
Transporting Policies in Policy Compliance

Have you ever wanted to export a policy from Policy Compliance and import it into another subscription?  Customers with multiple subscriptions and partners have been requesting this capability and with the release of QualysGuard 6.22, their requests have been answered.  With this release, policies can be exported and imported freely.

Why is importing and exporting important?

Policy creation is a key component of Policy Compliance.  It is the policy that sets the expected values to determine overall compliance.  Once a policy is created in a subscription with QualysGuard 6.22, the policy can be easily transported to another subscription and used there.  This makes it easier for partners and customers with multiple subscriptions to fully adopt Policy Compliance.

How to transport policies?

With QualysGuard 6.22, you can now export a policy as an XML file from one subscription and import the policy into another subscription in four easy steps:

  1. Select a policy and click export.
     Figure: Policy Export
  2. Save the XML file to your computer.
  3. In another subscription, select New, Import Compliance Policy, Import from XML file.
     Figure: Policy Import
  4. Select the XML file on your computer.

New possibilities for sharing policies

In addition to transporting policies for partners and customers with multiple subscriptions, this new capability provides new possibilities for customers to share policies with each other.  It also allows Qualys to share new policies with customers and prospects quickly before they become available in the import library.  Adding policies to the import library requires thorough testing prior to upload.  However, this new feature will allow us to share these policies prior to upload, allowing customers to get a head start on policy creation.

To see a demo of this new feature, please visit the Policy Import and Export video in the QualysGuard Policy Compliance Video Series.

Windows Share Enumeration, Detailed Audit Settings, and ExploitKit Mapping

Sometimes it’s the little things that make your day run more smoothly.  The release of QualysGuard 6.19 includes highly-focused new features that add functionality for Windows systems. Also, an update to the Qualys KnowledgeBase identifies vulnerabilities that can be attacked via exploit kits, helping organizations better prioritize patching efforts and protect against vulnerabilities that could be abused via exploit kits.

Windows Share Enumeration: Find Windows shares that are readable by everyone, and report details like the number of files in the share and whether the files are writable. This is good for identifying groups of files that may need tighter access control.

Detailed Audit Settings: Verify auditing subcategory settings introduced in Windows Vista, Windows 7, and Windows Server 2008. You can now check all of the audit logging settings within Windows.

Both of the above features require the new dissolvable agent, which is configured via a new workflow for easier activation.  Details in the 6.19 Notification.

ExploitKit Mapping: If a vulnerability can be attacked via an exploit kit, it should be considered higher priority simply because of the larger number of people who can easily attempt to attack it via the exploit kit. The new ExploitKit Mapping in the KnowledgeBase makes it easier to identify these vulnerabilities and prioritize their remediation.

Improving Policy Editing and Reporting

Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy?  You’re not alone.  These special values, known as Pi and Golden Ratio, are used to report specific status conditions within QualysGuard Policy Compliance.  The translation of these special values varies by technology and configuration.  With the release of QualysGuard 6.18, these special values will be converted to check boxes in the policy editor, providing a clear translation of each special value.  In addition, policy reports will no longer display these special values; only the translated values.

The Use of Pi and Golden Ratio

Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:

  1. 314159265358979 (the first 15 digits of PI)
  2. 161803399999999 (the first 15 digits of the "Golden Ratio")

These values are highly distinctive numbers that represent various conditions encountered during scanning.  The status values have slightly different meanings according to which technology the control is using.  Conditions represented by these special values include, but are not limited to, the following:

  1. Registry key path was not found.
  2. Registry key parameter was not found.
  3. File was not found.
  4. Setting was not found.

Previous Policy Editor and Reports

Previously, these special values would appear in your policies as the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:

  1. The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition makes sure that the value is less than Golden Ratio.  Golden Ratio is returned when the setting is not found, and therefore not set.  This additional AND condition is required to prevent false positives, as we do not want to pass the control if the setting is not found.
    Figure 1: Complex Control using Golden Ratio
  2. The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service.  Notice both Pi and Golden Ratio are included in the regular expression.  Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found, both meaning the service is not installed.  Since the service should be disabled, represented by 4, we should also pass the control if the service is not installed, represented by Pi and Golden Ratio.
    Figure 2: Complex Regular Expression using Pi and Golden Ratio

These special values may also appear in your compliance reports.  We have been converting the actual values to translated values in the reports for several releases; however, the expected values may still use Pi or Golden Ratio.

Improved Policy Editor and Reports

With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes with their translated meanings.  Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time.  However, new controls will be created using this new feature. 

After QualysGuard 6.18, all controls will fall into one of the following categories:

  • Values Only: The control only allows user-customized criteria. The user must select the operator and cardinality and enter an expected value. This is how controls worked prior to this release.
  • Fixed Values Only: The control only allows fixed value selections. The user selects or clears check boxes.
  • Hybrid: The control allows a combination of user-customized criteria and fixed value selections.

Below are the same samples from above using the new feature in QualysGuard 6.18:

  1. The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition has been removed and replaced with check boxes.  These check boxes will allow you to pass the control if the setting is not found.
    Figure 3: Hybrid Control using Value and Fixed Values
  2. The second example below converts all values in the regular expression to fixed values to verify the startup state of the 'Clipbook' service.  Notice that all values, including Pi and Golden Ratio, have been converted to check boxes.  By checking the appropriate check boxes, we can now check all conditions of the service.
    Figure 4: Fixed Values Control
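To make the before-and-after concrete, here is an added Python example. It is not Qualys code and not the policy editor's real evaluation engine; it models the two controls from Figures 1 to 4 against scanned values, first with the sentinels written into the expected value by hand and then with the 6.18 check-box style. The function names, the seven-day minimum, the `pass_if_not_found` flag and the exact meaning assigned to each sentinel are assumptions made for illustration.

```python
"""Added example, not Qualys code: how the Pi and Golden Ratio sentinel values
take part in a compliance check, first in the pre-6.18 style (sentinels written
into the expected value by hand) and then in the 6.18 fixed-value style.
Control names, thresholds and sentinel meanings are assumptions for illustration."""
import re

PI = 314159265358979            # first 15 digits of pi
GOLDEN_RATIO = 161803399999999  # first 15 digits of the golden ratio

# Meaning assumed for the registry-based Clipbook control on the page.
SENTINEL_MEANING = {
    PI: "registry key path not found",
    GOLDEN_RATIO: "registry key parameter not found",
}


def translate(actual):
    """Render a scanned value the way the 6.18 reports do: a sentinel becomes
    its meaning, an ordinary value is shown as-is."""
    return SENTINEL_MEANING.get(actual, str(actual))


# ---- Before 6.18: the policy author encodes the sentinels by hand ----

def warn_days_before(actual, minimum=7):
    """'Days before password expiry that a warning is shown' (Figure 1).
    Pass when actual >= minimum AND actual < Golden Ratio.  Without the AND,
    a missing setting (reported as Golden Ratio, a huge number) would
    satisfy '>= minimum' and pass wrongly."""
    return minimum <= actual < GOLDEN_RATIO


# Figure 2: 4 = disabled; Pi / Golden Ratio = service not installed (also OK).
CLIPBOOK_BEFORE = re.compile(r"^(4|314159265358979|161803399999999)$")


def clipbook_before(actual):
    """Regular-expression control with the sentinels spelled out as digits."""
    return bool(CLIPBOOK_BEFORE.match(str(actual)))


# ---- After 6.18: the sentinels are check boxes on the control ----

def warn_days_after(actual, minimum=7, pass_if_not_found=True):
    """Hybrid control (Figure 3): user-customised criterion plus the
    'setting not found' check box.  No manual AND clause is needed."""
    if actual in SENTINEL_MEANING:
        return pass_if_not_found
    return actual >= minimum


def clipbook_after(actual, allowed=frozenset({4, PI, GOLDEN_RATIO})):
    """Fixed Values control (Figure 4): each ticked box is an allowed value."""
    return actual in allowed


def report_row(name, actual, passed):
    """A report row in the 6.18 style: Actual is shown translated, not as digits."""
    return {"control": name, "actual": translate(actual),
            "status": "Passed" if passed else "Failed"}


if __name__ == "__main__":
    for value in (14, 3, GOLDEN_RATIO):
        print(report_row("warn days", value, warn_days_after(value)))
```

The point to notice is in `warn_days_before`: a numeric comparison alone would treat Golden Ratio as a very large (and therefore passing) number of days, which is exactly the false positive the extra AND clause guarded against and the check box now replaces.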

Updated compliance reports will now display the translated values for the 'Expected' column.  A sample report for the Fixed Values example above is provided below:


Figure 5: Fixed Values Report

In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports.  We added shading to both the policy editor and reports to highlight the values associated with each control.  We also added auto-sized text boxes in the policy editor to make it easier to see larger strings of text, especially for file integrity hashes.

Demo

To see a demo of this new feature, please view the Improved Policy Editor and Reporting Demo.

Configuration Scanning of Cisco IOS

If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage for Operating Systems and Databases over the past few years, the next logical technology coverage was network devices.  Cisco, the leader in networking devices, and its operating system Cisco IOS were the primary focus of requests from our existing customers.  In addition, Cisco IOS has well-established benchmarks, including those from the Center for Internet Security (CIS).

Scanning Cisco IOS

Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily.  Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.

QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, which is a modified version of the SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices.  The new record supports an optional second password for the enable prompt, which is needed to execute the following commands: show version, show logging, and show running-config.  The output of these commands is normalized into an XML file in memory on the scanner appliance, where signatures are executed to verify configuration settings.  By storing the output on the scanner appliance, QualysGuard minimizes any impact to the actual device during the scan.  Once the signatures are completed, the XML file is deleted from memory.
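The normalise-then-signature flow above can be illustrated with an added Python example. This is not Qualys code and not the scanner's real normalisation format: it turns a constructed `show running-config` capture into an in-memory XML tree and evaluates a few configuration checks of the kind found in the CIS Cisco IOS benchmark. The XML layout, the check names and the sample configuration are assumptions made for this example.

```python
"""Added example, not Qualys code: normalise a captured `show running-config`
into an in-memory XML document and evaluate a handful of configuration
checks against it, mirroring the normalise-then-signature flow described
above.  The XML layout, the check list and the sample configuration are
assumptions constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample output; not captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
!
version 12.4
service timestamps log datetime msec
no service password-encryption
hostname lab-router
!
ip http server
!
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
!
end
"""


def normalise(config_text):
    """Flat CLI text -> XML.  Each top-level command becomes a <cmd> child of
    the root; indented sub-commands nest under the <cmd> that opened the block."""
    root = ET.Element("running-config")
    block = root
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!") or line.strip() == "end":
            continue
        if line.startswith(" "):
            ET.SubElement(block, "cmd").text = line.strip()
        else:
            block = ET.SubElement(root, "cmd")
            block.text = line.strip()
    return root


def to_xml(root):
    """Serialise the tree; shown only so the intermediate form is visible."""
    return ET.tostring(root, encoding="unicode")


def global_present(root, command):
    """True when an exact top-level command is in the configuration."""
    return any(c.text == command for c in root.findall("cmd"))


def block_commands(root, heading_prefix):
    """Sub-commands of every block whose heading starts with heading_prefix."""
    return [[c.text for c in blk.findall("cmd")]
            for blk in root.findall("cmd") if blk.text.startswith(heading_prefix)]


def evaluate(root):
    """Run the checks; returns {check name: passed}.  Check names are ours."""
    vty_blocks = block_commands(root, "line vty")
    return {
        "service password-encryption enabled":
            global_present(root, "service password-encryption"),
        "ip http server disabled":
            not global_present(root, "ip http server"),
        "vty transport input ssh only":
            bool(vty_blocks) and all("transport input ssh" in b for b in vty_blocks),
        "vty exec-timeout non-zero":
            bool(vty_blocks) and all(
                any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in b)
                for b in vty_blocks),
    }


def audit(config_text):
    """End-to-end: parse into XML, run the checks, and drop the tree.  Nothing
    is written to disk; the XML exists only for the duration of the checks."""
    root = normalise(config_text)
    results = evaluate(root)
    del root
    return results


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Every check in the constructed sample fails on purpose; switching the four offending lines to their hardened form (`service password-encryption`, `no ip http server`, `transport input ssh`, a non-zero `exec-timeout`) makes all of them pass, which is the kind of expected-versus-actual comparison a policy report presents.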

Demo

To see a demo of this new feature, please view the Cisco IOS Scanning Demo.

Integrating Qualys Data with RSA Archer

Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from Qualys? RSA Archer integrates with Qualys Vulnerability Management (VM) through the Qualys XML APIs.

Why RSA Archer?

RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on-demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.

Vulnerability Management

Using the Qualys VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.

RSA Archer’s integration leverages the Qualys XML API frameworks.

Integration Details

For full integration details with RSA Archer, please see Qualys / RSA Archer integration.

Filtering Frameworks within Policy Compliance

Do you ever want to see the control mappings in a report without doubling or tripling the size of the report? What about excluding certain control mappings from the control API to limit data exported? With the release of QualysGuard 6.17, users can now filter the frameworks at the subscription and/or report level within Policy Compliance.

The Need for Framework Filtering

The current control knowledgebase includes over 6,700 configuration checks mapped to dozens of frameworks, including the Center for Internet Security (CIS) benchmarks, the Control Objectives for Information and related Technology (COBIT) 4.0 and 4.1, the Health Insurance Portability and Accountability Act (HIPAA), etc.  These extensive mappings create a large number of control/mapping pairs available in the subscription.  For the majority of organizations, which require only a subset of this data, the current data set is too large to consume.

Filtering Frameworks with Policy Compliance

In order to limit the number of control/mapping pairs, QualysGuard 6.17 introduces the capability to limit which frameworks are displayed in the subscription and/or reports.  Each filter is described in detail below:

Subscription Filter

A subscription level filter will reduce the number of frameworks available for view in the subscription, which includes control search, reports, and the control API. Applying this filter will not filter the Controls knowledgebase, just the framework mappings visible in the subscription.

All available frameworks are enabled by default in the subscription. Change which frameworks are visible by selecting Setup/Frameworks… from the menu. Once the frameworks have been filtered, the following areas of the subscription will be affected:

  1. The Control API will limit the framework mappings in the output when the parameter “details=All” is set.
  2. The Search dialog within the Controls knowledgebase will limit the framework mappings based on the subscription settings.
  3. The Report Templates will limit the framework mappings based on the subscription settings if the Glossary or External Mappings sections are selected.

Report Template Filter

Frameworks are filtered in reports based on the subscription settings, but this feature also allows additional filtering in reports. The report level filter will reduce the number of frameworks available in the reports only.

All available frameworks in the subscription are enabled by default in reports. Change which frameworks are visible by selecting the new tab, Frameworks, in the report template.  Once the frameworks have been filtered, reports using this template will only show the selected frameworks in the Glossary or External Mappings sections, if selected.
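How the two filters compose can be shown with an added Python example. It is not Qualys code and does not call the real Control API; it models a small constructed excerpt of control/mapping pairs, the subscription-level filter, the report-template filter layered on top of it, and the `details=All` behaviour of the Control API described above. The CIDs, framework names, mapping identifiers and the reading that the report filter can only narrow the subscription's set are assumptions made for this example.

```python
"""Added example, not Qualys code: subscription-level and report-level
framework filters composed over a constructed knowledgebase excerpt.
CIDs, framework names, mapping ids and the 'details' parameter model are
assumptions drawn from the feature description, not Qualys' implementation."""

# Constructed excerpt: CID -> {framework: mapping id}.  All values made up.
CONTROLS = {
    1001: {"CIS": "1.1.1", "COBIT 4.1": "DS5.4", "HIPAA": "164.312(a)"},
    1002: {"CIS": "1.2.3", "COBIT 4.0": "DS5.5"},
    1003: {"HIPAA": "164.308(a)", "COBIT 4.1": "DS5.4"},
}
ALL_FRAMEWORKS = sorted({f for maps in CONTROLS.values() for f in maps})


def subscription_view(controls, enabled=None):
    """Subscription filter: every control stays (the knowledgebase itself is
    not filtered); only mappings for non-enabled frameworks are dropped.
    enabled=None models the default, where every framework is enabled."""
    enabled = set(ALL_FRAMEWORKS if enabled is None else enabled)
    return {cid: {f: m for f, m in maps.items() if f in enabled}
            for cid, maps in controls.items()}


def report_view(controls, subscription_enabled, report_enabled=None):
    """Report template filter: by default shows what the subscription exposes,
    and can only narrow it further (our reading: report selection intersected
    with the subscription's enabled set)."""
    allowed = set(subscription_enabled)
    if report_enabled is not None:
        allowed &= set(report_enabled)
    view = subscription_view(controls, subscription_enabled)
    return {cid: {f: m for f, m in maps.items() if f in allowed}
            for cid, maps in view.items()}


def control_api(controls, subscription_enabled, details="Basic"):
    """Control API output: framework mappings appear only with details=All,
    and then only for the subscription-enabled frameworks."""
    view = subscription_view(controls, subscription_enabled)
    if details != "All":
        return {cid: {} for cid in view}
    return view


def pair_count(view):
    """Number of control/mapping pairs: the quantity that drives report size."""
    return sum(len(maps) for maps in view.values())


if __name__ == "__main__":
    print("unfiltered pairs:", pair_count(subscription_view(CONTROLS)))
    print("CIS+HIPAA subscription:", pair_count(subscription_view(CONTROLS, {"CIS", "HIPAA"})))
    print("HIPAA-only report:", pair_count(report_view(CONTROLS, {"CIS", "HIPAA"}, {"HIPAA"})))
```

Note that a framework selected in the report template but disabled at the subscription level contributes nothing, which is why the subscription filter is the one to set first.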

Demo and Technical Paper

To see a demo of these steps, please view the Filter Framework Demo.

For full technical details on Filter Frameworks, please download the QualysGuard Tips and Techniques, Filter Frameworks Document.

Notifying Users of New Controls

Ever wonder when new controls are published for Policy Compliance?  You’re not alone.  With the rapid increase in Policy Compliance Control IDs (CIDs) over the past year, many customers wanted a more proactive notification of new content.  We have heard you loud and clear.  With the release of QualysGuard 6.16, users can now receive weekly or monthly email notifications for new and modified CIDs within Policy Compliance.

Setting Up Control Notification

Control Notification is not enabled by default. To receive email notifications for new and modified CIDs, perform the following steps:

  1. From the Tools section, select User Accounts
  2. Edit the User Account that wants to receive Control Notifications
  3. Click on Advanced
  4. Under Notification Options, select Weekly or Monthly for Latest Controls


Figure 1: Edit User: Latest Controls Notification

Receiving Control Notifications

After enabling Control Notifications, the user will receive an email summarizing the new and modified CIDs for Policy Compliance.


Figure 2: Control Notification: Email

In addition, a .CSV file is attached to the email with additional information.


Figure 3: Control Notification: .CSV File

Demo

To see a demo of these steps, please view the Control Notification Demo.

Making Passwords More Secure

Even after you implement policy compliance checks to enforce best practices for strong passwords, your users can still create insecure passwords. They may not be able to create passwords with eight or fewer characters or with only alphabetical characters. But as long as their passwords conform to the policies you implement, your users can create passwords that match their user name or company name. And those passwords are among the easiest to guess.

To prevent this type of password vulnerability, your policy compliance scans need to check the actual passwords of your users, not just the rules governing the passwords they can create. Three of these password auditing checks are now available in QualysGuard 6.15 Update:

  1. CID 3893 – Empty passwords
    This control identifies user accounts with empty passwords.
  2. CID 3894 – Password matches user name
    This control identifies passwords that match the actual user name or the user name in upper- or lower-case.
  3. CID 3895 – Password matches an entry in the password dictionary
    This control identifies user accounts where the password is equal to an entry in the user-defined password dictionary.

To access your passwords, the scanning engine uses a dissolvable agent on Windows systems to collect user password information from target hosts. The dissolvable agent securely sends the passwords to the scanner for analysis and securely erases its copy of passwords after it completes the tests.
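The three checks can be illustrated with an added Python example. It is not Qualys code and not the dissolvable agent's collection logic; it runs the three controls over a constructed account list. Instead of handling plaintext passwords the way the agent does, the example compares salted digests of each candidate (empty string, user-name variants, dictionary entries) with the stored digest, so only the candidates are ever in the clear. The salted SHA-256 scheme, the account records, the salts and the dictionary are assumptions made for this example.

```python
"""Added example, not Qualys code: the three password-auditing controls
(CIDs 3893, 3894, 3895) run over a constructed account list.  Candidates are
compared as salted SHA-256 digests against the stored digest; the hashing
scheme is an illustrative stand-in for a platform's real password hash."""
import hashlib


def digest(salt, password):
    """Salted SHA-256 hex digest (illustrative; not a real OS password hash)."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def make_account(user, salt, password):
    """Helper for building the sample; only the salted digest is kept."""
    return {"user": user, "salt": salt, "hash": digest(salt, password)}


# Constructed sample accounts (names, salts and passwords are made up).
ACCOUNTS = [
    make_account("svc_backup", "s1", ""),
    make_account("jsmith", "s2", "JSMITH"),
    make_account("rlee", "s3", "rlee"),
    make_account("dba", "s4", "Summer2011"),
    make_account("mkhan", "s5", "correct-horse-battery-staple-9"),
]

# Constructed user-defined dictionary (the compliance profile's custom list).
DICTIONARY = ["password", "Summer2011", "companyname"]


def matches(account, candidate):
    """True when the candidate hashes to the account's stored digest."""
    return digest(account["salt"], candidate) == account["hash"]


def cid_3893_empty_password(accounts):
    """Accounts whose password is empty."""
    return [a["user"] for a in accounts if matches(a, "")]


def cid_3894_password_is_username(accounts):
    """Accounts whose password equals the user name as stored, or its
    all-lower-case or all-upper-case form."""
    hits = []
    for a in accounts:
        u = a["user"]
        if any(matches(a, c) for c in {u, u.lower(), u.upper()}):
            hits.append(u)
    return hits


def cid_3895_password_in_dictionary(accounts, dictionary):
    """Accounts whose password equals an entry in the user-defined dictionary."""
    return [a["user"] for a in accounts
            if any(matches(a, word) for word in dictionary)]


def audit(accounts, dictionary):
    """One entry per control, the way a report's 'Actual' field lists the
    violating accounts; an empty list means the control passed."""
    return {
        "CID 3893": cid_3893_empty_password(accounts),
        "CID 3894": cid_3894_password_is_username(accounts),
        "CID 3895": cid_3895_password_in_dictionary(accounts, dictionary),
    }


if __name__ == "__main__":
    for cid, actual in audit(ACCOUNTS, DICTIONARY).items():
        print(cid, "Failed" if actual else "Passed", actual)
```

Because every comparison goes through the stored digest, the audit never needs the accounts' actual passwords, and the only plaintext in play is the short candidate list the policy already defines.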

Using Password Auditing

Enable Password Auditing

Password Auditing is not enabled in compliance scans by default. To use this feature, create or edit a compliance profile with the following settings:

  1. Enable Password Auditing controls

    Figure 1: Compliance Profile : Enable Password Auditing

  2. Accept the dissolvable agent

    Figure 2: Compliance Profile : Accept Dissolvable Agent

  3. Configure a password dictionary.

    Figure 3: Compliance Profile : Configure Custom Dictionary

Run Compliance Scan

Launch or schedule a compliance scan on the hosts that you want to scan for password auditing controls. Select a compliance profile with Password Auditing enabled, and optionally a password dictionary defined.

Add Password Auditing Controls to Policy

Add the three new password auditing controls (Control IDs 3893, 3894 and 3895) to a new or existing compliance policy. These controls are supported for Windows and Unix technologies.

Run Compliance Report

Generate compliance reports to compare the data gathered on your hosts during your compliance scan to the expected values defined in your compliance policy. Each user account that violates a Password Auditing control appears in the Actual field of your report.


Figure 4: Compliance Report with Password Auditing controls

Demo and Technical Paper

To see a demo of these steps, please view the Password Auditing Demo.

For full technical details on Password Auditing, please download the QualysGuard Tips and Techniques, Policy Compliance: Password Auditing Document.