

Policy Compliance
and Web Application
Introductions And Expectations
− Who am I?
− Who are YOU?
Experience with QualysGuard Products
− Expectations for Class:
To succeed in class, you must understand the basic
functions within QualysGuard, or have reviewed the
"Getting started with QualysGuard” online demonstration.
− Please turn your phones to vibrate
− Breaks are generally every hour
− Class usually ends early
Policy Compliance
− Policy Compliance and
Understanding the nuances
The Risk Factor
− Policy Development
within an organization
− QualysGuard Controls
and Policies
− Compliance Scanning
and Reporting
Web Application Scanning
− Some history
− The Basics of Web
Application Security
− The WAS lifecycle
Set Up
− Troubleshooting
Useful QIDs
Policy Compliance, in the formal sense, is
heavily dependent on your auditor and
the auditing practices of that auditor.
While QualysGuard cannot guarantee
compliance with a particular regulation, we
do assist in your compliance endeavor.
QualysGuard Policy Compliance
Differences between Vulnerability
Management and Policy Compliance
QualysGuard Training
QualysGuard Policy Compliance
Policy Compliance Mindset
No longer are we
just concerned about
“Discovery” on a Host
Now we are
concerned with an
overall Security
QualysGuard Policy Compliance
Vulnerability Mgmt vs Policy Compliance
Vulnerability Management
− Real time check of hosts
Patch levels
− Access to Raw Scan data
− Remediation tools
Policy Compliance
− Realtime configuration
− Raw Scan data is not
Has no meaning until
checked against a policy
QualysGuard gathers all
information about a host
− Use Exceptions to exempt
specific devices from
QualysGuard Policy Compliance
Compliance Workflow
QualysGuard Policy Compliance
Deployment Methodology
−Create Policy
−Assign Policy to Asset Groups
Define Asset Groups
Add Asset Groups to Policy
−Compliance Scan
− Define Options Profile
− Select Scanner Appliance
− Run Compliance Scan
−Compliance Policy Reports
Define Report Template
Run Report
−Create and Manage Exceptions
Run Interactive Report
Request Exception
Policy Development within an
QualysGuard Training
Compliance Process
a “Top-Down” Approach
Simple Compliance Framework
Procedures and Guidelines
Example: Vulnerable
Processes must be
CID [number unreadable]
The telnet
daemon shall
be disabled
AIX [version unreadable] Technology: Telnet
streams are transmitted in
clear text, including usernames
and passwords. The entire
session is susceptible to
interception by Threat Agents.
Frameworks you can use within QualysGuard
Frameworks in QualysGuard
CIS - Cisco IOS, 2.2
CIS - Cisco IOS, 2.4.0
CIS - Microsoft SQL Server 2000 1.0
CIS - Microsoft SQL Server 2005 1.1
CIS - Microsoft Windows 7
CIS - Oracle 11g 1.0
CIS - Oracle 9i, 10g v. 2.0
CIS - Red Hat Ent. Linux 2.1, 3.0, 4.0
CIS - Red Hat Ent. Linux 5 v. 1.0
CIS - Solaris 10,
CIS - Solaris 8, 9
CIS - SuSE Linux Enterprise Server 2.0,
CIS - SuSE Linux Enterprise Server 1.0
CIS - Windows 2000 Server Operating System Level 2
Benchmark Consensus Baseline Security Settings
(Stand-alone and Member Servers)
CIS - Windows 2003 2.0, [Member Server]
CIS - Windows 2003, 1.2 [Member Server]
CIS - Windows 2008, 1.0 [Member Server]
CIS - Windows Server 2003, 2.0 [Domain Controller]
CIS - Windows XP Professional Operating System
Legacy, Enterprise, and Specialized Security
Benchmark Consensus Baseline Security Settings
CobiT 4.0 Guidelines (10.2005)
CobiT 4.1 Guidelines (05/2007)
FFIEC version 1 Published: 2006
Health Insurance Portability and Accountability Act
[HIPAA] 1996 45 CFR Parts 160/164
ISO 17799 (2005) ISO/IEC 17799:2005
ISO 27001 (2005) ISO/IEC 17799:2005
IT Infrastructure Library (version 2)
IT Infrastructure Library (version 3)
NERC version 1 (CIP) Published: 2007 vol. 1
NERC version 2 (CIP) Critical Cyber Identification
NIST 800-53 version 1 Published: 2006
NIST 800-53 version 3 (2009) 3: 2009
Policy Creation Lifecycle
The Compliance “Project”
I. Planning the Policy Approach
Establish Cross-functional team
− Internal Auditors
− Business owners
− Technical teams
Establish naming conventions:
− Policies
− Comments
− User Defined Controls
Establish approach on technology versions
Establish phases of policy creation steps
Policy Creation Lifecycle
The Compliance “Project”
II. Creation Steps
1. Perform Gap Analysis
− Search controls or create Gap Sheet
2. Create / Import New Policy and add controls
3. Configure parameters of these controls
− May require a scan to be run to gather actual data
This data can aid in the parameter value
Policy Creation Lifecycle
The Compliance “Project”
4. Identify and create simple UDC controls that can be
completed quickly
− File/Registry key existence, permissions, simple file content
checks can be done quickly
− TIP: Create separate policy of UDCs for testing
5. Identify and create more complex UDC controls
− Will require Research and technical assistance
− May involve complex regular expressions to allow a range of values for example
6. Identify and create UDC controls that require custom
shell scripts on UNIX systems
III. Review and approval of final policy
Setting up QualysGuard
QualysGuard Training
QualysGuard Setup
Best Practices
1. Create Users
2. Add Domains and Hosts to subscription
3. Map the Network and Add any Additional Hosts
4. Create necessary Asset Groups
5. Create General Policy
6. Assign Policy to affected Hosts
7. Scan Hosts
8. Generate Policy Reports
9. Tweak Policy
10. Rerun Policy Reports
11. Request necessary exceptions
QualysGuard Setup
Creating Users
To enable Compliance for
any role other than
“Manager” and “Auditor”,
the Extended Permission
of “Manage Compliance”
must be checked
Types of Roles
Unit Manager
QualysGuard Setup
Compliance User Role - Auditor
− Limited Access to those areas of
QualysGuard which involve Policy
− Responsible for Exceptions
− Cannot be assigned to a BU
− Cannot run Compliance Scans
QualysGuard Setup
Adding Domains or Hosts
− Add Domains or IPs
This may have been
done with your TAM
QualysGuard Setup
Asset Discovery (Mapping)
• Gives a good
overall “picture” of
the network
QualysGuard Setup
Asset Discovery Map
QualysGuard Setup
Asset Discovery
− Mapping looks at the Domain or
− Scanning looks at the individual
hosts – narrow focus
− Know what assets are there to
provide proper protection
− Verify what is supposed to
be there via Approved Hosts
Mapping is the foundation for proper asset management
Shows an overall view of your corporate assets
QualysGuard Setup
Affected Hosts
− Must be in the QualysGuard subscription
They must also be included in the Policy Compliance module
− Policies need to be assigned to a Host or Asset Group
− Tip: start small – there can be performance impact when
doing compliance scans.
− Affected Hosts can be in an existing Asset Group, or on
their own
QualysGuard Setup
Creating Asset Groups
Asset Groups are “buckets” to hold devices
For Compliance, Qualys recommends setting up Asset Groups based on
the geographic location and need:
• One asset group for the HIPAA compliant Database Servers in the San Francisco office, and one
for the windows desktops
• HIPAA- San Francisco –DB
• HIPAA-San Francisco- Desktop
• Another set of asset groups for the office in Los Angeles
• HIPAA-LAX-Desktop
• HIPAA-LAX- Webservers
Control and Policy Setup
QualysGuard Training
Necessary parts of a policy
Policy must have associated
A policy contains a list of
In order to be useful, a policy
has to have the affected hosts
associated with it.
Set Technologies
Add Hosts
Add Controls
Parts of a policy
Technologies: What
are the technologies
we’ll be viewing for
Controls: What are the rules we want in
place to specify our posture?
Hosts: Which hosts will we check?
Policy Import/Export
Download a
(and share that
written policy)
policy from a
file or from
QualysGuard Policy Compliance
Controls Library
Edit and
view info
QualysGuard Policy Compliance
Compliance Categories, Frameworks and Technologies
Compliance Categories
Access Control
Database Settings
Integrity and Availability
OS Security Settings
Web Application Services
[Entire] Network Settings
QualysGuard Policy Compliance
Control Anatomy
Select Control to
view info
Select Control to
view info
Category and Sub Category
QualysGuard Policy Compliance
Control Cross Reference
Control Cross Reference to Internal Documentation
− Reference internal compliance documentation such as approved mitigation
QualysGuard Policy Compliance
Comments Section of a Control
Components of Controls
Cardinality of a control
X = Value Returned by the scan engine
Y = Represents the value expected by the control
Components of Controls
Control cardinality use:
QualysGuard Policy Compliance
Windows User Defined Controls
User Defined Controls
for Windows:
− Registry Key
− Registry Value
− Registry Value Content
− Registry ACL
− File Existence
− File Permissions
− File Integrity Check*
* Not enabled by default
QualysGuard Policy Compliance
UNIX User Defined Controls
User Defined Controls
for UNIX:
− File Content
− File Permissions
− File Existence
− File Integrity Check*
* Not enabled by default
QualysGuard Policy Compliance
User Defined Controls
User Defined Controls
− Add controls to QualysGuard that are tailored to existing policy
QualysGuard Policy Compliance
User Defined Controls
Why have them?
− Custom applications that require compliance audits
− Systems use filenames / locations other than default settings
− Determine if specific service packs are installed
What happens if I write a control that has already been
defined by Qualys?
− The system will present an error
How do we write them?
− Requires an understanding of the requirement and a technical
understanding of the system
Usually the auditor and the SysAdmin must be involved
Device Enumeration
QualysGuard Training
QualysGuard Policy Compliance
Compliance Scan Workflow
Host Discovery
• The service checks host availability. The service then checks whether the host is
connected to the Internet, whether it has been shut down and whether it forbids all
Internet connections.
OS Detection
• The service identifies the operating system installed on target hosts using the TCP/IP
stack fingerprinting or OS fingerprinting on redirected ports.
• Host authentication is required for a compliance scan. If authentication fails, the scan
processing stops.
Compliance Assessment
• The service scans for all technical controls and with information begins compliance
Requirements for Policy Compliance
QualysGuard must have administrative access to all
affected hosts
QualysGuard acts like an auditor
Hosts must be in the subscription and added to the
Policy Compliance module
A compliance scan pulls every bit of data it can
A Compliance report uses that data to measure your
compliance posture against a specific policy
So, what’s our real workflow?
− Create General
− Scan – Pull everything down specified in Control
− Report
− Create Policy/Add User Defined
− Scan again (which will include your new controls)
− Report
QualysGuard Policy Compliance
Scanning the Affected Hosts
• Narrow the focus to the affected hosts
• Make sure you have created your Compliance Option
• Not created by default
• Ensure Full Administrative (or Root) access to hosts
• If this access is not granted, the scan will fail for that host entirely
• Compliance scanning happens less frequently than
vulnerability management scanning – scheduling should
reflect this
• Data is NOT readable in raw scan format
Option Profile
An Option Profile specifically for Policy Compliance
needs to be created.
Option Profiles
File Integrity check
− If you are using UDCs for file integrity, you must check this
box in your option profile
Password Auditing Controls
− Dissolvable Agent – performs password auditing
− Up to 100 passwords to check
Windows Share Enumeration
− Also uses the Dissolvable Agent
Authentication - Vaults
In large organizations where thousands of machines are scanned
regularly for vulnerabilities, managing passwords is a challenge.
For example, if a password ages out and gets changed, then those
changes must be passed to QualysGuard so that its passwords remain
Some organizations are reluctant to let their credentials leave the
Based on feedback from customers, including a major international bank
that is our design partner for this integration, we partnered with Cyber-Ark
to build a solution to this problem and reduce the burden of
credential management for trusted scans.
Cyber-Ark Integration: benefits
Better manageability with Cyber-Ark integration
Increased security, control and audit of login credentials
Makes vulnerability trusted scans easier for better visibility
on the vulnerability, better prioritization of the remediation
Facilitates policy compliance scans
QualysGuard offers the best of both worlds to help
customers adopt security in the cloud
Cyber-Ark Integration: How it works
− User launches a trusted scan from the
Qualys SOC
− The Scanner Appliance (SA) gets the
credentials from the Cyber-Ark
Password Vault.
− The SA scans the target using the
credentials (Windows and Unix)
− Scan results are exported to the Qualys
− Audit/control/policy enforcement using
Cyber-Ark PIM suite features
BeyondTrust PowerBroker for Server, Version 6.0
− Similar to Sudo
− Executes “pbrun su –” on local target to escalate user to root shell
The following technology platforms have been verified:
− Red Hat Ent Linux v3, v4, and v5.x
− SUSE Linux Ent Server 9, 10, and 11
− HP-UX 11i v1, v2, and v3
− IBM AIX v5.x and 6.x
− SUN Solaris 8, 9, and 10
− VMware ESX 3.x and 4.x
− Mac OS X 10.x
Supports VM and PC Scanning
Authentication – PowerBroker
Authentication - PowerBroker
Enable in Unix
Authentication Record
− Root Delegation
Edit pb.conf locally
− Required: runuser = "root"
− Optional: if (user == "qualys" &&
basename(command) == "su"
&& argc == 2 && argv[1] == "-")
− Optional: iolog =
"/var/log/pb.iolog." + user + "." +
basename(command) + "." +
QualysGuard Training
Top Ten
Dashboard is a great
1. Double click
Failing Policies
2. Automatically
generate report
from the UI
3. See your top
failing Controls
QualysGuard Policy Compliance
Compliance Reports
– Authentication
Success/Fail report
– Full Policy Report that
includes all results,
exceptions and audit
– Interactive Control
Pass/Fail report
– Interactive Host
Compliance report
– Includes workflow for
creating exceptions
Proof of pass/fail for
this control on this
QualysGuard Policy Compliance
The Report Summary
• Pass/Fail Summary shows passed and failed
control instances
• Pass/Fail and Exceptions Summary shows passed and failed
control instances with pending exceptions and passed with
exception status.
Best Practice: If the Passed with exception value remains constant, you may need
to revisit the compliance policy or review the asset group.
QualysGuard Policy Compliance
Policy Report
includes compliance
status with a specific
The report lists the
hosts assigned to the
policy with the
controls tested.
Results are shown
as a passed/failed
QualysGuard Policy Compliance
Authentication Reports
Review the Authentication
report to confirm necessary
administrator access
QualysGuard Policy Compliance
Interactive Reports
QualysGuard Policy Compliance
Creating Exceptions
Exceptions can only be created
via the Interactive Reports in
QualysGuard Policy Compliance
Creating Exceptions
Make sure the Control Pass/Fail has “Both” or “Failed” chosen:
QualysGuard Policy Compliance
Creating Exceptions
Request the exception
QualysGuard Policy Compliance
Exception UI
− Exceptions are created through the interactive report
− Auditor will click on “Edit” to open the ticket
QualysGuard Policy Compliance
Managing Exceptions
Regardless of
action, comments are
Set a time limit
on an exception
QualysGuard Policy Compliance
Exceptions Approved
Note the “E” above the “passed” Posture
QualysGuard Policy Compliance
Examples of Exceptions:
Requirement: “ftp, or any form thereof should not be
enabled on any external facing device”
Reality: the support team must have ftp enabled to allow customers
to send files larger than 5MB when their email will not allow such
Requirement: “all workstations must have the latest
service pack installed”
Reality: you are in the midst of an upgrade and it will take 30 days to
have all systems tested and updated
QualysGuard Policy Compliance
Exceptions – the reality
− Unlike VM, where *most* vulnerabilities and remediation
tickets can be fixed with a patch, exception tickets present
a different use case:
Changing the corporate stance on password length
Allowing FTP on certain machines but not others
− “what to do” with an exception has been one of the biggest
questions seen from customers thus far.
Can I modify a control? (no)
Can I delete a control? (yes- but there may be consequences)
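An added illustration, not Qualys code, of how the UNIX User Defined Control types listed earlier (File Content with a regular expression allowing a range of values, File Permissions, File Existence) compare the value X returned by a scan against the value Y expected by the control, using the page's "telnet daemon shall be disabled" requirement as one control and an approved exception that turns its failure into the "E" passed-with-exception posture. The Control class, the UDC-n identifiers and the sample files under a temporary directory are constructed for this example.

```python
import os, re, stat, tempfile
from dataclasses import dataclass

@dataclass
class Control:
    cid: str                 # constructed control id, not a Qualys CID
    kind: str                # "exists", "perms" or "content" (the UNIX UDC types)
    path: str
    expected: object         # exists -> bool, perms -> max allowed mode, content -> regex
    must_match: bool = True  # content only: regex must be found (True) or absent (False)

def evaluate(control, root):
    """Compare X (value returned by the scan) with Y (value expected by the control)."""
    full = os.path.join(root, control.path.lstrip("/"))
    if control.kind == "exists":
        return "Passed" if os.path.exists(full) == control.expected else "Failed"
    if not os.path.exists(full):
        return "Failed"          # no value X to compare: report a failure, never a pass
    if control.kind == "perms":
        mode = stat.S_IMODE(os.stat(full).st_mode)
        return "Passed" if mode & ~control.expected == 0 else "Failed"  # no extra bits
    if control.kind == "content":
        with open(full) as fh:
            found = re.search(control.expected, fh.read(), re.MULTILINE) is not None
        return "Passed" if found == control.must_match else "Failed"
    raise ValueError(control.kind)

def posture(controls, root, approved_exceptions):
    # A failed control with an approved exception reports as "Passed (E)"
    results = {}
    for c in controls:
        status = evaluate(c, root)
        if status == "Failed" and c.cid in approved_exceptions:
            status = "Passed (E)"
        results[c.cid] = status
    return results

def demo():
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc"); os.makedirs(etc)
    # Constructed sample host: telnet still enabled in inetd.conf, 10-char minimum password
    with open(os.path.join(etc, "inetd.conf"), "w") as fh:
        fh.write("#ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
                 "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n")
    with open(os.path.join(etc, "login.defs"), "w") as fh:
        fh.write("PASS_MAX_DAYS 90\nPASS_MIN_LEN 10\n")
    os.chmod(os.path.join(etc, "login.defs"), 0o644)
    controls = [
        Control("UDC-1", "content", "/etc/inetd.conf", r"^\s*telnet\s", must_match=False),
        Control("UDC-2", "content", "/etc/login.defs", r"^PASS_MIN_LEN\s+(8|9|1[0-9])$"),
        Control("UDC-3", "perms", "/etc/login.defs", 0o644),
        Control("UDC-4", "exists", "/etc/shadow", True),
    ]
    return posture(controls, root, approved_exceptions={"UDC-1"})
```

UDC-2 shows the "range of values" regular expression from the policy creation steps: any minimum length from 8 to 19 passes, so the control does not have to be rewritten per host.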
Policy Compliance Labs