Compliance Custom module

Documentation page describing Compliance Custom module usage.

Feature’s goals

The Compliance Custom module allows:

  • the creation of new rules
  • the duplication of existing rules
  • the editing of custom rules

Activate the feature

The full activation of the module requires a pre-activation by Cyberwatch.

You can send us an e-mail at support@cyberwatch.fr to ask for this pre-activation.

Once this pre-activation is effective, you can go to the Administration page and activate “Custom analyses”.

Rules evaluation

To understand how rules are evaluated in Cyberwatch, consult the documentation section on the rules evaluation.

Creating a rule made of multiple equations requires using the API. The rule creation form in Cyberwatch can only create single-equation rules.

Create a custom rule

  1. Go to the Compliance rules encyclopedia
  2. Click on the button + Add
  3. Fill in the fields of the rule creation form:

    • Reference: unique reference for each rule (e.g., CIS-debian-9-2.3.4)
    • Name: brief description of the rule’s goal (e.g., Ensure telnet client is not installed)
    • Description: description of the product/configuration concerned
    • Rationale: description of security concerns linked to non-compliance
    • Audit: description of the analysis to be conducted (e.g., Ensure package name equals 'telnet' is not installed)
    • Remediation: technical solution to become compliant
    • Script type: language of the script that will be run
    • Script content: complete code of the script
    • Regular expression of compliance: regular expression the script’s output has to match to be compliant with the rule
    • Regular expression of non-compliance: regular expression the script’s output has to match to be non-compliant with the rule
    • Concerned operating systems: list of operating systems to which the rule applies
    • Admin rights: whether the script requires admin rights to be run
    • Level: compliance level of the rule
    • Repositories: repositories to which the rule will be added
  4. Accept the terms of service that come with the creation of a custom compliance rule
  5. Save

If all fields are valid, the rule will immediately be added to the Rule encyclopedia.

Every rule created with the Compliance custom module has its Reference prefixed by “custom-”.
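
For the page's sample rule (Ensure telnet client is not installed), the following added example, which is not Cyberwatch's own code, shows a Script content that prints one fixed line per outcome and checks a compliance/non-compliance regex pair against that output locally before the form is saved. The output tokens, the function names and the use of grep -E as the regex dialect are assumptions; how Cyberwatch treats output that matches both or neither expression is not described on this page.

```shell
#!/bin/sh
# Added example, not Cyberwatch code. Output tokens and function names are assumptions.

# Map a dpkg status string to exactly one fixed line that a regex can anchor on.
report_status() {  # $1 = package, $2 = output of dpkg-query -W -f='${Status}'
  case "$2" in
    *" installed")  # also covers held packages ("hold ok installed")
      echo "NONCOMPLIANT: $1 is installed" ;;
    *" not-installed"|*" config-files"|"unknown to dpkg")
      echo "COMPLIANT: $1 is not installed" ;;
    *)  # fail closed: this line matches neither regex
      echo "ERROR: cannot determine state of $1 (status: $2)" ;;
  esac
}

# Candidate "Script content": query dpkg, then report.
audit_package() {  # $1 = package name
  if command -v dpkg-query >/dev/null 2>&1; then
    pkg_status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || pkg_status="unknown to dpkg"
  else
    pkg_status="dpkg-query unavailable"
  fi
  report_status "$1" "$pkg_status"
}

# Local pre-check of the two form regexes against one script output.
classify() {  # $1 = output, $2 = compliance regex, $3 = non-compliance regex
  verdict=""
  printf '%s\n' "$1" | grep -Eq -- "$2" && verdict="c"
  printf '%s\n' "$1" | grep -Eq -- "$3" && verdict="${verdict}n"
  case "$verdict" in
    c)  echo "compliant" ;;
    n)  echo "non-compliant" ;;
    cn) echo "ambiguous" ;;
    *)  echo "no-match" ;;
  esac
}

# Constructed sample outputs checked against anchored and unanchored regex pairs.
for sample in "$(report_status telnet 'install ok installed')" \
              "$(report_status telnet 'unknown ok not-installed')" \
              "$(report_status telnet 'dpkg-query unavailable')"; do
  echo "anchored:   $sample -> $(classify "$sample" '^COMPLIANT: ' '^NONCOMPLIANT: ')"
  echo "unanchored: $sample -> $(classify "$sample" 'COMPLIANT' 'NONCOMPLIANT')"
done
```

The unanchored pair reports the installed case as ambiguous because COMPLIANT is a substring of NONCOMPLIANT; the anchored pair keeps the two expressions mutually exclusive.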

Duplicate a rule

  1. Go to the Compliance rules encyclopedia
  2. Click on the reference of the rule to duplicate
  3. In the rule’s specific page, click on the button “Actions > Duplicate rule”
  4. Modify the fields in the form. These fields are pre-filled with the values of the duplicated rule
  5. Accept the terms of service that come with the creation of a custom compliance rule
  6. Save

If all fields are valid, the rule will immediately be added to the Rule encyclopedia.

Among the default rules, only those with an SCE script can be duplicated. It is also possible to duplicate custom rules. However, there are limitations when duplicating rules that have multiple checks.

Every rule duplicated with the Compliance custom module has its Reference prefixed by “custom-”.

Edit a custom rule

Only rules created with the Compliance custom module can be edited.

  1. Go to the Compliance rules encyclopedia
  2. Click on the reference of the rule to edit (necessarily prefixed by “custom-”)
  3. In the rule’s specific page, click on the button “Actions > Edit”
  4. Modify the fields in the form. These fields are pre-filled with the values of the edited rule
  5. Accept the terms of service that come with the creation of a custom compliance rule
  6. Save

If all fields are valid, the rule will immediately be updated in the Rule encyclopedia.

Delete a custom rule

Only rules created with the Compliance custom module can be deleted.

  1. Go to the Compliance rules encyclopedia
  2. Click on the reference of the rule to delete (necessarily prefixed by “custom-”)
  3. In the rule’s specific page, click on the button “Actions > Delete”
  4. Confirm the deletion in the popup

The rule is immediately deleted from the Rule encyclopedia.