Set Up Policies

A policy is a collection of controls used to measure and report compliance for a set of hosts. Your compliance reports show you each host's compliance status (pass or fail) against the policy controls.

Interested in SCAP Policies? Go to SCAP Policies

When do I set up policies?

You need a policy in order to create compliance reports. You can restrict a scan to a policy in the scan settings (option profile). In this case you have to create your policy before you scan.

Can I create user-defined controls?

Yes, there are several types of controls you can create. In order to report on policies with user-defined controls, be sure to add these controls to your account before you scan.

How do I add these controls to my account? Go to PA > Policies > Controls and select New > Control.

What are Qualys Custom Controls?

Qualys Custom Control (QCC) is a predefined control type which is provided by Qualys when you import policies from the library.

This control type quickly gives you new controls that are similar to user-defined controls. Once a QCC is added to your account, you can copy it to make your own user-defined control (UDC) and customize it to meet your needs.

Do you have PA Agent?

Managers and Auditors can report on agent host compliance by adding agent host IPs to compliance policies. Edit the assets in the Policy Editor and select the check box "Include all hosts with PA agents". All hosts in your PA Agent license will be included. Note - This option only appears in accounts with PA Agent.

Ways to get started

Import from the library

Go to PA > Policies > New > Policy > Import from Library. Click on the policy you want and then click Next. Follow the wizard to give your policy a name and choose whether the policy should be locked or unlocked after import and whether to keep the policy active or inactive.

Can I edit the imported policy?

You can edit the policy to change the assigned assets. If the policy is unlocked, you can also change the title, technologies, controls, etc. If the policy is locked, no other changes are allowed. You can, however, save a copy of any locked policy with a new name and edit it as needed.

You can also lock a policy once you edit it, to prevent others from editing it further.

Interested in CIS policies?

You can import a CIS-certified policy from the library into your account, assign relevant assets to the policy and then use the policy to certify that you are meeting all requirements outlined in the CIS benchmark.

Create a policy from scratch

Go to PA > Policies > New > Policy > Create from Scratch. Follow the wizard to select policy technologies, assign assets to the policy, and give your policy a name. Choose whether to keep the policy active or inactive. When the Policy Editor appears, you can add controls to your policy and set control values.

Create a policy based on a scanned host

Go to PA > Policies > New > Policy > Create from Host. You can select a host that has already been scanned for compliance, and give your policy a name. Choose whether to keep the policy active or inactive and click Create. We will build the policy for you based on the latest compliance findings for the host. We will add controls to

Import from an XML file

Go to PA > Policies > New > Policy > Import from XML file. Follow the wizard to choose the XML file you want to import and give your policy a name. Choose whether to keep the policy active or inactive.

How does it work?

When you import a policy from an XML file, we perform several validation checks on the XML. If validation is successful, the policy is saved to your policies list. If validation fails, an error appears and the policy cannot be imported. Fix the XML and try again.

If the <EVALUATE> tag is present for any control, its checksum is validated to ensure that the evaluation logic hasn't been modified since the policy was exported. If the evaluation logic has changed then validation will fail. Note that you may remove the <EVALUATE> tag for any control. When the <EVALUATE> tag is not present for a control, the control is automatically assigned the default control value from the controls library.
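The following is an added example, not Qualys code: a pre-import review that compares an edited policy XML file against the original export and reports which controls had their <EVALUATE> block modified (expect the checksum validation to fail) and which had it removed (the control takes the default value from the controls library). It compares against the export instead of recomputing the checksum, whose algorithm this page does not describe; the CONTROL, ID and MIN element names and the checksum attribute are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples. CONTROL, ID, MIN and the checksum attribute are assumed
# names; only the <EVALUATE> tag itself comes from the page.
EXPORTED = b"""<POLICY><CONTROLS>
<CONTROL><ID>1001</ID><EVALUATE checksum="PLACEHOLDER-A"><MIN>8</MIN></EVALUATE></CONTROL>
<CONTROL><ID>1002</ID><EVALUATE checksum="PLACEHOLDER-B"><MIN>14</MIN></EVALUATE></CONTROL>
<CONTROL><ID>1003</ID><EVALUATE checksum="PLACEHOLDER-C"><MIN>1</MIN></EVALUATE></CONTROL>
</CONTROLS></POLICY>"""
# Simulated hand edit: 1002's value is changed, 1003's <EVALUATE> is removed.
EDITED = EXPORTED.replace(b"<MIN>14</MIN>", b"<MIN>6</MIN>").replace(
    b'<EVALUATE checksum="PLACEHOLDER-C"><MIN>1</MIN></EVALUATE>', b"")


def evaluate_blocks(data, control_tag="CONTROL", id_tag="ID"):
    """Map control ID -> canonical <EVALUATE> text (None when the tag is absent)."""
    if b"<!DOCTYPE" in data:      # a policy file has no need for a DTD; refuse it
        raise ValueError("DOCTYPE not allowed in a policy file")
    root = ET.fromstring(data)    # raises ET.ParseError on malformed XML
    blocks = {}
    for control in root.iter(control_tag):
        cid = (control.findtext(id_tag) or "").strip()
        ev = control.find("EVALUATE")
        if ev is None:
            blocks[cid] = None
        else:
            # Canonical form, so whitespace-only reformatting is not flagged.
            blocks[cid] = ET.canonicalize(
                ET.tostring(ev, encoding="unicode"), strip_text=True)
    return blocks


def review_edit(exported, edited):
    """Classify each control in the edited file against the original export."""
    before, after = evaluate_blocks(exported), evaluate_blocks(edited)
    report = {"unchanged": [], "evaluate_modified": [], "falls_back_to_default": []}
    for cid, block in sorted(after.items()):
        if block is None:
            report["falls_back_to_default"].append(cid)   # library default applies
        elif block != before.get(cid):
            report["evaluate_modified"].append(cid)       # checksum check should fail
        else:
            report["unchanged"].append(cid)
    return report


if __name__ == "__main__":
    for outcome, ids in review_edit(EXPORTED, EDITED).items():
        print(f"{outcome}: {', '.join(ids) or '-'}")
```

Controls listed under falls_back_to_default deserve a second look before import, because the import succeeds while the control value silently reverts to the library default.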

Interested in more capabilities?

Check out these options: File Integrity Monitoring | Password Auditing | Windows User Rights Controls | Detailed Security Auditing for Windows | Control Criticality

Related Topics

Using the Policy Editor

Manage Your Policies

Export Your Policies

Controls