit item.
description
A description is required, as it is the most common identifier of an audit item.
info
Use the info item to provide general information about the audit item. It is commonly used to communicate what is being evaluated and why it matters.
solution
The solution item is text that relays how an audit item can be remediated if it has FAILED.
see_also
The see_also item is a URL that references the configuration guide or benchmark that is being audited. It is commonly used as a method to report on audit items that refer to the same benchmark.
reference
The reference item is text that maps the audit check to control framework assignments.
severity (custom_item only)
You can use the severity item to "soften" a FAILED result. For example, a FAILED result is reported as a WARNING when a severity of MEDIUM is designated.
The following severities are defined:
- HIGH does not change the FAILED result.
- MEDIUM changes the FAILED result to WARNING.
- LOW changes the FAILED result to PASSED.
If there is a scenario in an audit file where a result should be moved from PASSED to a lower result, adjust the evaluation of the audit item to fail always, and then apply the desired severity.
output (report only)
Use the output item to provide static content in the output of the result and keep all other informational fields the same between different reports for the same control. The best example of this is to use a report item within a then or else item to maintain the same informational fields.
Example
<report type:"WARNING">
description: "Audit file for Unix"
output: "NOTE: This audit file does not support the OS that is identified on your target."
</report>
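As an added example (not part of this page or of any Tenable tooling), the following Python reads custom_item and report blocks in the syntax shown above and applies the severity softening rule from the severity section; the type value and the sample audit text are constructed placeholders.

```python
import re

# Opening tag with an optional type attribute, e.g. <report type:"WARNING">
_OPEN = re.compile(r'<(custom_item|report)(?:\s+type:"([^"]*)")?\s*>')
_CLOSE = re.compile(r'</(custom_item|report)>')
_FIELD = re.compile(r'^(\w+)\s*:\s*(.*)$')   # key: value; the value may itself contain ':'

def parse_audit(text):
    """Parse custom_item and report blocks into dicts of their fields."""
    items, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _OPEN.fullmatch(line):
            current = {"kind": m.group(1)}
            if m.group(2) is not None:          # a report carries its type as an attribute
                current["type"] = m.group(2)
        elif m := _CLOSE.fullmatch(line):
            if current is None or current["kind"] != m.group(1):
                raise ValueError(f"unbalanced tag: {line}")
            items.append(current)
            current = None
        elif current is not None and (m := _FIELD.match(line)):
            current[m.group(1)] = m.group(2).strip().strip('"')
    if current is not None:
        raise ValueError("unterminated " + current["kind"])
    return items

# Severity softening: only a FAILED custom_item result is changed.
SOFTEN = {"HIGH": "FAILED", "MEDIUM": "WARNING", "LOW": "PASSED"}

def result_for(item, evaluated=None):
    """Final result: a report is static; a custom_item's FAILED is softened by severity."""
    if item["kind"] == "report":
        return item["type"]
    if evaluated != "FAILED":
        return evaluated
    return SOFTEN.get(item.get("severity", "HIGH").upper(), "FAILED")

# Constructed sample input (not taken from a real audit file).
SAMPLE = '''
<custom_item>
type: [TYPE_OF_CHECK]
description: "Constructed check whose evaluation fails"
severity: MEDIUM
</custom_item>
<report type:"WARNING">
description: "Audit file for Unix"
output : "NOTE: This audit file does not support the OS that is identified on your target."
</report>
'''
```

A mismatched closing tag (for example a report block closed with </custom_item>) is rejected rather than silently accepted.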