TOC & Recently Viewed

Recently Viewed Topics


The following is an example of a Palo Alto AUDIT_XML check:



description: "Palo Alto Security Settings - 'fips-mode = on'"

info: "Fips-mode should be enabled."

api_request_type: "op"

request: "<show><fips-mode></fips-mode></show>"

xsl_stmt: "<xsl:template match=\"/\">"

xsl_stmt: " <xsl:apply-templates select=\"//result\"/>"

xsl_stmt: "</xsl:template>"

xsl_stmt: "<xsl:template match=\"//result\">"

xsl_stmt: "fips-mode: <xsl:value-of select=\"text()\"/>"

regex: "fips-mode:[\\s\\t]+"

expect : "fips-mode:[\\s\\t]+on"


There are four basic parts to this audit:

  • The type describes the type of audit (in this case it audits the XML) and a description of the audit. The info keyword provides a way to include relevant text in the report.
  • The api_request_type describes the type of request (op == operational config), and the request is the actual request we end up running. Currently, this is the only type of request supported.
  • The xsl_stmt keyword gives us a way to define the XSL Transform we are going to apply on the XML returned after running the API request.
  • Finally, the regex and expect keywords allow us to do compliance/configuration auditing.

The example check above will generate the following report in Nessus:

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable,, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.., Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.