List Controls

For API version information, refer to the API Version History section.

V2.0

GET, POST /api/2.0/fo/compliance/control/?action=list

View a list of compliance controls which are visible to the user. The user has the ability to select the amount of additional information to include for each control in the output. By default, this basic control information is included: the control ID, the control category, the control sub-category, the control statement, and a list of technologies.

Using the Qualys user interface, it’s possible to customize the list of frameworks at the subscription level. Under PC, go to Policies > Setup > Frameworks to customize the frameworks list. If the frameworks list is customized for your subscription, then the customized list of frameworks will appear in the controls list output returned by a control list API request.

Maximum Controls per API Request

The output of the Compliance Control API is paginated. By default, a maximum of 1,000 control records are returned per request. You can customize the page size (i.e. the number of control records) with the truncation_limit parameter, for instance “truncation_limit=2000”. In this case the results are returned in pages of 2,000 records.

Input Parameters

| Parameter | Required/Optional | Data Type | Description |
|---|---|---|---|
| action=list | Required | String | Specifies the action type used to request a control list. |
| echo_request={0\|1} | Optional | Integer | Specify 1 to view (echo) input parameters in the XML output. By default these are not included. |
| details={Basic\|All\|None} | Optional | Boolean | Show the requested amount of control information for each control. A valid value is: Basic - (default) includes all control details except framework mappings; All - includes all control details; None - includes control ID only. |
| ids={value} | Optional | Integer | Show only certain control IDs and/or ID ranges. One or more control IDs/ranges may be specified. A control ID range entry is specified with a hyphen (for example, 3000-3250). Valid control IDs are required. |
| id_min={value} | Optional | Integer | Show only controls which have a minimum control ID value. A valid control ID is required. |
| id_max={value} | Optional | Integer | Show only controls which have a maximum control ID value. A valid control ID is required. |
| updated_after_datetime={value} | Optional | Integer | Show only controls updated after a certain date/time. See “Date Filters” below. |
| created_after_datetime={value} | Optional | Integer | Show only controls created after a certain date/time. See “Date Filters” below. |
| truncation_limit={value} | Optional | Integer | The maximum number of control records processed per request. When not specified, the truncation limit is set to 1,000 control records. |

If the requested list identifies more records than the truncation limit, then the XML output includes the <WARNING> element and the URL for making another request for the next batch of records.

You can specify truncation_limit=0 for no truncation limit. This means that the output is not paginated and all the records are returned in a single output. WARNING: This can generate very large output and processing large XML files can consume a lot of resources on the client side. In this case it is recommended to use the pagination logic and parallel processing. The previous page can be processed while the next page is being downloaded.
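The pagination logic described above, as an added Python sketch that is not Qualys code. It assumes the next-batch URL is carried in a URL child of the WARNING element inside RESPONSE; the host qualysapi.example, the sample pages and the fake_fetch helper are constructed placeholders. Because the client sends credentials with every request, the next-page URL is followed only if it points at the same HTTPS endpoint as the first request.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

BASE_URL = "https://qualysapi.example/api/2.0/fo/compliance/control/"  # placeholder host

# Constructed pages, not real API output. Assumption: WARNING/URL holds the next batch URL.
PAGE_1 = """<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <CONTROL_LIST>
      <CONTROL><ID>1044</ID></CONTROL>
      <CONTROL><ID>1045</ID></CONTROL>
    </CONTROL_LIST>
    <WARNING>
      <TEXT>Record limit exceeded. Use URL to get next batch of results.</TEXT>
      <URL><![CDATA[https://qualysapi.example/api/2.0/fo/compliance/control/?action=list&truncation_limit=2&id_min=1046]]></URL>
    </WARNING>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>"""

PAGE_2 = """<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <CONTROL_LIST>
      <CONTROL><ID>1046</ID></CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>"""

# Same page, but the "next batch" URL points at a different host.
PAGE_REDIRECTING = PAGE_1.replace("https://qualysapi.example/", "https://other.example/")

FAKE_SERVER = {
    BASE_URL + "?action=list&truncation_limit=2": PAGE_1,
    BASE_URL + "?action=list&truncation_limit=2&id_min=1046": PAGE_2,
}


def fake_fetch(url):
    """Stand-in for an authenticated HTTPS request; returns the XML body."""
    return FAKE_SERVER[url]


def parse_page(xml_text):
    """Return (control IDs on this page, next-batch URL or None)."""
    root = ET.fromstring(xml_text)
    ids = [int(c.findtext("ID")) for c in root.iterfind("./RESPONSE/CONTROL_LIST/CONTROL")]
    next_url = root.findtext("./RESPONSE/WARNING/URL")
    return ids, (next_url.strip() if next_url and next_url.strip() else None)


def same_endpoint(base_url, candidate):
    """True only if candidate is HTTPS and has the same host and path as base_url."""
    base, cand = urlsplit(base_url), urlsplit(candidate)
    return cand.scheme == "https" and (cand.netloc, cand.path) == (base.netloc, base.path)


def list_all_controls(fetch, base_url, params, max_pages=1000):
    """Follow WARNING/URL links page by page and collect every control ID."""
    url = base_url + "?" + urlencode(params)
    seen, ids = set(), []
    for _ in range(max_pages):
        if url in seen:  # a repeated URL would loop forever
            raise RuntimeError("pagination loop detected at " + url)
        seen.add(url)
        page_ids, next_url = parse_page(fetch(url))
        ids.extend(page_ids)
        if next_url is None:  # no WARNING element: this was the last page
            return ids
        if not same_endpoint(base_url, next_url):
            raise ValueError("refusing to send credentials to " + next_url)
        url = next_url
    raise RuntimeError("more than %d pages; aborting" % max_pages)


if __name__ == "__main__":
    print(list_all_controls(fake_fetch, BASE_URL, {"action": "list", "truncation_limit": 2}))
```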

Date Filters

The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2010-03-01” or “2010-03-01T23:12:00Z”.

If you specify a date but no time, for example 2010-03-01, then the service automatically sets the time to 2010-03-01T00:00:00Z (the start of the day).

When date filters are specified using both input parameters for a single API request, both date filters are satisfied (ANDed).

Sample - List Controls, All Details

API Request

https://<qualys_base_url>/api/2.0/fo/compliance/control/?action=list&details=All

XML Output

<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2010-03-16T22:53:05Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>1044</ID>
        <UPDATE_DATE>2018-02-12T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2016-10-12T00:00:00Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Authorizations (Multi-user ACL/role)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the 'O7_DICTIONARY_ACCESSIBILITY' setting in init.ora (ORACLE Data Dictionary)]]></STATEMENT>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>7</ID>
            <NAME>Oracle 9i</NAME>
            <RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>8</ID>
            <NAME>Oracle 10g</NAME>
            <RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>9</ID>
            <NAME>Oracle 11g</NAME>
            <RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>1045</ID>
        <UPDATE_DATE>2018-03-03T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2016-10-12T00:00:00Z</CREATED_DATE>
        <CATEGORY>OS Security Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[System Settings (OSI layers 6-7)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the 'Clipbook' service (Guidance = Disabled)]]></STATEMENT>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>1</ID>
            <NAME>Windows XP desktop</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access. As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>2</ID>
            <NAME>Windows 2003 Server</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access.  As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>12</ID>
            <NAME>Windows 2000</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access.  As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>

Updates You See Once Agent UDC Support is Available

New Agent UDC Support will be announced soon via the Qualys Technology blog once remaining components are released.

The XML output may include the USE_AGENT_ONLY element for these Windows and Unix control types: Directory Search Control and Directory Integrity Control. This is set to 1 when the “Use agent scan only” option is enabled for the control.

The XML output may include the AUTO_UPDATE element for these Windows and Unix control types: File Integrity Control and Directory Integrity Control. This is set to 1 when the “Auto update expected value” option is enabled for the control.

Sample - Control List Output when Agent UDC Support is Available

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2018-10-05T10:23:54Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>100023</ID>
        <UPDATE_DATE>2018-11-16T06:27:14Z</UPDATE_DATE>
        <CREATED_DATE>2018-11-16T06:27:14Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Directory Integrity Check]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[SERIOUS]]></LABEL>
          <VALUE>3</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[Windows Directory Integrity Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[test]]></COMMENT>
        <USE_AGENT_ONLY>1</USE_AGENT_ONLY>
        <AUTO_UPDATE>1</AUTO_UPDATE>
        <IGNORE_ERROR>0</IGNORE_ERROR>
...

Database UDC for MS SQL, Oracle, Sybase, and PostgreSQL/Pivotal Greenplum

You can create custom controls for MSSQL, Oracle, Sybase, and PostgreSQL/Pivotal Greenplum databases. To support database controls, we’ve added new elements to the XML output and DTDs for Control List Output and Policy Export Output.

You’ll see these changes:

- New database controls allow you to ignore errors and set the status to Pass or Fail. The new element ERROR_SET_STATUS indicates the Pass/Fail setting for each control. This appears in the XML output for Control List and Policy Export.

- The SQL query configured for a database control appears in the new DB_QUERY element, and the description configured for the control appears in the new DESCRIPTION element. These appear in the XML output for Control List and Policy Export.
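A review check over these new elements, as an added Python example that is not part of the Qualys documentation. It flags database controls whose errors are reported as Pass (IGNORE_ERROR set to 1 with ERROR_SET_STATUS of PASS), since a query that cannot run would still show as compliant, and controls whose DB_QUERY differs between technologies beyond whitespace. The sample document is constructed and trimmed, modelled on the samples on this page; the finding labels are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed sample modelled on this page's Control List samples.
SAMPLE = """<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <CONTROL_LIST>
      <CONTROL>
        <ID>1044</ID>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY><ID>7</ID><NAME>Oracle 9i</NAME></TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>100022</ID>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <ERROR_SET_STATUS>PASS</ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY><ID>22</ID>
            <DB_QUERY><![CDATA[select * from customers;]]></DB_QUERY>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>100060</ID>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <ERROR_SET_STATUS>FAIL</ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY><ID>7</ID>
            <DB_QUERY><![CDATA[SELECT * FROM Customers WHERE ROWNUM >= 3;]]></DB_QUERY>
          </TECHNOLOGY>
          <TECHNOLOGY><ID>8</ID>
            <DB_QUERY><![CDATA[select * from Customers;]]></DB_QUERY>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>100947</ID>
        <IGNORE_ERROR>0</IGNORE_ERROR>
        <ERROR_SET_STATUS></ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY><ID>69</ID>
            <DB_QUERY><![CDATA[select db_name() as dbname   from syssegments s]]></DB_QUERY>
          </TECHNOLOGY>
          <TECHNOLOGY><ID>116</ID>
            <DB_QUERY>
              <![CDATA[select db_name() as dbname from syssegments s]]>
            </DB_QUERY>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>"""


def text_of(node, tag):
    """Stripped text of a child element, or '' when it is missing or empty."""
    return (node.findtext(tag) or "").strip()


def normalize_query(sql):
    """Collapse whitespace, drop a trailing ';' and lowercase, for comparison only."""
    return re.sub(r"\s+", " ", sql).strip().rstrip(";").strip().lower()


def audit_controls(xml_text):
    """Return a list of (control ID, finding label) for database controls."""
    findings = []
    root = ET.fromstring(xml_text)
    for control in root.iterfind("./RESPONSE/CONTROL_LIST/CONTROL"):
        queries = [
            normalize_query(text_of(tech, "DB_QUERY"))
            for tech in control.iterfind("./TECHNOLOGY_LIST/TECHNOLOGY")
            if tech.find("DB_QUERY") is not None
        ]
        if not queries:  # no DB_QUERY element: not a database control
            continue
        control_id = int(text_of(control, "ID"))
        ignore_error = text_of(control, "IGNORE_ERROR") == "1"
        status = text_of(control, "ERROR_SET_STATUS").upper()
        if ignore_error and status == "PASS":
            findings.append((control_id, "errors-reported-as-pass"))
        if len(set(queries)) > 1:
            findings.append((control_id, "query-differs-across-technologies"))
    return findings


if __name__ == "__main__":
    for control_id, label in audit_controls(SAMPLE):
        print(control_id, label)
```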

Sample - Control List API for MS SQL

API Request

curl -u "username:password" -H "Content-type: text/xml" -X "POST" -d "action=list&details=All&ids=100022" "https://<qualys_base_url>/api/2.0/fo/compliance/control/" > MSSQLControlAPI.xml

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2019-05-08T18:31:17Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>100022</ID>
        <UPDATE_DATE>2019-05-08T18:31:08Z</UPDATE_DATE>
        <CREATED_DATE>2019-04-29T20:21:11Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[CustomerData]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[URGENT]]></LABEL>
          <VALUE>5</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[MSSQL Database Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[testComment]]></COMMENT>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <ERROR_SET_STATUS>PASS</ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>22</ID>
            <NAME>Microsoft SQL Server 2008</NAME>
            <RATIONALE><![CDATA[select all from customer]]></RATIONALE>
            <DB_QUERY><![CDATA[select * from customers;]]></DB_QUERY>
            <DESCRIPTION><![CDATA[select all the rows from customers]]></DESCRIPTION>
            
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>

Sample - Control List API for Oracle

API Request

curl -u "username:password" -H "Content-type: text/xml" -X "POST" -d "action=list&details=All&ids=100060" "https://<qualys_base_url>/api/2.0/fo/compliance/control/" > OracleControlAPI.xml

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2019-05-08T18:32:46Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>100060</ID>
        <UPDATE_DATE>2019-05-08T18:32:04Z</UPDATE_DATE>
        <CREATED_DATE>2019-05-03T19:32:18Z</CREATED_DATE>
        <CATEGORY>Database Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[DB Access Controls]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[OracleselectAllCustomerData]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[MINIMAL]]></LABEL>
          <VALUE>1</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[Oracle Database Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[Gather All Data ]]></COMMENT>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <ERROR_SET_STATUS>FAIL</ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>7</ID>
            <NAME>Oracle 9i</NAME>
            <RATIONALE><![CDATA[GatherAllData]]></RATIONALE>
            <DB_QUERY><![CDATA[SELECT * FROM Customers WHERE ROWNUM >= 3;]]></DB_QUERY>
            <DESCRIPTION><![CDATA[select all the data]]></DESCRIPTION>
            
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>8</ID>
            <NAME>Oracle 10g</NAME>
            <RATIONALE><![CDATA[GatherAllData]]></RATIONALE>
            <DB_QUERY><![CDATA[select * from Customers;]]></DB_QUERY>
            <DESCRIPTION><![CDATA[select all the data]]></DESCRIPTION>
            
          </TECHNOLOGY>
          ...
  </RESPONSE>
</CONTROL_LIST_OUTPUT>

Sample - Control List API for Sybase

API Request

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" -d "action=list&details=All&ids=100947" "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
    <REQUEST>
        <DATETIME>2020-03-21T05:29:10Z</DATETIME>
        <USER_LOGIN>quays_sp1</USER_LOGIN>
        <RESOURCE>https://qualysapi.qualys.com/api/2.0/fo/compliance/control/</RESOURCE>
        <PARAM_LIST>
            <PARAM>
                <KEY>action</KEY>
                <VALUE>list</VALUE>
            </PARAM>
            <PARAM>
                <KEY>ids</KEY>
                <VALUE>100947</VALUE>
            </PARAM>
            <PARAM>
                <KEY>echo_request</KEY>
                <VALUE>1</VALUE>
            </PARAM>
        </PARAM_LIST>
    </REQUEST>
    <RESPONSE>
        <DATETIME>2020-03-21T05:29:10Z</DATETIME>
        <CONTROL_LIST>
            <CONTROL>
                <ID>100947</ID>
                <UPDATE_DATE>2020-03-20T15:05:35Z</UPDATE_DATE>
                <CREATED_DATE>2020-03-18T05:50:27Z</CREATED_DATE>
                <CATEGORY>Access Control Requirements</CATEGORY>
                <SUB_CATEGORY>
                <STATEMENT>
                    <![CDATA[sybase db udc]]>
                </STATEMENT>
                <CRITICALITY>
                    <LABEL>
                        <![CDATA[UNDEFINED]]>
                    </LABEL>
                    <VALUE>0</VALUE>
                </CRITICALITY>
                <CHECK_TYPE>
                    <![CDATA[Sybase Database Check]]>
                </CHECK_TYPE>
                <COMMENT>
                    <![CDATA[]]>
                </COMMENT>
                <IGNORE_ERROR>0</IGNORE_ERROR>
                <ERROR_SET_STATUS></ERROR_SET_STATUS>
                <TECHNOLOGY_LIST>
                    <TECHNOLOGY>
                        <ID>69</ID>
                        <NAME>Sybase ASE 15</NAME>
                        <RATIONALE>
                            <![CDATA[select db_name() as dbname, s.name as segment_name, t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status, t.proc_name, suser_name(t.suid) as owner from syssegments s, systhresholds t where t.segment = s.segment]]>
                        </RATIONALE>
                        <DB_QUERY>
                            <![CDATA[select db_name() as dbname, s.name as segment_name,            t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status,            t.proc_name, suser_name(t.suid) as owner            from syssegments s, systhresholds t            where t.segment = s.segment]]>
                        </DB_QUERY>
                        <DESCRIPTION>
                            <![CDATA[select db_name() as dbname, s.name as segment_name,            t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status,            t.proc_name, suser_name(t.suid) as owner            from syssegments s, systhresholds t            where t.segment = s.segment]]>
                        </DESCRIPTION>
                    </TECHNOLOGY>
                    <TECHNOLOGY>
                        <ID>116</ID>
                        <NAME>SAP Adaptive Server Enterprise 16</NAME>
                        <RATIONALE>
                            <![CDATA[select db_name() as dbname, s.name as segment_name, t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status, t.proc_name, suser_name(t.suid) as owner from syssegments s, systhresholds t where t.segment = s.segment]]>
                        </RATIONALE>
                        <DB_QUERY>
                            <![CDATA[select db_name() as dbname, s.name as segment_name,            t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status,            t.proc_name, suser_name(t.suid) as owner            from syssegments s, systhresholds t            where t.segment = s.segment]]>
                        </DB_QUERY>
                        <DESCRIPTION>
                            <![CDATA[select db_name() as dbname, s.name as segment_name,            t.free_space as free_space_pages, case t.status when 1 then 'LAST CHANCE' else 'OTHER' end as status,            t.proc_name, suser_name(t.suid) as owner            from syssegments s, systhresholds t            where t.segment = s.segment]]>
                        </DESCRIPTION>
                    </TECHNOLOGY>
                </TECHNOLOGY_LIST>
            </CONTROL>
        </CONTROL_LIST>
    </RESPONSE>
</CONTROL_LIST_OUTPUT>           

Sample - Control List API for PostgreSQL/Pivotal Greenplum

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&details=All&ids=101335" "https://<qualys_base_url>/api/2.0/fo/compliance/control/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2020-10-15T16:59:13Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>101335</ID>
        <UPDATE_DATE>2020-10-14T20:11:29Z</UPDATE_DATE>
        <CREATED_DATE>2020-10-14T19:46:01Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[prePostGreSQL_selectStatement]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[URGENT]]></LABEL>
          <VALUE>5</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[PostgreSQL Database Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[comments]]></COMMENT>
        <IGNORE_ERROR>0</IGNORE_ERROR>
        <ERROR_SET_STATUS></ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>114</ID>
            <NAME>PostgreSQL 9.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>143</ID>
            <NAME>PostgreSQL 10.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>192</ID>
            <NAME>PostgreSQL 11.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>201</ID>
            <NAME>Pivotal Greenplum 5.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>228</ID>
            <NAME>PostgreSQL 12.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>230</ID>
            <NAME>Pivotal Greenplum 6.x</NAME>
            <RATIONALE><![CDATA[Rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
            <DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>

Sample - Control List API for IBM DB2

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&ids=100010" "https://<qualys_base_url>/api/2.0/fo/compliance/control/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2021-06-22T11:14:08Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>100010</ID>
        <UPDATE_DATE>2021-06-22T08:24:27Z</UPDATE_DATE>
        <CREATED_DATE>2021-06-22T08:24:27Z</CREATED_DATE>
        <CATEGORY>Database Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[DB Access Controls]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[db2 statement]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[SERIOUS]]></LABEL>
          <VALUE>3</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[DB2 Database Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[comment for db2 udc]]></COMMENT>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <ERROR_SET_STATUS>FAIL</ERROR_SET_STATUS>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>40</ID>
            <NAME>IBM DB2 9.x</NAME>
            <RATIONALE><![CDATA[db2 udc rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select * from sysadmin]]></DB_QUERY>
            <DESCRIPTION><![CDATA[test db2 udc descprition]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>93</ID>
            <NAME>IBM DB2 10.x</NAME>
            <RATIONALE><![CDATA[db2 udc rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select * from sysadmin]]></DB_QUERY>
            <DESCRIPTION><![CDATA[test db2 udc descprition]]></DESCRIPTION>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>142</ID>
            <NAME>IBM DB2 11.x</NAME>
            <RATIONALE><![CDATA[db2 udc rationale]]></RATIONALE>
            <DB_QUERY><![CDATA[select * from sysadmin]]></DB_QUERY>
            <DESCRIPTION><![CDATA[test db2 udc descprition]]></DESCRIPTION>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
    </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>

Sample - Control List API for File Content Check

API Request

curl -u "username:password" -H "Content-type: text/xml" -X "POST" -d "action=list&echo_request=1&ids=100006,100000,100026&details=All" "https://<qualys_base_url>/api/2.0/fo/compliance/control/"> control_list.xml

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
 <REQUEST>
 <DATETIME>2019-10-14T21:17:21Z</DATETIME>
 <USER_LOGIN>username</USER_LOGIN>
 <RESOURCE>https://<qualys_base_url>/api/2.0/fo/compliance/control/</RESOURCE>
 <PARAM_LIST>
 <PARAM>
    <KEY>action</KEY>
    <VALUE>list</VALUE>
    </PARAM>
    <PARAM>
    <KEY>echo_request</KEY>
    <VALUE>1</VALUE>
    </PARAM>
    <PARAM>
    <KEY>ids</KEY>
    <VALUE>100006,100000,100026</VALUE>
    </PARAM>
   <PARAM>
    <KEY>details</KEY>
    <VALUE>All</VALUE>
    </PARAM>
    </PARAM_LIST>
    </REQUEST>
    <RESPONSE>
    <DATETIME>2019-10-14T21:17:21Z</DATETIME>
    <CONTROL_LIST>
    <CONTROL>
    <ID>100000</ID>
    <UPDATE_DATE>2019-10-10T21:54:35Z</UPDATE_DATE>
    <CREATED_DATE>2019-10-08T19:16:02Z</CREATED_DATE>
    <CATEGORY>Access Control Requirements</CATEGORY>
    <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
    <STATEMENT><![CDATA[preFCCUDC]]></STATEMENT>
    <CRITICALITY>
    <LABEL><![CDATA[min]]></LABEL>
    <VALUE>1</VALUE>
    </CRITICALITY>
    <CHECK_TYPE><![CDATA[Windows File Content Check]]></CHECK_TYPE>
    <COMMENT><![CDATA[]]></COMMENT>
    <IGNORE_ERROR>0</IGNORE_ERROR>
    <IGNORE_ITEM_NOT_FOUND>0</IGNORE_ITEM_NOT_FOUND>
    <SCAN_PARAMETERS>
    <PATH_TYPE><![CDATA[Use file search]]></PATH_TYPE>
    <FILE_QUERY><![CDATA[QWEB*]]></FILE_QUERY>
    <BASE_DIR><![CDATA[c:\]]></BASE_DIR>
    <DEPTH_LIMIT><![CDATA[3]]></DEPTH_LIMIT>
    <FILE_NAME_MATCH><![CDATA[preTest2.txt]]></FILE_NAME_MATCH>
    <FILE_NAME_SKIP><![CDATA[]]></FILE_NAME_SKIP>
    <DIR_NAME_MATCH><![CDATA[*]]></DIR_NAME_MATCH>
    <DIR_NAME_SKIP><![CDATA[]]></DIR_NAME_SKIP>
    <TIME_LIMIT><![CDATA[300]]></TIME_LIMIT>
    <MATCH_LIMIT><![CDATA[50]]></MATCH_LIMIT>
    <DATA_TYPE>String List</DATA_TYPE>
    <DESCRIPTION><![CDATA[FileContentChech]]></DESCRIPTION>
    </SCAN_PARAMETERS>
    <TECHNOLOGY_LIST>
    <TECHNOLOGY>
    <ID>53</ID>
    <NAME>Windows 2012 Server</NAME>
    <RATIONALE><![CDATA[rationale]]></RATIONALE>
    <DATAPOINT>
    <CARDINALITY>contains</CARDINALITY>
    <OPERATOR>xre</OPERATOR>
    <DEFAULT_VALUES total="1">
    <DEFAULT_VALUE><![CDATA[true]]></DEFAULT_VALUE>
    </DEFAULT_VALUES>
    </DATAPOINT>
    </TECHNOLOGY>
    <TECHNOLOGY>
    <ID>75</ID>
    <NAME>Windows Server 2012 R2</NAME>
    <RATIONALE><![CDATA[rationale]]></RATIONALE>
    <DATAPOINT>
    <CARDINALITY>contains</CARDINALITY>
    <OPERATOR>xre</OPERATOR>
    <DEFAULT_VALUES total="1">
    <DEFAULT_VALUE><![CDATA[true]]></DEFAULT_VALUE>
    </DEFAULT_VALUES>
    </DATAPOINT>
    </TECHNOLOGY>
    </TECHNOLOGY_LIST>
    </CONTROL>
    <CONTROL>
    <ID>100006</ID>
    <UPDATE_DATE>2019-10-14T19:06:55Z</UPDATE_DATE>
    <CREATED_DATE>2019-10-09T22:00:50Z</CREATED_DATE>
    <CATEGORY>Database Settings</CATEGORY>
    <SUB_CATEGORY><![CDATA[DB Access Controls]]></SUB_CATEGORY>
    <STATEMENT><![CDATA[Windows_FCC_Use_Reg]]></STATEMENT>
    <CRITICALITY>
    <LABEL><![CDATA[min]]></LABEL>
    <VALUE>1</VALUE>
    </CRITICALITY>
    <CHECK_TYPE><![CDATA[Windows File Content Check]]></CHECK_TYPE>
   <COMMENT><![CDATA[]]></COMMENT>
   <IGNORE_ERROR>0</IGNORE_ERROR>
   <IGNORE_ITEM_NOT_FOUND>0</IGNORE_ITEM_NOT_FOUND>
   <SCAN_PARAMETERS>
   <PATH_TYPE><![CDATA[Use Registry key]]></PATH_TYPE>
   <REG_HIVE><![CDATA[HKEY_CLASSES_ROOT (HKCR)]]></REG_HIVE>
   <REG_KEY><![CDATA[TestKey\user]]></REG_KEY>
   <REG_VALUE_NAME><![CDATA[preName]]></REG_VALUE_NAME>
   <FILE_PATH><![CDATA[]]></FILE_PATH>
   <FILE_QUERY><![CDATA[.*]]></FILE_QUERY>
   <DATA_TYPE>String List</DATA_TYPE>
   <DESCRIPTION><![CDATA[reg key]]></DESCRIPTION>
   </SCAN_PARAMETERS>
   <TECHNOLOGY_LIST>
   <TECHNOLOGY>
   <ID>53</ID>
   <NAME>Windows 2012 Server</NAME>
   <RATIONALE><![CDATA[rationale]]></RATIONALE>
   <DATAPOINT>
   <CARDINALITY>contains</CARDINALITY>
  <OPERATOR>xre</OPERATOR>
   <DEFAULT_VALUES total="1">
   <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
   </DEFAULT_VALUES>
   </DATAPOINT>
   </TECHNOLOGY>
   <TECHNOLOGY>
   <ID>75</ID>
   <NAME>Windows Server 2012 R2</NAME>
   <RATIONALE><![CDATA[rationale]]></RATIONALE>
   <DATAPOINT>
   <CARDINALITY>contains</CARDINALITY>
   <OPERATOR>xre</OPERATOR>
   <DEFAULT_VALUES total="1">
   <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
   </DEFAULT_VALUES>
   </DATAPOINT>
   </TECHNOLOGY>
   </TECHNOLOGY_LIST>
   </CONTROL>
   <CONTROL>
   <ID>100026</ID>
   <UPDATE_DATE>2019-10-11T20:12:48Z</UPDATE_DATE>
   <CREATED_DATE>2019-10-11T20:12:48Z</CREATED_DATE>
   <CATEGORY>Access Control Requirements</CATEGORY>
   <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
   <STATEMENT><![CDATA[pre_fcc_file_path_regexwith$]]></STATEMENT>
     <CRITICALITY>
     <LABEL><![CDATA[min]]></LABEL>
     <VALUE>1</VALUE>
     </CRITICALITY>
     <CHECK_TYPE><![CDATA[Windows File Content Check]]></CHECK_TYPE>
     <COMMENT><![CDATA[]]></COMMENT>
     <IGNORE_ERROR>0</IGNORE_ERROR>
     <IGNORE_ITEM_NOT_FOUND>0</IGNORE_ITEM_NOT_FOUND>
     <SCAN_PARAMETERS>
     <PATH_TYPE><![CDATA[Use file path]]></PATH_TYPE>
     <FILE_PATH><![CDATA[C:\user\PreTest\pretestfile1.txt]]></FILE_PATH>
     <FILE_QUERY><![CDATA[pre\$]]></FILE_QUERY>
     <DATA_TYPE>String List</DATA_TYPE>
     <DESCRIPTION><![CDATA[pre\$]]></DESCRIPTION>
     </SCAN_PARAMETERS>
     <TECHNOLOGY_LIST>
     <TECHNOLOGY>
     <ID>1</ID>
     <NAME>Windows XP desktop</NAME>
     <RATIONALE><![CDATA[ration]]></RATIONALE>
     <DATAPOINT>
     <CARDINALITY>contains</CARDINALITY>
     <OPERATOR>xre</OPERATOR>
     <DEFAULT_VALUES total="1">
     <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
     </DEFAULT_VALUES>
     </DATAPOINT>
     </TECHNOLOGY>
     <TECHNOLOGY>
     <ID>2</ID>
     <NAME>Windows 2003 Server</NAME>
     <RATIONALE><![CDATA[ration]]></RATIONALE>
     <DATAPOINT>
     <CARDINALITY>contains</CARDINALITY>
     <OPERATOR>xre</OPERATOR>
     <DEFAULT_VALUES total="1">
     <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
     </DEFAULT_VALUES>
     </DATAPOINT>
     </TECHNOLOGY>
     <TECHNOLOGY>
        <ID>12</ID>
        <NAME>Windows 2000</NAME>
        <RATIONALE><![CDATA[ration]]></RATIONALE>
        <DATAPOINT>
        <CARDINALITY>contains</CARDINALITY>
        <OPERATOR>xre</OPERATOR>
        <DEFAULT_VALUES total="1">
        <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
        </DEFAULT_VALUES>
        </DATAPOINT>
        </TECHNOLOGY>
        <TECHNOLOGY>
        <ID>18</ID>
        <NAME>Windows Vista</NAME>
        <RATIONALE><![CDATA[ration]]></RATIONALE>
        <DATAPOINT>
        <CARDINALITY>contains</CARDINALITY>
        <OPERATOR>xre</OPERATOR>
        <DEFAULT_VALUES total="1">
        <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
        </DEFAULT_VALUES>
        </DATAPOINT>
        </TECHNOLOGY>
        <TECHNOLOGY>
        <ID>21</ID>
        <NAME>Windows 2008 Server</NAME>
        <RATIONALE><![CDATA[ration]]></RATIONALE>
        <DATAPOINT>
        <CARDINALITY>contains</CARDINALITY>
       <OPERATOR>xre</OPERATOR>
        <DEFAULT_VALUES total="1">
        <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
        </DEFAULT_VALUES>
        </DATAPOINT>
        </TECHNOLOGY>
        <TECHNOLOGY>
        <ID>37</ID>
        <NAME>Windows 7</NAME>
        <RATIONALE><![CDATA[ration]]></RATIONALE>
        <DATAPOINT>
        <CARDINALITY>contains</CARDINALITY>
        <OPERATOR>xre</OPERATOR>
        <DEFAULT_VALUES total="1">
        <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
    </DEFAULT_VALUES>
</DATAPOINT>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>53</ID>
<NAME>Windows 2012 Server</NAME>
<RATIONALE><![CDATA[ration]]></RATIONALE>
<DATAPOINT>
<CARDINALITY>contains</CARDINALITY>
<OPERATOR>xre</OPERATOR>
<DEFAULT_VALUES total="1">
<DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
</DEFAULT_VALUES>
</DATAPOINT>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>54</ID>
<NAME>Windows 8</NAME>
<RATIONALE><![CDATA[ration]]></RATIONALE>
<DATAPOINT>
<CARDINALITY>contains</CARDINALITY>
<OPERATOR>xre</OPERATOR>
<DEFAULT_VALUES total="1">
<DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
</DEFAULT_VALUES>
</DATAPOINT>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>72</ID>
<NAME>Windows 8.1</NAME>
<RATIONALE><![CDATA[ration]]></RATIONALE>
<DATAPOINT>
<CARDINALITY>contains</CARDINALITY>
<OPERATOR>xre</OPERATOR>
<DEFAULT_VALUES total="1">
<DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
</DEFAULT_VALUES>
</DATAPOINT>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>75</ID>
<NAME>Windows Server 2012 R2</NAME>
<RATIONALE><![CDATA[ration]]></RATIONALE>
<DATAPOINT>
<CARDINALITY>contains</CARDINALITY>
<OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>91</ID>
 <NAME>Windows 10</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>106</ID>
 <NAME>Windows 2016 Server</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>144</ID>
 <NAME>Windows Embedded 7</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
<DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>145</ID>
 <NAME>Windows Embedded 8</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>146</ID>
 <NAME>Windows Embedded 8.1</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 <TECHNOLOGY>
 <ID>180</ID>
 <NAME>Windows 2019 Server</NAME>
 <RATIONALE><![CDATA[ration]]></RATIONALE>
 <DATAPOINT>
 <CARDINALITY>contains</CARDINALITY>
 <OPERATOR>xre</OPERATOR>
 <DEFAULT_VALUES total="1">
 <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
 </DEFAULT_VALUES>
 </DATAPOINT>
 </TECHNOLOGY>
 </TECHNOLOGY_LIST>
 </CONTROL>
 </CONTROL_LIST>
 </RESPONSE>
</CONTROL_LIST_OUTPUT>

Sample - List Unix File Content Custom Controls When Evaluate as String is Enabled

Unix File Content custom controls have an option to evaluate scan results as a string instead of a string list. Once the <EVALUATE_AS_STRING> parameter is enabled (1), the scan result is evaluated as a single string. By default the option is disabled (0).

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=list&ids=102090&details=All" "https://<qualys_base_url>/api/2.0/fo/compliance/control/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2021-04-06T11:14:08Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>102090</ID>
        <UPDATE_DATE>2021-04-01T11:59:40Z</UPDATE_DATE>
        <CREATED_DATE>2021-04-01T11:59:40Z</CREATED_DATE>
        <CATEGORY>Web Application Services</CATEGORY>
        <SUB_CATEGORY><![CDATA[Web Server/Tier Settings]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[FC_New Option Enabled _With String list]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[URGENT]]></LABEL>
          <VALUE>5</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[Unix File Content Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[String list]]></COMMENT>
        <IGNORE_ERROR>1</IGNORE_ERROR>
        <IGNORE_ITEM_NOT_FOUND>1</IGNORE_ITEM_NOT_FOUND>
        <SCAN_PARAMETERS>
            <FILE_PATH><![CDATA[/home/testscan/samram]]></FILE_PATH>
            <FILE_QUERY><![CDATA[.*]]></FILE_QUERY>
            <DATA_TYPE>String List</DATA_TYPE>
            <EVALUATE_AS_STRING>1</EVALUATE_AS_STRING>
            <DESCRIPTION><![CDATA[with string list]]></DESCRIPTION>
        </SCAN_PARAMETERS>
        <TECHNOLOGY_LIST>
        ...

Sample - List DS UDCs When Case Sensitive Search is Disabled

You have an option to disable the case-sensitive search in Unix agent UDCs (Directory Search and Directory Integrity). Once the <DISABLE_CASE_SENSITIVE_SEARCH> parameter is enabled (1), the search results list file names in all possible combinations of uppercase and lowercase. By default the option is disabled (0).

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=list&ids=102154&details=All" "https://<qualys_base_url>/api/2.0/fo/compliance/control/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2021-04-06T11:14:08Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>102154</ID>
        <UPDATE_DATE>2021-07-21T07:02:43Z</UPDATE_DATE>
        <CREATED_DATE>2021-07-07T06:38:30Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[DS UDC case sensitive with new option]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[MINIMAL]]></LABEL>
          <VALUE>1</VALUE>
        </CRITICALITY>
        <CHECK_TYPE><![CDATA[Unix Directory Search Check]]></CHECK_TYPE>
        <COMMENT><![CDATA[DI UDC case sensitive disabled]]></COMMENT>
        <USE_AGENT_ONLY>1</USE_AGENT_ONLY>
        <IGNORE_ERROR>0</IGNORE_ERROR>
        <SCAN_PARAMETERS>
         <BASE_DIR><![CDATA[/home/qa]]></BASE_DIR>
         <SHOULD_DESCEND><![CDATA[true]]></SHOULD_DESCEND>
         <DEPTH_LIMIT><![CDATA[10]]></DEPTH_LIMIT>
         <FOLLOW_SYMLINK><![CDATA[true]]></FOLLOW_SYMLINK>
         <FILE_NAME_MATCH><![CDATA[*]]></FILE_NAME_MATCH>
         <FILE_NAME_SKIP><![CDATA[]]></FILE_NAME_SKIP>
         <DIR_NAME_MATCH><![CDATA[*]]></DIR_NAME_MATCH>
         <DIR_NAME_SKIP><![CDATA[]]></DIR_NAME_SKIP>
         <PERMISSIONS>
          <SPECIAL>
           <USER>any</USER>
           <GROUP>any</GROUP>
           <DELETION>any</DELETION>
          </SPECIAL>
          <USER>
           <READ>any</READ>
           <WRITE>any</WRITE>
           <EXECUTE>any</EXECUTE>
          </USER>
          <GROUP>
           <READ>any</READ>
           <WRITE>any</WRITE>
           <EXECUTE>any</EXECUTE>
          </GROUP>
          <OTHER>
           <READ>any</READ>
           <WRITE>any</WRITE>
           <EXECUTE>any</EXECUTE>
          </OTHER>
         </PERMISSIONS>
         <PERM_COND><![CDATA[all]]></PERM_COND>
         <TYPE_MATCH><![CDATA[d,f,l,p,b,c,s,D]]></TYPE_MATCH>
         <USER_OWNER><![CDATA[Any User]]></USER_OWNER>
         <GROUP_OWNER><![CDATA[Any Group]]></GROUP_OWNER>
         <TIME_LIMIT><![CDATA[300]]></TIME_LIMIT>
         <MATCH_LIMIT><![CDATA[50]]></MATCH_LIMIT>
         <DISABLE_CASE_SENSITIVE_SEARCH><![CDATA[true]]></DISABLE_CASE_SENSITIVE_SEARCH>
         <DATA_TYPE>String List</DATA_TYPE>
         <DESCRIPTION><![CDATA[/home/qa desc]]></DESCRIPTION>
        </SCAN_PARAMETERS>
     ...
   </CONTROL_LIST>
  </RESPONSE>
 </CONTROL_LIST_OUTPUT>

DTD

<platform API server>/api/2.0/fo/compliance/control/control_list_output.dtd

V3.0

GET POST /api/3.0/fo/compliance/control/?action=list

View a list of compliance controls which are visible to the user. The user has the ability to select the amount of additional information to include for each control in the output. By default, this basic control information is included: the control ID, the control category, the control sub-category, the control statement, and a list of technologies.

Using the Qualys user interface, it’s possible to customize the list of frameworks at the subscription level. Under PC, go to Policies > Setup > Frameworks to customize the frameworks list. If the frameworks list is customized for your subscription, then the customized list of frameworks will appear in the controls list output returned by a control list API request.

Permissions - Click here to view permissions info

Maximum Controls per API Request

The output of the Compliance Control API is paginated. By default, a maximum of 1,000 control records are returned per request. You can customize the page size (i.e., the number of control records) with the truncation_limit parameter, for instance “truncation_limit=2000”. In this case the results are returned in pages of 2,000 records.

Input Parameters

| Parameter | Required/Optional | Data Type | Description |
|---|---|---|---|
| action=list | Required | String | Specifies the action type used to request a control list. |
| echo_request={0\|1} | Optional | Integer | Specify 1 to view (echo) input parameters in the XML output. By default these are not included. |
| details={Basic\|All\|None} | Optional | Boolean | Show the requested amount of host information for each host. A valid value is: Basic - (default) Includes all control details except framework mappings; All - includes all control details; None - includes control ID only. |
| ids={value} | Optional | Integer | Show only certain control IDs and/or ID ranges. One or more control IDs/ranges may be specified. A control ID range entry is specified with a hyphen (for example, 3000-3250). Valid control IDs are required. |
| id_min={value} | Optional | Integer | Show only controls which have a minimum control ID value. A valid control ID is required. |
| id_max={value} | Optional | Integer | Show only controls which have a maximum control ID value. A valid control ID is required. |
| updated_after_datetime={value} | Optional | Integer | Show only controls updated after a certain date/time. See “Date Filters” below. |
| created_after_datetime={value} | Optional | Integer | Show only controls created after a certain date/time. See “Date Filters” below. |
| truncation_limit={value} | Optional | Integer | The maximum number of control records processed per request. When not specified, the truncation limit is set to 1,000 host records. |

If the requested list identifies more records than the truncation limit, then the XML output includes the <WARNING> element and the URL for making another request for the next batch of records.

You can specify truncation_limit=0 for no truncation limit. This means that the output is not paginated and all the records are returned in a single output. WARNING: This can generate very large output and processing large XML files can consume a lot of resources on the client side. In this case it is recommended to use the pagination logic and parallel processing. The previous page can be processed while the next page is being downloaded.
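The pagination loop described above, as an added example (not Qualys code): each page is streamed with `iterparse` so memory stays bounded, and the next-batch link is followed only if it is HTTPS on the same API host, so credentials are never sent to an unexpected origin. Assumptions: the next-batch URL is a `<URL>` child of `<WARNING>`; the host `qualysapi.example`, the `fetch` hook and the sample pages are constructed for the example.

```python
import xml.etree.ElementTree as ET
from io import BytesIO
from urllib.parse import urlsplit

API_PATH = "/api/3.0/fo/compliance/control/"  # endpoint path from this page
HOST = "qualysapi.example"                    # constructed placeholder host


def parse_page(xml_bytes):
    """Stream one CONTROL_LIST_OUTPUT page; return (controls, next_url)."""
    controls, next_url = [], None
    for _event, elem in ET.iterparse(BytesIO(xml_bytes), events=("end",)):
        if elem.tag == "CONTROL":
            controls.append({
                "id": int(elem.findtext("ID")),
                "statement": elem.findtext("STATEMENT"),
                "criticality": elem.findtext("CRITICALITY/LABEL"),
                "technologies": [t.findtext("NAME")
                                 for t in elem.iterfind("TECHNOLOGY_LIST/TECHNOLOGY")],
            })
            elem.clear()  # release the parsed subtree before reading the next control
        elif elem.tag == "WARNING":
            # Assumption: the next-batch URL is the <URL> child of <WARNING>.
            next_url = (elem.findtext("URL") or "").strip() or None
    return controls, next_url


def check_next_url(next_url, base_host):
    """Follow only HTTPS links on the API host the credentials were issued for."""
    parts = urlsplit(next_url)
    if parts.scheme != "https" or parts.hostname != base_host:
        raise ValueError(f"refusing to follow next-batch URL {next_url!r}")
    return next_url


def iter_controls(fetch, base_host, query="action=list&truncation_limit=2", max_pages=500):
    """Yield every control, page by page, until no <WARNING> URL is returned.

    fetch(url) -> bytes is a hypothetical hook supplied by the caller; in
    production it would send the authenticated HTTPS request.
    """
    url = f"https://{base_host}{API_PATH}?{query}"
    visited = set()
    for _ in range(max_pages):
        if url in visited:
            raise RuntimeError(f"pagination loop detected at {url}")
        visited.add(url)
        controls, next_url = parse_page(fetch(url))
        yield from controls
        if next_url is None:
            return
        url = check_next_url(next_url, base_host)
    raise RuntimeError("max_pages reached before the last page")


def sample_control(control_id, label, tech):
    """Build one constructed <CONTROL> record in the layout shown on this page."""
    return (f"<CONTROL><ID>{control_id}</ID>"
            f"<STATEMENT><![CDATA[constructed statement {control_id}]]></STATEMENT>"
            f"<CRITICALITY><LABEL><![CDATA[{label}]]></LABEL></CRITICALITY>"
            f"<TECHNOLOGY_LIST><TECHNOLOGY><ID>1</ID><NAME>{tech}</NAME></TECHNOLOGY>"
            f"</TECHNOLOGY_LIST></CONTROL>")


def sample_page(controls, next_url=None):
    """Wrap constructed controls in a response, with a WARNING if more pages follow."""
    warning = ""
    if next_url:
        warning = ("<WARNING><TEXT>constructed warning text</TEXT>"
                   f"<URL><![CDATA[{next_url}]]></URL></WARNING>")
    return ('<?xml version="1.0" encoding="UTF-8" ?>\n'
            "<CONTROL_LIST_OUTPUT><RESPONSE><DATETIME>2024-09-11T09:26:14Z</DATETIME>"
            f"<CONTROL_LIST>{''.join(controls)}</CONTROL_LIST>{warning}"
            "</RESPONSE></CONTROL_LIST_OUTPUT>").encode("utf-8")


# Constructed two-page result set served by an offline stand-in for the API.
FIRST_URL = f"https://{HOST}{API_PATH}?action=list&truncation_limit=2"
SECOND_URL = FIRST_URL + "&id_min=1074"
PAGES = {
    FIRST_URL: sample_page([sample_control(1044, "CRITICAL", "Oracle 9i"),
                            sample_control(1045, "SERIOUS", "Windows 2000")], SECOND_URL),
    SECOND_URL: sample_page([sample_control(1074, "CRITICAL", "Oracle 9i")]),
}


def fake_fetch(url):
    """Offline replacement for the HTTPS request."""
    return PAGES[url]


if __name__ == "__main__":
    for control in iter_controls(fake_fetch, HOST):
        print(control["id"], control["criticality"], control["technologies"])
```

Because `iter_controls` is a generator, the caller can process one page while deciding whether to request the next, which is the pattern the warning above recommends over `truncation_limit=0`.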

Date Filter

The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2010-03-01” or “2010-03-01T23:12:00Z”.

If you specify a date but no time, for example 2010-03-01, then the service automatically sets the time to 2010-03-01T00:00:00Z (the start of the day).

When date filters are specified using both input parameters for a single API request, both date filters are satisfied (ANDed).

Sample - List Controls

API Request

curl -s -S -H 'X-Requested-With:curl demo2' -u "yyyuser:Yuser@123#" -d "action=list" "https://<qualys_base_url>/api/3.0/fo/compliance/control/" 

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2024-09-11T09:26:14Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>1044</ID>
        <UPDATE_DATE>2021-04-14T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-10-12T00:00:00Z</CREATED_DATE>
        <CATEGORY>Access Control Requirements</CATEGORY>
        <SUB_CATEGORY><![CDATA[Authorizations (Multi-user ACL/role)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the &apos;O7_DICTIONARY_ACCESSIBILITY&apos; setting in init.ora]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[CRITICAL]]></LABEL>
          <VALUE>4</VALUE>
        </CRITICALITY>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>7</ID>
            <NAME>Oracle 9i</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>8</ID>
            <NAME>Oracle 10g</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>9</ID>
            <NAME>Oracle 11g</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>99</ID>
            <NAME>Oracle 12c</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>175</ID>
            <NAME>Oracle 18c</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>310</ID>
            <NAME>Oracle 12c Multitenant</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>311</ID>
            <NAME>Oracle 18c Multitenant</NAME>
            <RATIONALE><![CDATA[The 'O7_DICTIONARY_ACCESSIBILITY' setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations.  Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[FALSE]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>1045</ID>
        <UPDATE_DATE>2018-10-12T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-10-12T00:00:00Z</CREATED_DATE>
        <CATEGORY>OS Security Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[System Settings (OSI layers 6-7)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the &apos;Clipbook&apos; service (startup type)]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[SERIOUS]]></LABEL>
          <VALUE>3</VALUE>
        </CRITICALITY>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>1</ID>
            <NAME>Windows XP desktop</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access.  As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>2</ID>
            <NAME>Windows 2003 Server</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access.  As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>12</ID>
            <NAME>Windows 2000</NAME>
            <RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text.  The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access.  As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>1074</ID>
        <UPDATE_DATE>2022-03-10T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-10-17T00:00:00Z</CREATED_DATE>
        <CATEGORY>OS Security Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[Database Settings (non-Access Control/Logging)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[The current list of ORACLE accounts that not having &apos;Maximum Tablespace Quotas&apos; set to &apos;unlimited&apos;]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[CRITICAL]]></LABEL>
          <VALUE>4</VALUE>
        </CRITICALITY>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>7</ID>
            <NAME>Oracle 9i</NAME>
            <RATIONALE><![CDATA[Through 'tablespace quotas,' Oracle can limit the [collective] amount of disk storage made available to objects in a schema.  This permits selective control of the space consumed by those objects according to the schema type.  Quotas should be set for each tablespace, which can eliminate resource-contention/denial-of-service conditions, such as having 'online comment' fields repeatedly filled in by a malicious user's script, eventually consuming enough disk space to cause the database to freeze.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY>is contained in</CARDINALITY>
                <OPERATOR>xre</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>8</ID>
            <NAME>Oracle 10g</NAME>
            <RATIONALE><![CDATA[Through 'tablespace quotas,' Oracle can limit the [collective] amount of disk storage made available to objects in a schema.  This permits selective control of the space consumed by those objects according to the schema type.  Quotas should be set for each tablespace, which can eliminate resource-contention/denial-of-service conditions, such as having 'online comment' fields repeatedly filled in by a malicious user's script, eventually consuming enough disk space to cause the database to freeze.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY>is contained in</CARDINALITY>
                <OPERATOR>xre</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>9</ID>
            <NAME>Oracle 11g</NAME>
            <RATIONALE><![CDATA[Through 'tablespace quotas,' Oracle can limit the [collective] amount of disk storage made available to objects in a schema.  This permits selective control of the space consumed by those objects according to the schema type.  Quotas should be set for each tablespace, which can eliminate resource-contention/denial-of-service conditions, such as having 'online comment' fields repeatedly filled in by a malicious user's script, eventually consuming enough disk space to cause the database to freeze.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY>is contained in</CARDINALITY>
                <OPERATOR>xre</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>99</ID>
            <NAME>Oracle 12c</NAME>
            <RATIONALE><![CDATA[Through 'tablespace quotas,' Oracle can limit the [collective] amount of disk storage made available to objects in a schema.  This permits selective control of the space consumed by those objects according to the schema type.  Quotas should be set for each tablespace, which can eliminate resource-contention/denial-of-service conditions, such as having 'online comment' fields repeatedly filled in by a malicious user's script, eventually consuming enough disk space to cause the database to freeze.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY>is contained in</CARDINALITY>
                <OPERATOR>xre</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>1331</ID>
        <UPDATE_DATE>2024-04-18T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-12-07T00:00:00Z</CREATED_DATE>
        <CATEGORY>OS Security Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[Network Settings (OSI Layers 2-5)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the &apos;TCP packet numbering sequence randomization&apos; (TCP_STRONG) setting]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[SERIOUS]]></LABEL>
          <VALUE>3</VALUE>
        </CRITICALITY>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>4</ID>
            <NAME>Solaris 9.x</NAME>
            <RATIONALE><![CDATA[The 'sequence randomization' for TCP packet numbering was designed to prevent malicious users from crafting TCP packets, that could appear to be part of a pre-existing TCP sequence from one host, while slipping in their own packets from another.  (RFC 793 provides specifics on TCP design.)  As various spoofing and hijacking attacks have been based upon the ability to predict the sequence numbers of TCP packets, the method outlined in RFC1948, using a strong algorithm to randomize TCP sequence numbers, is the most secure option available for protecting the packet sequence and should be applied as appropriate to business needs.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[2]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>10</ID>
            <NAME>Solaris 10.x</NAME>
            <RATIONALE><![CDATA[The 'sequence randomization' for TCP packet numbering was designed to prevent malicious users from crafting TCP packets, that could appear to be part of a pre-existing TCP sequence from one host, while slipping in their own packets from another.  (RFC 793 provides specifics on TCP design.)  As various spoofing and hijacking attacks have been based upon the ability to predict the sequence numbers of TCP packets, the method outlined in RFC1948, using a strong algorithm to randomize TCP sequence numbers, is the most secure option available for protecting the packet sequence and should be applied as appropriate to business needs.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[2]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>46</ID>
            <NAME>Solaris 11.x</NAME>
            <RATIONALE><![CDATA[The 'sequence randomization' for TCP packet numbering was designed to prevent malicious users from crafting TCP packets, that could appear to be part of a pre-existing TCP sequence from one host, while slipping in their own packets from another.  (RFC 793 provides specifics on TCP design.)  As various spoofing and hijacking attacks have been based upon the ability to predict the sequence numbers of TCP packets, the method outlined in RFC1948, using a strong algorithm to randomize TCP sequence numbers, is the most secure option available for protecting the packet sequence and should be applied as appropriate to business needs.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[2]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      <CONTROL>
        <ID>1332</ID>
        <UPDATE_DATE>2019-03-12T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-12-07T00:00:00Z</CREATED_DATE>
        <CATEGORY>OS Security Settings</CATEGORY>
        <SUB_CATEGORY><![CDATA[Performance Monitoring  (All OSI Layers)]]></SUB_CATEGORY>
        <STATEMENT><![CDATA[Status of the &apos;Graphical User Interface (GUI)&apos; startup environment]]></STATEMENT>
        <CRITICALITY>
          <LABEL><![CDATA[MEDIUM]]></LABEL>
          <VALUE>2</VALUE>
        </CRITICALITY>
        <TECHNOLOGY_LIST>
          <TECHNOLOGY>
            <ID>3</ID>
            <NAME>Red Hat Enterprise Linux 3/4</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>4</ID>
            <NAME>Solaris 9.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.  (S99dtlogin)]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>5</ID>
            <NAME>HPUX 11.iv1</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[(^DESKTOP=$|161803399999999|314159265358979)]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>11</ID>
            <NAME>Red Hat Enterprise Linux 5.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>13</ID>
            <NAME>HPUX 11.iv2</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[(^DESKTOP=$|161803399999999|314159265358979)]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>14</ID>
            <NAME>Solaris 8.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.  (S99dtlogin)]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>15</ID>
            <NAME>SUSE Linux Enterprise 9/10</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>25</ID>
            <NAME>CentOS 4.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>26</ID>
            <NAME>CentOS 5.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>27</ID>
            <NAME>Debian GNU/Linux 5.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY>matches</CARDINALITY>
                <OPERATOR>xre</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>33</ID>
            <NAME>Oracle Enterprise Linux 4.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>34</ID>
            <NAME>Oracle Enterprise Linux 5.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>35</ID>
            <NAME>AIX 6.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[2]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>36</ID>
            <NAME>HPUX 11.iv3</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>re</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>38</ID>
            <NAME>SUSE Linux Enterprise 11.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>43</ID>
            <NAME>CentOS 6.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>44</ID>
            <NAME>Oracle Enterprise Linux 6.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>45</ID>
            <NAME>Red Hat Enterprise Linux 6.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>52</ID>
            <NAME>AIX 7.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>eq</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[2]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>81</ID>
            <NAME>Red Hat Enterprise Linux 7.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>94</ID>
            <NAME>SUSE Linux Enterprise 12.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
          <TECHNOLOGY>
            <ID>96</ID>
            <NAME>Ubuntu 14.x</NAME>
            <RATIONALE><![CDATA[The graphical user interface (GUI) is set up through the kernel and provides windowing system, such as GNOME or KDE, which can be used to conduct host operations.  As the X-windows services used for supporting the GUI operations have been compromised by a number of exploits, use of the GUI and its associated processes should be disabled or restricted and used only where a clear business need is determined to exist.]]></RATIONALE>
            <DATAPOINT>
                <CARDINALITY/>
                <OPERATOR>ge</OPERATOR>
                <DEFAULT_VALUES total="1">
                    <DEFAULT_VALUE><![CDATA[0]]></DEFAULT_VALUE>
                </DEFAULT_VALUES>
            </DATAPOINT>
          </TECHNOLOGY>
        </TECHNOLOGY_LIST>
      </CONTROL>
      </CONTROL_LIST>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>
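An added example (not part of the Qualys documentation): parsing a response of the shape shown above into one row per control/technology datapoint, then listing datapoints whose default expected value is the catch-all regex `.*`, which matches any collected value. The embedded XML is a constructed excerpt, the function names are hypothetical, and treating `re`/`xre` as regular-expression operators is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt with the same element layout as the sample response.
SAMPLE = """<CONTROL_LIST_OUTPUT><RESPONSE><CONTROL_LIST>
<CONTROL>
  <ID>1332</ID>
  <CRITICALITY><LABEL><![CDATA[MEDIUM]]></LABEL><VALUE>2</VALUE></CRITICALITY>
  <TECHNOLOGY_LIST>
    <TECHNOLOGY><ID>11</ID><NAME>Red Hat Enterprise Linux 5.x</NAME>
      <DATAPOINT><CARDINALITY/><OPERATOR>eq</OPERATOR>
        <DEFAULT_VALUES total="1"><DEFAULT_VALUE><![CDATA[3]]></DEFAULT_VALUE></DEFAULT_VALUES>
      </DATAPOINT></TECHNOLOGY>
    <TECHNOLOGY><ID>5</ID><NAME>HPUX 11.iv1</NAME>
      <DATAPOINT><CARDINALITY/><OPERATOR>re</OPERATOR>
        <DEFAULT_VALUES total="1"><DEFAULT_VALUE><![CDATA[(^DESKTOP=$|161803399999999|314159265358979)]]></DEFAULT_VALUE></DEFAULT_VALUES>
      </DATAPOINT></TECHNOLOGY>
    <TECHNOLOGY><ID>27</ID><NAME>Debian GNU/Linux 5.x</NAME>
      <DATAPOINT><CARDINALITY>matches</CARDINALITY><OPERATOR>xre</OPERATOR>
        <DEFAULT_VALUES total="1"><DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE></DEFAULT_VALUES>
      </DATAPOINT></TECHNOLOGY>
    <TECHNOLOGY><ID>36</ID><NAME>HPUX 11.iv3</NAME>
      <DATAPOINT><CARDINALITY/><OPERATOR>re</OPERATOR>
        <DEFAULT_VALUES total="1"><DEFAULT_VALUE><![CDATA[.*]]></DEFAULT_VALUE></DEFAULT_VALUES>
      </DATAPOINT></TECHNOLOGY>
  </TECHNOLOGY_LIST>
</CONTROL>
</CONTROL_LIST></RESPONSE></CONTROL_LIST_OUTPUT>"""

# Assumption: these operator codes compare the collected value to a regex.
REGEX_OPERATORS = {"re", "xre"}


def flatten(xml_text):
    """Return one dict per (control, technology) datapoint in the response."""
    rows = []
    for control in ET.fromstring(xml_text).iter("CONTROL"):
        control_id = int(control.findtext("ID"))
        criticality = control.findtext("CRITICALITY/LABEL")
        for tech in control.iterfind("TECHNOLOGY_LIST/TECHNOLOGY"):
            dp = tech.find("DATAPOINT")
            if dp is None:  # technology listed without a datapoint
                continue
            dv = dp.find("DEFAULT_VALUES")
            values = [v.text or "" for v in dv.iterfind("DEFAULT_VALUE")] if dv is not None else []
            declared = int(dv.get("total", len(values))) if dv is not None else 0
            rows.append({
                "control_id": control_id,
                "criticality": criticality,
                "tech_id": int(tech.findtext("ID")),
                "tech_name": tech.findtext("NAME"),
                "cardinality": dp.findtext("CARDINALITY") or None,  # <CARDINALITY/> -> None
                "operator": dp.findtext("OPERATOR"),
                "defaults": values,
                "total_ok": declared == len(values),  # total="N" agrees with the element count
            })
    return rows


def catch_all_defaults(rows):
    """Rows whose default expected value is a regex that accepts any string."""
    return [r for r in rows
            if r["operator"] in REGEX_OPERATORS
            and any(d.strip() in (".*", "^.*$") for d in r["defaults"])]
```
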

DTD

<platform API server>/api/3.0/fo/compliance/control/control_list_output.dtd

API Version History

The following table lists the versions of this API and their status:

API Version | API Status | Release Date
/api/2.0/fo/compliance/control/?action=list | To be deprecated | March 2025
/api/3.0/fo/compliance/control/?action=list | Active | September 2024

 

 
