The Windows script-based user-defined controls (UDCs) in Qualys PC let you evaluate script-based UDC data on the Windows platform, enabling you to leverage the power of the Policy Compliance-CAR integration. Configure a Windows Script Result Check UDC to execute custom scripts on Custom Assessment and Remediation (CAR) and create the corresponding compliance reports.
To evaluate the script-based UDC data on the Windows platform, create the relevant user-defined controls in Qualys PC.
Notes:
- Evaluation of the Script Result Check type UDCs in a policy depends only on the assets and the execution schedule defined for the associated script in Qualys CAR.
- The script result UDC is not evaluated when a script result is processed. Instead, it is evaluated during the next agent scan (PC/UDC/Middleware).
Before you create a Windows script-based UDC, ensure that:
- Qualys CAR is enabled for your subscription and you have a few scripts created and approved in CAR.
- A PC-enabled agent is included in your subscription.
- The new PC dashboard is available and the Enable Script Execution UDC option is enabled for your subscription.
PowerShell, Python
Pre-requisites for Python
- Python installation using setup: Python should be installed for all users on the client machine. The install location must be added to the SYSTEM PATH variable.
- Python installation using portable zip: If a portable (zip) installation of Python is used, the path of the directory containing python.exe should be added to the SYSTEM PATH variable.
Cloud Agent 4.6.1.6 or later
You can create a Windows script-based check with the following steps:
Click Select Script to choose the script based on which the UDC should be implemented.
Only scripts that are approved from Qualys CAR for Windows are listed.
Select the required script from the Select Script pop-up window and click Apply. You can also filter scripts using the search tokens available in the search bar.
After you select the script, click Next to proceed further.
Provide the following information needed to create the UDC:
Basic Information
The statement you provide acts as the control name: it describes what the control is and how it should be implemented in the environment. You'll also need to decide which category and sub-category the control belongs to. This is important because users can search and filter controls by category, and they can also search by keywords in the statement. You can also select a relevant criticality and add comments, if any.
Scan Parameters
The scan parameters are used to gather data needed for compliance evaluation at scan time. Make the following settings:
Output Filter - The output filter is a regular expression (regex) value that filters the script result output received from CAR and returns the matching data as the actual value in the report.
For example, if you have the following output that includes multiple states such as stopped, running, and so on:
Stopped AeLookupSvc Application Experience
Running AppHostSvc Application Host Helper Service
Running Appinfo Application Information
Running AppMgmt Application Management
To keep only the entries in the running state, you can use the regex pattern ?m^Running.*$ in the output filter. Each line of the output is treated as a separate value and is matched against the filter, so the filtered output contains only the running state values:
Running AppHostSvc Application Host Helper Service
Running Appinfo Application Information
Running AppMgmt Application Management
Note: Embed the flag expression ?m into your regex pattern to activate multi-line mode matching. For example, ?m^Running.*$
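The effect of multi-line mode on the sample output above, as an added Python example (not Qualys code). It assumes Python's `re` engine, where the inline multi-line flag is written `(?m)`; the helper name `apply_output_filter` and the CRLF line endings in the sample are also assumptions.

```python
import re

# Constructed sample of script output, with the CRLF line endings that a
# script running on Windows would typically emit.
SAMPLE_OUTPUT = (
    "Stopped AeLookupSvc Application Experience\r\n"
    "Running AppHostSvc Application Host Helper Service\r\n"
    "Running Appinfo Application Information\r\n"
    "Running AppMgmt Application Management\r\n"
)


def apply_output_filter(pattern, output):
    """Return every match of `pattern` in `output` as a separate value.

    Hypothetical helper: it reproduces the behaviour described above with
    Python's regex engine, not the engine Qualys itself runs.
    """
    # In Python "." also matches "\r", so drop the carriage return that a
    # CRLF line ending leaves at the end of each matched line.
    return [m.group(0).rstrip("\r") for m in re.finditer(pattern, output)]


# Multi-line mode: "^" and "$" anchor at every line, giving one value per line.
running = apply_output_filter(r"(?m)^Running.*$", SAMPLE_OUTPUT)

# Without the flag, "^" anchors only at the start of the whole output, which
# begins with "Stopped", so the filter returns nothing.
no_flag = apply_output_filter(r"^Running.*$", SAMPLE_OUTPUT)

if __name__ == "__main__":
    for value in running:
        print(value)
    print("values without the multi-line flag:", len(no_flag))
```

Without the flag the filter returns no data at all, so it is worth testing a filter against real script output before relying on the control.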
Description - Describe your control here. The control description is displayed in compliance policies and reports. If you change the description at a later time, the description is updated for all controls that use the same set of parameters.
Evaluation Conditions
The evaluation conditions you pick may apply to many technologies.
Rationale - Enter a rationale statement describing how the control should be implemented for each technology. This value can have a maximum of 4000 characters.
Cardinality - Select a cardinality for the control.
A list of strings in the scan results (X) is compared to a list of strings defined for the control (Y). The control values include the default value (a string) and a cardinality. The possible cardinalities are described below.

| Cardinality | You are compliant when |
| --- | --- |
| contains | X contains all of Y |
| does not contain | X does not contain any of Y |
| intersect | any string in X matches any string in Y |
| matches | all strings in X match all strings in Y (listed in any order) |
| is contained in | all strings in X are contained in Y |
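
The five cardinality rules above, written out as an added Python example (not Qualys code). The names `evaluate` and `_hit`, the choice that a regular expression must match the whole scan value, and the sample service names are assumptions made for illustration.

```python
import re

# Constructed scan result X: names of the running services on one asset.
X = ["AppHostSvc", "Appinfo", "AppMgmt"]


def _hit(x, y, regex):
    # Assumption: a "regular expression list" entry must match the whole
    # scan value; a "string list" entry must equal it exactly.
    return re.fullmatch(y, x) is not None if regex else x == y


def evaluate(cardinality, scan_values, control_values, regex=False):
    """Return True (compliant) for scan values X against control values Y."""
    xs, ys = list(scan_values), list(control_values)
    # For each Y entry: does some X entry satisfy it? Then the reverse.
    y_found = [any(_hit(x, y, regex) for x in xs) for y in ys]
    x_found = [any(_hit(x, y, regex) for y in ys) for x in xs]
    rules = {
        "contains": all(y_found),                   # X contains all of Y
        "does not contain": not any(y_found),       # X contains none of Y
        "intersect": any(x_found),                  # some X matches some Y
        "matches": all(x_found) and all(y_found),   # same members, any order
        "is contained in": all(x_found),            # every X is in Y
    }
    return rules[cardinality]


if __name__ == "__main__":
    checks = [
        ("contains", ["Appinfo", "AppMgmt"], False),
        ("does not contain", ["AeLookupSvc"], False),
        ("intersect", ["Spooler", "AppMgmt"], False),
        ("matches", ["AppMgmt", "Appinfo", "AppHostSvc"], False),
        ("matches", ["Appinfo", "AppMgmt"], False),   # AppHostSvc is extra
        ("is contained in", [r"App.*"], True),        # regular expression list
    ]
    for cardinality, y, regex in checks:
        status = "Pass" if evaluate(cardinality, X, y, regex) else "Fail"
        print(f"{cardinality:17} Y={y} -> {status}")
```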
Operator - The operator can be a "regular expression list" or a "string list". We'll use the operator to compare the scan results to the default value.
Default Evaluation Value - Enter the expected value for each technology as a list of regular expressions or strings. The list of values returned in the scan results will be compared to the list of values defined for the control.
Lock Cardinality, Lock Operator, Lock Default Value - You can lock the Cardinality, Operator or Default Value to prevent it from being changed by other users when you associate the UDC with a policy in the Policy Editor.
Remediation - Add remediation steps for this check. This value can have a maximum of 4000 characters.
We'll report the compliance posture status (Pass, Fail or Error) for each control instance in your compliance reports and on your PC dashboard.
The Error status is returned in cases where errors occurred during control evaluation. This means the control was not tested for compliance. If you do not want to see the Error status in your compliance reports, then select the Ignore errors and set status to check box and set their status to Pass or Fail. This reflects in your reports accordingly.
All the supported technologies are listed. Select the relevant one from the list.
Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter http://www.qualys.com to link to the Qualys web site. Once references are added, users have the option to include them in policy reports.
Note: You can click Add Control to include multiple controls in a single check.
After you provide the control information, click Next to proceed further.
Review all the control information you provided for the check to be created and click Submit to create the Windows script-based UDC.
After you submit the required information, the control is created and listed in the Controls tab. To create a report on policies with user-defined controls, associate the control with a policy. You can restrict the scan to a policy in the scan settings (option profile) and then view the scan report.