Below is a worked example of building a compliance policy from a CVE advisory.
Creating Policy
(1) Compliance -> (2) Policies -> (3) New -> (4) Name: CVE-2018-0282 -> (5) Save
Applying it to all nodes of the vendor
Under Node Group (1) New -> (2) Name: Cisco_IOS -> (3) Save
Creating Rule
Scrolling through the CVE article, the information we derive is as follows:
So we build a rule and conditions that identify these lines in the configuration of nodes running the affected software version.
Under Rule (1) New -> (2) Name: http_check -> (3) Rule type: Configuration -> (4) Vendor: Cisco_IOS
Under Rule (1) New Logic -> (2) Logic: if A then (B or C) -> (3) Save
Creating Condition:
Define (A) to match the software version that is vulnerable:
Under Condition (1) A -> (2) Type: Software version -> (3) Must contain: 15.5(2) -> (4) Save
Define B:
This matches the first config line quoted in the CVE article:
(1) B -> (2) Must contain: ip http server -> (3) Save
Define C:
This matches the next config line quoted in the CVE article:
(1) C -> (2) Must contain: ip http secure-server -> (3) Save
This completes the creation of the policy.
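To make the rule logic concrete, here is an added example (not part of the original page or of any compliance tool) that evaluates the same "if A then (B or C)" rule offline against device output. It assumes the tool semantics are "flag the node when the software version matches A and at least one of the config lines B or C is present"; the version fragment and the two config lines come from the policy above, while the "show version" and running-config text is constructed sample input. It also handles one thing a plain "Must contain" substring test does not: "no ip http server" contains the text "ip http server" but means the service is disabled, so negated lines are skipped.

```python
import re

# Constructed sample device output; not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), "
    "Version 15.5(2)T, RELEASE SOFTWARE (fc1)\n"
)

SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw01
!
no ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Values taken from the policy built above.
VULNERABLE_VERSION_FRAGMENT = "15.5(2)"          # condition A
HTTP_LINES = ("ip http server", "ip http secure-server")  # conditions B and C


def version_matches(show_version: str, fragment: str) -> bool:
    """Condition A: 'Must contain' applied to the IOS version string only.

    The version token is extracted from the 'Version x.y(z)...,' field so the
    fragment is not accidentally matched elsewhere in the banner.
    """
    m = re.search(r"Version\s+(\S+?),", show_version)
    return bool(m) and fragment in m.group(1)


def config_has_line(config: str, needle: str) -> bool:
    """Conditions B/C: True if a non-negated config line enables `needle`.

    A bare substring check would treat 'no ip http server' as a hit, so each
    line is stripped and lines starting with 'no ' are ignored. A match is
    either the exact command or the command followed by further arguments.
    """
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("no "):
            continue
        if line == needle or line.startswith(needle + " "):
            return True
    return False


def evaluate_policy(show_version: str, config: str,
                    fragment: str = VULNERABLE_VERSION_FRAGMENT,
                    http_lines=HTTP_LINES) -> dict:
    """Evaluate 'if A then (B or C)' for one node.

    Interpretation (an assumption about the tool's rule semantics): the node
    is flagged only when A holds AND at least one of B, C holds. Nodes on
    other versions are never flagged, even if HTTP is enabled.
    """
    a = version_matches(show_version, fragment)
    hits = [line for line in http_lines if config_has_line(config, line)]
    return {
        "version_match": a,
        "matched_lines": hits,
        "violation": a and bool(hits),
    }


if __name__ == "__main__":
    result = evaluate_policy(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    # Expected for the sample: version matches, only the secure-server line
    # is enabled, so the node is flagged on that single line.
    print(result)
```

Two things to check before trusting the GUI rule in production: whether the tool's "Must contain" is a plain substring test (in which case a line such as "no ip http server" may be reported as a hit, and a version condition of "15.5(2)" also matches every maintenance release whose string contains it), and which releases the advisory actually lists as affected and fixed, so that condition A is not left broader than the CVE.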