On November 9, 2011, Oracle announced the launch of Oracle Solaris 11 as the first fully virtualized operating system providing customers with comprehensive, built-in virtualization capabilities for OS, network and storage resources. Solaris 11 is designed to meet the security, performance and scalability requirements of cloud-based deployments allowing customers to run their enterprise applications in private, hybrid, or public clouds.
Working closely with Oracle during development and testing, Qualys is pleased to be the first vendor to add support for Oracle Solaris 11 within QualysGuard Policy Compliance. The new compliance checks include configuration checks based on the Oracle Solaris 11 hardening guideline, such as service checks, sshd_config checks, and file permission and ownership checks. This content is immediately available within QualysGuard Policy Compliance for all subscribers.
To enable support for Oracle Solaris 11, simply add your Oracle Solaris 11 IP addresses to a valid Unix authentication record. QualysGuard Scanner Appliances support Oracle Solaris 11 authentication as of ML 5.18. Once successfully authenticated, QualysGuard Policy Compliance will scan Oracle Solaris 11 configurations and report results in a valid Oracle Solaris 11 policy.
For more information regarding QualysGuard Policy Compliance or how to configure QualysGuard Policy Compliance, please visit the Policy Compliance Community.
With the release of the new QualysGuard UI, Policy Compliance can now stand alone as its own module within QualysGuard. This focused approach to modules in the new UI makes it easier to consolidate compliance reporting and provide additional capabilities specific to Policy Compliance. A perfect example of this is the new Dashboard and Policy Summary Report released in QualysGuard 6.22.
Policy Compliance Dashboard
By enabling the new UI in QualysGuard 6.22, Policy Compliance gets its own dedicated Dashboard.
This new dashboard summarizes the compliance status across all policies in the subscription in one single view, identifying your top failing technologies that need attention. In addition, view and access your last scans, upcoming scheduled scans, and latest reports directly from the dashboard. For more information, drill down into your top failing and passing policies, which opens the new Policy Summary Report.
Policy Summary Report
The new UI also exposes a new tab under Reports called Policy Summary. This new tab provides a summary of your policy without running template based reports, as required in previous versions of Policy Compliance. To see the summary, simply select a policy and a trend duration.
This new summary report provides trending of your pass/fail status, controls, and hosts by policy. In addition, drill down into your top failing hosts and controls, which opens an interactive report with detailed results.
These new features in QualysGuard 6.22 enhance the reporting capabilities of Policy Compliance and provide a global view of compliance. To try these new features, simply switch over to the new UI in your subscription. To see a demo of these new features, please visit the Dashboard video in the QualysGuard Policy Compliance Video Series.
Have you ever wanted to export a policy from Policy Compliance and import it into another subscription? Customers with multiple subscriptions and partners have been requesting this capability and with the release of QualysGuard 6.22, their requests have been answered. With this release, policies can be exported and imported freely.
Why is importing and exporting important?
Policy creation is a key component of Policy Compliance. It is the policy that sets the expected values to determine overall compliance. Once a policy is created in a subscription with QualysGuard 6.22, the policy can be easily transported to another subscription and used there. This makes it easier for partners and customers with multiple subscriptions to fully adopt Policy Compliance.
How to transport policies?
With QualysGuard 6.22, you can now export a policy as an XML file from one subscription and import the policy into another subscription in four easy steps:
1. Select a policy and click Export.
2. Save the XML file to your computer.
3. In another subscription, select New, Import Compliance Policy, Import from XML file.
4. Select the XML file on your computer.
New possibilities for sharing policies
In addition to transporting policies for partners and customers with multiple subscriptions, this new capability provides new possibilities for customers to share policies with each other. It also allows Qualys to share new policies with customers and prospects quickly before they become available in the import library. Adding policies to the import library requires thorough testing prior to upload. However, this new feature will allow us to share these policies prior to upload, allowing customers to get a head start on policy creation.
Understanding overall security and compliance risk is an integral part of a risk management program. The integration of security and compliance solutions has provided some insight into this risk, but falls short of conveying true security risk, as organizations are challenged with hundreds or even thousands of vulnerability detections every day.
Integrating QualysGuard and Modulo
Modulo provides a simple mechanism for importing asset and vulnerability data into Modulo Risk Manager. With Modulo Risk Manager, QualysGuard Vulnerability Management data is tightly integrated into the risk management program, allowing vulnerability risk to be correlated with other risks, controls, and assets providing a holistic management perspective of the most important risks.
Asset Synchronization and Correlation
Schedule import of assets from QualysGuard Vulnerability Management to constantly keep your asset management module updated with new assets and vulnerabilities. In addition, correlate these assets with other business assets in Modulo to understand business risk.
Holistic IT Risk Approach
QualysGuard Vulnerability Management data is automatically collected and integrated into the risk management program, allowing vulnerability risk to be correlated with other risks, controls, and assets, providing a holistic management perspective of the most important risks. In addition, the Risk Score, the formula used to calculate the risk score for vulnerabilities, can be customized using the following variables:
This integration allows customers to prioritize not only compliance risks, but also security risks to manage remediation efforts across the organization, prioritize large amounts of vulnerability data using a mature and reliable approach, produce compliance documentation and make more accurate decisions.
With the growing adoption of the Security Content Automation Protocol (SCAP), the QualysGuard® FDCC service is committed to supporting the Federal Desktop Core Configuration (FDCC) and has added support for the United States Government Configuration Baseline (USGCB). Government agencies and industry should use the SCAP-validated QualysGuard® FDCC service to test and assess compliance with FDCC and USGCB standards.
What is the Federal Desktop Core Configuration?
In March 2007, the Office of Management and Budget (OMB) Memorandum M-07-11 announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”, directing agencies who have Windows XP deployed and/or plan to upgrade to the Windows Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations. On June 20, 2008, the National Institute of Standards and Technology (NIST) published the updated FDCC Major Version 1.0 settings release. FDCC is comprised of settings that can be checked using the updated Security Content Automation Protocol (SCAP) content and SCAP-validated tools with FDCC Scanning capability as specified by NIST.
What is the United States Government Configuration Baseline? How does it differ from FDCC?
In May 2010, the Architecture and Infrastructure Committee of the CIO Council announced the United States Government Configuration Baseline (USGCB) settings for Windows 7 and Internet Explorer 8. The USGCB is a further clarification of the Federal Desktop Core Configuration (FDCC); specifically, the USGCB initiative falls within FDCC and comprises the configuration settings component of FDCC. To assist in implementation, NIST will release the supporting Security Content Automation Protocol (SCAP) content for all USGCB settings.
QualysGuard® FDCC Service
The QualysGuard® FDCC service is the first certified cloud based computing solution for FDCC compliance. It allows federal agencies to scan and report compliance with the FDCC and USGCB requirements through a centralized, integrated solution leveraging the QualysGuard® Software-as-a-Service (SaaS) architecture. The QualysGuard® Scanner Appliances support FDCC and USGCB scanning for internal systems on a global scale.
Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy? You’re not alone. These special values, known as Pi and Golden Ratio, are used to report specific status conditions within QualysGuard Policy Compliance. The translation of these special values varies by technology and configuration. With the release of QualysGuard 6.18, these special values will be converted to check boxes in the policy editor, providing a clear translation of these special values. In addition, policy reports will no longer display these special values; only the translated values.
The Use of Pi and Golden Ratio
Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:
314159265358979 (the first 15 digits of Pi)
161803399999999 (the first 15 digits of the "Golden Ratio")
These values are distinctive numbers that represent various conditions encountered during scanning. The status values will have slightly different meanings according to which technology the control is using. Valid examples of these special values include, but are not limited to, the following:
Registry key path was not found.
Registry key parameter was not found.
File was not found.
Setting was not found.
Previous Policy Editor and Reports
Previously, these special values would appear in your policies as the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:
The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition makes sure that the value is less than Golden Ratio. Golden Ratio is returned when the setting is not found, and therefore not set. This additional AND condition is required to prevent false positives, as we do not want to pass the control if the setting is not found.
Figure 1: Complex Control using Golden Ratio
The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service. Notice both Pi and Golden Ratio are included in the regular expression. Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found, both meaning the service is not installed. Since the service should be disabled, represented by 4, we should also pass the control if the service is not installed, represented by Pi and Golden Ratio.
Figure 2: Complex Regular Expression using Pi and Golden Ratio
These special values may also appear in your compliance reports. We have been converting the actual values to translated values in the reports for several releases; however, the expected values may still use Pi or Golden Ratio.
Improved Policy Editor and Reports
With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes with their translated meanings. Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time. However, new controls will be created using this new feature.
After QualysGuard 6.18, all controls will fall into one of the following categories:
Values Only: The control only allows user-customized criteria. The user must select the operator and cardinality and enter an expected value. This is how controls work prior to this release.
Fixed Values Only: The control only allows fixed value selections. The user must select or clear check boxes.
Hybrid: The control allows a combination of user-customized criteria and fixed value selections.
Below are the same samples from above using the new feature in QualysGuard 6.18:
The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition has been removed and replaced with check boxes. These check boxes will allow you to pass the control if the setting is not found.
Figure 3: Hybrid Control using Value and Fixed Values
The second example below converts all values in the regular expression to fixed values to verify the startup state of the 'Clipbook' service. Notice that all values, including Pi and Golden Ratio, have been converted to check boxes. By checking the appropriate check boxes, we can now check all conditions of the service.
Figure 4: Fixed Values Control
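To make the difference between the two editor styles concrete, here is an added example (not Qualys code, and not taken from the post) that evaluates the two controls discussed above in both forms: the pre-6.18 style, where Pi and Golden Ratio are baked into the expected value (the AND clause of Figure 1 and the regular expression of Figure 2), and the 6.18 style, where the user criterion is evaluated only against real values and the sentinel conditions are ticked as check boxes (Figures 3 and 4). The sentinel translations and the threshold of 7 days are assumptions chosen for illustration; the post says translations vary by technology.

```python
import re

# Special status values used by Policy Compliance (from the post).
PI = 314159265358979
GOLDEN_RATIO = 161803399999999

# Assumed translations for the two technologies in the examples; the post
# says the meaning of each sentinel depends on the technology of the control.
UNIX_SETTING_TRANSLATION = {GOLDEN_RATIO: "Setting was not found."}
WINDOWS_REGISTRY_TRANSLATION = {
    PI: "Registry key path was not found.",
    GOLDEN_RATIO: "Registry key parameter was not found.",
}

def translate(actual, table):
    """Render a scanned value the way the updated reports do: sentinels become text."""
    return table.get(actual, str(actual))

# ---- Pre-6.18 style: the sentinel is part of the expected value ----

def old_password_warn_check(actual, min_days=7):
    """Figure 1 logic: 'value >= min_days' AND 'value < Golden Ratio'.
    Without the second clause a missing setting (Golden Ratio, a huge number)
    would satisfy the >= test and produce a false pass."""
    return actual >= min_days and actual < GOLDEN_RATIO

# Figure 2 logic: the service start type must be 4 (disabled) or the service
# must be absent, which the scanner reports as Pi or Golden Ratio.
OLD_CLIPBOOK_REGEX = re.compile(r"^(4|314159265358979|161803399999999)$")

def old_clipbook_check(actual):
    return OLD_CLIPBOOK_REGEX.match(str(actual)) is not None

# ---- 6.18 style: user criterion plus fixed-value check boxes ----

OPERATORS = {
    ">=": lambda a, e: a >= e,
    "<=": lambda a, e: a <= e,
    "==": lambda a, e: a == e,
}

def hybrid_check(actual, operator, expected, pass_if=frozenset()):
    """Hybrid control (Figure 3): the user-customized criterion is applied only to
    real values; a sentinel passes only if its check box is in `pass_if`."""
    if actual in (PI, GOLDEN_RATIO):
        return actual in pass_if
    return OPERATORS[operator](actual, expected)

def fixed_values_check(actual, pass_if):
    """Fixed Values Only control (Figure 4): every allowed condition is a check box."""
    return actual in pass_if

def report_row(control, actual, table, passed):
    """One line of a report with the actual value translated (Figure 5 style)."""
    return f"{control}: actual={translate(actual, table)} status={'PASS' if passed else 'FAIL'}"

if __name__ == "__main__":
    for value in (10, 3, GOLDEN_RATIO):
        print(report_row("password-warn-age", value, UNIX_SETTING_TRANSLATION,
                         hybrid_check(value, ">=", 7)))
    allowed = {4, PI, GOLDEN_RATIO}
    for value in (4, 2, PI):
        print(report_row("clipbook-startup", value, WINDOWS_REGISTRY_TRANSLATION,
                         fixed_values_check(value, allowed)))
```

Running the script shows why the old AND clause mattered: with the sentinel removed from the criterion, `hybrid_check(GOLDEN_RATIO, ">=", 7)` fails unless the "setting not found" box is explicitly ticked, which is exactly what the check boxes in Figure 3 control.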
Updated compliance reports will now display the translated values for the 'Expected' column. A sample report for the Fixed Values example above is provided below:
Figure 5: Fixed Values Report
In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports. We added shading to both the policy editor and reports to highlight the values associated with each control. We also added auto-sized text boxes in the policy editor to make it easier to see larger strings of text, especially for file integrity hashes.
If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered. With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.
Why Cisco IOS?
With the expansion of Policy Compliance technology coverage for Operating Systems and Databases over the past few years, the next logical technology coverage was network devices. As the leader in networking devices, Cisco, and its operating system Cisco IOS, was the primary focus from our existing customers. In addition, Cisco IOS has well established benchmarks, including the Center for Internet Security (CIS).
Scanning Cisco IOS
Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device. Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily. Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.
QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, which is a modified SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices. The new record supports an optional, second password for the enable prompt to execute the following commands: show version, show logging, and show running-config. The output of these commands is normalized into an XML file in memory on the scanner appliance, where signatures are executed to verify configuration settings. By storing the output on the scanner appliance, QualysGuard minimizes any impact to the actual device during the scan. Once the signatures are completed, the XML file is deleted from memory.
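As an added illustration of the normalize-then-check approach described above (this is example code, not Qualys's scanner implementation or its signature format), the script below takes a constructed `show running-config` sample, builds an in-memory XML tree where indented sub-commands nest under their parent command, runs a few hypothetical hardening signatures against that tree, and discards the tree afterwards. The signature names, the XML layout, and the sample configuration are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of 'show running-config' output; not captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
version 15.1
service password-encryption
hostname lab-router
!
enable secret 5 $1$CONSTRUCTED$placeholderhash
!
ip http server
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
end
"""

def normalize_running_config(text):
    """Normalize the flat IOS configuration into an in-memory XML tree.
    Top-level commands become <cmd text="..."> children of <running-config>;
    lines indented with a space become <cmd> children of the preceding
    top-level command (for example the vty line section). Comment lines ('!')
    and blank lines are dropped."""
    root = ET.Element("running-config")
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            ET.SubElement(parent, "cmd", text=raw.strip())
        else:
            parent = ET.SubElement(root, "cmd", text=raw.strip())
    return root

def has_command(root, prefix, under=None):
    """Signature primitive: is there a command starting with `prefix`, either at
    the top level or, when `under` is given, inside every section whose own
    command text starts with `under`?"""
    if under is None:
        sections = [root]
    else:
        sections = [c for c in root.findall("cmd") if c.get("text").startswith(under)]
    return any(c.get("text").startswith(prefix)
               for s in sections for c in s.findall("cmd"))

# Hypothetical signatures modelled on common IOS hardening items (assumption).
SIGNATURES = {
    "password-encryption-enabled": lambda r: has_command(r, "service password-encryption"),
    "enable-secret-set": lambda r: has_command(r, "enable secret"),
    "vty-ssh-only": lambda r: has_command(r, "transport input ssh", under="line vty"),
    "http-server-disabled": lambda r: not has_command(r, "ip http server"),
}

def evaluate(config_text):
    """Normalize the output, run every signature, then drop the tree so nothing
    from the device lingers in memory once the checks are complete."""
    root = normalize_running_config(config_text)
    results = {name: signature(root) for name, signature in SIGNATURES.items()}
    del root
    return results

if __name__ == "__main__":
    for name, passed in evaluate(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

On the constructed sample three signatures pass and `http-server-disabled` fails, because `ip http server` is present at the top level. Nesting sub-commands under their section is what lets the vty check distinguish `transport input ssh` on the vty lines from the same command elsewhere.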
Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from Qualys? RSA Archer integrates with Qualys Vulnerability Management (VM) through the Qualys XML APIs.
Why RSA Archer?
RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on-demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.
Using the Qualys VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.
With the continued growth and adoption of the Security Content Automation Protocol (SCAP), the National Institute of Standards and Technology (NIST) is publishing more content to support the new United States Government Configuration Baseline (USGCB). With the release of QualysGuard 6.17, users can now import NIST content and scan Windows 7, Windows 7 Firewall, and Internet Explorer 8 in the QualysGuard FDCC Module.
Importing NIST Content
Since NIST has not finalized the content for Windows 7 and Internet Explorer 8, the FDCC Module does not currently have the new content available for import. However, the current content from NIST can be uploaded as a custom policy in the FDCC Module. To access the NIST content, please visit http://web.nvd.nist.gov/view/ncp/repository. Once you have the files downloaded, you can upload the content by performing the following steps:
From the Tools section, select Policies
From the menu, select New, FDCC Policy…
Choose the following files downloaded from the NIST website.
CPE OVAL Definitions
CPE 2.0 Dictionary
OVAL Compliance Definitions
NOTE: Since the NIST content is still in draft, Schematron Validation is not currently supported for Windows 7 and Internet Explorer 8.
Figure 1: New FDCC Policy: Validate
Click Validate to create the policy.
Once validated, verify the Title, FDCC Profile, and Description. Click Save.
Figure 2: New FDCC Policy : Save
Add Asset Group(s) to the new FDCC policy.
Once the FDCC policy has been created, you are ready to scan targets by performing the following steps:
Do you ever want to see the control mappings in a report without doubling or tripling the size of the report? What about excluding certain control mappings from the control API to limit data exported? With the release of QualysGuard 6.17, users can now filter the frameworks at the subscription and/or report level within Policy Compliance.
The Need for Framework Filtering
The current control knowledgebase includes over 6,700 configuration checks mapped to dozens of frameworks, including the Center for Internet Security (CIS) benchmarks, the Control Objectives for Information and related Technology (CObIT) 4.0 and 4.1, the Health Insurance Portability and Accountability Act (HIPAA), etc. These extensive mappings create a large number of control/mapping pairs available in the subscription. For the majority of organizations that require only a subset of this data, the current data is too large to consume.
Filtering Frameworks with Policy Compliance
In order to limit the number of control/mapping pairs, QualysGuard 6.17 introduces the capability to limit which frameworks are displayed in the subscription and/or reports. Each filter is described in detail below:
A subscription level filter will reduce the number of frameworks available for view in the subscription, which includes control search, reports, and the control API. Applying this filter will not filter the Controls knowledgebase, just the framework mappings visible in the subscription.
All available frameworks are enabled by default in the subscription. Change which frameworks are visible by selecting Setup/Frameworks… from the menu. Once the frameworks have been filtered, the following areas of the subscription will be affected:
The Control API will limit the framework mappings in the output when the parameter “details=All” is set.
The Search dialog within the Controls knowledgebase will limit the framework mappings based on the subscription settings.
The Report Templates will limit the framework mappings based on the subscription settings if the Glossary or External Mappings sections are selected.
Report Template Filter
Frameworks are filtered in reports based on the subscription settings, but this feature also allows additional filtering in reports. The report level filter will reduce the number of frameworks available in the reports only.
All available frameworks in the subscription are enabled by default in reports. Change which frameworks are visible by selecting the new tab, Frameworks, in the report template. Once the frameworks have been filtered, reports using this template will only show the selected frameworks in the Glossary or External Mappings sections, if selected.