Policies

Policies are related to authoritative documents and test records. A group of configuration tests define policies. Policies typically align to a technology class (ex. Windows, Oracle databases, Cisco IOS) and are often derived from the primary industry standard. Policies can be modified to meet the needs of the organization. A single Configuration Test can belong to multiple policies.

Tests

Tests are libraries of data records that organize scans of computing assets. Configuration tests define how a class of technology assets should be governed.

A Configuration Compliance test is the mechanism third-party integration applications use to group assets by vulnerability type. Some third-party VA scanning solutions such as Qualys have very large libraries of tests (as many as 8,000) that are mapped to policies and "frameworks" of authoritative sources.

A Test can have many values, one-to-many, expected vs. actual, and so on. A test is anything that can be used to identify a class of software or hardware asset that is out of compliance. For example, a release or hardware number.

Technologies

One of the techniques used by third-party vulnerability scanners to create test groups of software and hardware configuration items for analysis is to organize them by technology. Technologies are an imported library of OSes, network devices, databases, and apps that are associated with policies. Tests have multiple implementations for different technologies. Remediation is technology-specific, as well.

You can view the applicable technologies for a test, to better understand what kinds of software or hardware assets the control can be applied to. Examples of technologies that can be applied to controls include CentOS 7.x, Windows 8.1, Windows 2016 Server, and so on. The list of technologies is read-only and match the technologies defined in the Qualys Cloud Platform application.

Authoritative sources

Authoritative sources and citations (also known as mandates) are imported from the third-party vulnerability scanners (for example, Qualys Cloud Platform). Authoritative source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures. Configuration tests can reference multiple authoritative sources through citations. Authoritative sources can report on compliance for a given standard in preparation for an audit.

Test results

Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Test Result Groups. See Configuration Compliance correlation for more information.

The Qualys PC Results import is the only integration that uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.

When the Qualys PC Results import is complete, an event is fired to trigger end-of-import calculations. For more information see, Configuration Compliance states.