Customizing compliance results

You must have the Comply Report Content Administrator role to customize compliance results. For more information about Comply roles, see User roles.

Custom profiles

A profile defines a set of rules to be evaluated and the parameters for those rules. Custom profiles let you deploy only a subset of the checks available in a benchmark.

  1. At the top right of the Home page, click Settings.
  2. On the Compliance Customizations tab, click Custom Profiles.

You can either create a custom profile or upload one from a tailoring file.

To create a new custom profile

  1. Click Create Custom Profile.
  2. On the New Custom Profile page, enter a Title and Description.
  3. In the Rules section, select a benchmark from the Benchmark drop-down list.
  4. Select each rule you would like to include in your custom profile.
  5. Click Add Selection to Profile to move the selected rules to the Selected Rules section. You can click Remove Selection From Profile to remove any rules you have added.

  6. Click Create to create the new custom profile.

You can also modify some rule values within your custom profile. If a rule value is customizable, a value of true will appear in the Can Customize column along with the default value for the rule in the Default Value column.

To customize a rule value

  1. Select the rule and click Modify Rule Value.
  2. In the Modify Custom Profile Value window, enter a Custom Rule Title and change the Custom value field.


  3. Rule titles occasionally include the value used in the rule. Customize the title of any rule whose value you have changed. The customized rule titles then appear in report results, question answers, and report exports. For example, if you provide a new value for the rule (L1) Ensure 'Enforce password history' is set to '24 or more password(s)', you can change 24 to match the custom value.

  4. Click Save. The new value will appear in the User-defined Value column. You can return to the Default Value of a rule by clicking Use Default.

On the Custom Profiles page, click a custom profile to view its details.

You will see the rules included in the custom profile as well as those for which the values have been modified.



To upload a new custom profile

  1. On the Compliance Customizations tab, click Import Tailoring File.
  2. In the Upload Custom Profile window, enter a Description.
  3. Select a benchmark from the Benchmark drop-down list.
  4. Click Select File and locate the tailoring file for the new profile.
  5. A custom profile can also be specified with a tailoring file. For more information about tailoring files, see NIST's Technical Specification for the Security Content Automation Protocol (SCAP) or consult with your TAM.
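Before you import a tailoring file, it helps to review which rules it turns off and which values it overrides. The following is an added example, not Tanium code: it reads an XCCDF 1.2 Tailoring document and summarizes each profile. The sample file and every identifier in it are constructed, and the page does not state which tailoring elements Comply honors.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by SCAP tailoring files.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample; all ids and the benchmark href are placeholders.
SAMPLE_TAILORING = """\
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_tailoring_constructed">
  <benchmark href="constructed-benchmark-xccdf.xml"/>
  <version time="2018-07-31T00:00:00">1</version>
  <Profile id="xccdf_org.example_profile_constructed">
    <title>Constructed custom profile</title>
    <select idref="xccdf_org.example_rule_password_history" selected="true"/>
    <select idref="xccdf_org.example_rule_tmp_partition" selected="false"/>
    <set-value idref="xccdf_org.example_value_password_history">12</set-value>
  </Profile>
</Tailoring>
"""

def summarize_tailoring(xml_text):
    """Return one summary dict per Profile in an XCCDF 1.2 tailoring file."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Tailoring" % NS["x"]:
        raise ValueError("root element is not an XCCDF 1.2 Tailoring")
    profiles = []
    for prof in root.findall("x:Profile", NS):
        enabled, disabled = [], []
        for sel in prof.findall("x:select", NS):
            # xs:boolean accepts "true"/"1" and "false"/"0".
            on = sel.get("selected") in ("true", "1")
            (enabled if on else disabled).append(sel.get("idref"))
        values = {v.get("idref"): (v.text or "").strip()
                  for v in prof.findall("x:set-value", NS)}
        profiles.append({
            "id": prof.get("id"),
            "title": prof.findtext("x:title", default="", namespaces=NS),
            "enabled": enabled,
            "disabled": disabled,   # rules the profile removes from scope
            "values": values,       # rule values that differ from defaults
        })
    return profiles

if __name__ == "__main__":
    for p in summarize_tailoring(SAMPLE_TAILORING):
        print(p["title"], "disables", p["disabled"], "overrides", p["values"])
```
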

Cloning custom profiles

  1. Click Clone next to the custom profile.
  2. Provide a new Title and Description for the duplicate custom profile.
  3. Make any necessary changes to the rules included in the custom profile.
  4. Click Create.

Custom checks

You can create custom checks in Comply to check a condition on endpoints that may not be included in any benchmark. A custom check can be a PowerShell or VBScript script on Windows, or a bash shell script on Linux/OS X. PowerShell scripts should use the file extension .ps1, and VBScript files should use the .vbs extension.

You must have the Comply Custom Check Writer role to write custom checks. For more information about Comply roles, see User roles.

  1. At the top right of the Home page, click Settings.
  2. On the Compliance Customizations tab, click Custom Checks.
  3. Click Create Check.
  4. In the New Custom Check window, enter a Title, Description, and Identifier.
  5. Select the appropriate Severity and Platform.
  6. Click Select File and locate the file for the custom check.
  7. Click Save. Your custom check will now show under Custom Checks and be available in the Advanced section of the New Configuration Compliance Report page when you create a new report.

Custom ID mappings

Custom ID mappings allow you to create a custom column on results that associates a specific tag with a custom check or rule identifier.

  1. At the top right of the Home page, click Settings.
  2. On the Compliance Customizations tab, click Custom ID Mappings.
  3. Click Create Custom ID.
  4. In the New Custom ID window, enter a Name and Description.
  5. Click Select File and locate the custom ID mapping file.
  6. Click Save. Your custom ID will now show under Custom ID Mappings and be available in the Advanced section of the New Configuration Compliance Report page when you create a new report.

Following is the file format used for a custom ID mapping: Rule id|custom id

Example: xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_42
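A mapping file can be checked before upload for malformed lines and for rule IDs that are mapped to two different custom IDs. The following is an added example, not Tanium code. Only the first sample line comes from this page; the other lines are constructed, and the handling of blank lines and surrounding whitespace is an assumption.

```python
import re

# XCCDF 1.2 rule ids have the form xccdf_<namespace>_rule_<name>.
XCCDF_RULE_ID = re.compile(r"^xccdf_[^_]+_rule_.+$")

# Constructed sample: line 1 is the page's example; the rest are made up.
SAMPLE = """\
xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_42
xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_43
example_custom_check_identifier|company_policy_rule_44
xccdf_org.example_rule_placeholder company_policy_rule_45
"""

def validate_mapping(text):
    """Parse 'Rule id|custom id' lines into (mapping, errors, warnings)."""
    mapping, errors, warnings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:  # assumption: blank lines are ignored
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(parts):
            errors.append(f"line {lineno}: expected 'rule id|custom id'")
            continue
        rule_id, custom_id = parts
        if rule_id in mapping and mapping[rule_id] != custom_id:
            errors.append(
                f"line {lineno}: {rule_id} already mapped to {mapping[rule_id]}")
            continue
        if not XCCDF_RULE_ID.match(rule_id):
            # Assumption: custom check identifiers need not be XCCDF ids,
            # so this is a warning for review, not a hard failure.
            warnings.append(f"line {lineno}: {rule_id} is not an XCCDF rule id")
        mapping[rule_id] = custom_id
    return mapping, errors, warnings

if __name__ == "__main__":
    mapping, errors, warnings = validate_mapping(SAMPLE)
    for msg in errors + warnings:
        print(msg)
    print(f"{len(mapping)} usable mappings")
```
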

Note: A report can only have a single custom ID mapping associated with it; however, it can have multiple benchmarks and custom checks. When selecting the benchmarks and custom checks, be aware that a report is targeted to a single action group.

View Custom IDs in Interact

  1. Obtain the hash for the custom ID for a report by clicking on the report name on the Configuration Compliance Reports page and expanding More Details. You can click Copy to copy the hash.
  2. In Interact, ask the question that matches the engine type such as Get Comply - CIS-CAT Results from all machines and paste the hash in the Comply bundle hash field.

  3. Use the appropriate Comply sensor for the engine type:

    • Comply - CIS-CAT Results
    • Comply - JovalCM Results
    • Comply - SCC Results
  4. Click Go.
  5. The Custom ID column in the results grid shows any custom IDs for compliance benchmarks.

Download custom check or ID mapping

In order to view, edit, or reuse a custom check or ID mapping, you can download it.

Select a custom check or custom ID and click download.

Last updated: 7/31/2018 7:34 PM