Configuring a Windows Script Result Check

The Windows script-based user-defined controls (UDCs) in Qualys PA let you evaluate script-based UDC data on the Windows platform, enabling you to leverage the Policy Audit-CAR integration. Configure a Windows Script Result Check UDC to execute custom scripts in Custom Assessment and Remediation (CAR) and create corresponding compliance reports.

To evaluate the script-based UDC data on the Windows platform, create the relevant user-defined controls in Qualys PA.

  • Evaluation of the Script Result Check type UDCs in a policy depends only on the assets and the execution schedule defined for the associated script in Qualys CAR.
  • The script result UDC is not evaluated when a script result is processed. Instead, it is evaluated during the next agent scan (PA/UDC/Middleware).

Requirements and Supported Versions

Prerequisites

Before you create a Windows script-based UDC, ensure that:

  • Qualys CAR is enabled for your subscription and you have a few scripts created and approved in CAR.
  • A PA-enabled agent is included in your subscription.
  • The new PA dashboard is available and the Enable Script Execution UDC option is enabled for your subscription.

Supported Script Types

PowerShell, Python

Before using PowerShell or Python with this functionality, ensure the following prerequisites are met for proper installation and environment configuration.

  • Python installation using setup
    Python should be installed for all users on the client machine. The install location must be added to the SYSTEM PATH variable.
  • Python installation using portable zip
    If a portable (zip) installation of Python is used, the path of the directory containing python.exe should be added to the SYSTEM PATH variable.

Supported Agent Versions

Cloud Agent 4.6.1.6 or later

Create Windows Script-Based UDC

You can create a Windows script-based check with the following steps:

1. Select Script

Click Select Script to choose the script based on which the UDC should be implemented.

Option to choose the scripts that are created in Script Manager

Only scripts that are approved from Qualys CAR for Windows are listed.

Select the required script from the Select Script pop-up window and click Apply. You can also filter scripts using the search tokens available in the search bar.

Choose the script you want to associate in the control check

After you select the script, click Next to proceed further.

2. Control Information

Provide the following information needed to create the UDC:

  • Basic Information

    The statement you provide is like the control name that describes what it is and how it should be implemented in the environment. You need to decide which category and sub-category the control belongs to. This is important because users can search and filter controls by category, and they can also search by keywords in the statement. You can also select a relevant criticality and add comments, if any.

  • Scan Parameters

    The scan parameters are used to gather data needed for compliance evaluation at scan time. Make the following settings:

    Output Filter - The output filter is a regular expression (regex) value that filters the script result output received from CAR and returns the matching data as the actual value in the report.

    For example, if you have the following output that includes multiple states such as stopped, running, and so on:

    Stopped  AeLookupSvc        Application Experience
    Running  AppHostSvc         Application Host Helper Service
    Running  Appinfo            Application Information               
    Running  AppMgmt            Application Management                 

    To keep only the lines in the running state, use the regex pattern ?m^Running.*$ in the output filter. Each line of the output is treated as a separate value, so the filter is matched against each line and returns only the lines in the running state:

    Running  AppHostSvc         Application Host Helper Service
    Running  Appinfo            Application Information               
    Running  AppMgmt            Application Management

    Embed the flag expression ?m into your regex pattern to activate multi-line mode matching. For example, ?m^Running.*$

    Description - Describe your control here. The control description is displayed in compliance policies and reports. If you change the description at a later time, the description is updated for all controls that use the same set of parameters.

  • Evaluation Conditions

    The evaluation conditions you pick may apply to many technologies.

    Rationale - Enter a rationale statement describing how the control should be implemented for each technology. This value can have a maximum of 4000 characters.

    Cardinality - Select a cardinality for the control.

    A list of strings in the scan results (X) is compared to a list of strings defined for the control (Y). The control values include the default value (a string) and a cardinality. The possible cardinalities are described below.

    Cardinality        You are compliant when
    contains           X contains all of Y
    does not contain   X does not contain any of Y
    intersect          any string in X matches any string in Y
    matches            all strings in X match all strings in Y (listed in any order)
    is contained in    all strings in X are contained in Y

    Operator - The operator can be a regular expression list or a string list. The operator is used to compare the scan results to the default value.

    Default Evaluation Value - Enter the expected value for each technology as a list of regular expressions or strings. The list of values returned in the scan results is compared to the list of values defined for the control.

    Lock Cardinality, Lock Operator, Lock Default Value - You can lock the Cardinality, Operator or Default Value to prevent it from being changed by other users when you associate the UDC to a policy in the Policy Editor.

    Remediation - Add remediation steps for this check. This value can have a maximum of 4000 characters.

  • Report Options

    Your compliance reports and PA dashboard display the compliance status (Passed, Failed, or Error) for each control instance.

    The Error status is returned in cases where errors occurred during control evaluation. This means the control was not tested for compliance. If you do not want to see the Error status in your compliance reports, select the Ignore errors and set status to check box and set the status to Pass or Fail. This is reflected in your reports accordingly.

  • Technologies

    All the supported technologies are listed. Select the relevant one from the list.

  • Reference

    Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter http://www.qualys.com to link to the Qualys web site. Once added, users have the option to include references in policy reports.
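To try an Output Filter and the cardinality rules described above before saving the control, the following added example (not Qualys code) models both steps offline on the page's sample output. The function names are hypothetical, the multi-line flag is written as the inline group `(?m)` of standard regex syntax, and whole-value matching for a regular expression list is an assumption.

```python
import re

# Constructed sample: the service listing from the Output Filter example.
SAMPLE_OUTPUT = """\
Stopped  AeLookupSvc        Application Experience
Running  AppHostSvc         Application Host Helper Service
Running  Appinfo            Application Information
Running  AppMgmt            Application Management
"""


def apply_output_filter(output, pattern):
    """Return each regex match as a separate value (X); all lines if no filter."""
    if not pattern:
        return [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    # rstrip drops padding and a trailing \r from CRLF script output.
    return [m.group(0).rstrip() for m in re.finditer(pattern, output)]


def _hit(value, expected, use_regex):
    # Assumption: a regex entry must match the whole value; a string must equal it.
    return bool(re.fullmatch(expected, value)) if use_regex else value == expected


def evaluate(cardinality, actual, expected, use_regex=False):
    """Return True (Passed) or False (Failed) for scan values X and control values Y."""
    def x_in_y(x):
        return any(_hit(x, y, use_regex) for y in expected)
    def y_in_x(y):
        return any(_hit(x, y, use_regex) for x in actual)
    rules = {
        "contains": lambda: all(y_in_x(y) for y in expected),
        "does not contain": lambda: not any(y_in_x(y) for y in expected),
        "intersect": lambda: any(x_in_y(x) for x in actual),
        "matches": lambda: all(x_in_y(x) for x in actual)
        and all(y_in_x(y) for y in expected),
        "is contained in": lambda: all(x_in_y(x) for x in actual),
    }
    return rules[cardinality]()


if __name__ == "__main__":
    x = apply_output_filter(SAMPLE_OUTPUT, r"(?m)^Running.*$")
    print(x)
    print(evaluate("is contained in", x, [r"Running\s+App\w+\s.*"], use_regex=True))
```

Without a filter, the Stopped line stays in X, so a "does not contain" check against `Stopped\s.*` fails; with the filter it passes only because that line was removed before evaluation.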

You can click Add Control to include multiple controls in a single check.

After you provide the control information, click Next to proceed further.

3. Review and Confirm

Review all the control information you provided for the check to be created and click Submit to create the Windows script-based UDC.

After you submit the required information, the control is created and listed in the Controls tab. To create a report on policies with user-defined controls, associate the control with a policy. You can restrict the scan to a policy in the scan settings (option profile) and then view the scan report.
