On November 9, 2011, Oracle announced the launch of Oracle Solaris 11 as the first fully virtualized operating system providing customers with comprehensive, built-in virtualization capabilities for OS, network and storage resources. Solaris 11 is designed to meet the security, performance and scalability requirements of cloud-based deployments allowing customers to run their enterprise applications in private, hybrid, or public clouds.
Working closely with Oracle during development and testing, Qualys is pleased to be the first vendor to add support for Oracle Solaris 11 within QualysGuard Policy Compliance. The new compliance checks include configuration checks based on the Oracle Solaris 11 hardening guideline, such as service checks, sshd_config checks, and file permission and ownership checks. This content is immediately available within QualysGuard Policy Compliance for all subscribers.
To enable support for Oracle Solaris 11, simply add your Oracle Solaris 11 IP addresses to a valid Unix authentication record. QualysGuard Scanner Appliances support Oracle Solaris 11 authentication as of ML 5.18. Once successfully authenticated, QualysGuard Policy Compliance will scan Oracle Solaris 11 configurations and report results in a valid Oracle Solaris 11 policy.
For more information regarding QualysGuard Policy Compliance or how to configure QualysGuard Policy Compliance, please visit the Policy Compliance Community.
With the release of the new QualysGuard UI, Policy Compliance can now stand alone as its own module within QualysGuard. This focused approach to modules in the new UI makes it easier to consolidate compliance reporting and provide additional capabilities specific to Policy Compliance. A perfect example of this is the new Dashboard and Policy Summary Report released in QualysGuard 6.22.
Policy Compliance Dashboard
By enabling the new UI in QualysGuard 6.22, Policy Compliance gets its own dedicated Dashboard.
This new dashboard summarizes the compliance status across all policies in the subscription in one single view, identifying your top failing technologies that need attention. In addition, view and access your last scans, upcoming scheduled scans, and latest reports directly from the dashboard. For more information, drill down into your top failing and passing policies, which opens the new Policy Summary Report.
Policy Summary Report
The new UI also exposes a new tab under Reports called Policy Summary. This new tab provides a summary of your policy without running template-based reports, as required in previous versions of Policy Compliance. To see the summary, simply select a policy and a trend duration.
This new summary report provides trending of your pass/fail status, controls, and hosts by policy. In addition, drill down into your top failing hosts and controls, which opens an interactive report with detailed results.
These new features in QualysGuard 6.22 enhance the reporting capabilities of Policy Compliance and provide a global view of compliance. To try these new features, simply switch over to the new UI in your subscription. To see a demo of these new features, please visit the Dashboard video in the QualysGuard Policy Compliance Video Series.
Have you ever wanted to export a policy from Policy Compliance and import it into another subscription? Customers with multiple subscriptions and partners have been requesting this capability and with the release of QualysGuard 6.22, their requests have been answered. With this release, policies can be exported and imported freely.
Why is importing and exporting important?
Policy creation is a key component of Policy Compliance. It is the policy that sets the expected values to determine overall compliance. Once a policy is created in a subscription with QualysGuard 6.22, the policy can be easily transported to another subscription and used there. This makes it easier for partners and customers with multiple subscriptions to fully adopt Policy Compliance.
How to transport policies
With QualysGuard 6.22, you can now export a policy as an XML file from one subscription and import the policy into another subscription in four easy steps:
Select a policy and click export.
Save the XML file to your computer.
In another subscription, select New, Import Compliance Policy, Import from XML file.
Select the XML file on your computer.
New possibilities for sharing policies
In addition to transporting policies for partners and customers with multiple subscriptions, this new capability provides new possibilities for customers to share policies with each other. It also allows Qualys to share new policies with customers and prospects quickly before they become available in the import library. Adding policies to the import library requires thorough testing prior to upload. However, this new feature will allow us to share these policies prior to upload, allowing customers to get a head start on policy creation.
Sometimes it’s the little things that make your day run more smoothly. The release of QualysGuard 6.19 includes highly-focused new features that add functionality for Windows systems. Also, an update to the Qualys KnowledgeBase identifies vulnerabilities that can be attacked via exploit kits, helping organizations better prioritize patching efforts and protect against vulnerabilities that could be abused via exploit kits.
Windows Share Enumeration: Find Windows shares that are readable by everyone, and report details like the number of files in the share and whether the files are writable. This is good for identifying groups of files that may need tighter access control.
Detailed Audit Settings: Verify auditing subcategory settings introduced in Windows Vista, Windows 7, and Windows Server 2008. You can now check all of the audit logging settings within Windows.
ExploitKit Mapping: If a vulnerability can be attacked via an exploit kit, it should be considered higher priority simply because of the larger number of people who can easily attempt to attack it via the exploit kit. The new ExploitKit Mapping in the KnowledgeBase makes it easier to identify these vulnerabilities and prioritize their remediation.
Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy? You’re not alone. These special values, known as Pi and Golden Ratio, are used to report specific status conditions within QualysGuard Policy Compliance. The translation of these special values varies by technology and configuration. With the release of QualysGuard 6.18, these special values will be converted to check boxes in the policy editor, providing a clear translation of these special values. In addition, policy reports will no longer display these special values, only the translated values.
The Use of Pi and Golden Ratio
Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:
314159265358979 (the first 15 digits of Pi)
161803399999999 (the first 15 digits of the "Golden Ratio")
These values are distinctive numbers that represent various conditions encountered during scanning. The meaning of a status value differs slightly depending on which technology the control uses. Valid examples of these special values include, but are not limited to, the following:
Registry key path was not found.
Registry key parameter was not found.
File was not found.
Setting was not found.
Previous Policy Editor and Reports
Previously, these special values would appear in your policies as the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:
The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition makes sure that the value is less than Golden Ratio. Golden Ratio is returned when the setting is not found, and therefore not set. This additional AND condition is required to prevent false positives, as we do not want to pass the control if the setting is not found.
Figure 1: Complex Control using Golden Ratio
The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service. Notice both Pi and Golden Ratio are included in the regular expression. Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found, both meaning the service is not installed. Since the service should be disabled, represented by 4, we should also pass the control if the service is not installed, represented by Pi and Golden Ratio.
Figure 2: Complex Regular Expression using Pi and Golden Ratio
These special values may also appear in your compliance reports. We have been converting the actual values to translated values in the reports for several releases; however, the expected values may still use Pi or Golden Ratio.
Improved Policy Editor and Reports
With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes with their translated meanings. Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time. However, new controls will be created using this new feature.
After QualysGuard 6.18, all controls will fall into one of the following categories:
Values Only: The control only allows user-customized criteria. The user must select the operator and cardinality and enter an expected value. This is how controls work prior to this release.
Fixed Values Only: The control only allows fixed value selections. The user must select or clear check boxes.
Hybrid: The control allows a combination of user-customized criteria and fixed value selections.
Below are the same samples from above using the new feature in QualysGuard 6.18:
The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition has been removed and replaced with check boxes. These check boxes will allow you to pass the control if the setting is not found.
Figure 3: Hybrid Control using Value and Fixed Values
The second example below converts all values in the regular expression to fixed values to verify the startup state of the 'Clipbook' service. Notice that all values, including Pi and Golden Ratio, have been converted to check boxes. By checking the appropriate check boxes, we can now check all conditions of the service.
Figure 4: Fixed Values Control
Updated compliance reports will now display the translated values for the 'Expected' column. A sample report for the Fixed Values example above is provided below:
Figure 5: Fixed Values Report
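The following is an added example, not Qualys code and not part of the original post. It models the two legacy controls from Figures 1 and 2 (the AND clause against Golden Ratio, and the regular expression that lists Pi and Golden Ratio next to 4) alongside the QualysGuard 6.18 Hybrid and Fixed Values forms from Figures 3 and 4, and renders the translated 'Expected' column of Figure 5. The function names, the operator table, the text assigned to each special value and the service startup-type labels are assumptions for the example; the post says the real translation varies by technology. The scan results fed in at the bottom are constructed.

```python
"""Added example (not Qualys code): how the Pi and Golden Ratio special values
behave in a legacy Policy Compliance control, and how the QualysGuard 6.18
check-box model (Hybrid and Fixed Values controls) expresses the same intent."""
import re

# The two special values named in the post (first 15 digits of Pi and of the Golden Ratio).
PI = 314159265358979
GOLDEN_RATIO = 161803399999999

# Translations assumed for this example; the post says the real meaning varies by technology.
SPECIAL_VALUE_TEXT = {
    PI: "Registry key path was not found",
    GOLDEN_RATIO: "Setting was not found",
}

# Labels assumed for Windows service startup types, used for the Clipbook example.
STARTUP_TYPE_TEXT = {2: "Automatic", 3: "Manual", 4: "Disabled"}


def translate(value):
    """Render a value the way a translated report column would show it."""
    if value in SPECIAL_VALUE_TEXT:
        return SPECIAL_VALUE_TEXT[value]
    return STARTUP_TYPE_TEXT.get(value, str(value))


# ---- Legacy controls (before 6.18) ----------------------------------------

def legacy_password_warn_days(actual, minimum=7):
    """Complex control: actual >= minimum AND actual < Golden Ratio.
    The second clause rejects a 'setting not found' result."""
    return actual >= minimum and actual < GOLDEN_RATIO


def naive_password_warn_days(actual, minimum=7):
    """The same control without the AND clause: a 'not found' result
    (161803399999999) satisfies 'actual >= 7' and the check passes falsely."""
    return actual >= minimum


# Regex control for the Clipbook startup state: 4 (Disabled) or either special value.
LEGACY_CLIPBOOK_REGEX = re.compile(r"^(4|314159265358979|161803399999999)$")


def legacy_clipbook_disabled(actual):
    """Pass when the service is disabled or not installed at all."""
    return LEGACY_CLIPBOOK_REGEX.match(str(actual)) is not None


# ---- 6.18 controls: user criterion plus fixed-value check boxes -----------

OPERATORS = {
    ">=": lambda a, e: a >= e,
    "<=": lambda a, e: a <= e,
    "==": lambda a, e: a == e,
}


def hybrid_control(actual, operator, expected, boxes):
    """Hybrid control: a special value passes only if its check box is ticked;
    any other value is judged by the user-entered operator and expected value."""
    if actual in SPECIAL_VALUE_TEXT:
        return boxes.get(actual, False)
    return OPERATORS[operator](actual, expected)


def fixed_values_control(actual, boxes):
    """Fixed Values Only control: every acceptable value is a ticked check box."""
    return boxes.get(actual, False)


def expected_text(boxes, operator=None, expected=None):
    """Build the translated 'Expected' column: the criterion (if any) plus the ticked boxes."""
    parts = []
    if operator is not None:
        parts.append(f"{operator} {expected}")
    parts.extend(translate(v) for v, ticked in boxes.items() if ticked)
    return ", ".join(parts)


# Constructed scan results: a host that sets the warning to 14 days and one
# where the setting is missing; a host with Clipbook disabled, one with it set
# to Automatic, and one where the service's registry key path is absent.
CLIPBOOK_BOXES = {2: False, 3: False, 4: True, PI: True, GOLDEN_RATIO: True}
WARN_BOXES = {GOLDEN_RATIO: False}  # box left clear: do not pass when the setting is not found

if __name__ == "__main__":
    for actual in (14, GOLDEN_RATIO):
        print("warn-days", translate(actual), "legacy", legacy_password_warn_days(actual),
              "naive", naive_password_warn_days(actual),
              "hybrid", hybrid_control(actual, ">=", 7, WARN_BOXES))
    for actual in (4, 2, PI):
        print("clipbook", translate(actual), "legacy", legacy_clipbook_disabled(actual),
              "fixed", fixed_values_control(actual, CLIPBOOK_BOXES))
    print("Expected:", expected_text(CLIPBOOK_BOXES))
```

Running the block shows the false positive the post warns about: with the AND clause dropped, a missing setting (Golden Ratio) satisfies `>= 7` and passes, while both the legacy control and the Hybrid control with the box left clear fail it. Ticking the Golden Ratio box in `WARN_BOXES` is the 6.18 way of choosing to pass when the setting is not found, which replaces editing the comparison itself.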
In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports. We added shading to both the policy editor and reports to highlight the values associated with each control. We also added auto-sized text boxes in the policy editor to make it easier to see larger strings of text, especially for file integrity hashes.