Today we discussed a subtle new feature that allows users to audit a result against a
"known good" value in a .audit file. If used correctly, this feature in the hands of the
auditors could prove incredibly useful, and hence deserves a separate post.
Compliance is all about consistency, conformance to a good standard, and then being able to
prove it over and over again. So if a system deviates from a known good value, it's good to
know about it, and by how much. Until now, we dealt with this issue with a combination of
regex, expect, not_expect and other similar compliance-checking keywords in a .audit
file. But there was no good way to compare two blobs of text, no matter how good we got with
our regular expression skills.
Starting with the Amazon AWS plugin, we are introducing a new feature that allows users to
compare the output of a check against a "known_good" value. If the value doesn't match, it will
produce a diff-style report (a patience diff, specifically) of what changed. Users can also
specify more than one known_good value.
Here's an example.
For the feature to work, the user has to copy an acceptable value into a 'known_good' keyword
in a .audit check. Multiple good values must be separated by a comma.
description : "EC2: DescribeRegions - 'Regions that are currently available'"
type : EC2
aws_action : "DescribeRegions"
xsl_stmt : "<xsl:template match=\"/\">"
xsl_stmt : "<xsl:for-each select=\"//ec2:item\">"
xsl_stmt : "Region: <xsl:value-of select=\"ec2:regionName\"/> End-Point: <xsl:value-of select=\"ec2:regionEndpoint\"/><xsl:text> </xsl:text>"
xsl_stmt : "</xsl:for-each>"
xsl_stmt : "</xsl:template>"
known_good : 'us-east-1:
Region: eu-west-1 End-Point: ec2.eu-west-1.amazonaws.com
Region: sa-east-1 End-Point: ec2.sa-east-1.amazonaws.com
Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: ap-northeast-1 End-Point: ec2.ap-northeast-1.amazonaws.com
Region: ap-northeast-2 End-Point: ec2.ap-northeast-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com
Region: us-west-1 End-Point: ec2.us-west-1.amazonaws.com
Region: ap-southeast-2 End-Point: ec2.ap-southeast-2.amazonaws.com'
Sample Output:
Notice the diff report in the above screenshot. You need to scroll down in the 'Output'
section of the result to find the 'diff' report.
One of the most useful use cases of this feature is to create a "Gold Standard" .audit with
all known good values. For example, users can run a scan against a target configured
as per their requirements, grab the "known_good" values from the Nessus report, update the .audit,
and run the scan again to get an all-pass result. Any deviation from the known good value from
here on will be displayed in diff format.
- known_good overrides expect and not_expect, but it does take regex into account. So if
a regex is specified, the output is compared against the regex-filtered data.
- More than one known_good value can be specified; the values must be separated by a comma.
- Note: This feature is only available in the Amazon AWS plugin, and will be added to other plugins
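To make the evaluation order described above concrete (regex filtering first, then an exact comparison against each comma-separated known_good value, then a diff on mismatch), here is an added Python model of the check. It is example code written for this post, not the plugin's implementation: the region lines are constructed sample data, the assumption that the 'regex' keyword keeps only matching lines is labelled in the code, and difflib's unified diff stands in for the patience diff the plugin produces, since difflib has no patience algorithm.

```python
import difflib
import re

# Constructed sample: a known_good baseline captured from an earlier scan.
BASELINE = """Region: eu-west-1 End-Point: ec2.eu-west-1.amazonaws.com
Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: us-west-1 End-Point: ec2.us-west-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com"""

# Constructed sample: what the same check returned on a later scan (one region added).
OBSERVED = """Region: eu-west-1 End-Point: ec2.eu-west-1.amazonaws.com
Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: ap-south-1 End-Point: ec2.ap-south-1.amazonaws.com
Region: us-west-1 End-Point: ec2.us-west-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com"""

# Constructed sample: a known_good value meant to be used together with a regex filter.
US_ONLY = """Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: us-west-1 End-Point: ec2.us-west-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com"""


def split_known_good(raw):
    """Split a known_good keyword value into its candidate values.

    The post says multiple values are comma-separated; this example assumes a
    literal comma is the only separator and ignores empty entries.
    """
    return [v.strip() for v in raw.split(",") if v.strip()]


def normalize(text):
    """Canonical line list: trim the block, strip trailing whitespace per line."""
    return [ln.rstrip() for ln in text.strip().splitlines()]


def apply_regex_filter(lines, pattern):
    """Keep only lines matching the regex.

    Assumed semantics of the .audit 'regex' keyword for this example: the
    filter selects lines, and the known_good value describes the filtered output.
    """
    if pattern is None:
        return lines
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def check_known_good(output, known_good_raw, regex=None):
    """Evaluate a check result against its known_good value(s).

    Returns (passed, matched_index, diff_text):
      passed        -> True when the (regex-filtered) output equals any value
      matched_index -> index of the matching known_good value, else -1
      diff_text     -> unified diff of the first known_good value vs. the
                       output when nothing matched (stand-in for patience diff)
    """
    observed = apply_regex_filter(normalize(output), regex)
    candidates = [normalize(v) for v in split_known_good(known_good_raw)]
    if not candidates:
        return False, -1, ""
    for idx, expected in enumerate(candidates):
        if observed == expected:
            return True, idx, ""
    diff = difflib.unified_diff(
        candidates[0], observed, fromfile="known_good", tofile="observed", lineterm=""
    )
    return False, -1, "\n".join(diff)


if __name__ == "__main__":
    passed, idx, diff = check_known_good(OBSERVED, BASELINE)
    print("PASSED" if passed else "FAILED (diff follows)")
    print(diff)
    # Supplying the new output as a second known_good value turns the check green.
    print(check_known_good(OBSERVED, BASELINE + "," + OBSERVED)[:2])
    # With a regex, only the us-* lines are compared.
    print(check_known_good(OBSERVED, US_ONLY, regex=r"us-(east|west)-\d")[:2])
```

Running it shows the added ap-south-1 region as a `+` line in the diff, which is the signal an auditor wants from a gold-standard .audit: not just "failed", but what moved relative to the accepted baseline.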