Q&A from June 2020 Customer Webcast on InsightVM Custom Policy Builder

This blog was co-authored by Naveen Bibinagar, Greg Wiseman, and Joel Kinzel.

During our most recent “Seeing 20/20 with InsightVM” customer webcast on Custom Policy Builder, we received a lot of great questions from attendees. So many, in fact, that we didn’t have time to answer all of them! In this post, we are going to address some of the questions that were asked in the live session:

1. Which InsightVM version release is Custom Policy Builder available for?

We released Custom Policy Builder as part of the June 3, 2020 release (InsightVM 6.6.25).

2. What permissions do you need in order to edit the policies? Global admin? Can access to Custom Policy Builder be limited in the RBAC configuration of InsightVM?

Global administrator roles on InsightVM console by default have full permissions to create, copy, and modify custom policies. If not a global admin, a custom role can be created with “manage policies” permission to allow only those specific users to either copy, create, or customize policies.

Currently, Custom Policy Builder permissions are coupled with the permissions available on InsightVM Console.

3. With all the options in the policies, is there any way to determine how much load or time it may add during the scans of assets? Clients will want to know how hard their systems will be hit during scans, fearing performance issues on their asset.

This is highly dependent on the policy in question and the systems being scanned. If performance issues are a concern, it may help to schedule policy scans to occur during off-peak hours, if possible. Otherwise, it may help to do a test scan using tools such as Windows Performance Monitor.

4. Should we have a policy for passwords already, or does that need to be created?

Many of InsightVM’s built-in benchmarks contain tests for password policies, so there is no need to create from scratch.

5. Does Custom Policy Builder apply to only local policies, or domain policies as well?

When we use the term “policy,” we mean it in the sense of validating configuration on a system. On Windows assets, this would be local, but should reflect any domain policy if it has been applied correctly.

6. Any best practices you recommend for policy scanning? How often should you perform policy scans?

Many factors may influence how often you perform policy scans, such as audit/compliance requirements, considerations around impact to scan targets, and organizational change control processes, among others.

7. Is it possible to create scripts in the policy to pull specific information, such as Motherboard Serial numbers?

You could use a shell command test on Linux systems, for example, to run a DMI decode command, which is where that type of hardware information is available. On Windows, you could use the WMI 57 test to issue a query using WMI to see the hardware information.

8. Is there a way to update the CPE of a policy (aka the OS) by deleting the check on release, defaulting to any Windows family? Is there a way to “easily” update the version/release string to include all Windows OS?

Yes, you can edit the CPE. You can update the existing test, but we currently do not allow you to remove or add additional tests for CPEs. You can modify the reg-ex value to include the versions of Windows or other operating systems that would be running in your environment.

9. I have RHEL OVAL policies added. Is it a good idea to perform both vulnerability and policy scans in the same template? Or should I have a separate template for vulnerability scan and policy scan?

It really depends on what works best for your environment. Policy scans can take a bit longer than vulnerability scans, but it just depends on your environment, timing, and how often you’re scanning.

10. If I have my “modified” policies that I have used with the old system, how can I modify them with the new one?

You can still click on “Edit” on the main policy list page in InsightVM, and it will open in the new experience. This will happen automatically behind-the-scenes for you. You can also upload an existing policy into InsightVM, then edit it in the new experience.

11. Can you remove the version so the policy runs against all operating systems?

Yes, you can make the version more permissive. However, we wouldn’t recommend running against ALL operating systems. We recommend keeping it to one family, such as Windows.

12. Can we create a policy for vulnerabilities with a patch solution older than a date, for example, older than 15 days? A patch age policy would be very useful.

We have other InsightVM features like Goals & SLAs and Remediation Projects that would be better fits for this use case. This is not possible through Custom Policy Builder.

13. Any issues to watch for with specific policy checks, rules, in groups/sites that have multiple asset types, i.e., Linux vs. Windows ?

The CPE should limit the platforms that a policy can be scanned on. The scanner will first check the CPE to ensure the target device meets those requirements.

14. As per the Password Policy example, can we report on checks performed normally and with policies for both Insight and Nexpose?

Yes, we do have built-in policy reporting. This is an InsightVM feature only. If you’re on Nexpose, you will need to upgrade to InsightVM.

15. I saw you have a way to customize the operating system a policy applies to. Is there a way for one single benchmark to apply to multiple operating systems? For example, can one benchmark apply to all builds of Windows 10 (build 1709, 1803, 1809, etc.)?

Yes. Currently our Windows policies are not broken out by build numbers. In the future, we may do that to reduce confusion about which policies apply to which builds. In that case, the CPE can be edited so the build check is more widely defined.

16. Do we offer support of Cisco IOS XE to your Cisco CIS policy?

Yes, we’ve added support for the IOS EX benchmark, version 1.

17. If you import a rule, will it change when the original rule has changed?

No. We create a new copy of that rule when we import it to another policy.

18. How can we consolidate policies for 2016 Windows OS and 2019 Windows OS into one, and scan both operating systems using the same policy?

You will need to update the CPE check to run both 2016 and 2019. The tests might be slightly different from version to version, so you might need to tweak the tests.

19. Is there any plan to “clone” policies? This would be helpful if, for example, you wanted to check something very close to an existing rule, but change a directory.

Cloning policies is already possible in InsightVM today!

Thank you to all our customers who attended the webcast and asked these great questions. We hope that these answers help you achieve your goals and are looking forward to seeing you all during our next webcast in August.