Pol Labs v34


Policy Compliance

Training Labs
Table of Contents
Introduction ...................................................................................................................................... 4
Prerequisites/System Requirements .................................................................................................. 4
LAB 1: Account Setup (20 min.) .................................................................................................. 5
Login to Qualys ............................................................................................................................................ 5
Update User Profile ................................................................................................................................... 9
General Information ................................................................................................................................................. 9
User Role ..................................................................................................................................................................... 10
Notification Options ............................................................................................................................................... 10
Security ........................................................................................................................................................................ 11
Account Settings ....................................................................................................................................... 12
The Auditor Role ...................................................................................................................................... 14
Create Auditor Account ........................................................................................................................................ 14
Add Host Assets to your Subscription ............................................................................................... 17
Policy Scope and Asset Groups ............................................................................................................ 19
Create Windows Compliance Asset Group ................................................................................................... 19
Create Unix Compliance Asset Group ................................................................................................................ 20
Asset Tags ................................................................................................................................................... 22
LAB 2: Create User Defined Controls (30 min.) .................................................................. 23
UDC #1 - File Content Check ................................................................................................................. 23
UDC #2 - File Integrity Check ............................................................................................................... 25
UDC #3 - Registry Value Content Check ............................................................................................ 27
UDC #4 - WMI Query Check ................................................................................................................... 29
LAB 3: Compliance Scanning (20 min.) .................................................................................. 31
Authentication Records ......................................................................................................................... 31
Create Unix Authentication Record .................................................................................................................... 31
Create Windows Authentication Record .......................................................................................................... 33
Create Custom Compliance Profile ..................................................................................................... 35
Launch Compliance Scans ..................................................................................................................... 38
Unix Compliance Scan ........................................................................................................................................... 38
Windows Compliance Scan ................................................................................................................................. 39
LAB 4: Create Policy (30 min.) .................................................................................................. 41
Import Policy from Library ................................................................................................................... 41
Define Policy Scope ................................................................................................................................................ 42
Create Policy from Scratch .................................................................................................................... 44
Add Technologies to Policy ................................................................................................................................. 44
Define Policy Scope ................................................................................................................................................ 45
Add CID 5241 to Policy ......................................................................................................................................... 46
Add CID 8375 to Policy ......................................................................................................................................... 50
UDC #1: File Content Check ................................................................................................................................ 52
LAB 5: Compliance Reports (30 min.) .................................................................................... 54
Authentication Report ............................................................................................................................ 54
Policy Report Template ......................................................................................................................... 56
Create Policy Report ............................................................................................................................... 57
Interactive Report ................................................................................................................................... 59
Requesting Exceptions .......................................................................................................................................... 59
Working with Exceptions .................................................................................................................................... 62


Additional Exercises .................................................................................................................... 64
Compliance Scorecard Report ............................................................................................................. 64
LAB 6: Security Assessment Questionnaire ......................................................................... 66
SAQ User Roles and Participants ........................................................................................................ 66
Create Recipient ...................................................................................................................................................... 66
Create Reviewer ...................................................................................................................................................... 67
Create Approver ...................................................................................................................................................... 68
Create a Campaign ................................................................................................................................... 69
Answer Questions .................................................................................................................................... 74
Monitor Campaign Progress ............................................................................................................................... 75


Introduction
Qualys Policy Compliance (PC) is a cloud service that performs automated security configuration
assessments on IT systems throughout your network. It helps you to reduce risk and continuously
comply with policies and regulations.

Exercises in this lab will be performed using the Policy Compliance application. Policy Compliance is just one of the many applications and services available within the Qualys Cloud Platform.

Prerequisites/System Requirements
To perform the exercises in this lab, you will need:
1. Qualys Account
2. Web Browser:
a. Internet Explorer
b. Firefox (latest version)
c. Chrome (latest version)
d. Safari (latest version)
3. Java Browser Plug-in
4. Adobe Acrobat Reader or comparable

Tip: Your browser’s Pop-up Blocking configuration can interfere with the proper functioning of the
Qualys User Interface. Please modify the settings of your Web browser to:
1. Allow all pop-ups, or
2. allow pop-ups from qualys.com (more secure)


LAB 1: Account Setup (20 min.)
The exercise steps that follow will help you activate your student trial account, and configure the
Policy Compliance application.

Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated and sent to
your email inbox within 2 business days (please enroll with your business or company email
address; public email accounts are not supported).
Student account credentials for Instructor-Led training classes are provided by the Qualys class
instructor.
Your student account is active for 30 days. Please contact training@qualys.com with account
credential issues or questions.

1. Open your Qualys student trial account message/document.


2. Record the USERNAME from this document and save it in a secure place.
**The period at the end of the sentence is NOT a part of the USERNAME.
3. Click the ONE-TIME link to view the password page. The “one time” link is designed to
prevent others from viewing your password information; it will not work a second time.


For security, the Login username on this page appears partially obfuscated with ******.
4. Record the PASSWORD from this document and save it in a secure place.

5. Use the link provided to login and activate your Qualys student trial account.

NOTE: All the student accounts are located on the following Qualys Cloud Platform. It is
recommended to bookmark the following URL in your web browser for the ease of access.
USPOD 3 - https://qualysguard.qg3.apps.qualys.com/

6. Scroll down, and select the check box to accept the “Service User Agreement” and click the
“I Agree” button.

7. Enter your current password, and then choose a new password (please record your new
password).

8. Click the “Save” button, followed by the “Close” button.


9. Log back in to your student account using your new credentials.
The New Data Security Model (NDSM) combines high performance disk encryption with
Virtual Private Database (VPD) technology to provide enhanced security as well as advanced
productivity and detection features.

10. Click the “Enable Now” button.


Update User Profile
The steps that follow will help to personalize your student user account, and make other adjustments
that will provide a more effective training environment.


1. Click on your User ID (located between “Help” and “Logout”) and select the “User Profile”
option.

General Information
Please make any necessary adjustments to the “General Information” section of your user profile.


2. Update the “E-mail Address” field with your current e-mail address (notifications and
password reset information will be sent to the address you provide).


User Role
Different Qualys user accounts take on different user roles.


3. Click “User Role” in the navigation pane (left), and make note that your student account
“User Role” is: Manager, and you can access your account using the Graphical User Interface
(GUI) or the Application Program Interface (API).

Notification Options
All notifications will be sent to the e-mail address specified in the “General Information” section.


4. Click “Options” in the navigation pane (left) and make the appropriate selections for the
type of notifications you would like to receive.


Security
Individual security settings can be configured for two-factor authentication, and Security Questions
are provided to facilitate any attempt to reset a user password.


5. Click “Security” in the navigation pane (left), and take a moment to complete the Security
Questions.
6. Click the “Save” button.


Completing these Security Questions is a requirement for using the “Forgot Password” link found
on the Qualys Login page.



Account Settings
Changes made to account settings will affect all user accounts in your Qualys subscription.

1. Click on your User ID (located between “Help” and “Logout”) and select the “Account
Settings” option.


2. Click the “Security” setup option.
3. Scroll down to the “New Data Security Model” section.

4. Just below the NDSM settings, ensure this feature has been enabled (as depicted above).



5. If the NDSM has not yet been enabled, select the check box to “accept the new
data security model” (as depicted below).

6. Increase your Session Timeout value to the maximum (240 min.) to help you to maintain an
ACTIVE session throughout the entire training class.
7. Click the “Save” button, followed by the “Close” button.



The Auditor Role
The role of Auditor was created primarily to handle exceptions requested for failing hosts. To
properly fulfill this role, an auditor should be familiar with your organization's security policies and
governing regulations, as well as with security frameworks.
In addition to handling exceptions, auditors can:
• Create and edit policies
• Generate reports
• Add new controls to the Control Library

Additional Auditor Characteristics:


• Auditors cannot be added to a Business Unit.
• Auditors cannot run compliance scans.
• Auditors have access to all hosts in your Policy Compliance subscription (and cannot be
restricted to a single Asset Group).
• Auditors only have visibility into compliance data (not vulnerability data).

Create Auditor Account


Use the following steps to create an Auditor account:

1. Navigate to A) the “Users” section, and click B) the “Users” tab.


2. Click the “New” button and select C) the “User” option.



3. Fill out all of the required “General Information” fields (marked with an asterisk).
In the “Email Address” field, use an email address you can access from where you are seated.
The registration email will be sent to that account.

4. Click “User Role” in the navigation pane.


5. Click the “User Role” drop down menu and select “Auditor”.
Other user roles cannot be changed to the role of Auditor. Clicking the “Save” button, while
another role is selected (other than Auditor), will prevent you from changing the role to
“Auditor.”
6. Click the “Save” button.



An e-mail confirmation will be sent to the e-mail address specified in the Auditor account’s General
Information section.

You do not have to activate the Auditor account now and may wait until the reporting lab to do so.



Add Host Assets to your Subscription
Manager users are responsible for adding host assets to the Policy Compliance application.
**Important Notice about your student account**
With your demo account, you have permission to scan the target IP addresses provided by
Qualys. You do not have permission to scan any other IP address or web application using
this account.
Best Practice - Before scanning, always get approval to scan IP addresses and/or web
applications. It is your responsibility to obtain this approval.

1. Make sure you are in the Policy Compliance application.



2. Navigate to A) the “Assets” section, and click B) the “Host Assets” tab.

3. Click the “New” button and select C) “IP Tracked Hosts...”


General license information for your VM and PC subscriptions is displayed.



4. In the left navigation pane, click “Host IPs”.

5. Type the IP address range 64.41.200.243-64.41.200.250 into the IPs field.


Please use a text editor to review and clean your input, if using Copy & Paste.
6. Select the “Add to VM Module” checkbox.
This will make the same IPs available for vulnerability scanning.
7. Click the “Add” button, followed by the “Apply” button.



Policy Scope and Asset Groups
Each policy you create must identify the hosts it will audit (the policy scope). Asset Groups and Asset
Tags are the tools used for identifying which assets are impacted by each policy you create.
In this section, you will create two Asset Groups that will be used to define the scope for policies you
will create later.

Create Windows Compliance Asset Group


This first Asset Group will only contain Windows-based hosts.


1. Navigate to A) the “Assets” section, and click B) the “Asset Groups” tab.
2. Click the “New” button and select C) the “Asset Group…” option.
3. Give your Asset Group the title, “Windows Compliance AG”.


4. Click “IPs” in the navigation pane and then click the “Select IPs/Ranges” link.



5. Click the “Expand” icon to expand the IP address range.
6. Place a check mark next to the following IP addresses:
✓ 64.41.200.246
✓ 64.41.200.247
✓ 64.41.200.248
✓ 64.41.200.249
7. Click the “Add” button, followed by the “Save” button.

Create Unix Compliance Asset Group


1. From the Asset Groups tab click the “New” button and select the “Asset Group…” option.
2. The Title for this Asset Group is: “Unix Compliance AG”.

3. Click “IPs” in the navigation pane.


4. Click the “Select IPs/Ranges” link.



5. Click the “Expand” icon to expand the IP address range.
6. Place a check mark next to the following IP addresses:
✓ 64.41.200.243
✓ 64.41.200.244
✓ 64.41.200.245
✓ 64.41.200.250
7. Click the “Add” button, followed by the “Save” button.


The “Asset Groups” tab now contains two Asset Groups that will be used later to define the SCOPE
of your policies.



Asset Tags
The Qualys platform will automatically create an Asset Tag for each Asset Group you add to your
account. You can also create your own “custom” tags using the Qualys AssetView application.

1. Click the application dropdown menu and select the “AssetView” application.

2. From A) the “Assets” section, click B) the “Tags” tab, and expand the “Asset Groups”
hierarchy.
When you added the Unix and Windows Compliance Asset Groups earlier, matching Asset
Tags were automatically created.
If your matching Asset Tags are not yet visible, please check back in a few minutes.

3. Use the application drop-down menu to return to the “Policy Compliance” application.



LAB 2: Create User Defined Controls (30 min.)
User Defined Controls (UDC) extend the coverage already provided by the Qualys Control Library. A
UDC is created and customized by an end user, and then added to the Controls Library. You can
create any number of custom controls to meet the specific needs of your organization.

UDC #1 - File Content Check


Most of the configuration settings on a UNIX-based host are still stored within text-based
configuration files. File Content Check permits you to enumerate the contents of any text-based file.
This exercise will create a Unix Control Type to perform a file content check on /etc/ssh/sshd_config.

1. From A) the “Policies” section, click B) the “Controls” tab.


2. Click the “New” button and select C) the “Control…” option.

3. Click “Unix Control Types” in the navigation panel and select the “File Content Check” radio
button.
4. In the “Statement” textbox, type “Enumerate the contents of sshd_config”.
5. Use the “Category” drop down menu to select “[Entire] Network Setting”.
6. Set the Sub-category to “[Dedicated] Remote Access/VPN”.
7. Under Comments, enter your initials.


8. Click and fill the form out as illustrated above.


The “Regular expression” field can be used to locate a specific line in the ‘sshd_config’ file, or
a specific configuration parameter.

Placing a value of “.*” in the “Regular expression” field will enumerate the entire contents of
the ‘sshd_config’ file (“.*” will match any number of any characters).

9. Click the “Add” button.


10. Under the “Default Values for Control Technologies” section, fill the form out as illustrated
above.
11. Under the “Control Technologies” section, scroll down and select the checkboxes for
CentOS 6.x, Oracle Enterprise Linux 5.x, and Oracle Enterprise Linux 7.x.
12. Scroll down and click the “Create” button, followed by the “Close” button.
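The logic behind a File Content Check, written out as an added example (this is not Qualys code and not how the Qualys scanner implements the control): a regular expression is applied line by line to the contents of a configuration file, so “.*” enumerates every line while an anchored expression isolates a single directive whose value can then be compared with an expected value. The sshd_config content below is constructed for the example, and the directive-parsing rule (first uncommented match wins, Match blocks ignored) is an assumption of this script.

```python
"""File Content Check against an sshd_config-style file (added example).

Not Qualys code. Applies a regular expression to each line of a text-based
configuration file and evaluates one directive against an expected value.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of /etc/ssh/sshd_config content (not captured from a real host).
SAMPLE_SSHD_CONFIG = """\
# Sample sshd_config (constructed for this example)
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
"""


def file_content_check(content: str, regex: str) -> List[str]:
    """Return every line of `content` that the regex matches (search semantics).

    Mirrors the UDC's 'Regular expression' field: '.*' returns all lines,
    '^PermitRootLogin' returns only the uncommented directive line.
    """
    pattern = re.compile(regex)
    return [line for line in content.splitlines() if pattern.search(line)]


def parameter_value(content: str, name: str) -> Optional[str]:
    """Extract the effective value of an sshd_config directive.

    Assumption: comment lines are skipped and the first uncommented directive
    wins, following sshd's first-match rule; Match blocks are not modelled.
    """
    pattern = re.compile(rf"^\s*{re.escape(name)}\s+(\S+)", re.IGNORECASE)
    for line in content.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def evaluate(content: str, name: str, expected: str) -> Dict[str, Optional[str]]:
    """Pass/Fail verdict for one directive; a missing directive is a Fail."""
    actual = parameter_value(content, name)
    passed = actual is not None and actual.lower() == expected.lower()
    return {"control": name, "expected": expected, "actual": actual,
            "status": "Passed" if passed else "Failed"}


if __name__ == "__main__":
    # '.*' enumerates the whole file, as in the lab's default value.
    for line in file_content_check(SAMPLE_SSHD_CONFIG, r".*"):
        print(line)
    print(evaluate(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "no"))         # Passed
    print(evaluate(SAMPLE_SSHD_CONFIG, "PasswordAuthentication", "no"))  # Failed
```

Note that the commented-out “#PermitRootLogin yes” line is skipped by `parameter_value` but would still be returned by `file_content_check` with a non-anchored expression; anchoring with “^” is what keeps a content check from matching a commented default.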



UDC #2 - File Integrity Check
Now you are going to create a User Defined Control (UDC) that will be used to perform a file integrity
check on a UNIX host.


1. Navigate to A) the “Policies” section, and click B) the “Controls” tab.
2. From the “Controls” tab, click the “New” button and select C) the “Control” option.

3. For Unix Control Types click the radio button for “File Integrity Check”.
4. In the “Statement” textbox, enter “File Integrity Check: /etc/hosts”.
5. Use the “Category” drop down menu to select “Integrity and Availability”.
6. Leave Sub-category set to “Auditing/logging.”
7. Under Comments, enter your initials.




8. Click “Add Parameters” and fill the form out as illustrated above.
9. Click the “Add” button.

10. Under the “Default Values for Control Technologies” section, fill the form out as indicated
above.
The “Use scan data as expected value” option will automatically calculate the hash value of
the “hosts” file.
11. Under the “Control Technologies” section, scroll down and select the checkboxes for
CentOS 6.x, Oracle Enterprise Linux 5.x, and Oracle Enterprise Linux 7.x.
12. Click the “Create” button, followed by the “Close” button.
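How a File Integrity Check behaves across scans, as an added example (not Qualys code, and not the scanner's implementation): the first evaluation with the “use scan data as expected value” behaviour records the file's hash as the baseline, later evaluations compare the current hash with it, and an evaluation with no baseline and that option off reports “No Baseline” instead of silently passing. The monitored file is a temporary copy of a hosts-style file constructed inside the script, and the SHA-256 choice is this example's assumption.

```python
"""File Integrity Check with baseline recording (added example, not Qualys code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional


def file_hash(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class IntegrityControl:
    """One control watching one path; `expected` stays None until a baseline is recorded."""

    def __init__(self, path: str, expected: Optional[str] = None) -> None:
        self.path = path
        self.expected = expected

    def evaluate(self, auto_update_expected: bool = False) -> Dict[str, Optional[str]]:
        """Compare the current hash with the baseline.

        With no baseline and auto_update_expected=True the current hash becomes
        the baseline (the lab's 'Use scan data as expected value' option). With
        no baseline and the option off, the result is 'No Baseline' rather than
        a pass, so an unmonitored file is never reported as compliant.
        """
        actual = file_hash(self.path)
        if self.expected is None:
            if auto_update_expected:
                self.expected = actual
                return {"path": self.path, "status": "Passed",
                        "expected": actual, "actual": actual}
            return {"path": self.path, "status": "No Baseline",
                    "expected": None, "actual": actual}
        status = "Passed" if actual == self.expected else "Failed"
        return {"path": self.path, "status": status,
                "expected": self.expected, "actual": actual}


def demo() -> List[str]:
    """Constructed walk-through on a temporary 'hosts' file; returns the four statuses."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "hosts")
        with open(path, "w") as handle:
            handle.write("127.0.0.1 localhost\n")  # constructed content
        control = IntegrityControl(path)
        statuses = [
            control.evaluate()["status"],                          # no baseline, option off
            control.evaluate(auto_update_expected=True)["status"],  # baseline recorded
            control.evaluate()["status"],                          # file unchanged
        ]
        with open(path, "a") as handle:
            handle.write("203.0.113.5 update.example.test\n")  # constructed modification
        statuses.append(control.evaluate()["status"])           # file changed
    return statuses


if __name__ == "__main__":
    print(demo())  # ['No Baseline', 'Passed', 'Passed', 'Failed']
```

The baseline is only as trustworthy as the host was at the first scan: if the file had already been altered when the expected value was auto-recorded, later scans will pass against a bad baseline, which is why the hash should be recorded from a known-good build.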



UDC #3 - Registry Value Content Check
The Windows System Registry contains a wealth of information that can be used to validate
thousands of compliance and auditing objectives. Registry Value Content Check permits you to check
the content of any registry key.


1. Navigate to A) the “Policies” section, and click B) the “Controls” tab.
2. From the “Controls” tab, click the “New” button and select C) the “Control” option.
3. For Windows Control Types click the radio button for “Registry Value Content Check”.

4. Type “Status of Remote Access Terminal Service” in the “Statement” field.


5. Use the “Category” drop down menu to select “Services”.
6. Set the Sub-Category to “Guidelines/Procedures (Services)”.
7. In the Comments text box, type your initials (you will search on this later).





8. Scroll down to the Scan Parameters section and click (fill in the fields to
look like the example above).
9. Click the “Add” button to save your settings.


10. In the “Default Values for Control Technologies” section, use the illustration above to fill in
the required fields:
A “Default Value” of 4 specifies that Terminal Service must be disabled:

• 2 = Automatic
• 3 = Manual
• 4 = Disabled
11. Under the “Control Technologies” section, scroll down and select a check box for: Windows
2008 Server, Windows 2012 Server, Windows 7, and Windows 8.1.
12. Click the “Create” button, followed by the “Close” button.



UDC #4 - WMI Query Check
This User Defined Control (UDC) will use a WMI Query to enumerate the running processes on a
Windows host. This list can then be evaluated to identify the absence of REQUIRED processes,
and/or the presence of PROHIBITED processes.


1. Navigate to A) the “Policies” section, and click B) the “Controls” tab.
2. From the “Controls” tab, click the “New” button and select C) the “Control” option.
3. For Windows Control Types click the radio button for “WMI Query Check”.
4. In the “Statement” textbox enter “WMI Query Check - Enumerate Active Services”.
5. Use the “Category” drop down menu to select “Integrity and Availability”.
6. Leave Sub-Category set to “Auditing/Logging”.
7. In the Comments text box, type your initials (you will search on this later).
8. In the Ignore Errors section, select the check box to “Ignore errors and mark status as
Passed”.

In this context, an error returned from a failed WMI query does not necessarily imply that a
host is out of compliance.





9. In the Scan Parameters section click the “Add Parameters” button and fill in the forms to
look like the window above.
10. Click the “Add” button to save your settings.


11. In the “Default Values for Control Technologies” section, use the illustration above to fill
the required fields:
The value of .* is a regular expression that will match any number of any characters,
including blank space. You will replace this value with actual service names, when this UDC is
added to one of your policies.
12. Under the “Control Technologies” section, scroll down and select the checkboxes for:
Windows 2008 Server, Windows 2012 Server, Windows 7, and Windows 8.1.
13. Click the “Create” button, followed by the “Close” button.
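The evaluation logic for UDC #3 (Registry Value Content Check) and UDC #4 (WMI Query Check), as one added example that serves both exercises. This is not Qualys code and not how the scanner implements these controls. The registry snapshot and the service rows are constructed so the script runs on any platform; on a Windows host the rows would come from a WMI query such as `SELECT Name, State FROM Win32_Service` (the query text, the `TermService` key path and the `Start` value name are this example's assumptions, not values given in the lab). The 2/3/4 meanings of the Start value are those listed in the lab.

```python
"""Registry value and WMI service-list checks (added example, not Qualys code)."""
import re
from typing import Callable, Dict, Iterable, List, Optional

# Meaning of the Start value, as listed in the lab text.
START_VALUES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed registry snapshot: key path -> {value name: data}. Assumed key path.
REGISTRY: Dict[str, Dict[str, object]] = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\TermService": {
        "Start": 3, "DisplayName": "Remote Desktop Services"},
}

# Constructed rows, shaped like a 'SELECT Name, State FROM Win32_Service' result.
WMI_SERVICES: List[Dict[str, str]] = [
    {"Name": "EventLog", "State": "Running"},
    {"Name": "WinDefend", "State": "Running"},
    {"Name": "TermService", "State": "Running"},
    {"Name": "Telnet", "State": "Stopped"},
]


def describe_start(value: object) -> str:
    """Human-readable form of a Start value; unknown values are labelled, not guessed."""
    return START_VALUES.get(value, f"Unknown ({value!r})")


def registry_value_check(registry: Dict[str, Dict[str, object]], key: str,
                         value_name: str, expected: object) -> Dict[str, object]:
    """Compare one registry value with its expected value.

    A missing key or value is reported as Failed with actual=None instead of
    raising, so an absent setting cannot be mistaken for a compliant one.
    """
    values = registry.get(key)
    actual = None if values is None else values.get(value_name)
    return {"key": key, "value": value_name, "expected": expected, "actual": actual,
            "status": "Passed" if actual is not None and actual == expected else "Failed"}


def wmi_service_check(rows: Iterable[Dict[str, str]], required: Iterable[str],
                      prohibited: Iterable[str], running_only: bool = True) -> Dict[str, object]:
    """Evaluate an enumerated service list.

    Every required service must be present (and running, when running_only is
    set), and no service name may fully match a prohibited pattern. Prohibited
    entries are regular expressions, so the lab's placeholder '.*' would match
    every service until replaced with real names.
    """
    names = {row["Name"] for row in rows
             if not running_only or row["State"] == "Running"}
    missing = sorted(set(required) - names)
    present = sorted(name for name in names
                     if any(re.fullmatch(pat, name, re.IGNORECASE) for pat in prohibited))
    return {"missing_required": missing, "prohibited_present": present,
            "status": "Passed" if not missing and not present else "Failed"}


def run_query(query_fn: Callable[[], List[Dict[str, str]]],
              ignore_errors: bool) -> Dict[str, object]:
    """Mirror the 'Ignore errors and mark status as Passed' option.

    A query failure yields Passed when the option is on and Error otherwise;
    the rows (when any) are returned for the service check above.
    """
    try:
        return {"status": "Passed", "rows": query_fn()}
    except RuntimeError as exc:
        return {"status": "Passed" if ignore_errors else "Error", "error": str(exc)}


def failing_query() -> List[Dict[str, str]]:
    """Constructed stand-in for a WMI query that fails on the target host."""
    raise RuntimeError("WMI query failed (constructed error)")


if __name__ == "__main__":
    key = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService"
    result = registry_value_check(REGISTRY, key, "Start", 4)
    print(result["status"], describe_start(result["actual"]))  # Failed Manual
    print(wmi_service_check(WMI_SERVICES, ["EventLog", "WinDefend"], ["Telnet", "TlntSvr"]))
    print(run_query(failing_query, ignore_errors=True)["status"])  # Passed
```

Two behaviours worth noticing when tuning such controls: a stopped prohibited service only counts when `running_only` is off, so decide whether the policy forbids the service's presence or its execution; and the ignore-errors option converts a broken query into a Pass, which keeps noisy hosts from failing but also hides hosts where the query never ran.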



LAB 3: Compliance Scanning (20 min.)
A compliance scan collects data points (defined in the Qualys Control Library) from the host assets
you target. Although some policies can be created without scan data, the availability of compliance
scan data will help you test and evaluate controls as you add them to a policy. Before you launch
your first compliance scan, you will need to create authentication records for the Windows and Unix
hosts, and build a Compliance Profile containing your custom scanning preferences.

Authentication Records
Authentication is a requirement of the Policy Compliance application. Authentication is available for
multiple OS platforms, services, and software applications. The lab exercise steps that follow will
create two authentication records: one for Unix and one for Windows.

Create Unix Authentication Record


1. Navigate to A) the “Scans” section and select B) the “Authentication” tab.
2. Click C) the “New” button and select “Unix Record”.
3. Type “qscanner with Sudo” in the “Title” field.

4. Click “Login Credentials” in the navigation pane, and enter the following credentials:
User Name: qscanner
Password: abc1234!



5. Click “Root Delegation” in the navigation pane and then click the “Add Root Delegation”
button on the right.
6. Select “Sudo” from the dropdown menu as your “Root Delegation” option.
7. Enter password: abc1234!
8. Click the “Save” button.

9. Click “IPs” in the navigation pane.


10. Add the following IPs:
• 64.41.200.243
• 64.41.200.244
• 64.41.200.245
• 64.41.200.250
11. Click the “Create” button.



Create Windows Authentication Record

1. Navigate to A) the “Scans” section, and click B) the “Authentication” tab.


2. From the Authentication tab, click C) the “New” button and select “Windows Record…”
3. Type “qscanner as Domain Admin” in the “Title” field.

4. Click “Login Credentials” in the navigation pane, and ensure the “Domain” radio button is
selected (under Windows Authentication).
5. Select “Active Directory” using the “Domain Type” drop-down menu.
Active Directory API calls are used to retrieve the IP addresses of domain members. Therefore, IP
address information is NOT required when creating an Active Directory Authentication Record.
6. Type “trn.qualys.com” (omit quotes) in the “Domain name” field.

7. Type the following Username and Password (case sensitive):


User Name: qscanner
Password: abc1234!

8. Click “Save”.



You can return to the “Authentication” tab, after completing a compliance scan, to view the
PASS/FAIL results of the Qualys scanner’s authentication attempts. Just click the “Details” link at the
end of any Authentication Record.



Create Custom Compliance Profile
A Compliance Profile contains your scanning options and is a required component of every
compliance scan. Create a custom Compliance Profile that contains all the required options for your
compliance scans.

1. Navigate to A) the “Scans” section, and select B) the “Option Profiles” tab.
2. Click the “New” button and select C) the “Compliance Profile” option.
3. Name the profile “Custom Compliance Profile”.
In an earlier exercise you created a User Defined Control (UDC) to perform a file integrity
check. The “Auto Update expected value” option will automatically record the hash value of
targeted files.

4. Click “Scan” in the navigation pane (left) and select the “Auto Update expected value”
checkbox, under the Integrity Monitoring section.

5. Select (check) both Control Types: “File Integrity Monitoring” and “WMI Query Checks.”



These special control types work together with user defined controls (UDCs) you create for
File Integrity Monitoring and WMI Query Checks.
• File Integrity Monitoring – Enable to collect the hash values needed to perform file
integrity checks on both Unix and Windows systems.
• WMI Query Checks – Enable to perform WMI queries that collect the kind of data
that cannot be acquired from Active Directory or the Windows Registry.


6. Click the “Dissolvable Agent” link to activate the Dissolvable Agent for your subscription.
7. When prompted, click the “Accept” button, followed by the “Close” button.

8. Once the Dissolvable Agent has been accepted, select all of the “Dissolvable Agent” check
boxes.
Only a Manager can activate the Dissolvable Agent, allowing users to leverage its
functionality:
• Password Auditing – Perform password auditing tests to identify user accounts with:
empty passwords (CID 3893), passwords equal to the user name (CID 3894), or
passwords found in your own custom password dictionary (CID 3895).
• Windows Share Enumeration – Find Windows shares that are readable by everyone and
report the number of files for each share on each host (Control ID 4528) and whether the
files are writable. This is good for identifying groups of files that may need tighter access
control.
• Windows Directory Search – Select this option to include one or more Windows Directory
Search UDCs in the scan that search for files/directories using many criteria, such as file
name, user accounts, and specific user access permissions.
At scan time, the Dissolvable Agent is installed on Windows devices to collect data, and once the
scan is complete it is completely removed from the target systems.
9. Click the “Save” button.



Your “Custom Compliance Profile” will now become the default profile for your compliance
scans, giving you all the functionality needed for the exercises in this lab.



Launch Compliance Scans
In this section you’ll launch two separate compliance scans. The first scan will target the Unix Asset
Group, and the second scan will target the Windows Asset Group.

Unix Compliance Scan


1. Navigate to A) the “Scans” section, and select B) the “PC Scans” tab.
2. Click the “New” button, and then select C) the “Scan” option.

3. Give your scan the title “Unix Compliance Scan” and use the “Custom Compliance Profile”
you created.
Since all targets in our training lab have public IPs, a Qualys External Scanner Appliance will
be used to perform your scan (by default).

4. Select the “Unix Compliance AG” Asset Group as your scan target.
5. Click the “Launch” button to start the scan.
6. Click the “Close” button to close the “Scan Status” window.


Windows Compliance Scan
1. Once again, click the “New” button, and then select the “Scan” option.

2. Give your scan the title “Windows Compliance Scan” and use the “Custom Compliance
Profile” you created.

3. Select the “Windows Compliance AG” Asset Group as your scan target.
4. Click the “Launch” button to start the scan.
5. Click the “Close” button to close the “Scan Status” window.
You can monitor the status of any scan from the “PC Scans” tab.

All scans are initially queued before they begin running. Note: The scans you just launched
will only collect data points for controls already in the Controls Library.
Wait for your scans to finish before attempting to work with their results.

6. When your scans have FINISHED, use the “Quick Actions” menu to view results.
Successful authentication is critical to the Policy Compliance application. All authentication
issues must be addressed to ensure accurate compliance results.

Use the “Authentication Issues” information provided in the scan report to help you find
authentication issues encountered during the scan.
Please make note of any host IPs with a failed authentication attempt. Data points will
not be available for these host assets.
The following is a list of possible authentication results:
• Passed – Authentication was successful.
• Insufficient Privileges – Authentication was successful, but the Qualys scanning
account was not able to access data needed to perform one or more compliance
assessment tests.
• Not Attempted – An authentication record was not found for a targeted host, and
therefore authentication was not attempted.
• Failed – Authentication was not successful.

LAB 4: Create Policy (30 min.)
A Qualys Policy contains controls that reflect the requirements of security frameworks, regulations,
standards, and internal policies. The Qualys Policy Compliance application offers multiple ways to
create a policy:

• Empty Policy – Build a policy from scratch.


• Existing Host – Build a policy from a previously scanned host.
• Policy Library – Choose from one of the policies in the Qualys Policy Library.

• XML File – Upload a policy from your local file system.

Import Policy from Library


In this exercise, you will import a policy from the Qualys Policy Library.
1. Navigate to the “Policies” section and click the “Policies” tab.

2. From the “Policies” tab, click A) the “New” button, followed by B) “Policy” and select C)
“Import from Library…”.

3. In the “Technologies” column, place a check next to CentOS 6.x.
4. In the “Policies” column, click “CIS Benchmark for CentOS Linux 6, v2.1.0 [Scored, Level 1
and Level 2]” and then click the “Next” button.
5. Leave the Policy Name “as-is” and click the “Create” button.

Define Policy Scope

6. Click the option to “Edit” Asset Groups.

7. Add the “Unix Compliance AG” Asset Group to this policy and click the “Save” button.

8. Click the “Evaluate now” checkbox.


9. Click the “Save” button one more time and then close the Policy Editor.
The policy just saved will be used later as part of the Policy Report lab exercises.

Create Policy from Scratch
In this exercise, you will create a ‘blank’ policy, and manually add all policy components (i.e.,
technologies, assets, and controls).
1. Navigate to the “Policies” section and click the “Policies” tab.

2. From the “Policies” tab, click A) the “New” button, followed by B) “Policy” and select C)
“Create from Scratch…”.

Add Technologies to Policy

3. Use the “Search technologies” drop-down menu to add the UNIX and Windows technologies
illustrated above (CentOS 6.x, Oracle Enterprise Linux 5.x, Oracle Enterprise Linux 7.x,
Windows 2008 Server, Windows 2012 Server, Windows 7, Windows 8.1).
4. Click the “Next” button.

Define Policy Scope

5. Add the “Windows Compliance AG” and “Unix Compliance AG” Asset Groups to this policy
and click the “Next” button.
6. Name your policy: “Sample Policy” and click the “Create” button.

The Policy Editor displays a blank policy. Controls have yet to be added.
7. Change the section title from “Untitled” to “Sample Controls.”

Add CID 5241 to Policy
The ‘Current list of installed Antivirus programs’ control (CID 5241) provides a list of the known
installed antivirus applications, collected from the Windows Registry:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall (32-bit)
• HKLM\Software\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (64-bit)

1. Click the “Add Controls” button.

2. Click the “Search” button and type “antivirus” (omit quotes) in the “Text” field.
3. Click the “Search” button.

4. Place a check to the left of CID 5241 – Current list of installed Antivirus program(s).
5. Click the “Add” button.

6. Click the “Edit” option for CID 5241.

7. Using the “Windows 2012 Server” Technology, click the “Test Control” button to evaluate
this control against a Windows Server host.

8. Click the “View IPs” link to view the list of “Windows Server 2012” hosts you have scanned
for compliance.
9. If no IP addresses are listed, click the “Cancel” button and try another Windows
technology; otherwise, proceed to the next step.
If an IP address is not available for any of the Windows technologies, please verify that you
have completed a Windows scan. View the scan results to identify any authentication issues.
IP addresses will not appear for hosts with a failed authentication attempt; you may need to
re-create your Windows Authentication record and launch one more Windows scan.
10. Select an IP address and click the “Select” button.
The host IP address you selected is evaluated against the existing control parameters. Why
does this host receive a PASS result, even though it has no antivirus software installed?

The PASS/FAIL status is determined by comparing the EXPECTED value specified in the control
parameters, to the ACTUAL value collected from the target host.

Notice this control has check marks for the “No matching products found” and “Key not
found” options. A checked item identifies a PASS condition. If no matching products are
found on an audited host, this setting produces a PASS.
Likewise, if the targeted registry key is NOT found on the audited host, the “Key not found”
checkbox produces a PASS.
Clearing the “No matching products found” or “Key not found” checkbox will produce a
FAIL for any host missing this information.

11. Remove the check mark from the “No matching products found” check box.
12. Click the “Evaluate” button.
With the check mark removed from the “No matching products found” check box, the
“Control Result” will change to FAIL.

13. Click the “Back to Controls” option.


Add CID 8375 to Policy
The ‘Current list of running processes’ control provides the process name, process identification
number, and other useful information about a host’s running processes. Maintaining a list of known
processes for each host makes it easier to identify process anomalies.
1. Click the “Add Controls” button.

2. Click the “Search” button.


3. Type “running process” (omit quotes) in the “Text” field and click the “Search” button.
4. Place a check to the left of CID 8375 – Current list of running processes and click the “Add”
button.
5. Click the “Edit” option for CID 8375.
6. Using the “CentOS 6.x” Technology, click the “Test Control” button to evaluate this control
against a CentOS 6.x host.
Notice the default value ‘.*’ for this setting. This ‘regular expression’ will accept the name of
any running process as passing.
7. Click the “View IPs” link to view the list of CentOS 6 hosts you have scanned for
compliance.
8. If no IP addresses are listed, click the “Cancel” button and try another Unix technology;
otherwise, proceed to the next step.
If an IP address is not available for any of the Unix technologies, please verify that you have
completed a Unix scan. View the scan results to identify any authentication issues. IP
addresses will not appear for hosts with a failed authentication attempt; you may need to
re-create your Unix Authentication record and launch one more Unix scan.
9. Select an IP address and click the “Select” button.

The host IP address you selected is evaluated against the existing control parameters.
Because the “.*” regex is used as the evaluation expression, all hosts are currently passing.

10. Replace “.*” with the following process names:


• sshd
• bash
• awk
11. Use the drop-down menu to select the ‘contains’ cardinality.
12. Click the “Evaluate” button to see how your changes impact the PASS/FAIL results.

13. Change the cardinality from ‘contains’ to ‘does not contain’.


14. Click the “Evaluate” button to see how your changes impact the PASS/FAIL results.

15. Continue to experiment with different cardinality settings and observe the results.

16. Click the “Back to Controls” option.
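To make the PASS/FAIL logic of CID 5241 and CID 8375 concrete, here is an added Python model (not Qualys code) of how the expected value, the cardinality setting and the “No matching products found” / “Key not found” check boxes combine into a control result. The function names, the exact cardinality semantics and the host data are assumptions constructed for this lab.

```python
import re

PASS, FAIL = "PASS", "FAIL"


def evaluate_control(actual, expected, cardinality="contains",
                     pass_on_no_match=True, pass_on_key_not_found=True):
    """Compare the EXPECTED patterns set in a control to the ACTUAL values
    collected from a host and return PASS or FAIL (assumed model).

    actual   -- list of strings collected from the host (process names or
                installed product names); None models the registry key or
                data source not being found on the host at all.
    expected -- list of regular expressions entered as the control's expected
                value (the default ".*" accepts any value).
    cardinality -- "contains": every expected pattern must match at least one
                   actual value; "does not contain": no expected pattern may
                   match any actual value (assumed semantics for the lab's
                   two cardinality choices).
    pass_on_no_match / pass_on_key_not_found -- the "No matching products
                found" and "Key not found" check boxes: checked (True) turns
                that condition into a PASS, unchecked turns it into a FAIL.
    """
    if actual is None:
        return PASS if pass_on_key_not_found else FAIL
    if len(actual) == 0:
        return PASS if pass_on_no_match else FAIL
    # Each expected entry is a regex; fullmatch is assumed so that "ssh"
    # does not silently match "sshd".
    patterns = [re.compile(p) for p in expected]
    if cardinality == "contains":
        ok = all(any(p.fullmatch(v) for v in actual) for p in patterns)
    elif cardinality == "does not contain":
        ok = not any(p.fullmatch(v) for p in patterns for v in actual)
    else:
        raise ValueError(f"unsupported cardinality: {cardinality!r}")
    return PASS if ok else FAIL


def lab_walkthrough():
    """Re-create the results the lab asks you to observe for CID 5241 and
    CID 8375, on constructed host data."""
    # CID 5241: a Windows host whose Uninstall key exists but lists no
    # antivirus product, and one where the key itself is absent.
    no_av_products = []
    key_missing = None
    # CID 8375: process lists from three constructed CentOS hosts.
    host_a = ["sshd", "bash", "awk", "crond"]
    host_b = ["sshd", "crond"]
    host_c = ["crond", "rsyslogd"]
    want = ["sshd", "bash", "awk"]
    return {
        # CID 5241 step 10: both boxes checked -> PASS even with no antivirus
        "5241 no products, box checked": evaluate_control(no_av_products, [".*"]),
        "5241 key missing, box checked": evaluate_control(key_missing, [".*"]),
        # CID 5241 steps 11-12: "No matching products found" cleared -> FAIL
        "5241 no products, box cleared": evaluate_control(
            no_av_products, [".*"], pass_on_no_match=False),
        # CID 8375 step 6: the default ".*" accepts any running process
        "8375 default .*": evaluate_control(host_a, [".*"]),
        # CID 8375 steps 10-12: sshd, bash and awk must all be running
        "8375 contains host_a": evaluate_control(host_a, want),
        "8375 contains host_b": evaluate_control(host_b, want),
        # CID 8375 steps 13-14: none of them may be running
        "8375 does not contain host_b": evaluate_control(host_b, want, "does not contain"),
        "8375 does not contain host_c": evaluate_control(host_c, want, "does not contain"),
    }


if __name__ == "__main__":
    for name, result in lab_walkthrough().items():
        print(f"{name:32} {result}")
```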
17. Click the “Add Controls” button.
18. Use the “Search” tool to locate and add your User Defined Controls (UDCs) to the policy.
To clear your previous search results, click the “Search” button, followed by the “Clear”
button, and close the “Search” window.
HINT: Search for your initials in the “Comments” field…all UDCs begin at CID 100000.

UDC #1: File Content Check

1. Edit CID 100000 “Enumerate the contents of sshd_config.”


2. Select either the CentOS or Oracle Enterprise technology and use the “Test Control” button
to view the entire contents of the sshd_config file.

The regular expression “.*” used to build this UDC enumerates the entire contents of the
sshd_config file (“.*” matches any number of any characters).
Other variations of this UDC will use different regular expressions to focus on specific lines or
parameters within the ‘sshd_config’ file. Which lines or parameters would you want to focus
on?
What other UNIX configuration files would you want to analyze?

1. Click the “Evaluate now” checkbox (lower-right corner).


2. Click the “Save” button to secure the changes you have made, and then close the Policy
Editor.
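As an added example, not part of the lab or of Qualys, the following Python shows the same file-content check in code on a constructed sshd_config excerpt: the “.*” variant enumerates every line, while a focused variant extracts one parameter and grades it, skipping the commented-out defaults that an unanchored regex would also match. The function names and the sample file are assumptions.

```python
import re

PASS, FAIL = "PASS", "FAIL"

# Constructed sshd_config excerpt (not from a lab host). Note the commented-out
# defaults: a regex that is not anchored to the start of the line will match
# "#PermitRootLogin yes" just as happily as the active "PermitRootLogin no".
SSHD_CONFIG = """\
# Constructed sample sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
"""


def enumerate_lines(text, pattern=".*"):
    """UDC #1 as built in the lab: return every line the regex matches.
    With the default ".*" that is the whole file."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def effective_setting(text, keyword):
    """Return the active value of one sshd_config keyword, or None if it is
    only commented out or absent. The pattern is anchored to the line start
    (optional whitespace, no '#'); sshd honours the first occurrence of a
    keyword, so the first active match wins."""
    rx = re.compile(r"^\s*" + re.escape(keyword) + r"\s+(\S+)", re.IGNORECASE)
    for line in text.splitlines():
        m = rx.match(line)
        if m:
            return m.group(1)
    return None


def check_setting(text, keyword, expected_regex):
    """Focused variant of the UDC: PASS when the keyword's active value
    matches the expected regex, FAIL when it differs or is not set at all."""
    value = effective_setting(text, keyword)
    if value is None:
        return FAIL
    return PASS if re.fullmatch(expected_regex, value, re.IGNORECASE) else FAIL


if __name__ == "__main__":
    print(len(enumerate_lines(SSHD_CONFIG)), "lines enumerated by '.*'")
    print(enumerate_lines(SSHD_CONFIG, "PermitRootLogin"))
    print(effective_setting(SSHD_CONFIG, "PermitRootLogin"))
    print(check_setting(SSHD_CONFIG, "PasswordAuthentication", "no"))
```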

LAB 5: Compliance Reports (30 min.)
Authentication Report
Authentication is a requirement for performing compliance scans; therefore, it is important to
monitor the success and failure of authentication attempts made by your Qualys Scanner Appliance.
An Authentication Report will help you identify failed authentication attempts and other conditions
that could result in the failure to collect compliance data.
1. Navigate to the “Reports” section and click the “Reports” tab.

2. Click A) the “New” button and select B) Authentication Report.

3. Type “Compliance Authentication Report” in the “Title” field.


4. Use the “Report Format” drop-down menu to select “HTML pages.”
5. Under “Report Source” select the “Asset Tags” radio button, and then click the “Add Tag”
link.

6. Click the “Browse tags” icon and select both Windows Compliance AG and Unix
Compliance AG tags.
7. Ensure the logical operator is set to: Any (OR equivalent).
8. Click the “Run” button.
If your Asset Tags are not yet ready for use, change your Report Source targets to the
Windows and Unix Asset Groups.
Qualys recommends using root and Administrator equivalent accounts for all compliance
scans.
The illustrations below provide examples of authentication issues. Notice that ‘insufficient
privileges’ can be just as problematic as a ‘failed’ attempt.

A status of “Not Attempted” typically identifies host IPs that do not have a corresponding
authentication record.
Limited or no compliance data is collected from a host if the Qualys Scanner Appliance does
not successfully authenticate.
9. Close your Authentication Report.

Policy Report Template
The Policy Report Template provides some very useful report filtering options. The next few steps
will create a custom Report Template that focuses on FAILED control tests.
1. Navigate to the “Reports” section and click the “Templates” tab.

2. Click A) the “New” button and select B) the “Policy Template” option.
3. Type “Failed Controls Template” in the “Title” field.

4. Click “Layout” in the navigation panel (left).


5. Change the “Report Layout” options to focus on “Failed” controls; specifically, those that
are SERIOUS, CRITICAL, or URGENT.
6. Click the “Save” button.

Create Policy Report

1. From the “Templates” tab, use the “Quick Actions” menu for the “Failed Controls
Template” to Run a report.

2. Type “Failed Controls Policy Report” in the “Title” field.


3. Select “Failed Controls Template” in the “Report Template” field.
4. Select “Portable Document Format (PDF)” from the “Report Format” drop-down menu.
5. Under Report Source select the “CIS Benchmark for CentOS Linux 6” policy, created earlier.
6. Ensure that the radio button for “All Assets in policy” is selected.
7. Click the “Run” button.
8. When your report is displayed, scroll past the trend and summary data to view the FAIL
results for various hosts, and the collected evidence.

A distinguishing characteristic of the Policy Report is the evidence that impacts each
PASS/FAIL result.
This is the type of information needed by systems administrators and operational teams to
correct a configuration error or any other type of failed requirement.
9. Close your policy report.

Interactive Report
When a host fails to meet a control requirement, one option involves correcting the condition that
led to the failure. However, if a compensating control has been deployed to address the problem,
another option involves requesting an exception for the failed control. The Policy Compliance
Application provides Interactive Reports for requesting and managing exceptions:
• Control Pass/Fail Report - identifies the pass/fail status for a specific control. When running
this report, select the control you want to report on.
• Individual Host Compliance Report - identifies the compliance status for a specific host.
When running this report, select the host you want to report on.

Requesting Exceptions
This exercise will walk you through the steps of using an interactive report to request an exception.
You will use two user accounts (MANAGER and AUDITOR) to complete the exercise steps. Please use
two separate browsers (e.g., Chrome AND Firefox) so you may keep both accounts active at the same
time (i.e., most Web browsers only allow one Qualys user session at a time).
Your AUDITOR account must be activated before it can be used in the exception process.
1. Use a separate browser to login with the AUDITOR account you created earlier.
If this is your first AUDITOR login attempt, you will be prompted to “Save” your account
settings.
2. From your MANAGER account, navigate to the Reports section and click the “Reports” tab.
3. Click the “New” button and select “Interactive Report”.

4. Choose the “Individual Host Compliance” Report and click the “Run” button.

5. Choose the “CIS Benchmark for CentOS Linux 6” policy, as the report target.
6. Select the “Unix Compliance AG” Asset Group.
7. Click the “Select” link and choose an IP address.

8. Click “Layout” in the left navigation pane.


9. Select the checkbox to “Display” Failed controls.
10. Select the checkboxes for the SERIOUS, CRITICAL, and URGENT criticality.
11. Sort by “Criticality”.
12. Click the “Run” button.
The report displays all controls with a “Failed” posture, along with a link to “Request” an
Exception.

13. Choose any control with a “Failed” posture and click its corresponding “Request” link in the
Exception column.



14. Assign the Request to your Auditor account. If you did not create an Auditor account, you
may use a Manager account for this step.
15. Add a comment.
Comments are required for all exception requests.

16. Click the checkbox to “Reopen exception on change of evidence”.


This applies only if the exception is approved. The exception is reopened if a future scan returns a
value that is different from the current value and the control is still failing (or in error).
17. Click the “Request” button.

Working with Exceptions
For Compliance exceptions, an Auditor or Manager must determine the Compliance impact of
allowing a failed control/host to be exempted from a policy. Exemptions will typically depend on
your overall corporate security policies. The business, regulatory and technical implications should be
reviewed in each case.

An Exception can be reassigned, accepted or rejected. An approved exception may be set to expire
after a certain amount of time. These decisions are contingent upon business need combined with
regulatory/mandate requirements. If an exception request is accepted, it will be noted in the next
interactive report. If an exception request is rejected, the control will keep its failed status.
1. From your AUDITOR account, navigate to the “Exceptions” section and click the
“Exceptions” tab.


2. Use the “Quick Actions” menu to “Edit” the exception generated earlier.

3. Approve the exception request and set it to expire in 90 days.
4. Click the “Save” button.

Additional Exercises
You may perform all “Additional Exercises” at your own convenience. Other lab exercises in this
document are not dependent on the outcome of these exercises.

Compliance Scorecard Report


The Compliance Scorecard Report provides a high level view of your organization’s compliance
progress and status. You can use the Compliance Scorecard to review multiple policies at the same
time.

1. Navigate to the “Reports” section.


2. From the “Reports” tab, click the “New” button and select “Scorecard Report”.

3. Type “Compliance Scorecard” in the “Title” field.
4. Use the drop-down menu to select the “Compliance Scorecard Report” Template.
5. Set the “Report Format” to Portable Document Format (PDF).
6. Under “Report Source” add all of your policies (see Additional Exercises in the “Create
Policy” Lab to create more policies).
7. Use Asset Tags, Asset Groups or Netblocks to select both Windows and Unix Compliance
assets as the targets for this report.
8. Click the “Run” button and view your Scorecard Report.

LAB 6: Security Assessment Questionnaire
Through automated campaigns and data collection, Qualys Security Assessment Questionnaire
expands the scope of compliance data to include administrative and procedural controls.
Here are just a few examples of the things you can accomplish with Qualys SAQ:
• Third-Party Risk Assessment – Identify and assess the compliance of your vendor, partner,
supplier and other third-party relationships.
• Internal Audit Management – Expand the scope of your compliance visibility by querying and
evaluating internal infrastructure and IT processes.
• Security Training and Awareness – Evaluate employee and contractor comprehension of
security policies, procedures, and training curricula - before and after security training
sessions.
• End-to-End Security Compliance – Accelerate and extend security compliance by combining
technical controls assessment (Qualys Policy Compliance) with procedural controls
assessment (Qualys Security Assessment Questionnaire).

SAQ User Roles and Participants

1. Open the Qualys SAQ application.


2. Click the “Start 14-Day Trial” button, followed by the “Confirm” button.
3. Click the “Close and Continue” button (do not play introductory video).

Create Recipient
A “Recipient” receives an invitation to join a “Campaign” you have created and is responsible for
answering the Questionnaire’s questions.

1. Navigate to A) the “Users” section.
2. Click B) the “Add User” button, and enter the following information:

Use a valid email address, one you can access from your present location.
3. Click the “Add User” button.

Create Reviewer
A “Reviewer” is responsible for reviewing the responses submitted by any given recipient.

4. Click and enter the following information:

5. Click the “Add User” button.

Create Approver
An “Approver” is ultimately responsible for approving responses submitted by any given recipient.

6. Click and enter the following information:

7. Click the “Add User” button.

Create a Campaign
A “Campaign” contains one Questionnaire and identifies all campaign participants.



1. Navigate to A) the “CAMPAIGNS” section.
2. Click on B) the “New Campaign” button.

3. Type “PCI Compliance Campaign” in the “Campaign Name” field.


4. Select a due date 90 days from today.
5. Click the “Take me to Template list” button.

6. Select “PCI” in the left navigation pane.
7. Select Payment Card Industry (PCI) Data Security Standard – Self-Assessment Questionnaire
(SAQ) A and Attestation of Compliance.
8. Click the “Add” button and then click “Next”.

9. Use the “Workflow” drop-down menu to select the “Full (4-Stage Workflow)” option.
10. Use the “Reviewer” drop-down menu to select the SAQ Reviewer user.

11. Use the “Approver” drop-down menu to select the SAQ Approver user.
12. Click the “Next” button.

13. Click the “Take me to Recipients list” link.

14. Place a check to the left of the SAQ Recipient user and click the “Add” button.

15. Click on the “Next” button twice and click “Create & Launch”.

16. Click the “Send” button to email the invitation to the SAQ Recipient user.

Answer Questions

1. Using the email account/address, specified when creating the “Recipient” user, open the
email invitation and click the “Get Started” button.

2. Choose a new password for the “Recipient” user.


WARNING: logging in and activating the “Recipient” user account will typically log out the
“Manager” user (i.e., the account you have been using up to this point).

3. Click the “Quick Actions” menu, and select the “View Questions” option.

4. Fill in the input fields for A) Company Name, B) Contact Name, and C) Contact Title.
5. Click the “Save & Exit” button.

Monitor Campaign Progress


1. Log out of the “Recipient” user account, and log back in as the “Manager” user.

2. Open the Qualys SAQ application.

3. From the SAQ “Dashboard”, click the “PCI Compliance Campaign” link to view the campaign
details.

You can monitor the progress of each campaign, and review question responses.
4. Click the “back” arrow.

5. Navigate to the “Reports” tab and click on “New Report”.


6. Set the “Report type” field to “Campaign Report” and click “Continue”.
7. Select the “PCI Compliance Campaign” from the dropdown and click “Preview”.

8. Click the “Download” button, select “Portable Document Format (PDF)”, and click
“Save”.

9. When your report reaches the “Complete” status, double-click to download and view.
