Rules evaluation
Possible status of rules
- Success: The system is compliant regarding the tested rule
- Failed: The system is not compliant regarding the tested rule
- Anomaly: An error occurred while executing the compliance script. This can be due to a missing dependency or file on the tested system.
- Skipped: The rule was not run. This happens when the asset is not scanned with sufficient privileges
Rules levels
These levels are guiding principles to help with system administration. Their interpretation follows the one given by the ANSSI:
- Minimal: To be implemented systematically on every system
- Medium: To be implemented as soon as possible on most systems once the minimal level recommendations are applied
- Reinforced: To be implemented on systems in need of stronger security or that have multiple applications that must be isolated from each other
- High: To be implemented only if the internal resources have enough skills and time to maintain them; otherwise, the security of the system may be degraded. However, these recommendations can bring huge security improvements
Custom rules
A custom rule is defined by:
- a script to run on the asset,
- a regular expression of compliance,
- a regular expression of non-compliance,
- a regular expression of applicability.
When checking the script’s output, Cyberwatch will proceed in the following way:
- if a regular expression of applicability is provided but does not match the output, the rule’s state becomes Skipped,
- else, if the output matches the regular expression of compliance, the rule’s state becomes Success,
- else, if the output matches the regular expression of non-compliance, the rule’s state becomes Failed,
- else, the rule’s state becomes Anomaly.
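The evaluation order above, reproduced as an added Python example (not Cyberwatch's own code) to test a custom rule's regular expressions before deploying it. The sshd script output, the patterns and the function name are constructed for illustration, and unanchored multi-line matching is an assumption, since the matching mode is not documented here.

```python
import re
from typing import Optional


def evaluate_rule(output: str, compliance: str, non_compliance: str,
                  applicability: Optional[str] = None) -> str:
    """Apply the evaluation order described above to a script's output."""
    # Assumption: unanchored search with MULTILINE; the regex engine and
    # flags actually used by Cyberwatch are not specified on this page.
    def hit(pattern: str) -> bool:
        return re.search(pattern, output, re.MULTILINE) is not None

    if applicability and not hit(applicability):
        return "Skipped"
    if hit(compliance):          # checked before non-compliance
        return "Success"
    if hit(non_compliance):
        return "Failed"
    return "Anomaly"


# Constructed output of a hypothetical custom script that prints every
# PermitRootLogin line of sshd_config, prefixed with "sshd_config: ".
MIXED = "sshd_config: #PermitRootLogin no\nsshd_config: PermitRootLogin yes\n"
APPLIES = r"^sshd_config:"
# Loose pattern: also matches the commented-out line.
LOOSE_OK = r"PermitRootLogin no"
# Anchored patterns: only match an active directive on its own line.
STRICT_OK = r"^sshd_config: PermitRootLogin\s+no\s*$"
STRICT_KO = r"^sshd_config: PermitRootLogin\s+yes\s*$"


def demo() -> dict:
    """Rule state for each constructed case."""
    return {
        # Compliance is tested first, so a loose pattern hides the failure.
        "loose": evaluate_rule(MIXED, LOOSE_OK, STRICT_KO, APPLIES),
        "strict": evaluate_rule(MIXED, STRICT_OK, STRICT_KO, APPLIES),
        "not_applicable": evaluate_rule("sshd not installed",
                                        STRICT_OK, STRICT_KO, APPLIES),
        # A value covered by neither pattern ends up as Anomaly.
        "uncovered": evaluate_rule(
            "sshd_config: PermitRootLogin prohibit-password",
            STRICT_OK, STRICT_KO, APPLIES),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

Because compliance is checked before non-compliance, an output that matches both patterns is reported as Success, so the compliance pattern should be the most tightly anchored of the three.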
Relaunch already executed rules on an asset
- Go to the Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Check rules” button to relaunch all rules associated with the asset
Relaunch all rules on multiple assets
- Go to the Inventory
- Select the assets whose assigned rules should all be relaunched
- Click on the “Bulk actions” button
- Click on “Relaunch the assets analysis now”
Ignore a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the rule(s) to ignore
- Click on the “Ignore” button
Activate a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the ignored rule(s) to activate
- Click on the “Activate” button
Comment on an ignored rule
As explained in the “Ignore a rule” section, you can comment on a rule via the advanced actions in the drop-down menu.