Rules evaluation
Possible status of rules
- Success: The system is compliant regarding the tested rule
- Failed: The system is not compliant regarding the tested rule
- Anomaly: An error occurred while executing the compliance script; this can be due to a missing dependency or file on the tested system.
- Skipped: The rule was not run. This happens when the asset is not scanned with sufficient privileges.
Rules levels
Rules levels are guiding principles that help with system administration. The interpretation of these levels follows the one given by the ANSSI:
- Minimal: To be implemented systematically on every system
- Medium: To be implemented as soon as possible on most systems once the minimal level recommendations are applied
- Reinforced: To be implemented on systems in need of stronger security or that have multiple applications that must be isolated from each other
- High: To be implemented only if the internal resources have enough skills and time to maintain them; otherwise the security of the system may be degraded. These recommendations can nevertheless bring major security improvements.
How rules evaluation works
Each rule from the encyclopedia is made of an equation and one or more scripts that are used to verify it on the system concerned.
While executing a rule's scripts on a system, Cyberwatch retrieves their output and checks it against regular expressions to determine whether the rule has succeeded or not.
Results evaluation with regular expressions
Each script is made of:
- a script content, the actual code or command that will be run on the asset
- a regular expression of compliance
- a regular expression of non-compliance
When checking a script's result, Cyberwatch proceeds as follows:
- verify whether the result matches the regular expression of compliance and mark the script as “Success” if so
- else, verify whether the result matches the regular expression of non-compliance and mark the script as “Failed” if so
- else, mark the script as “Anomaly”, since it matches neither of the two regular expressions
Equations
The equation defines the expected results of the scripts' execution, in order to indicate whether the rule verified on the asset is compliant or not. For example, a rule whose equation is (1 && 2 && !3)
will succeed if all the following conditions are met:
- the result of the first script matches the regular expression of compliance of the first script
- the result of the second script matches the regular expression of compliance of the second script
- the result of the third script matches the regular expression of non-compliance of the third script
Otherwise, the rule will be in Failed status.
Equations support the following logical operators:
- && : logical AND
- || : logical OR
- ! : logical negation
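As an added illustration (not Cyberwatch's own code), the following Python model reproduces the evaluation described above: each script output is classified as Success, Failed or Anomaly by its two regular expressions, tested in that order, and the equation is then evaluated over those statuses with !, && and ||. The sample scripts are constructed for the example, and the handling of an Anomaly inside an equation is an assumption, since the page does not specify it.

```python
import re
from dataclasses import dataclass
SUCCESS, FAILED, ANOMALY = "Success", "Failed", "Anomaly"

@dataclass
class Script:
    compliance_re: str     # regular expression of compliance
    noncompliance_re: str  # regular expression of non-compliance

# Constructed sample rule with equation "1 && 2 && !3" (script 3 is negated: telnet must be disabled).
SAMPLE_SCRIPTS = [Script(r"^PermitRootLogin no$", r"^PermitRootLogin (yes|without-password)$"),
                  Script(r"^Protocol 2$", r"^Protocol 1$"),
                  Script(r"^enabled$", r"^disabled$")]

def classify(script, output):
    # Same order as the page: compliance first, then non-compliance, else Anomaly.
    if re.search(script.compliance_re, output, re.M):
        return SUCCESS
    return FAILED if re.search(script.noncompliance_re, output, re.M) else ANOMALY

def evaluate_equation(equation, statuses):
    # N is true when script N is Success, !N when it is Failed; && binds tighter than ||.
    # Assumption (not stated on the page): a referenced script in Anomaly makes the rule Anomaly.
    tokens = re.findall(r"\d+|&&|\|\||[!()]", equation)
    if any(statuses[int(t) - 1] == ANOMALY for t in tokens if t.isdigit()):
        return ANOMALY
    def parse_or():
        value = parse_and()
        while tokens[:1] == ["||"]:
            tokens.pop(0); rhs = parse_and(); value = value or rhs
        return value
    def parse_and():
        value = parse_not()
        while tokens[:1] == ["&&"]:
            tokens.pop(0); rhs = parse_not(); value = value and rhs
        return value
    def parse_not():
        if tokens[:1] == ["!"]:
            tokens.pop(0)
            return not parse_not()
        tok = tokens.pop(0)
        if tok == "(":
            value = parse_or(); tokens.pop(0)  # consume the closing parenthesis
            return value
        return statuses[int(tok) - 1] == SUCCESS
    return SUCCESS if parse_or() else FAILED

def evaluate_rule(equation, scripts, outputs):
    statuses = [classify(s, o) for s, o in zip(scripts, outputs)]
    return statuses, evaluate_equation(equation, statuses)
```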
Relaunch already executed rules on an asset
- Go to the Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Check rules” button to relaunch all rules associated to the asset
Relaunch all rules on multiple assets
- Go to the Inventory
- Select the assets whose rules should all be relaunched
- Click on the “Bulk actions” button
- Click on “Relaunch the assets analysis now”
Ignore a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the rule(s) to ignore
- Click on the “Ignore” button
Activate a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the ignored rule(s) to activate
- Click on the “Activate” button