Rules evaluation
Possible status of rules
- Success: The system is compliant regarding the tested rule
- Failed: The system is not compliant regarding the tested rule
- Anomaly: An error occurred while executing the compliance script. This can be due to a missing dependency or file on the tested system.
- Skipped: The rule was not run. This happens when the asset is not scanned with sufficient privileges
Rules levels
Rule levels are guiding principles to help with system administration. The interpretation of these levels follows that given by the ANSSI:
- Minimal: To be implemented systematically on every system
- Medium: To be implemented as soon as possible on most systems once the minimal level recommendations are applied
- Reinforced: To be implemented on systems in need of stronger security or that have multiple applications that must be isolated from each other
- High: To be implemented only if the internal resources have enough skills and time to maintain them, otherwise the security of the system may be degraded. However, these recommendations can bring huge security improvements
Custom rules
A custom rule is defined by:
- a script to run on the asset,
- a regular expression of compliance,
- a regular expression of non-compliance,
- a regular expression of applicability.
When checking the script’s output, Cyberwatch will proceed in the following way:
- if a regular expression of applicability is provided but does not match the output, the rule’s state becomes Skipped,
- else, if the output matches the regular expression of compliance, the rule’s state becomes Success,
- else, if the output matches the regular expression of non-compliance, the rule’s state becomes Failed,
- else, the rule’s state becomes Anomaly.
Declarative compliance
Air-gapped assets, or assets without shell script execution capabilities, instead let users manually edit their declarative compliance data from the Analyses tab of the asset's details page or via the API.
Compliance data have the following format:
--cbw-compliance-check
Rule: Rule-reference
Rule output.
--cbw-compliance-check
Rule: Rule-reference
Status: Skipped
Case of a skipped rule.
The status of a declarative rule is evaluated by comparing its output against the regular expressions configured in the rule, as if the rule had been executed by a shell script.
A custom rule can be configured as declarative, in which case it will have no script and can only be used via the declarative data presented above. A shell rule can be either executed or declared, depending on the asset.
The asset’s repositories have no impact on the assignment or evaluation of compliance rules via declarative data.
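As an added example (not Cyberwatch's own code), the following Python model applies the evaluation order from the "Custom rules" section to declarative compliance data in the format shown above; the Rule class, rule references and outputs are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule model (assumed for this example, not Cyberwatch's own data model).
@dataclass
class Rule:
    compliance: str
    non_compliance: str
    applicability: Optional[str] = None

def evaluate(rule: Rule, output: str) -> str:
    """Evaluation order from the 'Custom rules' section, applied to one rule output."""
    if rule.applicability and not re.search(rule.applicability, output, re.M):
        return "Skipped"
    if re.search(rule.compliance, output, re.M):
        return "Success"
    if re.search(rule.non_compliance, output, re.M):
        return "Failed"
    return "Anomaly"

def parse_declarative(data: str) -> list[tuple[str, Optional[str], str]]:
    """Split declarative data into (rule reference, declared status, output) tuples."""
    entries = []
    for block in data.split("--cbw-compliance-check"):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Rule:"):
            continue  # empty chunk before the first separator
        reference, status, body = lines[0][5:].strip(), None, lines[1:]
        if body and body[0].startswith("Status:"):
            status, body = body[0][7:].strip(), body[1:]  # e.g. "Skipped"
        entries.append((reference, status, "\n".join(body)))
    return entries

def evaluate_declarative(data: str, rules: dict[str, Rule]) -> dict[str, str]:
    """Return {reference: status}; an explicit Status line wins over regex matching."""
    return {ref: status or evaluate(rules[ref], output)
            for ref, status, output in parse_declarative(data)}

# Constructed sample (illustrative rule references and outputs, not real rules).
RULES = {
    "SSH-01": Rule(r"^PermitRootLogin no$", r"^PermitRootLogin yes$", r"PermitRootLogin"),
    "FS-07": Rule(r"noexec", r"^/tmp on "),
    "AUD-02": Rule(r"^active$", r"^inactive$"),
    "PKG-03": Rule(r"installed", r"not installed"),
}
SAMPLE = ("--cbw-compliance-check\nRule: SSH-01\nPermitRootLogin no\n"
          "--cbw-compliance-check\nRule: FS-07\n/tmp on tmpfs (rw,nosuid,nodev)\n"
          "--cbw-compliance-check\nRule: AUD-02\ncannot connect to auditd socket\n"
          "--cbw-compliance-check\nRule: PKG-03\nStatus: Skipped\nCase of a skipped rule.\n")
```

Running `evaluate_declarative(SAMPLE, RULES)` yields Success, Failed, Anomaly and Skipped for the four sample rules respectively.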
Relaunch already executed rules on an asset
- Go to the Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Check rules” button to relaunch all rules associated with the asset
Relaunch all rules on multiple assets
- Go to the Inventory
- Select the assets for which all assigned rules will be relaunched
- Click on the “Bulk actions” button
- Click on “Relaunch the assets analysis now”
Ignore a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the rule(s) to ignore
- Click on the “Ignore” button
Activate a rule
- Go to Inventory
- Click on the asset’s name or on the magnifying glass icon to go to the asset’s page
- Click on the “Compliance” tab
- Select the ignored rule(s) to activate
- Click on the “Activate” button
Comment on an ignored rule
As explained in the “Ignore a rule” section, you can comment on a rule via the advanced actions in the drop-down menu.