Conditions

It is possible to define if/then/else logic in the Cisco audit policy. This allows the end user to return a warning message, rather than a plain pass/fail result, in the case where an audit passes.

The syntax to perform conditions is the following:

<if>
  <condition type: "or">
    <Insert your audit here>
  </condition>
  <then>
    <Insert your audit here>
  </then>
  <else>
    <Insert your audit here>
  </else>
</if>

Example

<if>
  <condition type: "AND">
    <item>
      type: CONFIG_CHECK
      description: "Forbid Auxiliary Port"
      info: "Verify the EXEC process is disabled on the auxiliary (aux) port."
      context: "line aux "
      item: "no exec"
    </item>
    <item>
      type: CONFIG_CHECK_NOT
      description: "Forbid Auxiliary Port"
      info: "Verify the EXEC process is disabled on the auxiliary (aux) port."
      context: "line aux "
      item: "transport input [^n][^o]?[^n]?[^e]?$"
    </item>
  </condition>
  <then>
    <report type: "PASSED">
      description: "Forbid Auxiliary Port"
      info: "Verify the EXEC process is disabled on the auxiliary (aux) port."
    </report>
  </then>
  <else>
    <report type: "FAILED">
      description: "Forbid Auxiliary Port"
      info: "Verify the EXEC process is disabled on the auxiliary (aux) port."
    </report>
  </else>
</if>

Whether the condition passes or fails never appears in the report itself, because the condition is a “silent” check; only the <report> from the <then> or <else> branch is shown.

Conditions can be of type “and” or “or”.
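To make the evaluation order of the example concrete, here is an added Python model of it (not code from the audit file or from the Nessus engine). It assumes that context: scopes the item regex to the indented lines of the matching config stanza, that CONFIG_CHECK passes when the regex matches a line there, that CONFIG_CHECK_NOT is its inverse, and that the condition type combines items with all() or any(); the config excerpts are constructed.

```python
import re

# Constructed Cisco IOS running-config excerpts (sample input, not from a real device).
HARDENED_CONFIG = """\
hostname edge-router
!
line aux 0
 no exec
 transport input none
line vty 0 4
 transport input ssh
!
end
"""
WEAK_CONFIG = HARDENED_CONFIG.replace(" transport input none", " transport input all")

def context_lines(config, context):
    """Indented lines under each top-level stanza whose header starts with `context`.
    Assumed meaning of `context:` in the audit: scope the item regex to that block."""
    found, in_block = [], False
    for raw in config.splitlines():
        if raw and not raw[0].isspace():   # a non-indented line begins a new stanza
            in_block = raw.startswith(context)
        elif in_block and raw.strip():
            found.append(raw.strip())
    return found

def config_check(config, context, item):
    """Assumed CONFIG_CHECK semantics: true when the `item` regex matches a line in the block."""
    return any(re.search(item, line) for line in context_lines(config, context))

def config_check_not(config, context, item):
    """Assumed CONFIG_CHECK_NOT semantics: the inverse of CONFIG_CHECK."""
    return not config_check(config, context, item)

def evaluate_condition(kind, results):
    """Combine item results as <condition type:> does: 'and' needs every item, 'or' needs any."""
    return all(results) if kind.lower() == "and" else any(results)

def forbid_aux_port(config):
    """The page's if/then/else: both items must hold (AND) for the <then> report, else <else>."""
    results = [
        config_check(config, "line aux ", "no exec"),
        config_check_not(config, "line aux ", r"transport input [^n][^o]?[^n]?[^e]?$"),
    ]
    return "PASSED" if evaluate_condition("AND", results) else "FAILED"

if __name__ == "__main__":
    print(forbid_aux_port(HARDENED_CONFIG), forbid_aux_port(WEAK_CONFIG))  # PASSED FAILED
```

Note that the page's regex only rejects values that do not begin with "none", so "transport input all" fails the check while "transport input none" passes it.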