Customizing compliance results

You must have the Comply Report Content Administrator role to customize compliance results. For more information about Comply roles, see User role requirements.

Custom profiles

A profile defines a set of rules to be evaluated and the parameters for those rules. Custom profiles allow you to specify just a subset of the checks available in a standard to be deployed.

From the Comply menu, click Setup > Compliance.

You can either create a custom profile or upload one from a tailoring file.

Create a new custom profile

1. In the Custom Profiles tab, click the Create button.
2. On the New Custom Profile page, enter a Name and Description.
3. In the Rules section, select a standard from the Standard drop-down list.
4. Select each rule you would like to include in your custom profile.

Click Advanced Filter to filter the rules by category.


5. Click Add Selection To Profile to move the selected rules to the Selected Rules section.

   To remove a rule that you added, select the rule and click Remove Selection From Profile.

6. Some standards (for example, CIS Microsoft Windows Server 2008 and 2012) require you to choose a selector for certain rules. In the Selected Rules section, these rules have a drop-down list in the Selector column. In the CIS Windows example, set the MS (Member Server) or DC (Domain Controller) selector for each rule.

   To set or change the selector for multiple rules, select the rules and click Change Selector.

   
   
7. Click Create to create the new custom profile.

You can also modify some rule values within your custom profile. If a rule value is customizable, a value of true displays in the Can Customize column along with the default value for the rule in the Default Values column.

You cannot delete a custom profile that is used in an assessment. You must delete the assessment first, and then you can delete the custom profile.

Customize a rule value

1. Select the rule and click Modify Rule Value.
2. In the Modify Custom Profile Value window, enter a Custom Rule Title and change the Custom value field.

Rule titles occasionally include the value used in the rule. Customize the title of rules for which values have been changed. The customized rule titles will then show up in report results, question answers, and report exports. For example, If you provide a new value for the rule (L1) Ensure 'Enforce password history' is set to '24 or more password(s)', you can change 24 to match the custom value.

3. Click Save. The new value will appear in the User-defined Values column. You can return to the Default Value of a rule by clicking Use Default.

On the Custom Profiles page, click a custom profile to view its details.

You will see the rules included in the custom profile as well as those for which the values have been modified.

Import a new custom profile

1. Click Import > Custom Profile.
2. In the Import Custom Profile window, enter a Description.
3. Select a standard from the Standard drop-down list.
4. Click Select File and locate the tailoring file for the new profile.

A custom profile can also be specified with a tailoring file, which is supported in SCAP 1.2 and later.

Cloning custom profiles

1. Select a custom profile and click Clone.
2. Provide a new Title and Description for the duplicate custom profile.
3. Make any necessary changes to the rules included in the custom profile.
4. Click Create.

Editing custom profiles

1. Select a custom profile and click Edit .
2. In the Details section, you can edit the Title and Description.
3. In the Rules section, choose additional rules or select a new standard from the Standard drop-down list to select other rules.

If you choose to select a new standard, previously selected rules might no longer be valid. If a rule is invalid, No will be displayed as the value in the Valid column of the Selected Rules list. A warning also appears below the list indicating the total number of invalid rules that have been selected.

4. Click Update.
5. If any of the selected rules are invalid, a confirmation window appears that invalid rules will automatically be removed from the custom profile. Click OK.
6. If one or more assessments currently use this custom profile, a confirmation window appears. If you want to redeploy these assessments immediately, click Redeploy and Continue; otherwise, click Continue. Assessments with changes that are not redeployed will show a Warning next to them.

Custom checks

You can create custom checks in Comply to check a condition on endpoints that might not be included in any standard. A custom check can be either PowerShell or VBScript on Windows and bash shell scripts on Linux/macOS. PowerShell scripts should use the file extension .ps1, and VBScript files should use the .vbs extension.

You must have the Comply Custom Check Writer role to write custom checks. For more information about Comply roles, see User role requirements.

1. In the Comply menu, select Setup > Compliance.
2. On the Custom Checks tab, click the Create button.
3. In the New Custom Check window, enter a Name and Description.
4. In the Check Criteria section, enter and identifier, ID, for this check.
5. Select the appropriate Severity and Platform.
6. Click Select File and locate the file for the custom check.
7. Enter a Rationale for the check in the edit field.
8. In the Fix Text field, enter information for remediating the check.
9. Click Create. Your custom check will now show under Custom Checks and be available in the Custom Checks section of the page when you create a new Configuration Compliance report.

You cannot delete a custom check that is used in an assessment. You must delete the assessment first, and then you can delete the custom check.

The result of a custom check is indicated by the last line of output from the custom check. This value should appear on a line by itself after all other output and should return one of the following results:

Results are case-sensitive.

Result	Description
pass	All conditions are satisfied.
fail	All conditions are not satisfied.
error	Compliance evaluation could not be completed; therefore, the status of the endpoint(s) compliance has not been confirmed.
unknown	The result is unknown.

Custom ID mappings

Use custom ID mappings to create a custom column on results that associates a specific tag with a custom check or rule identifier.

1. In the Comply menu, select Setup > Compliance.
2. On the Custom ID Mappings tab, click the Import button.
3. In the New Custom ID window, enter a Name and Description.
4. Click Browse and locate the custom ID mapping file.
5. Click Import. Your custom ID will now show under Custom ID Mappings and be available in the Advanced Settings section when you create a new Compliance assessment.

You cannot delete a custom ID that is used in an assessment. You must delete the assessment first, and then you can delete the custom ID.

Use the following file format for a custom ID mapping: Rule id|custom id

Example: xccdf_org.cisecurity.standards_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_42

An assessment can only have a single custom ID mapping associated with it; however, it can have multiple standards and custom checks. When selecting the standards and custom checks, be aware that an assessment is targeted to a single action group.

Export custom check or ID mapping

In order to view, edit, or reuse a custom check or ID mapping, you can export it by doing the following:

1. On the Setup > Compliance page, click the Custom Checks tab.

2. Select a custom check and click Export . You will select this exported file from the other Tanium console.

3. Sign in to the Tanium console where you want to import the custom check and navigate to the Custom Checks tab.

4. Click the Create button and select Custom Check.

5. In the New Custom Check window, fill out the fields using the same information you entered for the exported file in the first Tanium console.

6. Click Browse and choose the file you exported in the second step.

7. Click Create.

If you have custom IDs to go along with the custom check, export and import them using the steps above, but from the Custom ID Mappings tab.