Question asked by sploit on Jan 9, 2012
Latest reply on Jan 13, 2012 by Jason Creech



Currently I'm having some issues with an evaluation of the Policy Compliance module for Qualys. We use Qualys for our vulnerability scanning, so I've got a strong understanding of how Qualys works and have tried applying this knowledge to the PC module without success.


Currently I've configured a compliance profile and I've created some policies to which I've assigned asset groups or IP addresses. However, when I run the scan, it completes; I then run a report and nothing shows in the report. I've gone through the guides from scratch yet have so far not created one useful report.


I figure I'm just missing some steps as I'm new to the PC module and was hoping I could get some assistance.


Just as a first start, I'd like to complete a scan against 1 Server 2008 machine and 1 Windows 7 machine against the CIS standards for each. For example, with Nessus I can install a plugin to the scan policy and this very easily achieves this result for me. I'd like basically the same with Qualys PC but have the added advantage of the great reporting that Qualys provides and the Nessus professional feed lacks.


Also, if I want to audit values that are set within my group policies, is there an easy way to import these into Qualys or do I have to set them one by one?


One of the standards that I'd like Qualys to audit against is whether or not a server or workstation has policies applied to it such as those in the Microsoft security best practice packs, which provide an enterprise policy and a limited functionality policy. Does Qualys have a pre-made solution for this?


Much appreciate any assistance with any of the questions above.