Configuration Compliance imported data

Configuration Compliance imports policies, tests, authoritative sources, and test results from third-party integrations and stores them in modules for viewing.

Policies

Policies are related to authoritative documents and test records. A policy is defined by a group of configuration tests. Policies typically align to a technology class (for example, Windows, Oracle databases, Cisco IOS) and are often derived from the primary industry standard. Policies can be modified to meet the needs of the organization. A single configuration test can belong to multiple policies.

If the Qualys Vulnerability integration is installed, the scheduled job Qualys PC Policies retrieves the policies and populates the Control IDs at 1:00 AM. You can view the scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Policies.
Note: If you choose to run the integration manually, run Qualys PC Policies first.

Tests

Tests are libraries of data records that organize scans of computing assets. Configuration tests define how a class of technology assets should be governed.

A Configuration Compliance test is the mechanism third-party integration applications use to group assets by vulnerability type. Some third-party VA scanning solutions such as Qualys have very large libraries of tests (as many as 8,000) that are mapped to policies and "frameworks" of authoritative sources.

A test can have many values (one-to-many, expected vs. actual, and so on). A test is anything that can be used to identify a class of software or hardware asset that is out of compliance, for example, a release or hardware number.

If the Qualys Vulnerability integration is installed, the scheduled job, Qualys PC Controls, retrieves the tests. You can view the scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Controls.
Note: If you choose to run the integration manually, run Qualys PC Controls after Qualys PC Policies.

Technologies

One of the techniques used by third-party vulnerability scanners to create test groups of software and hardware configuration items for analysis is to organize them by technology. Technologies are an imported library of OSes, network devices, databases, and apps that are associated with policies. Tests have multiple implementations for different technologies. Remediation is technology-specific, as well.

You can view the applicable technologies for a test to better understand what kinds of software or hardware assets the control can be applied to. Examples of technologies that can be applied to controls include CentOS 7.x, Windows 8.1, Windows 2016 Server, and so on. The list of technologies is read-only and matches the technologies defined in the Qualys Cloud Platform application.

Authoritative sources

Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as "NIST 800-53 version 3 (2009) 3: 2009, § SA-4".
Note: In the Qualys Vulnerability integration, this combination is referred to as a framework.

Authoritative sources and citations (also known as mandates) are imported from the third-party vulnerability scanners (for example, Qualys Cloud Platform). Authoritative source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures. Configuration tests can reference multiple authoritative sources through citations. Authoritative sources can report on compliance for a given standard in preparation for an audit.

If the Qualys Vulnerability integration is installed, the scheduled job, Qualys PC Policies Detail, retrieves the authoritative sources and citations. You can view this scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Policies Detail.
Note: If you choose to run the integration manually, run Qualys PC Policies Detail after Qualys PC Policies.

Test results

Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Test Result Groups. See Configuration Compliance correlation for more information.

If the Qualys Vulnerability integration is installed, the scheduled job, Qualys PC Results, retrieves the test results. You can view this scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Results.
Note: If you choose to run the integration manually, run Qualys PC Results after Qualys PC Policies and Qualys PC Policies Detail.

The Qualys PC Results import is the only integration that uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.
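
The manual run order given in the notes above, collected into one check. This is an added example, not part of the product or of the original page: the job names, their prerequisites and the Start Time flag come from this page, while the helper functions (checkRunOrder, planRun, startTimeScoped) are hypothetical.

```javascript
// Added example. Job names, prerequisites and the Start Time flag come from the
// notes on this page; the helper functions are hypothetical, not product code.
const JOBS = new Map([
  ["Qualys PC Policies", { after: [], usesStartTime: false }],
  ["Qualys PC Controls", { after: ["Qualys PC Policies"], usesStartTime: false }],
  ["Qualys PC Policies Detail", { after: ["Qualys PC Policies"], usesStartTime: false }],
  ["Qualys PC Results", {
    after: ["Qualys PC Policies", "Qualys PC Policies Detail"],
    usesStartTime: true, // the only import that honors Start Time
  }],
]);

// Return the problems with a planned manual run order (empty array = valid).
function checkRunOrder(plan) {
  const problems = [];
  const done = new Set();
  for (const job of plan) {
    const spec = JOBS.get(job);
    if (!spec) { problems.push(`unknown job: ${job}`); continue; }
    if (done.has(job)) { problems.push(`${job} is listed twice`); continue; }
    for (const dep of spec.after) {
      if (!done.has(dep)) problems.push(`${job} must run after ${dep}`);
    }
    done.add(job);
  }
  return problems;
}

// Build a valid order for the requested jobs, adding any prerequisite that is
// missing from the request (depth-first walk over the prerequisites).
function planRun(requested) {
  const order = [];
  const visit = (job) => {
    const spec = JOBS.get(job);
    if (!spec) throw new Error(`unknown job: ${job}`);
    if (order.includes(job)) return;
    spec.after.forEach(visit);
    order.push(job);
  };
  requested.forEach(visit);
  return order;
}

// Jobs in a plan whose result depends on the Start Time parameter.
function startTimeScoped(plan) {
  return plan.filter((job) => JOBS.get(job)?.usesStartTime);
}

// Constructed sample: an operator asks only for controls and results.
const plan = planRun(["Qualys PC Results", "Qualys PC Controls"]);
console.log(plan.join(" -> "), "| Start Time applies to:", startTimeScoped(plan));
```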

When the Qualys PC Results import is complete, an event is fired to trigger end-of-import calculations. For more information see,