Known Good Auditing

Posted by Mehul, May 15, 2014 1:52 PM

Today we discussed a subtle new feature that allows users to audit a result against a
"known good" value in a .audit file. If used correctly, this feature in the hands of the
auditors could prove incredibly useful, and hence deserves a separate post.




Compliance is all about consistency, conformance to a good standard, and then being able to
prove it over and over again. So if a system deviates from a known good value, it's good to
know about it, and by how much. Until now, we dealt with this issue with a combination of
regex, expect, not_expect and other similar compliance-checking keywords in a .audit file.
But there was no good way to compare two blobs of text, no matter how good we got with our
regular expression skills.


Starting with the Amazon AWS plugin, we are introducing a new feature that allows users to
compare the output of a check against a "known_good" value. If the value doesn't match, the
check produces a diff-style report (a patience diff, specifically) of what changed. Users can
also specify more than one known_good value.


Here's an example:


For the feature to work, the user has to copy an acceptable value into a 'known_good' keyword
in a .audit check. More than one good value must be separated by commas.



# The known_good value must match the check's output line for line, in the same order.
<custom_item>
description    : "EC2: DescribeRegions - 'Regions that are currently available'"
type           : EC2
aws_action     : "DescribeRegions"
xsl_stmt       : "<xsl:template match=\"/\">"
xsl_stmt       : "<xsl:for-each select=\"//ec2:item\">"
xsl_stmt       : "Region: <xsl:value-of select=\"ec2:regionName\"/> End-Point: <xsl:value-of select=\"ec2:regionEndpoint\"/><xsl:text>&#10;</xsl:text>"
xsl_stmt       : "</xsl:for-each>"
xsl_stmt       : "</xsl:template>"
known_good     : 'Region: eu-west-1 End-Point: ec2.eu-west-1.amazonaws.com
Region: sa-east-1 End-Point: ec2.sa-east-1.amazonaws.com
Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: ap-northeast-1 End-Point: ec2.ap-northeast-1.amazonaws.com
Region: ap-southeast-1 End-Point: ec2.ap-southeast-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com
Region: us-west-1 End-Point: ec2.us-west-1.amazonaws.com
Region: ap-southeast-2 End-Point: ec2.ap-southeast-2.amazonaws.com'
</custom_item>



Sample Output:

[Screenshot of the scan result; not reproduced here.]

Notice the diff report in the screenshot: you need to scroll down in the 'Output' section of
the result to find the 'diff' report.


Use Cases


One of the most useful applications of this feature is to create a "Gold Standard" .audit with
all known good values. For example, users can run a scan against a target configured to their
requirements, grab the "known_good" values from the Nessus report, update the .audit, and run
the scan again to get an all-pass result. Any deviation from the known good value from then on
is displayed in diff format. Because the comparison is exact, line by line and in order, capture
the baseline from the same check (and the same regex filter) you will use afterwards: an
ordering or whitespace difference shows up as a deviation just like a real change, and a regex
is the way to drop lines that legitimately vary between scans before the comparison is made.




- known_good overrides expect and not_expect, but it does take regex into account: if a regex
  is specified, the output is first filtered by the regex and the filtered data is what gets
  compared against the known_good value.
- More than one known_good value can be specified; separate them with commas.
- Note: this feature is currently only available in the Amazon AWS plugin, and will be added
  to other plugins over time.
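To make the semantics in the list above concrete, here is an added example in Python that is not Tenable's code and not from the original post: it filters the check output by an optional regex, passes if the result equals any one of several known_good values, and otherwise prints a patience diff against the closest known_good value. The patience diff is a small stand-in implementation (unique-line anchors, recursion between them, difflib as the fallback), not the plugin's own; the BASELINE and DRIFTED region listings are constructed sample output in the shape the DescribeRegions check above prints, and the "example.invalid" endpoint is made up to show how a changed endpoint appears in the diff.

```python
# Local model of the .audit known_good comparison (added example, not Tenable's code):
# regex-filter the check output, require an exact match with one known_good value,
# and on a mismatch show a patience diff against the closest known_good value.
import bisect
import difflib
import re

def _unique_common(a, b, a0, a1, b0, b1):
    """(i, j) pairs of lines occurring exactly once in a[a0:a1] and once in b[b0:b1]."""
    seen_a, seen_b = {}, {}
    for i in range(a0, a1):
        seen_a.setdefault(a[i], []).append(i)
    for j in range(b0, b1):
        seen_b.setdefault(b[j], []).append(j)
    return sorted((ia[0], seen_b[line][0]) for line, ia in seen_a.items()
                  if len(ia) == 1 and len(seen_b.get(line, ())) == 1)

def _longest_chain(pairs):
    """Patience sort: longest subsequence of (i, j) pairs (sorted by i) with j increasing."""
    tops, top_idx, prev = [], [], [-1] * len(pairs)
    for k, (_, j) in enumerate(pairs):
        pos = bisect.bisect_left(tops, j)
        if pos == len(tops):
            tops.append(j)
            top_idx.append(k)
        else:
            tops[pos], top_idx[pos] = j, k
        prev[k] = top_idx[pos - 1] if pos else -1
    chain, k = [], (top_idx[-1] if top_idx else -1)
    while k != -1:
        chain.append(pairs[k])
        k = prev[k]
    return chain[::-1]

def _match(a, b, a0, a1, b0, b1):
    """Ordered (i, j) pairs of equal lines between a[a0:a1] and b[b0:b1]."""
    head, tail = [], []
    while a0 < a1 and b0 < b1 and a[a0] == b[b0]:          # common prefix
        head.append((a0, b0))
        a0, b0 = a0 + 1, b0 + 1
    while a0 < a1 and b0 < b1 and a[a1 - 1] == b[b1 - 1]:  # common suffix
        a1, b1 = a1 - 1, b1 - 1
        tail.append((a1, b1))
    mid = []
    anchors = _longest_chain(_unique_common(a, b, a0, a1, b0, b1))
    if anchors:                                             # recurse between unique anchors
        pa, pb = a0, b0
        for i, j in anchors:
            mid += _match(a, b, pa, i, pb, j) + [(i, j)]
            pa, pb = i + 1, j + 1
        mid += _match(a, b, pa, a1, pb, b1)
    else:                                                   # no unique lines left: plain LCS
        sm = difflib.SequenceMatcher(None, a[a0:a1], b[b0:b1], autojunk=False)
        for i, j, n in sm.get_matching_blocks():
            mid += [(a0 + i + k, b0 + j + k) for k in range(n)]
    return head + mid + tail[::-1]

def patience_diff(old, new):
    """Diff two line lists: ' ' unchanged, '-' only in old, '+' only in new."""
    out, i, j = [], 0, 0
    for mi, mj in _match(old, new, 0, len(old), 0, len(new)) + [(len(old), len(new))]:
        out += ['-' + old[x] for x in range(i, mi)]
        out += ['+' + new[y] for y in range(j, mj)]
        if mi < len(old):
            out.append(' ' + old[mi])
        i, j = mi + 1, mj + 1
    return out

def check_known_good(output, known_good_values, regex=None):
    """Return (passed, diff): regex-filter the output, pass if it equals any known_good
    value, else diff it against the known_good value with the fewest changed lines."""
    lines = output.splitlines()
    if regex:
        lines = [ln for ln in lines if re.search(regex, ln)]
    best = None
    for value in known_good_values:
        diff = patience_diff(value.splitlines(), lines)
        changed = sum(1 for ln in diff if ln[0] in '+-')
        if changed == 0:
            return True, []
        if best is None or changed < best[0]:
            best = (changed, diff)
    return False, (best[1] if best else ['+' + ln for ln in lines])

# Constructed sample output in the shape the DescribeRegions check above prints.
BASELINE = """Region: eu-west-1 End-Point: ec2.eu-west-1.amazonaws.com
Region: us-east-1 End-Point: ec2.us-east-1.amazonaws.com
Region: us-west-2 End-Point: ec2.us-west-2.amazonaws.com
Region: ap-southeast-2 End-Point: ec2.ap-southeast-2.amazonaws.com"""
# Same target later (constructed): one region appeared and one endpoint changed.
DRIFTED = BASELINE.replace("Region: ap-southeast-2 End-Point: ec2.ap-southeast-2.amazonaws.com",
    "Region: sa-east-1 End-Point: ec2.sa-east-1.amazonaws.com\n"
    "Region: ap-southeast-2 End-Point: ec2.ap-southeast-2.example.invalid")

if __name__ == "__main__":
    passed, diff = check_known_good(DRIFTED, [BASELINE])
    print("PASS" if passed else "FAIL")
    print("\n".join(diff))
```

Running it prints FAIL followed by three unchanged region lines, one '-' line for the old ap-southeast-2 entry and two '+' lines for the new sa-east-1 entry and the changed endpoint, which is the "by how much" the post asks for. Passing `regex=r"^Region: us-"` with a known_good that lists only the us-* regions passes against the same drifted output, illustrating the rule that known_good is compared against the regex-filtered data.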