# Compliance Toolkit - Example Scripts

This directory contains example scripts for automating the Compliance Toolkit.

## Files
### 1. scheduled_compliance_scan.bat

Windows batch script for Task Scheduler.

Usage:

```batch
scheduled_compliance_scan.bat
```

Features:
- Runs all compliance reports in quiet mode
- Logs results to `output/logs/scheduled_scan.log`
- Returns proper exit codes for monitoring
- Optional email notification on failure

Best for:
- Simple scheduled tasks
- Windows systems without PowerShell
### 2. scheduled_compliance_scan.ps1

PowerShell script with advanced features.

Usage:

```powershell
# Basic usage
.\scheduled_compliance_scan.ps1

# With archiving
.\scheduled_compliance_scan.ps1 -ArchiveReports -ArchiveBase "C:\Compliance\Archive"

# With email notifications
.\scheduled_compliance_scan.ps1 `
    -EmailTo "admin@company.com" `
    -EmailFrom "compliance@company.com" `
    -SmtpServer "smtp.company.com"

# Run specific report
.\scheduled_compliance_scan.ps1 -ReportName "NIST_800_171_compliance.json"

# Combine all features
.\scheduled_compliance_scan.ps1 `
    -ReportName "all" `
    -ArchiveReports `
    -ArchiveBase "\\fileserver\compliance\archive" `
    -EmailTo "security-team@company.com" `
    -SmtpServer "smtp.company.com"
```

Parameters:
- `-ToolkitPath`: Path to ComplianceToolkit.exe (default: `.\ComplianceToolkit.exe`)
- `-ReportName`: Report to run (default: all)
- `-ArchiveReports`: Enable archiving of reports
- `-ArchiveBase`: Archive directory (default: `.\archive`)
- `-EmailTo`: Email address for notifications
- `-EmailFrom`: From address (default: compliance@company.com)
- `-SmtpServer`: SMTP server for email

Features:
- Automatic report archiving by date
- Cleanup of old archives (>90 days)
- Email notifications (success and failure)
- Comprehensive logging
- Error handling

Best for:
- Enterprise environments
- Advanced automation
- Compliance teams needing notifications
## Windows Task Scheduler Setup

### Method 1: Using Batch Script

1. Open Task Scheduler (`taskschd.msc`)
2. Create Basic Task
3. Configure:
   - Name: "Daily Compliance Scan"
   - Trigger: Daily at 2:00 AM
   - Action: Start a program
   - Program: `C:\Path\To\ComplianceToolkit.exe`
   - Arguments: `-report=all -quiet`
   - Start in: `C:\Path\To\`
   - Settings:
     - [x] Run whether user is logged on or not
     - [x] Run with highest privileges

### Method 2: Using PowerShell Script

1. Open Task Scheduler (`taskschd.msc`)
2. Create Basic Task
3. Configure:
   - Name: "Advanced Compliance Scan with Archive"
   - Trigger: Weekly on Sunday at 3:00 AM
   - Action: Start a program
   - Program: `powershell.exe`
   - Arguments: `-ExecutionPolicy Bypass -File "C:\Path\To\examples\scheduled_compliance_scan.ps1" -ArchiveReports`
   - Start in: `C:\Path\To\examples\`
   - Settings:
     - [x] Run whether user is logged on or not
     - [x] Run with highest privileges
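The Method 2 task can also be registered from PowerShell instead of clicking through the GUI, which keeps the configuration reviewable and repeatable. This is an added example, not a script shipped with the toolkit; the script path and the `CORP\svc-compliance` service account are placeholders.

```powershell
# Added example (not the toolkit's own code): registers the Method 2 task from
# PowerShell. The script path and service account name are placeholders.
$ScriptPath  = 'C:\Path\To\examples\scheduled_compliance_scan.ps1'
$WorkingDir  = Split-Path -Path $ScriptPath -Parent
$TaskName    = 'Advanced Compliance Scan with Archive'
$ServiceUser = 'CORP\svc-compliance'   # dedicated service account (placeholder)

# Action: the same command line the GUI steps use, plus -NonInteractive so a
# stray prompt cannot hang an unattended run
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-ExecutionPolicy Bypass -NonInteractive -File `"$ScriptPath`" -ArchiveReports" `
    -WorkingDirectory $WorkingDir

# Trigger: weekly on Sunday at 3:00 AM
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '3:00AM'

# Settings: stop a hung scan after two hours, never start a second copy while
# one is still running, and do not skip the run on a laptop that is on battery
$Settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Prompt for the service account password rather than embedding it in this
# file. Supplying -User and -Password registers the task to run whether the
# user is logged on or not; -RunLevel Highest is "Run with highest privileges".
$Cred = Get-Credential -UserName $ServiceUser -Message "Password for $ServiceUser"
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User $Cred.UserName `
    -Password $Cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# Confirm registration and the effective principal
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State,
        @{ n = 'RunAs';     e = { $_.Principal.UserId } },
        @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
```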
## Testing Scripts

### Test Batch Script

```batch
cd examples
scheduled_compliance_scan.bat
echo Exit Code: %ERRORLEVEL%
```

### Test PowerShell Script

```powershell
cd examples
.\scheduled_compliance_scan.ps1 -Verbose
echo "Exit Code: $LASTEXITCODE"
```
## Monitoring Script Execution

### View Scheduled Task History

1. Open Task Scheduler
2. Select your task
3. Click the "History" tab
4. Review execution results

### View Application Logs

```powershell
# View latest log file
Get-Content ..\output\logs\scheduled_scan.log -Tail 50
```

### Check for Failed Scans

```powershell
# Search for errors in logs
Select-String -Path ..\output\logs\*.log -Pattern "ERROR"
```
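The two checks above can be combined into a single health check that a monitoring agent runs and alerts on. This is an added example, not part of the toolkit; it assumes the task name from Method 1 and the default log path, and treats any ERROR line in the log as a failure.

```powershell
# Added example (not the toolkit's own code): checks the last scheduled run
# and the scan log, exiting non-zero so a monitoring agent can alert on it.
param(
    [string]$TaskName    = 'Daily Compliance Scan',           # from Method 1
    [string]$LogPath     = '..\output\logs\scheduled_scan.log',
    [int]   $MaxAgeHours = 26   # a daily task should have run within ~26 h
)

$problems = @()

# 1. Did the task run recently and exit cleanly? LastTaskResult 0 is success;
#    0x41301 (267009) means the task is still running, which is not a failure.
$info = Get-ScheduledTaskInfo -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $info) {
    $problems += "Task '$TaskName' not found"
} else {
    if ($info.LastRunTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
        $problems += "Task last ran $($info.LastRunTime); expected a run within $MaxAgeHours h"
    }
    if ($info.LastTaskResult -notin 0, 267009) {
        $problems += ('Task exit code 0x{0:X} ({0})' -f $info.LastTaskResult)
    }
}

# 2. Did the scan itself log any errors? (Same search as "Check for Failed
#    Scans" above, narrowed to the scheduled-scan log.)
if (Test-Path $LogPath) {
    $errorLines = @(Select-String -Path $LogPath -Pattern 'ERROR' -SimpleMatch)
    if ($errorLines.Count -gt 0) {
        $problems += "$($errorLines.Count) ERROR line(s) in $LogPath; last: $($errorLines[-1].Line)"
    }
} else {
    $problems += "Log file $LogPath not found"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: '$TaskName' last ran $($info.LastRunTime), result $($info.LastTaskResult)"
exit 0
```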
## Customization

### Change Report Type

Batch:

```batch
SET REPORT=NIST_800_171_compliance.json
"%TOOLKIT_EXE%" -report=%REPORT% -quiet
```

PowerShell:

```powershell
.\scheduled_compliance_scan.ps1 -ReportName "fips_140_2_compliance.json"
```

### Archive to Network Share

PowerShell:

```powershell
.\scheduled_compliance_scan.ps1 `
    -ArchiveReports `
    -ArchiveBase "\\fileserver\compliance\archive"
```

### Increase Timeout for Slow Systems

Batch:

```batch
"%TOOLKIT_EXE%" -report=all -quiet -timeout=60s
```

PowerShell:

```powershell
Start-Process -FilePath $ToolkitExe -ArgumentList "-report=all -quiet -timeout=60s"
```
## Troubleshooting

### Script Doesn't Run from Task Scheduler

Check:
1. User account has admin privileges
2. "Run with highest privileges" is checked
3. Paths are absolute (not relative)
4. Script execution policy allows PowerShell scripts

Fix PowerShell execution policy:

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

### Email Notifications Not Sending

Check:
1. SMTP server is correct
2. Network connectivity to SMTP server
3. Firewall allows outbound SMTP (port 25/587)
4. Email credentials, if required

Test SMTP:

```powershell
Send-MailMessage -To "test@company.com" -From "test@company.com" -Subject "Test" -Body "Test" -SmtpServer "smtp.company.com"
```

### Reports Not Archived

Check:
1. Archive directory exists and is writable
2. `-ArchiveReports` switch is specified
3. Network share is accessible

Test archive path:

```powershell
New-Item -ItemType Directory -Path "C:\Archive\Test" -Force
Test-Path "C:\Archive\Test"   # Should return True
```
## Security Considerations

### 1. Store Credentials Securely

Don't hardcode SMTP credentials in scripts. Use Windows Credential Manager, or export the credential with `Export-Clixml`. Note that `Export-Clixml` protects the password with DPAPI, so the file can only be decrypted by the same user account on the same machine: create it while running as the account the scheduled task uses.

```powershell
# Store credential (run as the account that will execute the scheduled task)
$Cred = Get-Credential
$Cred | Export-Clixml -Path "$env:USERPROFILE\smtp_cred.xml"

# Use in script
$Cred = Import-Clixml -Path "$env:USERPROFILE\smtp_cred.xml"
Send-MailMessage -Credential $Cred ...
```

### 2. Restrict Script Permissions

```powershell
# Allow only Administrators to execute
$Acl = Get-Acl scheduled_compliance_scan.ps1
# Disable inheritance and drop the inherited rules, so only the rules set
# below remain on the file
$Acl.SetAccessRuleProtection($true, $false)
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "Allow")
$Acl.SetAccessRule($Rule)
# If the task runs under a non-administrator service account (see 3.), add a
# Read/Execute rule for that account as well, or the task will fail to start
Set-Acl scheduled_compliance_scan.ps1 $Acl
```

### 3. Use Service Accounts

Run scheduled tasks with dedicated service accounts instead of personal accounts.
## Next Steps

- Test manually before scheduling
- Review generated reports to ensure accuracy
- Set up monitoring for failed tasks
- Configure email notifications for the compliance team
- Archive old reports regularly to save disk space

For more information, see:
- CLI_USAGE.md - Complete CLI documentation
- PROJECT_STATUS.md - Project overview
- QUICK_REFERENCE.md - Quick start guide