Create a policy to check compliance of your systems against the policy and the controls it contains.
Go to PC > Policies and choose New > Policy. You'll have these options: 1) start with an empty policy and build it from scratch, 2) create a policy based on scan data from an existing host, 3) import a policy from our Library or 4) import a policy from an XML file. We'll walk you through the steps.
Go to SCA > Policies and choose New > Import CIS Policy. We'll walk you through the steps. Keep in mind SCA lets you import and edit CIS policies only, custom policies are not supported.
You'll need to tell us the hosts that you want to test for compliance with each policy. You can do this by adding asset groups to the policy (all hosts in the specified asset group are included) or by adding asset tags in the include list (hosts that match any or all of the specified tags are included). You can also specify the asset tags that you want to exclude. Hosts having all or any of the tags in the exclude list are excluded from policy compliance assessment. Do you have PC Agent? You'll also see the option to include all hosts in your PC Agent license.
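To make the include/exclude semantics concrete, here is an added example (not Qualys code) that models how a policy's host scope is resolved from asset groups plus include and exclude tag lists with "any" or "all" matching. The host records, the group names and the rule that the exclude list takes precedence over the include list are assumptions made for this example; the tag-matching rules follow the text above.

```python
"""Added example (not Qualys code): resolve a policy's host scope from
asset groups plus include/exclude tag lists, as described in the text.
Host inventory, group names and exclude-over-include precedence are
assumptions for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    tags: frozenset    # asset tags applied to the host
    groups: frozenset  # asset groups the host belongs to


def tags_match(host_tags, wanted, mode):
    """True when host_tags satisfies the tag list under mode 'any' or 'all'.
    An empty tag list never matches, so an empty include/exclude list is inert."""
    if not wanted:
        return False
    if mode == "any":
        return bool(host_tags & wanted)
    if mode == "all":
        return wanted <= host_tags
    raise ValueError(f"unknown match mode: {mode}")


def resolve_policy_scope(hosts, asset_groups=(), include_tags=(), include_mode="any",
                         exclude_tags=(), exclude_mode="any"):
    """Return the sorted IPs that the policy will assess.

    A host is a candidate if it is in any listed asset group OR matches the
    include tag list; it is then dropped if it matches the exclude tag list
    (assumption: exclusion wins over inclusion)."""
    asset_groups = frozenset(asset_groups)
    include_tags = frozenset(include_tags)
    exclude_tags = frozenset(exclude_tags)
    selected = []
    for h in hosts:
        in_group = bool(h.groups & asset_groups)
        in_tags = tags_match(h.tags, include_tags, include_mode)
        if not (in_group or in_tags):
            continue
        if tags_match(h.tags, exclude_tags, exclude_mode):
            continue
        selected.append(h.ip)
    return sorted(selected)


# Constructed sample inventory (not real data)
SAMPLE_HOSTS = [
    Host("10.0.0.1", frozenset({"windows", "prod"}), frozenset({"DC Servers"})),
    Host("10.0.0.2", frozenset({"windows", "dev"}), frozenset()),
    Host("10.0.0.3", frozenset({"linux", "prod"}), frozenset({"Web Servers"})),
    Host("10.0.0.4", frozenset({"linux", "prod", "decommissioned"}), frozenset({"Web Servers"})),
]


def demo():
    """Asset group 'DC Servers' plus hosts tagged BOTH linux and prod,
    minus anything tagged decommissioned."""
    return resolve_policy_scope(
        SAMPLE_HOSTS,
        asset_groups={"DC Servers"},
        include_tags={"linux", "prod"}, include_mode="all",
        exclude_tags={"decommissioned"}, exclude_mode="any",
    )


if __name__ == "__main__":
    print(demo())  # ['10.0.0.1', '10.0.0.3']
```

Switching `include_mode` to "any" on the same call would also pull in 10.0.0.2? No: it carries neither `linux` nor `prod`, which is exactly the kind of check worth running against a model before trusting a tag scope that drives a compliance report.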
Controls are the building blocks of a compliance policy. Each control pertains to one or more operating systems and/or applications, referred to as technologies.
Using the policy editor, drill down into a policy section, then double-click any control (or click Edit) to see its details. From there you can change the control value for any technology, add or remove technologies for the control, add an external reference number, and edit the remediation value.
Yes. Drill down into control details and you'll see the Remediation text field as part of the control settings. Initially, you'll see remediation values defined by the service for Service-Defined Controls (SDCs) and remediation values defined by users for User-Defined Controls (UDCs). The remediation value can be changed in the policy by simply typing in the text field (up to 4000 characters). Note that each control technology can have its own remediation value, since the remediation steps may vary by technology.
In the control details you have the option to run a quick test to see whether the control will pass or fail for a scanned host in your account. Click the Test Control button, enter an IP address and click Evaluate. You'll see evaluation data based on the last scan of the host and the actual value on the host is returned. This allows you to modify the control value if needed before saving the policy.
Control values may include fixed value check boxes, integers, regular expressions/strings, Windows permissions, Unix permissions, and special compliance check status codes. (A compliance check is also referred to as a data point.) The control definitions determine the types of control values and how they appear in your controls.
There are several dates that appear in policies and policy compliance reports, including the last evaluated date for the policy, the last scan date for the host, the last evaluation date for the control and the actual last updated date for the control value. To learn more about these dates and when they're updated, see Policy and Control Evaluation and Updated Dates.
Drill down into a section from the home page, and click the Add Controls button to search for and add controls to the section. Note that you can only select controls that have not already been added to the policy, and the controls must be applicable to the global technologies list set for the policy.
Save time by copying controls and their settings from another policy. Just drill down to a section of your policy, click Copy Controls, and select the policy you want to copy controls from. Then pick the controls you're interested in. We'll add the controls and copy their settings, including control value, cardinality/operator settings and remediation.
A few notes:
- When you copy a File Integrity or Directory Integrity control from another policy, we will not copy the actual hash value for the control. Instead you will see the control value as AUTO_UPDATED.
- You cannot copy deprecated controls.
When you add a new technology to your policy, you can choose the "Copy Control Settings" option to copy settings from another technology in the same policy, another policy in your account or a policy in the Library. For example, let's say you're adding Windows 10 to your policy and you choose to copy settings from another technology like Windows 8. We will apply settings from all applicable Windows 8 controls to Windows 10 controls. Control settings include the control value, cardinality/operator settings and remediation.
Drill down into the control details for any control in your policy and pick a technology on the left side to see the control settings for that technology. Then click the "Copy to Other Technologies" button to copy the settings from the selected technology to all other technologies listed in the policy for the same control.
Note that if the control criteria differ between the technology you've selected and another technology for the control (e.g. different cardinality, operator or fixed value options), then only the remediation value is copied to that technology. Other control settings are not copied in this case. You'll get a message on the screen that tells you which technologies could not get all control settings.
Example when settings cannot be copied
In the following example, I chose to copy control settings from Windows 10 to all other technologies for CID 1092. You’ll notice that Windows 10 has these 4 check boxes selected:
- Disabled (0)
- Enabled (1)
- Attribute not found
- Unable to retrieve password policy
In this case, all control settings were copied to all other technologies except Windows 2000 Active Directory and Windows 2008 Active Directory, which received only the remediation value. The other control settings were not copied because the control criteria differ: the Windows 2000 Active Directory and Windows 2008 Active Directory technologies only have 3 of the check boxes available:
- Disabled (0)
- Enabled (1)
- Attribute not found
The check box “Unable to retrieve password policy” is not listed. Since “Unable to retrieve password policy” is selected for Windows 10 but cannot be selected for the Active Directory technologies, we could not copy the settings to those technologies. Only remediation was copied for them. When this happens, you’ll see a message like the one below.
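The rule behind this walkthrough (full copy when the criteria match, remediation only when they do not, plus a list of technologies for the on-screen message) is small enough to model. The following is an added example, not Qualys code: the control record structure, the cardinality/operator values and the "Windows 8" entry are constructed, while CID 1092, the four check boxes and the two Active Directory technologies come from the example above.

```python
"""Added example (not Qualys code): model of the "Copy to Other Technologies"
rule. Criteria are compared as a whole (cardinality, operator, available
fixed-value options); when they differ only remediation is copied.
Record layout, cardinality/operator values and the Windows 8 entry are
constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criteria:
    cardinality: str
    operator: str
    options: frozenset   # fixed-value check boxes this technology offers


@dataclass
class TechSettings:
    criteria: Criteria
    selected: frozenset  # check boxes currently selected for this technology
    remediation: str


def copy_to_other_technologies(control, source_tech):
    """Copy settings from source_tech to every other technology of the control.

    Full copy (selected check boxes + remediation) only when the criteria are
    identical; otherwise only remediation is copied. Returns the technologies
    that received a partial copy, i.e. what the on-screen message should list."""
    src = control[source_tech]
    partial = []
    for tech, tgt in control.items():
        if tech == source_tech:
            continue
        tgt.remediation = src.remediation          # always copied
        if tgt.criteria == src.criteria:
            tgt.selected = src.selected            # copied only on matching criteria
        else:
            partial.append(tech)
    return partial


# Check boxes from the CID 1092 walkthrough; AD technologies lack the fourth one
FULL = frozenset({"Disabled (0)", "Enabled (1)", "Attribute not found",
                  "Unable to retrieve password policy"})
AD_ONLY = FULL - {"Unable to retrieve password policy"}


def build_cid_1092():
    """Constructed control record; cardinality/operator values are assumptions."""
    win = Criteria("single", "equals", FULL)
    ad = Criteria("single", "equals", AD_ONLY)
    return {
        "Windows 10": TechSettings(win, FULL, "Set the password policy per the hardening baseline"),
        "Windows 8": TechSettings(win, frozenset({"Enabled (1)"}), ""),          # constructed
        "Windows 2000 Active Directory": TechSettings(ad, frozenset({"Enabled (1)"}), ""),
        "Windows 2008 Active Directory": TechSettings(ad, frozenset({"Enabled (1)"}), ""),
    }


def demo():
    control = build_cid_1092()
    partial = copy_to_other_technologies(control, "Windows 10")
    return control, partial


if __name__ == "__main__":
    control, partial = demo()
    print("Only remediation copied for:", ", ".join(partial))
    for tech, settings in control.items():
        print(f"{tech}: {sorted(settings.selected)}")
```

Running it shows Windows 8 picking up all four check boxes while the two Active Directory entries keep their original selection and gain only the remediation text, which is the outcome the walkthrough describes. Comparing whole criteria rather than just checking whether the selected options exist on the target is a deliberate choice here: it matches the text's "e.g. different cardinality, operator or fixed value options" wording.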
You can add a reference to any control by either clicking the Add Ref # link from the list of controls or clicking Edit next to Reference # in the Control Details. The text you enter will appear in your policy reports under Control References. Note that Managers and Auditors can still add references (documents, URLs and text) by editing a control from the controls data list (go to PC > Policies > Controls).
From the controls list, you can reorder controls using either of these methods:
- Click the Reorder button and then type over any control number. This is an easy way to move controls from one section to another; for example, change control 2.1 to 1.1 to move it from section 2 to section 1.
- Drag and drop a control to a new position in the list. Click the far left edge of the control row to move it.
You'll see the locked control icon for controls that are locked by our service. Locked controls cannot be edited within a policy.