The following is an example of a Palo Alto AUDIT_XML check:
description: "Palo Alto Security Settings - 'fips-mode = on'"
info: "Fips-mode should be enabled."
xsl_stmt: "<xsl:template match=\"/\">"
xsl_stmt: " <xsl:apply-templates select=\"//result\"/>"
xsl_stmt: "</xsl:template>"
xsl_stmt: "<xsl:template match=\"//result\">"
xsl_stmt: "fips-mode: <xsl:value-of select=\"text()\"/>"
xsl_stmt: "</xsl:template>"
expect : "fips-mode:[\\s\\t]+on"
There are four basic parts to this audit:
- type describes the type of audit (in this case it audits the XML) and a description of the audit. The info keyword provides a way to include relevant text in the report.
- api_request_type describes the type of request (op == operational config), and the request is the actual request we end up running. Currently, this is the only type of request supported.
- The xsl_stmt keyword gives us a way to define the XSL Transform we are going to apply on the XML returned after running the API request.
- Finally, the expect keyword allows us to do compliance/configuration auditing.
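The following Python is an added example, not part of the original page or of Nessus. It verifies that a check's xsl_stmt lines assemble into well-formed XML, then emulates the two templates against a constructed API response and applies the expect regex. The stylesheet wrapper, the escape handling, the sample responses and the PASSED/FAILED labels are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The check from this page, with each template closed.
CHECK = r'''
description: "Palo Alto Security Settings - 'fips-mode = on'"
info: "Fips-mode should be enabled."
xsl_stmt: "<xsl:template match=\"/\">"
xsl_stmt: " <xsl:apply-templates select=\"//result\"/>"
xsl_stmt: "</xsl:template>"
xsl_stmt: "<xsl:template match=\"//result\">"
xsl_stmt: "fips-mode: <xsl:value-of select=\"text()\"/>"
xsl_stmt: "</xsl:template>"
expect : "fips-mode:[\\s\\t]+on"
'''
# Constructed sample responses (assumed shape of the XML returned by the API).
SAMPLE_ON = '<response status="success"><result>on</result></response>'
SAMPLE_OFF = '<response status="success"><result>off</result></response>'

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
LINE = re.compile(r'^\s*(\w+)\s*:\s*"(.*)"\s*$')

def parse_check(text):
    """Return (xsl_stmt values, expect pattern) with backslash escapes removed."""
    stmts, expect = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Assumption: backslash-quote and double backslash are the only escapes.
        key, value = m.group(1), re.sub(r'\\(["\\])', r'\1', m.group(2))
        if key == "xsl_stmt":
            stmts.append(value)
        elif key == "expect":
            expect = value
    return stmts, expect

def stylesheet_is_well_formed(stmts):
    """Wrap the statements in a stylesheet root (assumed wrapper) and parse."""
    doc = '<xsl:stylesheet version="1.0" xmlns:xsl="%s">%s</xsl:stylesheet>' % (
        XSL_NS, "".join(stmts))
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def evaluate(response_xml, expect):
    """Emulate the two templates: emit 'fips-mode: <text>' for each <result>."""
    root = ET.fromstring(response_xml)
    out = "".join("fips-mode: %s" % (r.text or "") for r in root.iter("result"))
    return "PASSED" if re.search(expect, out) else "FAILED"
```

Dropping either closing xsl_stmt line makes stylesheet_is_well_formed return False, which catches a broken transform before the check is loaded into a scan policy.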
The example check above will generate the following report in Nessus: