Configuring a Custom Command Check 

Create a custom command check control (non-agent) for network devices. This control is useful for compliance assessments of network devices. Most network devices support a Command Line Interface (CLI) to configure and manage the device. By using Network UDCs (user-defined controls), you can create custom checks that execute commands on the network devices. You can then use the command output data for policy evaluation.

To configure network control types:

1) Navigate to Policies > Controls > New > Control > Network Control Types > Custom Command Check.

2) Configure the following settings:


Basic Information - Identify this control

Control Statement - The statement you provide is like the control name that describes what it is and how it should be implemented in the environment.

Category - You need to decide which category the control belongs to. This is important because users can search and filter controls by category; they can also search by keywords in the statement.

Control Criticality - Select the criticality of the control as per your business requirements. By default, UNDEFINED is selected. For more information, refer to Understanding Control Criticality.

Comment - You can provide additional information about the control, such as the intent of creating this control.

Control Information - Scan Parameters

The scan parameters are used to gather data needed for compliance evaluation at scan time.

Command - This is the command to be executed on the network device.

Description - This is a brief explanation of the command's purpose.

Output Filters - The command output serves as the data point for policy evaluation. However, the raw output is not always in a format suitable for parsing and evaluation, so text post-processing is often necessary. Output Filters let you transform the command output into a more structured, evaluation-friendly format.

The following command output filter types are available. Choose the filter type as per your business requirements.

Click Add Filter to add more than one filter.

Filter Types:

  • Filter - Use this to extract specific portions of the command output based on a regular expression.

  • Table - Use this to organize the command output data into a tabular format for easier interpretation.

  • Substitute - Use this to modify the command output by removing or replacing specific parts.


Control Information - Evaluation Conditions

Specify the evaluation condition for the chosen technology.

Rationale - This is the rationale statement explaining how the control should be implemented for each technology.

Cardinality - This is the appropriate cardinality for the control. For more information, refer to Understanding Cardinality.

Operator - Define the operator used to compare the scan results with the default evaluation value. Possible values:

Operator    Description
XEQ         string list
XRE         regular expression list

Default Evaluation Value - Specify the expected evaluation value for each technology. The scan results are compared against the default evaluation value for the control.

Remediation - A short description of how the finding can be remediated.

You can lock the Cardinality, Operator or Default Value if you do not want users to be able to change these values in the Policy Editor.
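To make the filter-then-evaluate flow concrete, the following Python is an added illustration written for this page, not the product's own filter engine: it models the three Output Filter types (Filter, Table, Substitute) on a constructed Cisco IOS `show running-config` excerpt and then applies XEQ (string list) and XRE (regular expression list) comparisons. The exact semantics of the filters and of the operators (every scan value must satisfy the expected list) are assumptions made here for the sake of the example.

```python
import re

# Constructed sample (not captured from a real device): an abridged Cisco IOS
# "show running-config" excerpt used as input for the filter pipeline.
SAMPLE_OUTPUT = """\
line vty 0 4
 transport input ssh
 exec-timeout 5 0
line con 0
 exec-timeout 10 0
ip ssh version 2
"""

def filter_lines(output, pattern):
    """Filter type: keep only the lines matching the regular expression."""
    return [ln for ln in output.splitlines() if re.search(pattern, ln)]

def substitute(lines, pattern, replacement):
    """Substitute type: remove or replace parts of each line."""
    return [re.sub(pattern, replacement, ln) for ln in lines]

def to_table(lines, pattern):
    """Table type: one row per line, columns taken from the regex capture groups."""
    return [m.groups() for m in (re.search(pattern, ln) for ln in lines) if m]

def evaluate(values, operator, expected):
    """Compare the scan data with the default evaluation value.
    XEQ: every scan value must appear in the expected string list.
    XRE: every scan value must fully match one of the expected regular expressions.
    (The all-values-must-pass reading is an assumption of this example.)"""
    if operator == "XEQ":
        return all(v in expected for v in values)
    if operator == "XRE":
        return all(any(re.fullmatch(p, v) for p in expected) for v in values)
    raise ValueError(f"unsupported operator: {operator}")

def check_vty_transport():
    """Control: VTY lines must accept SSH only (Filter + Substitute, then XEQ)."""
    lines = substitute(filter_lines(SAMPLE_OUTPUT, r"transport input"), r"^\s+", "")
    return evaluate(lines, "XEQ", ["transport input ssh"])

def check_exec_timeout():
    """Control: every exec-timeout is 1-15 minutes (Filter + Table, then XRE).
    A value of 0 (never time out) matches neither pattern, so the control fails."""
    rows = to_table(filter_lines(SAMPLE_OUTPUT, r"exec-timeout"), r"exec-timeout (\d+) (\d+)")
    return evaluate([minutes for minutes, _seconds in rows], "XRE", [r"[1-9]", r"1[0-5]"])
```

Both checks pass on the sample; changing the sample to `transport input telnet ssh` or `exec-timeout 0 0` makes the corresponding check fail, which is the behaviour a compliance control should show.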

Control Information - Control Technologies

Your control may apply to many technologies. Select each technology you are interested in and provide a rationale statement and expected value.

If you plan to enter the same settings for each technology, you only need to do it once. Make your selections in the "Default Evaluation Condition" section first and then select the check box for each technology you want. You can see that the settings are copied automatically to each technology that you select.

Supported Technologies:

  • Cisco IOS 12.x - 15.x

  • Cisco IOS XR 6.x - 7.x

  • Cisco IOS XE

  • Cisco ASA 8.x - 9.x

  • ArubaOS 6.x and 8.x

  • Juniper JUNOS 10.x - 22.x

  • IBM Datapower Gateway 10.x

  • Arista EOS 4.x

  • ApconTap Switch

Make these settings:

Rationale - Enter a rationale statement describing how the control should be implemented for each technology.

Default Evaluation Value - Specify the expected evaluation value for each technology. The scan results are compared against the default evaluation value for the control.

Control Information - Reporting Options

We report the compliance status (Passed, Failed or Error) for each control instance in your compliance reports and on your PA dashboard. The status Error is returned in cases where errors occurred during control evaluation. This means the control was not tested for compliance.

If you do not want to see the Error status, you can ignore these errors and set their status to Pass or Fail. This is reflected in your reports accordingly.

Control Information - References

Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter http://www.qualys.com to link to the Qualys web site. Once added, users have the option to include references in policy reports.

Click Add References to add more than one reference.

3) Review and confirm the control settings and click Create. The control is created and appears in the control list.

If desired, you can edit this control. To learn more about how to edit the control, refer to Edit a Control.