Zoom Audit Items
Each check in an audit is defined using two foundational audit items: custom_item and report.
- A custom_item is the base of all functional checks inside an audit. It is the wrapper that manages the definition of each audit item.
- A report is a method in the audit file to report a static result that does not change regardless of how a target is configured. It is commonly used for reporting conditional checks, reporting audit items for which data cannot technically be retrieved, or giving high-level information on the audit that is being evaluated.
Usage
<custom_item>
type: [TYPE_OF_CHECK]
description: ["description"]
(optional) info: ["information regarding the audit item"]
(optional) solution: ["information on how to remediate the audit item"]
(optional) see_also: ["url reference for audit"]
(optional) reference: ["standard|control,standard|control,..."]
(optional) severity: [HIGH|MEDIUM|LOW]
</custom_item>
<report type:"[PASSED|WARNING|FAILED]">
description: ["description"]
(optional) info: ["information regarding the audit item"]
(optional) solution: ["information on how to remediate the audit item"]
(optional) see_also: ["url reference for audit"]
(optional) reference: ["standard|control,standard|control,..."]
(optional) output : ["custom output other than report type"]
</report>
type
The type field in a custom_item is used to identify what other fields are required and how to gather, transform, and evaluate data from the target.
The type attribute in a report is used to provide the result for the audit item.
description
A description is required as it is the most common identifier of the audit items.
info
The info is general information about the audit item. It is commonly used to communicate what is being evaluated and why it is important.
solution
The solution is text that relays how an audit item can be remediated if it has FAILED.
see_also
The see_also is a URL that is used as a reference to the configuration guide or benchmark that is being audited. It is commonly used as a method to report on audit items that refer to the same benchmark.
severity (custom_item only)
The severity is a method to soften a FAILED result posted by an audit item. For example, a result of FAILED would be reported as a WARNING when a severity of MEDIUM is used.
The following severities are defined:
- HIGH — Does not change the FAILED result.
- MEDIUM — Updates FAILED to WARNING.
- LOW — Updates FAILED to PASSED.
Tip: If there is a scenario in an audit file that a result should be moved from PASSED to a lower result, adjust the evaluation of the audit item to always fail, then apply the desired severity.
output (report only)
The output field is a method to provide static content in the output of the result while keeping all other informational fields the same between different reports for the same control. The best example is a report used in a then or else clause: it should keep the same informational fields, but may need a differentiator explaining why the result changes.
Examples
<report type:"WARNING">
description : "Audit file for Unix"
output : "NOTE: This audit file does not support the OS that is identified on your target."
</report>
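As an added example that is not part of Tenable's documentation or tooling, the following Python parses custom_item and report blocks in the format shown under Usage and applies the severity table above to compute the effective result. The parser is a simplified illustration, the PLACEHOLDER_CHECK type value is assumed rather than a real check type, and a closing tag that does not match its opener (such as closing a report with </custom_item>) is reported as an error.

```python
import re
SEVERITY_MAP = {"HIGH": "FAILED", "MEDIUM": "WARNING", "LOW": "PASSED"}  # softens FAILED only
_OPEN = re.compile(r'<(custom_item|report)(?:\s+type:"([^"]*)")?>$')
_FIELD = re.compile(r'^(\w+)\s*:\s*(.*?)\s*$')

def apply_severity(result, severity=None):
    """Effective result of a custom_item once its severity field is applied."""
    if result != "FAILED" or severity is None:
        return result
    if severity.upper() not in SEVERITY_MAP:
        raise ValueError(f"unknown severity: {severity}")
    return SEVERITY_MAP[severity.upper()]

def parse_audit_items(text):
    """Parse <custom_item>/<report> blocks into {"kind", "fields"} dicts; a
    report's type attribute lands in fields["type"]; quotes are stripped from
    values; a closing tag that does not match its opener raises ValueError."""
    items, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if m := _OPEN.match(s):
            current = {"kind": m.group(1), "fields": {}}
            if m.group(2) is not None:
                current["fields"]["type"] = m.group(2)
        elif s.startswith("</"):
            expected = "</%s>" % (current["kind"] if current else "?")
            if s != expected:
                raise ValueError(f"line {lineno}: expected {expected}, got {s}")
            items.append(current)
            current = None
        elif current is not None and (f := _FIELD.match(s)):
            current["fields"][f.group(1)] = f.group(2).strip('"')
    return items

def effective_result(item, raw_result=None):
    """A report is static (its type); a custom_item passes raw_result through severity."""
    if item["kind"] == "report":
        return item["fields"]["type"]
    return apply_severity(raw_result, item["fields"].get("severity"))

# Constructed sample: the page's report example plus a custom_item whose type is a placeholder.
SAMPLE = '''<report type:"WARNING">
description : "Audit file for Unix"
output : "NOTE: This audit file does not support the OS that is identified on your target."
</report>
<custom_item>
type: PLACEHOLDER_CHECK
severity: MEDIUM
</custom_item>'''
```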