Manage Controls
Controls are the building blocks of the policies used to measure and report compliance for a set of hosts. We provide many controls for you to choose from and you can create your own. Your compliance reports will show you the host compliance status (pass or fail) with the policy controls.
What can I do? |
How do I customize the list of frameworks?How do I customize the list of frameworks? By default all available frameworks are displayed with controls in compliance policies and reports. Managers have the option to choose which frameworks to display. Go to Policies > Setup > Frameworks, choose "Customize the list of frameworks", select the frameworks you want to display from the Available frameworks list and click Add. Learn more |
How do I customize the list of technologies?How do I customize the list of technologies? By default all available technologies are displayed with controls while creating compliance policies. Managers have the option to choose which technologies to display. Go to Policies > Setup > Technologies, choose "Display my preferred technologies", select the technologies you want to display from the list and click Add. |
Tell me about control types (SDC, UDC, QCC)Tell me about control types (SDC, UDC, QCC) System Defined Control (SDC) - These are controls provided by Qualys. Add system defined controls to your policies to report on them. User Defined Control (UDC) - These are custom controls that you create. In order to report on policies with user defined controls, be sure to add these controls to your account before you scan. To add a new UDC, go to PC > Policies > Controls and select New > Control. Learn more Qualys Custom Control (QCC) - These are predefined controls provided by Qualys when you import policies from the library. These are similar to user defined controls. Once added to your account you can copy any QCC to make your own UDC that you can customize to meet your needs. Learn more |
How do I create a control?How do I create a control? Go to PC > Policies > Controls > New > Control. Select Windows Control Types, Unix Control Types or Database Control Types. Then click the control type you want to create. Tip - Click the launch
help link for help with control settings. Note - Support for the MD5 hash type has been discontinued. The default Hash Type is now set to SHA-1. |
Can I import and export user-defined controls?Can I import and export user-defined controls? Manager and Auditor users can import and export user-defined controls in XML format. Other users can export user-defined controls if they have the "Manage Compliance" permission; these users do not have permission to import controls. Learn more |
Can I edit a control?Can I edit a control? Managers and Auditors can edit controls. Unit Managers
may be granted permission to edit user-defined controls.
Go to PC > Policies > Controls, select a control
and choose Edit from the Quick Actions menu. Note - Support for the MD5 hash type has been discontinued. The default Hash Type is now set to SHA-1. |
Can I delete controls?Can I delete controls? Controls provided by our service cannot be deleted. Managers and Auditors can delete user-defined controls. Unit Managers may be granted this permission. Go to PC > Policies > Controls. Select the user-defined control(s) you want to delete and then select Actions > Delete. Any scan data collected on hosts for those controls will also be deleted. After removing a control, it is recommended to click Evaluate Now while saving the policy. |
How do I search for controls? How do I search for controls? Go to PC > Policies > Controls > Search, and then, in the Search dialog box, search for the controls by using the various search filters. You can search controls by their CIDs, control text, the Deprecated status, OS-dependent database controls (only SDCs), technologies and frameworks, framework ID, category, criticality, and control type, among others. |
Tell me about About CommandTell me about About Command
Audit Command provides a better visibility of the Actual Value of the technology associated to the Control. It also helps in understanding how the value is derived. To view the Audit Command for a technology for a Control, navigate to Policies > Controls > Quick Actions > Info > Technologies Included. |
It is recommended to click Evaluate Now while saving a policy after making any changes that impact the posture, such as:
- Adding or removing controls
- Adding or removing a technology at the policy or the control level
- Adding or removing an asset group
- Updating an expected value
Failing to click Evaluate Now might result in inconsistent posture data. This is because the posture data for assets associated with removed controls, technologies, or asset groups may not be deleted immediately. The data is deleted when the policy evaluation takes place during the next scan or policy processing triggered by a change in the asset group or UDC.
Videos
Check out these videos:
Still have questions?
How do we calculate expected values?How do we calculate expected values?
We calculate the expected value for each control for each technology depending on parameters provided for the control. The calculation logic is determined by the control data type. Learn more
What are deprecated controls?What are deprecated controls?
A deprecated control is a control that has been retired for
all technologies. You'll see the deprecated control icon when viewing deprecated controls in
policies and in policy compliance reports. Learn
more