Check Types

The syntax for the VMware .audit capability relies heavily on XPATH and XSL Transforms to perform the functionality.

The VMware audit supports three types of checks:

AUDIT_VM

This check type allows you to audit virtual machine settings (see Appendix C for more information):

<custom_item>

type: AUDIT_VM

description: "VM Setting - 'vmsafe.enable = False'"

xsl_stmt: "<xsl:template match=\"audit:returnval\">"

xsl_stmt: "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> : vmsafe.enable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key[text()='vmsafe.enable']]/audit:value\"/>."

xsl_stmt: "</xsl:template>"

expect: "vmsafe.enable : 0"

</custom_item>

AUDIT_ESX

This check type allows you to audit ESX/ESXi server settings:

<custom_item>

type: AUDIT_ESX

description : "ESX/ESXi Setting - Syslog.global.logDir"

xsl_stmt: "<xsl:template match=\"audit:returnval\">"

xsl_stmt: "Syslog.global.logDir = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:option[audit:key[text()='Syslog.global.logDir']]/audit:value\"/>"

xsl_stmt: "</xsl:template>"

expect: "Syslog.global.logDir : /foo/bar"

</custom_item>

AUDIT_VCENTER

This check type allows you to audit vCenter settings:

<custom_item>

type: AUDIT_VCENTER

description: "VMware vCenter Setting - config.vpxd.hostPasswordLength"

xsl_stmt: "<xsl:template match=\"audit:returnval\">"

xsl_stmt: "config.vpxd.hostPasswordLength = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='ArrayOfOptionValue']/audit:OptionValue[audit:key[text()='config.vpxd.hostPasswordLength']]/audit:value\"/>"

xsl_stmt: "</xsl:template>"

expect: "config.vpxd.hostPasswordLength : 30"

</custom_item>