Qualys Blog

www.qualys.com

Improving Policy Editing and Reporting

Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy?  You're not alone.  These special values, known as Pi and Golden Ratio, are sentinel numbers used to report specific status conditions within QualysGuard Policy Compliance.  What each value means varies by technology and configuration.  With the release of QualysGuard 6.18, these special values are converted to check boxes in the policy editor, giving a clear translation of each one.  In addition, policy reports no longer display the raw numbers, only the translated values.

The Use of Pi and Golden Ratio

Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:

  1. 314159265358979 (the first 15 digits of Pi, without the decimal point)
  2. 161803399999999 (a 15-digit number based on the Golden Ratio, 1.6180339...; its first seven digits followed by 9s, not the ratio's exact digits)

These values are chosen so that they are extremely unlikely to collide with any real setting value, and they represent various conditions encountered during scanning.  What a given value means depends on which technology the control is using.  Conditions these special values can represent include, but are not limited to, the following:

  1. Registry key path was not found.
  2. Registry key parameter was not found.
  3. File was not found.
  4. Setting was not found.

Previous Policy Editor and Reports

Previously, these special values appeared in your policies as part of the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:

  1. The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition makes sure that the value is less than Golden Ratio.  Golden Ratio is returned when the setting is not found, and therefore not set.  Because Golden Ratio is a very large number, a plain 'greater than or equal to' criterion would treat a missing setting as passing; the additional AND condition is required to prevent that false positive, since we do not want to pass the control if the setting is not found.
    Figure 1: Complex Control using Golden Ratio

  2. The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service.  Notice both Pi and Golden Ratio are included in the regular expression.  Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found; both mean the service is not installed.  Since the service should be disabled, represented by a startup value of 4, we also want to pass the control if the service is not installed, represented by Pi or Golden Ratio.
    Figure 2: Complex Regular Expression using Pi and Golden Ratio

These special values may also appear in your compliance reports.  We have been converting the actual values to translated values in reports for several releases; however, the expected values could still show Pi or Golden Ratio.

Improved Policy Editor and Reports

With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes labelled with their translated meanings.  Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time.  However, new controls will be created using this new feature.

After QualysGuard 6.18, all controls will fall into one of the following categories:

  • Values Only: The control only allows user-customized criteria. The user must select the operator and cardinality and enter an expected value. This is how all controls worked prior to this release.
  • Fixed Values Only: The control only allows fixed value selections. The user selects or clears check boxes.
  • Hybrid: The control allows a combination of user-customized criteria and fixed value selections.

Below are the same samples from above using the new feature in QualysGuard 6.18:

  1. The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'.  Notice the AND condition has been removed and replaced with check boxes.  Leaving the 'Setting was not found' box clear keeps the control failing when the setting is missing; ticking it lets you pass the control in that case.
    Figure 3: Hybrid Control using Value and Fixed Values

  2. The second example below converts all values in the regular expression to fixed values to verify the startup state of the 'Clipbook' service.  Notice that every value, including Pi and Golden Ratio, has been converted to a check box.  By ticking the appropriate boxes, we can now express every acceptable state of the service without writing a regular expression.
    Figure 4: Fixed Values Control
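As an added illustration (not code from this post or from the Qualys product), the following Python models the two evaluation styles described in the examples above: the pre-6.18 style, where the sentinel numbers sit inside the expected-value expression (the AND guard of Figure 1 and the regular expression of Figure 2), and the 6.18 hybrid style, where a sentinel is translated and decided by a check box before the user's operator ever sees it.  The 7-day minimum, the function names and the two translation tables are assumptions made for the example; the product's real evaluation code is not shown in the post.

```python
import re

# The two sentinel values QualysGuard Policy Compliance returns in place of a
# real setting value (as described in the post).
PI = 314159265358979
GOLDEN_RATIO = 161803399999999

# Assumed translation tables for this example: the post says the meaning is
# technology dependent, so each control type carries its own mapping.
REGISTRY_MEANINGS = {
    PI: "Registry key path was not found",
    GOLDEN_RATIO: "Registry key parameter was not found",
}
SETTING_MEANINGS = {
    GOLDEN_RATIO: "Setting was not found",
}


def naive_min_days(actual, minimum=7):
    """Pre-6.18 control with only a 'greater than or equal to' criterion.

    A missing setting comes back as GOLDEN_RATIO, which is far larger than any
    real day count, so this version passes when the setting does not exist.
    (The 7-day minimum is an assumed policy value, not from the post.)
    """
    return actual >= minimum


def guarded_min_days(actual, minimum=7):
    """Same control with the AND guard of Figure 1: the value must also be
    below GOLDEN_RATIO, so a missing setting fails instead of passing."""
    return actual >= minimum and actual < GOLDEN_RATIO


# Figure 2 style: a service start type of 4 (disabled) or either sentinel
# (service not installed) is acceptable; 2 (automatic) or 3 (manual) fails.
SERVICE_REGEX = re.compile(r"^(4|314159265358979|161803399999999)$")


def service_disabled_or_absent(actual):
    """Evaluate the raw registry value against the sentinel-laden regex."""
    return SERVICE_REGEX.match(str(actual)) is not None


def evaluate_hybrid(actual, criterion, checked, meanings):
    """6.18 hybrid evaluation as modelled for this example.

    Sentinels are intercepted before the user's operator runs: the data point
    passes only if the matching 'not found' box is in `checked`.  Real values
    go through `criterion` unchanged, so no guard against the sentinel is
    needed in the user's expression.
    """
    if actual in meanings:
        return actual in checked
    return criterion(actual)


def translate(value, meanings):
    """Report rendering: show the condition text instead of the raw number."""
    return meanings.get(value, str(value))


if __name__ == "__main__":
    at_least_7 = lambda v: v >= 7
    for v in (14, 3, GOLDEN_RATIO):
        print(
            f"{translate(v, SETTING_MEANINGS):>22}  naive={naive_min_days(v)}"
            f"  guarded={guarded_min_days(v)}"
            f"  hybrid(unchecked)={evaluate_hybrid(v, at_least_7, set(), SETTING_MEANINGS)}"
        )
```

Running it shows the false positive the AND guard exists to prevent: `naive_min_days(GOLDEN_RATIO)` is True while `guarded_min_days(GOLDEN_RATIO)` is False, and in the hybrid model the same missing setting passes or fails purely according to the check box, with the numeric criterion untouched.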

Updated compliance reports now display the translated values in the 'Expected' column as well.  A sample report for the Fixed Values example above is provided below:

Figure 5: Fixed Values Report

In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports.  We added shading to both the policy editor and reports to highlight the values associated with each control, and auto-sized text boxes in the policy editor to make longer strings easier to read, especially file integrity hashes.

Demo

To see a demo of this new feature, please view the Improved Policy Editor and Reporting Demo.
