Nexpose 5.4 adds a great new feature to our configuration assessment component: the ability to customize policies to meet needs that are specific to your environment. You can now copy a built-in policy and edit its configuration, including the policy check values, to test your assets for compliance. This flexibility allows for custom, accurate and relevant configuration assessment.

Configuration assessment is important for assessing risk in deployments where heterogeneous configurations are present. It identifies the assets that present a risk to the network because they are misconfigured. Another advantage of configuration assessment is that it identifies the most and least compliant rules for each policy. This means you can see not only the areas where you are doing well, but also the areas where your policies may not make sense.

The goal is then to assess configuration compliance against policies that make sense for your particular needs. One good example of when this can come in handy: let's say your company policy for the account lockout threshold is more restrictive than the one in the FDCC Windows policy (less than or equal to five). Your company has decided that three failed attempts can occur before an account is locked out. You can now easily copy the FDCC policy, find the Account Lockout Threshold rule, and tweak it to check for three instead of five.
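To make the copy-then-edit workflow and the per-rule compliance view from the two paragraphs above concrete, here is a small added example (not Nexpose code, and not the product's data model): a built-in policy is modelled as a read-only mapping of rule name to check, a copy is edited to lower the Account Lockout Threshold from five to three, and constructed asset configurations are evaluated against both versions to see which rules are the least compliant. The rule names other than Account Lockout Threshold, their values, and the asset settings are constructed for illustration.

```python
from copy import deepcopy

# Constructed model of a built-in policy: rule name -> (operator, expected value).
# Only the Account Lockout Threshold check (<= 5) comes from the post; the rest is made up.
# Note: on Windows a threshold of 0 disables lockout, so a real check would also reject 0;
# this example keeps the post's literal "less than or equal to five".
BUILT_IN_POLICIES = {
    "FDCC Windows": {
        "Account Lockout Threshold": ("<=", 5),
        "Minimum Password Length": (">=", 12),         # constructed
        "Password Complexity Enabled": ("==", True),   # constructed
    }
}
OPERATORS = {
    "<=": lambda actual, expected: actual <= expected,
    ">=": lambda actual, expected: actual >= expected,
    "==": lambda actual, expected: actual == expected,
}

def copy_policy(name):
    """Copy a built-in policy; the built-in stays untouched, the copy is editable."""
    return deepcopy(BUILT_IN_POLICIES[name])

def set_check_value(policy, rule, expected):
    """Edit one rule's check value in a copied policy; unknown rules are rejected."""
    if rule not in policy:
        raise KeyError(f"unknown rule: {rule}")
    operator, _ = policy[rule]
    policy[rule] = (operator, expected)

def evaluate(policy, assets):
    """Return {asset: {rule: True/False}}; a setting missing from the asset counts as a failure."""
    results = {}
    for asset, config in assets.items():
        results[asset] = {}
        for rule, (operator, expected) in policy.items():
            actual = config.get(rule)
            results[asset][rule] = actual is not None and OPERATORS[operator](actual, expected)
    return results

def rule_compliance(results):
    """Fraction of assets passing each rule, least compliant rule first."""
    rules = next(iter(results.values())).keys()
    rates = {r: sum(res[r] for res in results.values()) / len(results) for r in rules}
    return sorted(rates.items(), key=lambda item: item[1])

# Constructed asset configurations (values chosen to straddle the 3 vs 5 threshold).
ASSETS = {
    "ws01": {"Account Lockout Threshold": 3, "Minimum Password Length": 14, "Password Complexity Enabled": True},
    "ws02": {"Account Lockout Threshold": 4, "Minimum Password Length": 12, "Password Complexity Enabled": True},
    "srv01": {"Account Lockout Threshold": 5, "Minimum Password Length": 8, "Password Complexity Enabled": False},
}

if __name__ == "__main__":
    custom = copy_policy("FDCC Windows")
    set_check_value(custom, "Account Lockout Threshold", 3)
    for label, policy in (("FDCC Windows", BUILT_IN_POLICIES["FDCC Windows"]), ("Custom copy", custom)):
        print(label, rule_compliance(evaluate(policy, ASSETS)))
```

Running it shows that all three assets pass the lockout check under the built-in policy, while only ws01 passes under the custom copy, which makes Account Lockout Threshold the least compliant rule once the stricter value is in place.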

This is where the policy editor and the new features shipped with Nexpose 5.4 come into play. Several operations are enabled on built-in policies, and others can only be done against copies of the built-in policies.

Operations on built-in policies include:

  • Viewing the policy structure and check values with the policy viewer
  • Copying the policy

Operations on copied (custom) policies include:

  • Viewing the policy structure and check values with the policy viewer
  • Copying the policy
  • Editing the policy
  • Deleting the policy

All these options are available on the Policies tab.

In the policy viewer you can browse through the policy structure to find the groupings and rules you are interested in, or use the "Find" mechanism to jump straight to them. In viewer mode you can only see how a policy is configured; you cannot change it.

On the left-hand side you will see the policy structure as a tree. On the right-hand side you will see the details for the node selected in that tree.

In the policy editor you can not only browse through the policy structure but also modify the policy's summary details (such as its name and description), its groups, its rules and its check values. Note the "Save" and "Cancel" buttons, which save or discard your modifications to the policy.

Once you have configured your policy to address your particular needs, you are ready to start checking for compliance on policies that you care about.

Stay tuned, there's more coming.