4 Replies Latest reply on Nov 26, 2012 11:45 AM by joshmad

    Policy Compliance Results are Empty

    joshmad Level 1

      I have tried creating a few different policies and scan profiles, both default and custom. Each time the scan takes about 8-10 minutes per host, successfully authenticates, and no results are visible when I generate a report or download the scan results. The only report that indicates any information was gathered is the "authentication" validation report.

        • Policy Compliance Results are Empty
          Jason Creech Level 3

          Hi Joshmad,


          If the PC scan result shows successful auth and does not return "failed auth" or "insufficient" privileges, then you should have data in the database but need to make sure your policy is assigned correctly.

          A common issue I see is the policy has not been assigned to the asset group you want to report on.


          A simple way to check is to use asset search and search for one of the IPs you completed the PC scan on. Drill into the Host Information Page and select the "Compliance" option on the left.


          This view will show you all policies that have been applied to asset groups of which that IP address is a member.


          Below is a more detailed process on how to do this check:

          Asset Search Test.jpg

          To view the above screen snippet, I just used the following procedure:


          1. Navigate to Assets=>Asset Search
          2. Enter in the IP or the Asset Group of the hosts you scanned with the PC scan
          3. Select one of the IPs from the results window
          4. Select "Compliance" from the list on the left of the Host Information Page
          5. Confirm you have policies listed with Pass/Fail summations on the right


          If you do not see at least one policy in the list, you will need to edit your policy and assign the policy you created or imported to an asset group that contains the scanned IPs. Policies must be assigned to the Asset Groups they are going to be used to report on. Note that after you assign a policy to an asset group, you will need to wait a few minutes as the QualysGuard service will perform a pass/fail evaluation once you assign the asset group to the policy.


          Let me know if this helps.


          Also, which technology are you testing? I have also seen where one flavor of technology was scanned like Windows 2003, but the policy used in reporting was for a slightly different technology like 2000 but applied to the correct asset group. If you see a list of policies in the "Compliance View" for your IP but the totals are zero/zero for passed and failed, it usually means a technology mismatch but could be other things. Make sure that the policy matches the technology of the asset scanned.


          Best regards,


          Jason Creech


            • Policy Compliance Results are Empty
              joshmad Level 1

              It appears like there was a technology mismatch. When I created a policy that was set to only show the installed patches for a Windows 2003 system, it did not work; when I set it to account for any Windows server operating system, it worked.


              My concern is that I was experiencing the same problem with the Server 2003 CIS Standards for Domain Members (and Domain Controllers).


              Thanks for the quick response.

                • Re: Policy Compliance Results are Empty
                  Jason Creech Level 3

                  Hi Joshmad,


                  How does the technology show up for the IPs using host assets or asset search? Are these Windows 2003 systems or something else that you are trying to report on?


                  I would like to verify whether it was a policy misapplied to the wrong technology or if the service is identifying a technology incorrectly.


                  If you could post the technology description of what an example system appears like in your report, that can help me ascertain if this is a support issue or process issue.


                  To recap on your concern, the Windows 2003 CIS policy (Domain Members and/or Domain Controllers) will only report on Windows 2003 systems and ignore other Windows flavors like Windows 2000 systems even if both technologies are in the same asset group you assign the policy to. The only way to make the CIS Windows 2003 policies report on non-Windows 2003 systems is to add the appropriate technology to the policy (you would still have to configure the controls that are added to the policy for those new technologies). When you added all Windows technologies to the policy, it actually added control instances for each technology under each CID in the policy. So, in the report, the IPs you are reporting on will have resultant information in a control instance for that specific Windows version and the identified technology will be listed in the header for that asset as well.


                  If the issue you are reporting is that the CIS Windows 2003 importable policy will not report on Windows 2003 systems unless all Windows flavors are selected, we need to create a support ticket and take a deeper look into what might be causing this to occur.


                  If this is the case, please send your customer information and contact information to support@qualys.com; it will create a tracking ticket and they can start investigating. You may also let them know that you and I chatted about the issue.


                  Here is an example of the technology description in the report. What appears in the technology description for the asset in your report? I have the area highlighted with a red box:


                  Technology Description.jpg




                  Jason Creech