4.5 Modifying or Creating Custom Security Checks

Available only in the Windows console.

Secure Configuration Manager provides hundreds of built-in security checks to ensure policy compliance. The built-in security checks and the updates provided with the AutoSync feature provide thorough vulnerability coverage. You can edit an existing security check to meet your organization’s security policies.

You can also create your own security checks to meet your specific needs. Custom security checks are queries that you define. Secure Configuration Manager provides a wizard to guide you through the process of building custom checks. Because these custom checks are flexible, you can tailor them to meet the technical policies and regulations specific to your workplace. For more information about creating a custom check in the Security Check wizard, see Creating Custom Security Checks. You can also use programming languages such as TCL to create queries outside of the wizard. For more information about advanced custom check development, contact NetIQ Professional Services.

After you create custom checks, you can export those checks as XML files. You can also export some built-in checks. You can import security checks that were previously exported from your current Core Services computer, from another Secure Configuration Manager Core Services computer, or from custom checks created outside of the console. For more information about working with existing security checks, see Understanding Security Checks.

4.5.1 Checklist for Editing and Creating Security Checks

Each security check is equivalent to asking a question about a particular attribute of a particular object on a particular platform. For example, does every User attribute of the Windows_Workstation object have a proper password? Are all Unix_Process objects running under the appropriate User attribute?

Use the following checklist as a guide for building the question, and then for editing or creating the security check.

Checklist Items

  1. Identify the platform of the agents and endpoints that you want to assess. For example, is the endpoint an Oracle database?

  2. Identify the objects and attributes for which you want information. For example, do all passwords have an expiration date? See Understanding How Agents Identify Data to Collect.

  3. Identify the values of the attributes by which you want to filter the data. For example, at what interval do we require users to change their passwords? See Security Check Filters.

  4. Identify the scoring method that you want to apply to the data. See Scoring Method.

  5. Identify the numeric penalty that you want to assign to the endpoint if the security check returns violations. For example, each violation scores 10 points. For more information about the numeric penalty, see Threat Factors.

  6. Identify the amount of data you expect the security check to return for each endpoint. For example, you expect to see no returned data when querying the number of passwords without an expiration date. See Expected Number of Rows Returned.

  7. (Conditional) If you have a naming convention for your custom security checks, review the convention to create a new security check name.

  8. Identify the category in which you want to place your security check. See Security Check Categories.

  9. Write a brief description, detailed explanation, and additional information describing the check and its uses. See Security Check Properties.

4.5.2 Modifying Built-in Security Checks

Available only in the Windows console.

Occasionally, you might want to customize a built-in security check to better suit your organizational needs. For example, you can change the way the check scores or add another column of returned data. Secure Configuration Manager enables you to edit some security checks and save the revised check under a new name. In the content pane where checks are listed, a value of Yes in the Edit column indicates that you can edit that check. To edit a check, your console user account needs the Edit Security Check permission. For more information, see Managing Permissions. When you edit a built-in security check, Secure Configuration Manager displays the same wizard as used for creating a custom check. For more information about editing a check, see Creating Custom Security Checks.

As you update your inventory and security policies, you may need to delete the custom checks and policy templates you use to assess your environment. You cannot delete any security checks that are part of a policy template. To delete a security check, your console user account needs the Delete Security Check permission. For more information, see Managing Permissions.

4.5.3 Creating Custom Security Checks

To create a custom security check, you must use the Windows console.

To meet your organization’s specific security needs, you can create custom security checks that evaluate Microsoft Internet Information Services (IIS), Oracle, SQL Server, UNIX, Lightweight UNIX, and Windows endpoints. For more information about supported versions of these endpoint types, see the NetIQ Support site. Secure Configuration Manager provides a wizard to guide you through the process of building your custom checks. Once you create a security check, you can save that check and include it in one or more policy templates.

In addition to the wizard provided in the Secure Configuration Manager console, you can use a programming language such as TCL to create queries outside of the console. You can then import those custom checks into the console to include them in policy templates. For more information about using programming languages to create custom checks, contact NetIQ Corporation Professional Services.

For examples of custom security checks, see Custom Security Check Examples. To create a custom check, your console user account needs the New Security Check permission. For more information, see Managing Permissions.

To create a custom security check:

  1. Log in to the Windows console.

  2. In the left pane, click Security Knowledge.

  3. In the Security Knowledge tree pane, expand Security Checks.

  4. Right-click My Checks, and then click New Security Check.

  5. On the Select Platform window, select a platform and an object.

    NOTE: For queries that require a Windows agent, NetIQ recommends that you expand the top-level objects and select objects at a lower level. If you select a top-level object, such as Windows > Workstation, the security check report includes results for all endpoints associated with the specified Windows agent, rather than limiting the results to the endpoint specified for the security check run.

  6. Click Next.

  7. On the Select Returned Attributes window, select the attributes that you want to use as the columns of data returned by the query.

  8. Click Next.

  9. (Optional) To create a single filter, specify the following items:

    • Attribute

    • Operator

    • Type

    • Criteria

      NOTE: The Filter page of the wizard does not support wildcard characters. Each filter is an exact comparison of the attribute value against the criteria you type.

  10. If you want to create multiple filters, specify the items in Step 9 and specify the AND/OR logic of how the filters combine. For more information about filter components and filter logic, see Security Check Filters.

    NOTE: To view the format of an attribute value, run an unfiltered check first. The unfiltered check returns the data in the format the agent actually reports, giving you an explicit example to build the filter criteria from.

  11. Click Next.

  12. (Conditional) If your custom check includes required parameters, specify the default values, and then click Next.

  13. Select a method in the Scoring Method field.

  14. Enter values in the Threat Factor and Expected Number of Rows Returned fields, or accept the defaults.

  15. Click Next.

  16. Type a unique name for the custom check in the Check Name field. Ensure that the name is consistent with your naming convention.

    NOTE: Secure Configuration Manager does not support using colon (:) and semicolon (;) characters in security check names.

  17. Select the appropriate category in the Category field.

  18. (Optional) To modify the available categories or add a new one, click Edit Categories, make changes, and then click OK.

  19. Type a description of your custom check in the Brief Description field.

  20. Type the remaining descriptive fields as necessary.

  21. Click Next.

  22. Review the summary of your custom check. To make changes, select the appropriate window in the tree pane.

  23. (Optional) To run the custom security check at this time, select the Run this security check now check box.

  24. Click Finish to save the custom check and close the wizard.
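The wizard steps above assemble a check from a platform and object, the returned attributes, one or more filters combined with AND/OR logic, an expected number of rows, and a threat factor. The following script is an added example (not Secure Configuration Manager code, and not the product's stored check format) that models those pieces and runs them against a constructed sample of user records, so you can see how the filter logic and the expected-rows setting turn returned data into violations. The attribute names, the operator set, and the "violations times threat factor" penalty are assumptions made for illustration; the actual scoring method is described under Scoring Method.

```python
"""Model of an SCM-style custom security check (added example, not product code).

Secure Configuration Manager builds checks in its wizard and runs them through
agents; this script only models the items the wizard asks for (platform and
object, returned attributes, filters with AND/OR logic, expected rows, threat
factor) so the filter semantics can be exercised on constructed data. The
attribute names, the operator set and the "violations x threat factor" penalty
are assumptions for illustration, not SCM's stored check format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

# Assumed operator set. The wizard's Filter page has no wildcards, so every
# operator here is an exact comparison; there is deliberately no "like".
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def coerce(type_name: str, criteria: str) -> Any:
    """Turn the criteria string typed in the wizard into the declared Type."""
    if type_name == "int":
        return int(criteria)
    if type_name == "bool":
        return criteria.strip().lower() in ("true", "yes", "1")
    return criteria  # "string": compared as-is, case-sensitive


@dataclass
class Filter:
    attribute: str
    operator: str
    type_name: str
    criteria: str

    def matches(self, row: dict[str, Any]) -> bool:
        if self.attribute not in row:
            return False  # attribute not collected for this row: cannot match
        return OPERATORS[self.operator](row[self.attribute],
                                        coerce(self.type_name, self.criteria))


@dataclass
class SecurityCheck:
    name: str
    platform: str
    obj: str
    returned_attributes: list[str]
    filters: list[Filter] = field(default_factory=list)
    logic: str = "AND"       # how multiple filters combine: AND or OR
    expected_rows: int = 0   # Expected Number of Rows Returned
    threat_factor: int = 10  # assumed penalty per row above the expected count

    def run(self, collected_rows: list[dict[str, Any]]) -> dict[str, Any]:
        combine = all if self.logic == "AND" else any
        if self.filters:
            hits = [r for r in collected_rows
                    if combine(f.matches(r) for f in self.filters)]
        else:
            hits = list(collected_rows)  # unfiltered run: shows raw value formats
        rows = [{a: r.get(a) for a in self.returned_attributes} for r in hits]
        violations = max(0, len(rows) - self.expected_rows)
        return {"rows": rows, "violations": violations,
                "penalty": violations * self.threat_factor}


# Constructed sample of what an agent might return for Windows > Workstation > User.
# The attribute names are invented for this example.
SAMPLE_USERS = [
    {"Name": "alice",      "PasswordNeverExpires": False, "PasswordAgeDays": 30},
    {"Name": "bob",        "PasswordNeverExpires": True,  "PasswordAgeDays": 400},
    {"Name": "svc_backup", "PasswordNeverExpires": True,  "PasswordAgeDays": 12},
    {"Name": "carol",      "PasswordNeverExpires": False, "PasswordAgeDays": 120},
]


def stale_password_check() -> SecurityCheck:
    """Users whose password never expires OR is older than 90 days; expect zero rows."""
    return SecurityCheck(
        name="Custom - Users with non-expiring or stale passwords",
        platform="Windows", obj="Workstation > User",
        returned_attributes=["Name", "PasswordAgeDays"],
        filters=[Filter("PasswordNeverExpires", "=", "bool", "True"),
                 Filter("PasswordAgeDays", ">", "int", "90")],
        logic="OR", expected_rows=0, threat_factor=10,
    )


if __name__ == "__main__":
    result = stale_password_check().run(SAMPLE_USERS)
    for row in result["rows"]:
        print(row)
    print(f"violations={result['violations']} penalty={result['penalty']}")
```

Switching the same check from OR to AND narrows it to users who meet both conditions (only bob in the sample), which is the difference the wizard's filter-logic setting controls; clearing the filters reproduces the unfiltered run recommended in the NOTE above for learning the value formats.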

4.5.4 Working with the Generic Network Device Security Check

In addition to the device-specific security checks for Cisco and Juniper network device endpoints, Secure Configuration Manager provides a generic check called Execute Command on Network Device. You can run this check against any type of network device, and you can also use it while configuring a generic network device endpoint.

You can customize the Execute Command on Network Device check by specifying values for the following parameters in the Run Security Check window when you run the check:

Parameters

  Command: Specify the command that you want to execute on the generic network device.

  IsScorable: Specify whether you want to make the check scorable.

  Regular Expression: Specify the regular expression to apply to the command output.

Scoring

  Comparator: Displays the comparator that the security check uses. This parameter is displayed only when IsScorable is set to true.

  Expected Value: Specify the expected return value.

  Threat Factor: Specify the approximate penalty value for calculating the exposure score of the security check. This value must be greater than zero.

  Description: Specify the description of the security check.

IMPORTANT: This check places no restriction on the commands it executes; it runs whatever you enter in the Command parameter on the device. NetIQ recommends that you exercise caution with commands that can modify the device configuration. When the goal is assessment, stay with display-style commands, and try any other command on a non-production device first.
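The parameters above combine as "run a command, pull a value out of its output with a regular expression, and compare that value with what you expect". The following script is an added example (not Secure Configuration Manager code) that models that flow against constructed device output, so you can see what each parameter does before pointing the check at a real device. The equality comparator, the "threat factor on mismatch" scoring, and the read-only command allowlist are assumptions for illustration; the allowlist in particular is an operator-side safeguard, since the product itself does not restrict commands.

```python
"""Model of SCM's Execute Command on Network Device check (added example, not
product code). It reproduces the parameter set from the Run Security Check
window (Command, IsScorable, Regular Expression, Comparator, Expected Value,
Threat Factor) against constructed device output. How SCM compares and scores
is an assumption here; the read-only allowlist is an operator-side safeguard
that the product does not provide.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceCheck:
    command: str
    is_scorable: bool
    regular_expression: str
    expected_value: str = ""
    threat_factor: int = 10
    comparator: str = "="  # shown read-only in the Run window; equality assumed

    def __post_init__(self) -> None:
        if self.threat_factor <= 0:  # the window requires a value greater than zero
            raise ValueError("Threat Factor must be greater than zero")


# Assumed allowlist. The product places no restriction on commands, so the
# operator has to: only display-style commands are accepted here.
READ_ONLY_PREFIXES = ("show ", "display ", "get ")


def is_read_only(command: str) -> bool:
    return command.strip().lower().startswith(READ_ONLY_PREFIXES)


def extract(output: str, regex: str) -> Optional[str]:
    """Apply the Regular Expression parameter; the first group wins if present."""
    match = re.search(regex, output, re.MULTILINE)
    if match is None:
        return None
    return match.group(1) if match.groups() else match.group(0)


def evaluate(check: DeviceCheck, output: str) -> dict:
    actual = extract(output, check.regular_expression)
    result = {"actual": actual, "violation": False, "penalty": 0}
    if not check.is_scorable:
        return result  # unscored run: use it to learn the raw output format
    if check.comparator != "=":
        raise ValueError(f"unsupported comparator {check.comparator!r}")
    # A regex that matches nothing is a violation, not a pass: the value the
    # check was meant to verify was never found in the output.
    result["violation"] = actual != check.expected_value
    if result["violation"]:
        result["penalty"] = check.threat_factor
    return result


# Constructed output for one command; stands in for the device transport.
CONSTRUCTED_OUTPUT = {
    "show running-config | include ssh": (
        "ip ssh version 2\n"
        "ip ssh time-out 60\n"
        "ip ssh authentication-retries 3\n"
    ),
}


def run_check(check: DeviceCheck, transport: dict = CONSTRUCTED_OUTPUT) -> dict:
    if not is_read_only(check.command):
        raise PermissionError(f"refusing non-display command: {check.command!r}")
    return evaluate(check, transport.get(check.command, ""))


if __name__ == "__main__":
    cmd = "show running-config | include ssh"
    for chk in (
        DeviceCheck(cmd, True, r"ip ssh version (\d)", "2", 15),
        DeviceCheck(cmd, True, r"ip ssh time-out (\d+)", "30", 15),
        DeviceCheck(cmd, False, r"ip ssh time-out (\d+)"),
    ):
        print(chk.regular_expression, "->", run_check(chk))
```

Run the check unscored first (IsScorable false) to see what the regular expression actually captures; in the sample, the time-out check with an expected value of 30 fails because the device reports 60, and a pattern that does not match at all also fails rather than silently passing.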