AnsweredAssumed Answered

Multiple acceptable control values for Policy Compliance

Question asked by John Kelly on May 31, 2019



I have a question around configuring controls in Policy Compliance, specifically for Oracle. We have a number of standard in place for settings, but some default accounts or profiles do not need to adhere to the standards. I was looking to see if there is a way to check for this in the controls.


For example, 

Control CID 9665 - "Status of the 'password_lock_time' for invalid login attempts for the all profiles" has a Regex expression for the number of days an account will be locked after failed attempts, and we have a value of say 30 days for default profiles.


We also have other profiles (for example, the Qualys profile used to perform the policy compliance scan) that can have values which could be non-numeric values like default or unlimited. So sample values could be:


Profile:          Limit:

DEFAULT     30




Is there a way to encode this in the "Expected" field to cater for each type?