Policy Compliance
Strategies & Best Practices
PCSBP Course Prerequisites
• The PCSBP training course is designed for candidates already familiar with
the Qualys Control Library and the requirements for performing compliance
scans, creating policies and building compliance reports within the Qualys
Policy Compliance application.
• RECOMMENDED: Complete the Qualys Policy Compliance training course before
starting this course:
https://www.qualys.com/training/course/policy-compliance/
2 Qualys, Inc. Corporate Presentation
Agenda
• PCSBP Overview
  § LAB 1: Account Setup
• Compliance Scanning Options
  § LAB 2: Compliance Scan
• User Defined Controls
  § LAB 3: Import Sample UDC Policy
  § LAB 4: Export, Edit and Import UDCs
• Tuning Controls
  § LAB 5: Tuning Controls
• Working with Mandates
  § LAB 6: Working with Mandates
Qualys Training & Certification Portal
• LAB exercises
• Presentation slides
• Sample UDC Policy
PCSBP Overview
Path To Compliance
§ Qualys Control Library (CIDs): your User Defined Controls (UDCs) are added to
the Qualys Control Library.
  • Windows UDCs
  • Unix UDCs
  • Database UDCs
§ Policy (EXPECTED): only controls added to a Policy will be evaluated.
§ Scan Results (ACTUAL): Compliance Profile scanning options will influence the
ACTUAL values or data points collected from target hosts.
§ Mandate Report (PASS/FAIL): a Mandate Report can contain up to 3 separate
Mandates and up to 10 different policies.
LAB 1
Account Setup
10 min.
Compliance Scanning Options
Performance
§ High – optimized for networks with abundant bandwidth.
§ Normal – recommended as best practice; well balanced between bandwidth usage
and performance.
§ Low – optimized for low-bandwidth network connections.
§ Scanner Appliances == Internal Scanners.
Scan Restriction - Scan By Policy
• Restrict scans to only those controls contained in the policies you specify.
• This approach is typically used to reduce scan time (unrestricted, “complete”
scans take longer).
Delete a “Scan Restriction” Policy
§ A policy must be removed from the Option Profile’s “Scan Restriction”
configuration, before it can be deleted from your account.
Best Practice
• Schedule “complete” scans to run at regular or frequent
intervals.
• Use scan restrictions (i.e., Scan by Policy) when time is
short, or when building and testing controls.
Set Limits On Database Control Types
§ Set a limit on the number of rows to be returned per scan for:
  • MS SQL Database checks
  • Oracle Database checks
  • Sybase Database checks
Auto Update Expected Value
• When enabled, a control’s EXPECTED value is replaced with the ACTUAL value
returned by the most recent scan.
• Controls must be configured with “Use scan data as expected value”.
• IMPORTANT: Generate compliance reports between successive scans. Once the
next scan runs, the new hash becomes the EXPECTED value and the earlier FAIL
result is no longer visible.
Best Practice
• When using the “Auto update expected value” option,
compliance reports should be generated in-between
successive scans to capture file integrity monitoring
checks that have a FAIL result (i.e., before the updated
hash value becomes effective).
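To make the timing window concrete, here is an added example (Python, not Qualys code) that simulates one file-integrity control across four scans, once with “Auto update expected value” off and once with it on. The hash algorithm (SHA-256), the file path and the file contents are assumptions constructed for the illustration.

```python
"""Added example (not Qualys code): how "Auto update expected value" hides a
file-integrity FAIL after the next scan. SHA-256, the path and the contents
are constructed assumptions for the illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def file_hash(content: bytes) -> str:
    """Hash of the file as collected by a scan (SHA-256 assumed here)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class IntegrityControl:
    """A file-integrity UDC configured with "Use scan data as expected value"."""
    path: str
    auto_update: bool = False
    expected: Optional[str] = None                 # None: no baseline yet
    history: List[Tuple[int, str, str]] = field(default_factory=list)  # (scan, result, actual)

    def scan(self, scan_no: int, content: bytes) -> str:
        """Evaluate one scan; returns BASELINE, PASS or FAIL."""
        actual = file_hash(content)
        if self.expected is None:
            self.expected = actual        # first scan seeds the EXPECTED hash
            result = "BASELINE"
        elif actual == self.expected:
            result = "PASS"
        else:
            result = "FAIL"
        self.history.append((scan_no, result, actual))
        if self.auto_update:
            self.expected = actual        # most recent ACTUAL becomes the new EXPECTED
        return result


def run_scenario(auto_update: bool) -> List[str]:
    """Baseline scan, then a tampered file, then two scans with no further change."""
    ctl = IntegrityControl(path="/etc/ssh/sshd_config", auto_update=auto_update)
    contents = [
        b"PermitRootLogin no\n",    # scan 1: baseline (constructed)
        b"PermitRootLogin yes\n",   # scan 2: unauthorized change
        b"PermitRootLogin yes\n",   # scan 3: unchanged since the tampering
        b"PermitRootLogin yes\n",   # scan 4
    ]
    return [ctl.scan(i, c) for i, c in enumerate(contents, start=1)]


def visible_fails(results: List[str]) -> List[int]:
    """Scan numbers whose report would show FAIL for this control."""
    return [i for i, r in enumerate(results, start=1) if r == "FAIL"]


if __name__ == "__main__":
    for mode in (False, True):
        res = run_scenario(mode)
        print(f"auto_update={mode}: {res}  FAIL visible after scans {visible_fails(res)}")
```

With auto-update off, every scan after the tampering reports FAIL. With it on, only a report generated between scan 2 and scan 3 shows the FAIL; scan 3 re-baselines on the tampered hash and reports PASS from then on. That is the window the best practice refers to: schedule the report between scans and treat every FAIL captured there as a change to investigate, not as noise the next baseline will absorb.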
Control Types
§ Select these control types for UDCs that perform file integrity
monitoring or WMI queries.
§ If using the “Scan by Policy” option, the need for these control types
will be determined by the CIDs in the targeted policies.
Dissolvable Agent
§ For Windows checks that require a temporary agent.
§ The temporary agent “dissolves” when the task completes.
§ If using the “Scan by Policy” option, the need for a Dissolvable Agent
will be determined by the CIDs in the targeted policies.
Ports
§ Because compliance scans are authenticated, the “Targeted Scan” option
(a smaller list of ports than “Standard Scan”) is sufficient and is the
recommended setting.
System Authentication Records
§ Allow the system to create authentication records automatically using data
discovered from one or more scanned assets.
§ Future compliance assessments can then be performed using the system created
records.
§ Only one option (Create or Use) can be selected at a time (in the same Option
Profile).
§ See LAB Appendix A
System Authentication Records
Create Records
§ Scans using a Compliance Profile with this option enabled, will restrict scans to
instance discovery and record creation.
§ Unix authentication is required.
§ Compliance assessments will not be performed.
Oracle System Record Template
§ Oracle System Record Templates can be created under the “Authentication” tab.
System Authentication Records
Scan Results
§ A summary of “Auto Discovered Instances” can be found in your
scan results.
System Authentication Records
Authentication Tab
§ System created authentication records for “Auto Discovered Instances”
are added to the “Authentication” tab.
§ System created records are locked and cannot be edited.
System Authentication Records
Use Records
§ When selected, compliance assessments will include system created
authentication records in scans.
§ If there are two records (system and user created) for the same instance,
indicate which record to use.
LAB 2
Compliance Scan
10 min.
User Defined Controls
UDC Components
1. Statement or Title - Name that appears in the Control Library.
2. Category – Group controls of the same type.
3. Criticality – (1) Minimal, (2) Medium, (3) Serious, (4) Critical, (5) Urgent
4. Comments – Include text to quickly find your UDCs.
5. Reporting Options – Specify if/when to ignore errors.
6. Scan Parameters - Targeted datapoint or configuration setting (this is
what is collected during a scan).
7. Default Values - Evaluation expression and expected value for each
control technology (this determines PASS/FAIL results).
Scan Parameters
§ Target (File path, Directory path, Registry key, Registry value, Group name, Share
user, Path user, Query etc...)
§ Regular Expression (File Content Check, only)
§ Data Type (Return value of control: Boolean, Integer, String, String List, Line List)
§ Description (Describe what will be collected)
Default Value
§ Rationale (Explain the reasoning or logic for the assessment)
§ Cardinality (Required for controls that return a “list” of values)
§ Operator (Specifies how the “Default Value” will be interpreted: literal
string vs. regex)
§ Default Value (Expected value of the data collected)
Best Practice
§ Leverage the power of regular expressions (regex) to
define the default values of a control.
§ Operator = Regular Expression or Regular Expression List.
Regex Metacharacters
Metacharacter   Name               Description
.               Dot                Matches any single character
[…]             Character Class    Matches any one of the listed characters
*               Star               Matches zero or more of the preceding item
+               Plus               Matches one or more of the preceding item
^               Caret              Matches at the beginning of a line
$               Dollar Sign        Matches at the end of a line
\               Escape Character   Makes the following metacharacter a literal
|               Alternation        Matches either the item on its left or the item on its right
§ Metacharacters: characters that have special meaning to regex and provide
the power and functionality of regex.
§ Literals: the standard characters that regex matches exactly as written in a
string (typically letters and numbers).
Regex Examples
^[Cc]at
§ Matches the word “cat” or “Cat” only if it is at the beginning of a line.
§ ^ represents the start of a line.
§ [ ] is a character class for representing alternate characters.
C:\\windows\\explorer\.exe
§ Matches the C:\windows\explorer.exe file path.
§ Both “.” and “\” are metacharacters.
§ The escape character “\” converts a metacharacter to a literal.
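Running the two patterns above against sample values, as an added example (Python’s re module, whose syntax for these constructs is the same as PCRE; this is not code from the Qualys deck). It also shows the caveats a reviewer would raise: `^[Cc]at` still matches “catalog”, an unescaped dot matches any character, and Windows paths usually want a case-insensitive, fully anchored pattern. All sample values are constructed.

```python
"""Added example (not from the Qualys deck): exercising the slide's two regex
examples with Python's re module. All sample values are constructed."""
import re
from typing import List


def search(pattern: str, value: str) -> bool:
    """True if PATTERN matches anywhere in VALUE (unanchored match, which is
    how a "Regular Expression" operator is assumed to behave)."""
    return re.search(pattern, value) is not None


def matching_lines(pattern: str, lines: List[str]) -> List[str]:
    """Apply a pattern to each line of a multi-line value separately, so that
    ^ and $ anchor each line rather than the whole blob."""
    return [line for line in lines if search(pattern, line)]


def literal_pattern(text: str) -> str:
    """Escape every metacharacter so TEXT matches only itself; re.escape does
    the same job as hand-escaping '\\' and '.' on the slide."""
    return re.escape(text)


# Patterns from the slide, as raw strings so the backslashes survive.
CAT = r"^[Cc]at"
CAT_WORD = r"^[Cc]at\b"                              # tightened: 'cat' as a whole word
EXPLORER = r"C:\\windows\\explorer\.exe"
EXPLORER_LOOSE = r"C:\\windows\\explorer.exe"        # dot left unescaped
EXPLORER_CI = r"(?i)^C:\\windows\\explorer\.exe$"    # anchored + case-insensitive


if __name__ == "__main__":
    for value in ("cat", "Cat food", "concat", "catalog"):
        print(f"{value!r}: {CAT}={search(CAT, value)} {CAT_WORD}={search(CAT_WORD, value)}")
    for value in (r"C:\windows\explorer.exe", r"C:\windows\explorerXexe", r"c:\Windows\Explorer.exe"):
        print(f"{value!r}: strict={search(EXPLORER, value)} "
              f"loose={search(EXPLORER_LOOSE, value)} ci={search(EXPLORER_CI, value)}")
    print(literal_pattern(r"C:\windows\explorer.exe"))
```

Two details worth keeping in mind when the pattern is the EXPECTED value of a control: `^[Cc]at` passes on “catalog” because nothing anchors the end of the match, and `C:\\windows\\explorer\.exe` fails on `c:\Windows\Explorer.exe` because the match is case-sensitive even though the Windows file system is not.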
regex101.com
• Qualys applications use Perl Compatible Regular Expressions (PCRE); when
testing patterns on regex101.com, select the PCRE flavor.
Testing Regular Expressions
• Use the “Evaluate” button in the Policy Editor to test regex.
Best Practice
§ Leverage a control’s “Evaluate” button (in the Policy
Editor) to test your regular expressions against real
host assets within your subscription.
Import Policy from XML File
• The next lab exercise provides steps for importing the PCSBP Sample
UDC Policy.
• This policy contains examples of Windows UDC control types, and Unix
UDC control types, for the targets used in this course.
Sample UDC Policy Export
• The option to “Include UDCs” was selected, when the Sample UDC
Policy was originally exported.
• Only policies saved in the XML file format, can be IMPORTED.
Sample UDC Policy Import
• Be sure to select the “Create user-defined controls” option, when
importing the Sample UDC Policy.
LAB 3
Import Sample UDC Policy
15 min.
Lab Review
Best Practice
§ Use the “Comments” field within your controls, to
uniquely label and then find specific groups of UDCs.
PCSBP Controls
PCSBP Policy
User Defined Controls for Windows
Windows Registry Keys and Values
• HKEY_LOCAL_MACHINE\SOFTWARE\Qualys refers to the subkey "Qualys" of the subkey
"SOFTWARE" of the HKEY_LOCAL_MACHINE root key.
• Registry values are name/data pairs stored within keys.
Windows Registry Key Existence
§ True = Registry key found
§ False = Registry key not found
Windows Registry Value Existence
§ Value “NAME” must be specified along with registry key.
§ True = Registry value found
§ False = Registry value not found
Windows Registry Value Content Check
• The “Data Type” selected must match the targeted registry value.
• ALERT: Operator only supports regular expressions.
Windows Registry Permission
• Cardinality must be specified for the “String List” data type.
• Operator supports both regex and string lists.
Windows File Content Check (Agent Only)
• Result set is limited to 40 KB in size.
• ALERT: Operator only supports regular expressions.
Windows File/Directory Existence
• True = file/directory exists
• False = file/directory not found
Windows File/Directory Permission
• Cardinality must be specified for the “String List” data type.
• Operator supports both regex and string lists.
Windows File Integrity Check
• Specify the targeted file and its corresponding hash value or use scan data
as expected value.
• Scans must use a Compliance Profile with File Integrity Monitoring controls
enabled.
Windows File Integrity Check
Agent Scan Options
• Extend the “Auto Update Expected Value” option to AGENT scans.
• The control must also have “Use scan data as expected value” selected.
Windows Group Membership Check
• Result set will not exceed Max Return Value.
• Cardinality must be specified for the “String List” data type.
• Operator supports both regex and string lists.
WMI Query Check
§ Especially useful for enumerating active services and running processes.
§ This control type executes a Windows Management Instrumentation (WMI)
query.
Best Practice
§ Leverage the power of the “WMI Query Check” control
type to collect information not found or not easily
obtained from the Windows Registry or file system.
Windows Share Access Check
• Optionally, you can specify a Path User to verify access at the directory (i.e., NTFS)
level.
• “Enable Windows Share Enumeration” in Compliance Profile.
Windows Directory Search Check*
Scan Parameters
• Choose a base directory and maximum depth.
• Filter your search with file/directory inclusions and exclusions.
• Specify search limits.
• Return a list of file or directory objects or both.
* Scan Parameters can be modified or changed, after the control has been saved.
Windows Directory Search Check*
Users
• Select principals from the “drop-down” menu, or enter a user as:
domain\user, user@FQDN, or SID.
Windows Directory Search Check*
Permissions
• Any == OR
• All == AND
Windows Directory Search Check*
Default Values
§ Select “Enable Windows Directory Search” in Option Profile.
Windows Directory Search Check*
Agent Scan Options
• Restrict the control to agent data exclusively (i.e., the control will not
use data collected from a scanner appliance).
• Select this option to use wildcards to define the “Base Directory” field.
Windows Directory Integrity Check*
Scan Parameters
• Specify targeted directory and maximum depth.
• Use inclusions/exclusions to filter result set.
• Data Type: String
* Scan Parameters can be modified or changed, after the control has been saved.
Windows Directory Integrity Check*
Default Values
• Provide your own hash value or use scan data as expected value.
• Scans must use Compliance Profile with File Integrity Monitoring controls
enabled.
Windows Directory Integrity Check*
Agent Scan Options
User Defined Controls for Unix
Unix File/Directory Existence
• True = file/directory exists
• False = file/directory not found
Unix File/Directory Permission
• ALERT: Operator only supports regular expressions.
Unix File Content Check
• Data Type: Line List – the default value contains only a single line (one
regular expression).
• The “match all” and “match any” cardinality options were designed with this
one-to-many relationship (one expected line, many collected lines) in mind.
• ALERT: Operator only supports regular expressions.
Unix File Integrity Check
• Specify the targeted file and its corresponding hash value or use scan data
as expected value.
• Scans must use a Compliance Profile with File Integrity Monitoring controls
enabled.
Unix File Integrity Check
Agent Scan Options
• Extend the “Auto Update Expected Value” option to AGENT scans.
• The control must also have “Use scan data as expected value” selected.
Unix Directory Search Check*
Scan Parameters (1 of 3)
• Choose a base directory and maximum depth.
• Filter your search with file/directory inclusions and exclusions.
* Scan Parameters can be modified or changed, after the control has been saved.
Unix Directory Search Check*
Scan Parameters (2 of 3)
• Specify file permissions, file system object types and file owner.
* Scan Parameters can be modified or changed, after the control has been saved.
Unix Directory Search Check*
Scan Parameters (3 of 3)
• Specify search limits.
• Return a list of string objects.
* Scan Parameters can be modified or changed, after the control has been saved.
Unix Directory Search Check*
Default Values
• Find files and directories that match your search parameters.
Unix Directory Integrity Check*
Scan Parameters (1 of 3)
• Specify the “Base directory” and “Maximum Depth.”
• Use file/directory inclusions/exclusions to refine your result set.
Unix Directory Integrity Check*
Scan Parameters (2 of 3)
• Select targeted File System Object Types and File Owner.
Unix Directory Integrity Check*
Scan Parameters (3 of 3)
• Check the integrity of Unix files at the directory level.
* Scan Parameters can be modified or changed, after the control has been saved.
Unix Directory Integrity Check*
Default Values
• Provide your own hash value for the targeted directory or use scan data as
expected value.
• Scans must use a Compliance Profile with File Integrity Monitoring controls
enabled.
Unix Directory Integrity Check*
Agent Scan Options
• Agents can also use the “Auto Update expected value” option.
• Alternatively, this control can be configured for agent scans only.
User Defined Controls for Databases
MS SQL Database Check
• Executes SQL statements on MS SQL databases.
Oracle Database Check
• Executes SQL statements on Oracle databases.
Sybase Database Check
• Executes SQL statements on Sybase databases.
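The three database control types all evaluate whatever rows the SQL statement returns, which is why the row limit set in the Compliance Profile (“Set Limits On Database Control Types”, above) deserves attention when writing the query. The following added example (Python, not Qualys code) uses an in-memory SQLite table as a stand-in for a MS SQL, Oracle or Sybase catalog view; the table, its logins and the limit value are constructed, and the truncation is modelled with fetchmany on the assumption that the scanner simply stops collecting at the configured limit.

```python
"""Added example (not Qualys code): why the per-scan row limit matters for a
database UDC. SQLite stands in for the real database; the table, the logins
and the limit are constructed, and truncation is modelled with fetchmany."""
import sqlite3
from typing import List, Optional, Tuple


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a server-login catalog (names are invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE server_logins (name TEXT, sysadmin INTEGER, disabled INTEGER);
        INSERT INTO server_logins VALUES
            ('sa', 1, 1), ('app_dbo', 0, 0), ('backup_svc', 1, 0), ('tmp_admin', 1, 0);
        """
    )
    return con


# A list-returning check: every login holding the sysadmin role.
SYSADMIN_LOGINS = "SELECT name FROM server_logins WHERE sysadmin = 1 ORDER BY name"

# The same question as a single-row aggregate, which a row limit cannot cut short.
UNEXPECTED_SYSADMINS = (
    "SELECT COUNT(*) FROM server_logins "
    "WHERE sysadmin = 1 AND name NOT IN ('sa', 'backup_svc')"
)


def collect(con: sqlite3.Connection, query: str, row_limit: Optional[int]) -> List:
    """ACTUAL value of the control: the rows the scan brings back, cut at row_limit."""
    cur = con.execute(query)
    rows = cur.fetchall() if row_limit is None else cur.fetchmany(row_limit)
    return [r[0] for r in rows]


def does_not_contain(actual: List[str], forbidden: List[str]) -> bool:
    """'does not contain' cardinality: compliant when no forbidden value is present."""
    return not (set(actual) & set(forbidden))


def audit_list(row_limit: Optional[int]) -> Tuple[List[str], bool]:
    """List-based check: returns (ACTUAL list, compliant?)."""
    con = open_sample_db()
    actual = collect(con, SYSADMIN_LOGINS, row_limit)
    return actual, does_not_contain(actual, ["tmp_admin"])


def audit_count(row_limit: Optional[int]) -> Tuple[int, bool]:
    """Aggregate check: returns (number of unexpected sysadmins, compliant?)."""
    con = open_sample_db()
    count = collect(con, UNEXPECTED_SYSADMINS, row_limit)[0]
    return count, count == 0


if __name__ == "__main__":
    print("no limit :", audit_list(None))
    print("limit 2  :", audit_list(2))      # tmp_admin falls outside the first two rows
    print("aggregate:", audit_count(2))
```

With the limit at 2, the list-based check never sees `tmp_admin` and reports compliant; the aggregate query returns one row whatever the limit, so the same condition is caught. When a check can be phrased as a count or a single-row predicate, do so, and set the row limit with the largest legitimate result set in mind.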
LAB 4
Export, Edit and Import UDCs
15 min.
UDCs & Qualys Cloud Agent
SDC & UDC Manifests
User Defined Control (UDC) - custom controls created by users.
Service Defined Control (SDC) - controls provided by Qualys.
• From the Cloud Agent application, view an agent’s details and select the
“Agent Summary” option.
Agent UDC Manifest Requirements
• Both Policy Compliance and Cloud Agent must be enabled for your Qualys
subscription.
• Agent hosts must have the PC module activated.
• The UDC Manifest is automatically assigned to Windows agent versions 2.1 or
later and Unix agent versions 2.3 or later.
• Earlier agent versions require the “Assign UDC Manifest” option.
UDC Options for Agent Hosts (Review)
• Windows and Unix Directory Integrity Checks and Directory Search Checks can be
built exclusively for agent host scanning.
• Windows and Unix File Integrity Checks and Directory Integrity Checks can have
their default hash values automatically updated, using agent scan data.
Tuning Controls
Evaluate & Tune Controls
§ To evaluate any control, it must be added to a policy within your account.
§ Manually ADD or COPY controls to a policy.
§ Automatically add controls, using the “Create from Host...” option.
§ Import policies (from the Policy Library) with certified controls.
Add Controls vs. Copy Controls
§ Add controls from the Control Library or copy controls from other
policies.
§ Controls taken from the Control Library, commonly need to be
adjusted or tuned, once added to a policy.
§ The “Copy Control” option has the advantage of acquiring controls
from a policy that has already been tuned.
Copy Controls
§ Copy controls from another policy in your account.
§ Copy controls from a policy in the Policy Library.
§ Reduce the need for tuning.
Best Practice
• Use the “Copy Control” option to add “pre-tuned”
controls to a policy.
• Import entire policies from the Policy Library that
contain controls already tuned to specific benchmarks,
regulations and standards.
Create Policy from Existing Host
§ Policies created from an existing host will contain controls that are
automatically tuned to the host’s configuration specifications.
§ Controls will be selected based on the host technology(s) discovered.
§ Because cardinality is difficult to ascertain, the “contains” cardinality is
used by default. “contains” passes as long as the expected values are present,
so additional, unexpected entries on a host are not flagged.
§ Controls with cardinality will typically need adjustments and tuning.
Controls with Cardinality
Data Type: String List
Compares a list of values collected from a host (X) to a list of values
within the policy control (Y).
CARDINALITY        YOU ARE COMPLIANT WHEN
contains           X contains all of Y
does not contain   X does not contain any of Y
matches            All strings in X match all strings in Y (any order)
intersect          Any string in X matches any string in Y
is contained in    All strings in X are contained in Y
§ X (Actual) = List of values returned by a scan or agent.
§ Y (Expected) = List of values defined by a control.
String List Cardinality Example
Controls with Cardinality
Data Type: Line List
Compares a list of values collected from a host (X) to a single value (or
line) within the policy control (Y).
CARDINALITY   YOU ARE COMPLIANT WHEN
match any     any line in X matches Y
match all     all lines in X match Y
match none    no line in X matches Y
empty         X is empty
not empty     X is not empty
§ X (Actual) = List of values returned by a scan or agent.
§ Y (Expected) = A single value (or line) defined by the control.
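An evaluator for both cardinality tables (String List and Line List), as an added example in Python rather than Qualys code. It assumes String List entries are compared as exact strings and that the Line List EXPECTED value is a regular expression applied to each line; the Administrators group membership and the sshd_config lines are constructed host data. The group-membership audit shows why the default “contains” cardinality needs validating: the extra service account is only caught by “is contained in”.

```python
"""Added example (not Qualys code): evaluator for the String List and Line List
cardinalities. Assumes exact-string comparison for String List and a regex
EXPECTED value for Line List. Host data below is constructed."""
import re
from typing import Dict, List


def string_list(cardinality: str, x: List[str], y: List[str]) -> bool:
    """String List: compare the set of ACTUAL strings X with EXPECTED strings Y."""
    xs, ys = set(x), set(y)
    rules = {
        "contains": ys <= xs,                 # X contains all of Y
        "does not contain": not (xs & ys),    # X contains none of Y
        "matches": xs == ys,                  # same strings, any order
        "intersect": bool(xs & ys),           # at least one common string
        "is contained in": xs <= ys,          # every X string is listed in Y
    }
    return rules[cardinality]


def line_list(cardinality: str, x: List[str], y: str) -> bool:
    """Line List: test the single EXPECTED pattern Y against every line of X."""
    hits = [re.search(y, line) is not None for line in x]
    rules = {
        "match any": any(hits),
        "match all": bool(hits) and all(hits),   # an empty X has no matching line
        "match none": not any(hits),
        "empty": len(x) == 0,
        "not empty": len(x) > 0,
    }
    return rules[cardinality]


def group_membership_audit() -> Dict[str, bool]:
    """Local Administrators members from a host (constructed) against an allow-list."""
    actual = ["Administrator", "CORP\\Domain Admins", "CORP\\svc_backup"]
    allowed = ["Administrator", "CORP\\Domain Admins"]
    return {c: string_list(c, actual, allowed)
            for c in ("contains", "matches", "intersect", "is contained in")}


def sshd_config_audit() -> Dict[str, bool]:
    """Lines of an sshd_config (constructed) checked for root login settings."""
    lines = ["Protocol 2", "PermitRootLogin no", "#PermitRootLogin yes"]
    return {
        "no active PermitRootLogin yes (match none)":
            line_list("match none", lines, r"^PermitRootLogin\s+yes"),
        "PermitRootLogin no present (match any)":
            line_list("match any", lines, r"^PermitRootLogin\s+no"),
        "every line is a Permit directive (match all)":
            line_list("match all", lines, r"^Permit"),
        "file has content (not empty)":
            line_list("not empty", lines, r"."),
    }


if __name__ == "__main__":
    print(group_membership_audit())
    print(sshd_config_audit())
```

For an allow-list such as group membership, “is contained in” is the cardinality that fails on an unexpected member; “contains” only confirms the expected members are present. For Line List checks, note that `^PermitRootLogin\s+yes` is anchored so that the commented-out line does not count as a match.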
Line List Cardinality Example
Best Practice
• When creating policies from an existing host, ensure
that you validate all controls that use cardinality.
LAB 5
Tuning Controls
15 min.
Working with Mandates
Mandates
• Mandates contain controls (CIDs) from the Control Library, which are mapped to
specific Mandate requirements.
• Mandates do not provide the default or expected values needed to perform
assessment tests; those come from the policies paired with the Mandate.
Mandate Report
• A Mandate Report brings one or more Mandate(s) together with one or more
policy(s) that contain the necessary values to perform assessment tests.
Mandate Template
§ Use the “Filter by policy controls” option to filter out controls that have
not been evaluated.
§ Group by “Mandate” for single-mandate reports.
§ Group by “Control objective” for reports that contain multiple mandates.
CIS Security Controls (Top 5) Mandate
• Import a “CIS Benchmark for CentOS 6” policy, from the Policy Library.
• Create a Mandate Template (for a single Mandate)
• Combine the “CIS Security Controls (Top 5)” Mandate with the “CIS
Benchmark” policy, in a Mandate Report.
LAB 6
Working with Mandates
15 min.
Thank You
training@qualys.com