Use this API to get the details of a specific library policy by its policy ID or policy title.
| Parameter | Required/Optional | Data Type | Description |
|---|---|---|---|
| Authorization | Required | String | Enter the Bearer token. |
| policyId={value} | Optional | Integer | Specify the policy ID for which details are to be returned. |
| policyTitle={value} | Optional | String | Specify the policy title for which details are to be displayed. The policy title must be URL-encoded. For example, Security Configuration is encoded as Security%20Configuration. |
| details={basic\|full} | Optional | String | Specify the level of details to be displayed: |
To get the policy details, provide any one of the two parameters: policyId or policyTitle.
API Request
curl -X 'GET' '<qualys_base_url>/pcas/v1/library/policy?policyTitle=<policytitle>&details=basic' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <AuthToken>'
JSON Output
{
"policyId": 1464240,
"policyTitle": "CIS Benchmark for CentOS Linux 7, v4.0.0 [Automated and Manual, Level 1 and Level 2]",
"coverPage": "This CIS certified policy for CentOS Linux 7 is based on the CIS Benchmark for Oracle Linux 7, v4.0.0. The policy contains Level 1 and Level 2, Automated, and Manual types of checks from the benchmark. The controls within the policy are configured on the basis of values provided by the CIS benchmark. As this policy and the controls within the policy are certified by CIS, the policy is LOCKED to prohibit any changes to the controls or their configuration values. If the organizational security policy requires different configuration values or changes to the policy, please make a copy of this policy and modify the configured values for the required controls as per the need of the organization's security/configuration policy.\n\nIn the case of CIS-required Control duplication (where a Control requirement appears in more than one section of the benchmark), Policy Editor limits the existence of any Controls within a single policy to one (1) occurrence of each control.\n\nCIS has stated that these settings should be considered as minimum allowable values; if an Organization requires more stringency than the CIS minimum, these more restrictive and/or stringent values shall all be considered as a PASS. The settings assigned to any given control by CIS are not guaranteed to be appropriate for any particular environment and all settings should be reviewed and applied according to the needs of the business. Before you apply the recommendations from the policy, check the relevant vendor documentation to avoid discrepancies. Also, it is recommended that these values be tested before applying to the Production Environment.\n\nAdditional Information:\n\n1) The following list of Control(s) in this policy is configured with default configuration value (.*) because the configuration is specific to the needs of an organization. Controls with default configuration values always result in PASS and should be configured as appropriate to the needs of the business and/or as per the need of the organization's security/configuration policy.\n\nCIS Ref #4.2.4:5215 - Status of the 'AllowGroups' setting in the 'sshd_config' file\nCIS Ref #4.2.4:5217 - Status of the 'AllowUsers' setting in the 'sshd_config' file\nCIS Ref #4.2.4:5224 - Status of the 'DenyGroups' setting in the 'sshd_config' file\nCIS Ref #4.2.4:5225 - Status of the 'DenyUsers' setting in the 'sshd_config' file\n\n2) The following list of Manual types of checks from the benchmark is set as INACTIVE in the policy:\n1.2.1, 1.2.3, 1.2.4, 1.2.5, 2.2.22, 3.1.1, 3.4.2.3, 3.4.2.4, 3.4.3.2, 3.4.3.6, 3.4.4.2.2, 3.4.4.3.2, 4.4.2.2.4, 5.1.1.2, 5.1.1.3, 5.1.1.6, 5.1.2.1.1, 5.1.2.1.2, 5.1.2.1.3, 5.1.2.5, 5.1.2.6, 5.1.3, 5.2.3.21, 6.1.13, 6.1.14\n\n3) Being procedural, the following requirement is not part of this policy:\n5.1.1.5\n\n4) The controls for all the requirements are configured as per the CIS recommendation. If you have any alternative methods implemented for the CIS checks through which CIS requirements are met, you can find the controls from the library and replace the controls in this policy by importing the policy and creating your own customized policy or you can take an exception for those CIS checks.\n\nE.g.: For firewalls, the firewalld, nftables and iptables cannot be used at the same time. So if you are using firewalld, you can remove/reconfigure the controls for iptables and nftables or take an exception for those CIS checks.",
"technologies": [
{
"technologyId": 80,
"technologyName": "CentOS 7.x"
}
],
"sections": [
{
"sectionNumber": 1,
"sectionHeading": "Initial Setup"
},
{
"sectionNumber": 2,
"sectionHeading": "Services"
},
{
"sectionNumber": 3,
"sectionHeading": "Network"
},
{
"sectionNumber": 4,
"sectionHeading": "Access, Authentication and Authorization"
},
{
"sectionNumber": 5,
"sectionHeading": "Logging and Auditing"
},
{
"sectionNumber": 6,
"sectionHeading": "System Maintenance"
}
]
}
API Request
curl -X 'GET' '<qualys_base_url>/pcas/v1/library/policy?policyTitle=<policytitle>' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <AuthToken>'
JSON Output
{
"policyId": 1464495,
"policyTitle": "CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 [Automated and Manual, Level 1 and Level 2]",
"coverPage": "This CIS certified policy for Red Hat Enterprise Linux 8 is based on the CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0. The policy contains Level 1 and Level 2, Automated, and Manual types of checks from the benchmark. The controls within the policy are configured on the basis of values provided by the CIS benchmark. As this policy and the controls within the policy are certified by CIS, the policy is LOCKED for prohibiting any changes to the controls or their configuration values. If the organizational security policy requires different configuration values or changes to the policy, please make a copy of this policy and modify the configured values for the required controls as per the need of the organization's security/configuration policy.\n\nIn the case of CIS-required Control duplication (where a Control requirement appears in more than one section of the benchmark), Policy Editor limits the existence of any Controls within a single policy to one (1) occurrence of each control.\n\nCIS has stated that these settings should be considered as minimum allowable values; if an Organization requires more stringency than the CIS minimum, these more restrictive and/or stringent values shall all be considered as a PASS. The settings assigned to any given control by CIS are not guaranteed to be appropriate for any particular environment and all settings should be reviewed and applied according to the needs of the business. Before you apply the recommendations from the policy, check the relevant vendor documentation to avoid discrepancies. Also, it is recommended that these values be tested before applying to the Production Environment.\n\nAdditional Notes:\n\n1. Being procedural, the following requirements are not part of the policy:\n5.1.1.5\n\n2. The following list of Manual types of checks from the benchmark is set as INACTIVE in the policy:\n1.2.1, 1.2.3, 1.2.4, 1.2.5, 2.2.22, 3.1.1, 3.4.2.3, 3.4.2.4, 4.4.3.2.3, 5.1.3, 5.1.1.2, 5.1.1.3, 5.1.1.5, 5.1.1.6, 5.1.2.1.1, 5.1.2.1.2, 5.1.2.1.3, 5.1.2.5, 5.1.2.6, 5.2.3.21, 6.1.13, 6.1.14\n\n3. The following requirements in the policy are configured with default values of '.*' or '.+' as the configuration is specific to the needs of an organization. They should be reviewed and configured per the business's needs and the organization's security policies:\n1.2.1, 1.2.5, 1.8.2, 2.2.22, 3.4.2.3, 5.1.1.6, 5.1.2.1.2, 5.1.3, 5.2.2.1, 6.1.13, 6.1.14\n\n4) The controls for all the requirements are configured as per the CIS recommendation. If you have any alternative methods implemented for the CIS checks through which CIS requirements are met, you can find the controls from the library and replace the controls in this policy by importing the policy and creating your own customized policy, or you can take an exception for those CIS checks.\n\n5) For the 4.2.2 requirement, the group name is considered as \"ssh_keys|_?ssh\" as specified by CIS. If you have any other designated group name for SSH, you can include it in this requirement's regex.\n\nExamples:\n - For firewalls, firewalld, nftables, and iptables cannot be used at the same time. If you are using firewalld, you can remove/reconfigure the controls for iptables and nftables or take an exception for those CIS checks.\n - For logging, the requirements in the benchmark may be separated between journald and rsyslog. If you are using journald, you can remove/reconfigure the controls for rsyslog or take an exception for those CIS checks.",
"technologies": [
{
"technologyId": 217,
"technologyName": "Red Hat Enterprise Linux 8.x"
}
],
"sections": [
{
"sectionNumber": 1,
"sectionHeading": "Initial Setup"
},
{
"sectionNumber": 2,
"sectionHeading": "Services"
},
{
"sectionNumber": 3,
"sectionHeading": "Network"
},
{
"sectionNumber": 4,
"sectionHeading": "Access, Authentication and Authorization"
},
{
"sectionNumber": 5,
"sectionHeading": "Logging and Auditing"
},
{
"sectionNumber": 6,
"sectionHeading": "System Maintenance"
}
]
}
API Request
curl -X 'GET' '<qualys_base_url>/pcas/v1/library/policy?policyTitle=<policytitle>&details=basic' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <AuthToken>'
JSON Output
{
"policyId": 1464495,
"policyTitle": "CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 [Automated and Manual, Level 1 and Level 2]",
"exported": "16-09-2025 10:39:48",
"coverPage": "This CIS certified policy for Red Hat Enterprise Linux 8 is based on the CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0. The policy contains Level 1 and Level 2, Automated, and Manual types of checks from the benchmark. The controls within the policy are configured on the basis of values provided by the CIS benchmark. As this policy and the controls within the policy are certified by CIS, the policy is LOCKED for prohibiting any changes to the controls or their configuration values. If the organizational security policy requires different configuration values or changes to the policy, please make a copy of this policy and modify the configured values for the required controls as per the need of the organization's security/configuration policy.\n\nIn the case of CIS-required Control duplication (where a Control requirement appears in more than one section of the benchmark), Policy Editor limits the existence of any Controls within a single policy to one (1) occurrence of each control.\n\nCIS has stated that these settings should be considered as minimum allowable values; if an Organization requires more stringency than the CIS minimum, these more restrictive and/or stringent values shall all be considered as a PASS. The settings assigned to any given control by CIS are not guaranteed to be appropriate for any particular environment and all settings should be reviewed and applied according to the needs of the business. Before you apply the recommendations from the policy, check the relevant vendor documentation to avoid discrepancies. Also, it is recommended that these values be tested before applying to the Production Environment.\n\nAdditional Notes:\n\n1. Being procedural, the following requirements are not part of the policy:\n5.1.1.5\n\n2. The following list of Manual types of checks from the benchmark is set as INACTIVE in the policy.\n1.2.1, 1.2.3, 1.2.4, 1.2.5, 2.2.22, 3.1.1, 3.4.2.3, 3.4.2.4, 4.4.3.2.3, 5.1.3, 5.1.1.2, 5.1.1.3, 5.1.1.5, 5.1.1.6, 5.1.2.1.1, 5.1.2.1.2, 5.1.2.1.3, 5.1.2.5, 5.1.2.6, 5.2.3.21, 6.1.13, 6.1.14\n\n3. The following requirements in the policy are configured with default values of '.*' or '.+' as the configuration is specific to the needs of an organization. They should be reviewed and configured per the business's needs and the organization's security policies.\n1.2.1, 1.2.5, 1.8.2, 2.2.22, 3.4.2.3, 5.1.1.6, 5.1.2.1.2, 5.1.3, 5.2.2.1, 6.1.13, 6.1.14\n\n4) The controls for all the requirements are configured as per the CIS recommendation. If you have any alternative methods implemented for the CIS checks through which CIS requirements are met, you can find the controls from the library and replace the controls in this policy by importing the policy and create their own customized policy or you can take an exception for those CIS checks.\n\n5) For the 4.2.2 requirement, the group name is considered as \"ssh_keys|_?ssh\" as specified by CIS. If you have any other designated group name for SSH, you can include it in this requirement's regex.\n\nE.g.\n - For firewalls, the firewalld, nftables and iptables cannot be used at the same time. So if you are using firewalld, you can remove/reconfigure the controls for iptables and nftables or take an exception for those CIS checks.\n - For logging, the requirements in the benchmark may be separated between journald and rsyslog. So if you are using journald, you can remove/reconfigure the controls for rsyslog or take an exception for those CIS checks.",
"technologies": [
{
"technologyId": 217,
"technologyName": "Red Hat Enterprise Linux 8.x"
}
],
"sections": [
{
"sectionNumber": 1,
"sectionHeading": "Initial Setup",
"controls": [
{
"controlId": 28951,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the cramfs kernel module available in any installed kernel",
"criticality": "SERIOUS",
"isControlDisable": false,
"referenceText": "1.1.1.1.a",
"technologies": [
{
"technologyId": 217,
"technologyName": "Red Hat Enterprise Linux 8.x",
"evaluate": {
"dp": {
"k": "oel9.secman.general.kernel_module_cramfs",
"v": [".+"],
"l": 0,
"description": "The List String value of <B>X</B> indicates the status of the file system <B>cramfs kernel module</B> loaded in the kernel using <b>lsmod</b> utility.",
"op": "xre",
"cd": "does not contain",
"fv": [
{
"value": "161803399999999",
"set": "1",
"description": "Module exists but is not loaded"
},
{
"value": "314159265358979",
"set": "1",
"description": "Module does not exist"
}
]
}
},
"remediation": "Configure this setting as per the business requirements or the organization's security policy.\n\nEdit or create the file /etc/modprobe.d/CIS.conf and add the following line as appropriate:\ninstall cramfs /bin/true",
"rationale": "Cramfs (Compressed ROM File System) is a read-only file system designed for use in embedded systems and situations where storage space is limited. Misconfiguration can lead to security risks such as unauthorized access to sensitive data, data corruption, or exploitation of vulnerabilities. Configure this setting based on business requirements or security policy."
}
]
},
{
"controlId": 29271,
"sectionNumber": 1,
"controlNumber": 2,
"statement": "Status of 'install cramfs' setting from '/lib/modprobe.d/*.conf /etc/modprobe.d/*.conf /run/modprobe.d/*.conf'",
"criticality": "SERIOUS",
"isControlDisable": false,
"referenceText": "1.1.1.1.b",
"technologies": [
{
"technologyId": 217,
"technologyName": "Red Hat Enterprise Linux 8.x",
"evaluate": {
"dp": {
"k": "oel9.secman.install_module_cramfs",
"v": [
".+:\\s*install\\s+cramfs\\s+/bin/(true|false)"
],
"l": 0,
"description": "The List String value of <B>X</B> indicates the status of the <B>cramfs kernel module</B>.",
"op": "xre",
"cd": "matches",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Setting not found"
},
{
"value": "314159265358979",
"set": "1",
"description": "Module does not exist"
}
]
}
},
"remediation": "Configure this setting as per policy.\n\n1. Add this line to /etc/modprobe.d/cramfs.conf:\ninstall cramfs /bin/false\n2. Add this line:\nblacklist cramfs\n3. Run:\nsudo rmmod cramfs",
"rationale": "The cramfs kernel module is used to mount compressed read-only filesystems. Misconfiguration may expose the system to security risks including unauthorized access and denial of service. Configure this based on business requirements."
}
]
}
]
}
]
}
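The cover pages in the responses above state that controls left at the default '.*' or '.+' value must be reviewed and configured for the organization. The following added example (not part of the Qualys documentation) builds the request URL with an encoded title and lists such controls from a response; the function names, the `qualys.example` host, and the trimmed sample response are constructed for illustration.

```python
import json
from urllib.parse import quote

PLACEHOLDERS = {".*", ".+"}  # match-anything defaults the cover page says to review

def policy_url(base_url, policy_id=None, policy_title=None, details="basic"):
    """Build the GET URL. Assumption: exactly one of the two selectors is sent."""
    if (policy_id is None) == (policy_title is None):
        raise ValueError("provide policy_id or policy_title, not both or neither")
    if details not in ("basic", "full"):
        raise ValueError("details must be 'basic' or 'full'")
    if policy_id is not None:
        selector = f"policyId={int(policy_id)}"
    else:
        # safe="" also encodes '/', ',' and '[' that appear in library titles
        selector = "policyTitle=" + quote(policy_title, safe="")
    return f"{base_url.rstrip('/')}/pcas/v1/library/policy?{selector}&details={details}"

def placeholder_controls(policy):
    """List enabled controls whose expected values are only '.*' or '.+'."""
    findings = []
    for section in policy.get("sections", []):
        for control in section.get("controls", []):  # key is absent in short responses
            if control.get("isControlDisable"):
                continue
            for tech in control.get("technologies", []):
                values = tech.get("evaluate", {}).get("dp", {}).get("v", [])
                if values and all(v in PLACEHOLDERS for v in values):
                    findings.append((control["referenceText"], control["controlId"],
                                     tech["technologyName"]))
    return findings

# Constructed sample: the page's RHEL 8 response trimmed to the fields used here.
SAMPLE = json.loads(r"""
{"policyId": 1464495, "sections": [{"sectionNumber": 1, "controls": [
  {"controlId": 28951, "referenceText": "1.1.1.1.a", "isControlDisable": false,
   "technologies": [{"technologyName": "Red Hat Enterprise Linux 8.x",
     "evaluate": {"dp": {"v": [".+"], "op": "xre", "cd": "does not contain"}}}]},
  {"controlId": 29271, "referenceText": "1.1.1.1.b", "isControlDisable": false,
   "technologies": [{"technologyName": "Red Hat Enterprise Linux 8.x",
     "evaluate": {"dp": {"v": [".+:\\s*install\\s+cramfs\\s+/bin/(true|false)"],
                         "op": "xre", "cd": "matches"}}}]}]}]}
""")

if __name__ == "__main__":
    print(policy_url("https://qualys.example", policy_title="Security Configuration"))
    for ref, cid, tech in placeholder_controls(SAMPLE):
        print(f"review control {cid} ({ref}) on {tech}: expected value is a placeholder")
```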