Policy Audit Release 1.1.0 API
July 7, 2025
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
We have implemented versioning for APIs. For more information on API versioning, refer to the Introducing API Versioning: A Strategic Upgrade for Enhanced Stability and Control for API Integrations blog.
Polices API: View Control Status for a Policy
| New or Updated API | Updated |
| API Endpoint (deprecation Timeline - December 2025) | /api/2.0/fo/compliance/policy |
| API Endpoint (New Version) |
/api/3.0/fo/compliance/policy |
| Method | GET and POST |
| DTD or XSD changes | Yes |
With this release, we have added a new tag - STATUS to the List Policies API. With the addition you can view the status (either active or inactive) of each Control associated to the Policy.
To ensure alignment with the Policy List API, the Policy Export and Policy Import APIs are now on version 3.0 (v3.0). Support for the new tag is not currently available in these APIs.
List Policies API
Sample - List PolicySample - List Policy
API Request
curl -k -s -S -H 'X-Requested-With:curl demo2' -u "username:Password#" -d "action=list&details=Basic&ids=5744989" "https://<qualys_base_url>/api/3.0/fo/compliance/policy/"
API Response
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE POLICY_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/compliance/policy/policy_list_output.dtd"> <POLICY_LIST_OUTPUT> <RESPONSE> <DATETIME>2025-06-30T06:26:19Z</DATETIME> <POLICY_LIST> <POLICY> <ID>5744989</ID> <TITLE> <![CDATA[One UDC]]> </TITLE> <CREATED> <DATETIME>2025-06-25T15:04:04Z</DATETIME> <BY>ctxta</BY> </CREATED> <LAST_MODIFIED> <DATETIME>2025-06-27T11:57:34Z</DATETIME> <BY>ctxta</BY> </LAST_MODIFIED> <LAST_EVALUATED> <DATETIME>2025-06-30T06:01:44Z</DATETIME> </LAST_EVALUATED> <STATUS> <![CDATA[active]]> </STATUS> <IS_LOCKED>0</IS_LOCKED> <EVALUATE_NOW> <![CDATA[yes]]> </EVALUATE_NOW> <ASSET_GROUP_IDS>10898081,10919108,10926154,10996581,11000130,11000163-11000164,11024194,11035730,11072689,11076105,11080595,11080756,11081917,11111120</ASSET_GROUP_IDS> <CONTROL_LIST> <CONTROL> <ID>1071</ID> <STATEMENT> <![CDATA[Status of the 'Minimum Password Length' setting]]> </STATEMENT> <CRITICALITY> <LABEL> <![CDATA[URGENT]]> </LABEL> <VALUE>5</VALUE> </CRITICALITY> <STATUS> <![CDATA[Active]]> </STATUS> </CONTROL> <CONTROL> <ID>100000</ID> <STATEMENT> <![CDATA[CitiJSONUDC2]]> </STATEMENT> <CRITICALITY> <LABEL> <![CDATA[URGENT]]> </LABEL> <VALUE>5</VALUE> </CRITICALITY> <STATUS> <![CDATA[Active]]> </STATUS> </CONTROL> </CONTROL_LIST> </POLICY> </POLICY_LIST> <GLOSSARY> <ASSET_GROUP_LIST> <ASSET_GROUP> <ID>10898081</ID> <TITLE> <![CDATA[IBMDB2]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>10919108</ID> <TITLE> <![CDATA[Inflobox AG]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>10926154</ID> <TITLE> <![CDATA[ip agent merge case]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11081917</ID> <TITLE> <![CDATA[pyscand ag3]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11111120</ID> <TITLE> <![CDATA[Windows AG nEw]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>10996581</ID> <TITLE> <![CDATA[dtest AG]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11000130</ID> <TITLE> <![CDATA[Windows AG]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11000163</ID> <TITLE> <![CDATA[Vcenter]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11000164</ID> <TITLE> <![CDATA[VMagentPCIP]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11024194</ID> <TITLE> <![CDATA[PC Only Ip]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11035730</ID> <TITLE> <![CDATA[1.1.1.1]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11072689</ID> <TITLE> <![CDATA[red hat 8]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11076105</ID> <TITLE> <![CDATA[pyscand ag2]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11080595</ID> <TITLE> <![CDATA[windows and unix agent ip]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> <ASSET_GROUP> <ID>11080756</ID> <TITLE> <![CDATA[RDS]]> </TITLE> <NETWORK_ID>0</NETWORK_ID> </ASSET_GROUP> </ASSET_GROUP_LIST> </GLOSSARY> </RESPONSE> </POLICY_LIST_OUTPUT>
DTD UpdateDTD Update
A DTD for the List Policies API has been added.
<platform API server>/api/3.0/fo/compliance/policy/policy_list_output.dtd
DTD output for the List Policies API is as follows:
DTD Output
<!-- QUALYS POLICY_LIST_OUTPUT DTD -->
<!-- $Revision$ -->
<!ELEMENT POLICY_LIST_OUTPUT (REQUEST?,RESPONSE)>
<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>
<!ELEMENT RESPONSE (DATETIME, (POLICY_LIST|ID_SET)?, WARNING_LIST?, GLOSSARY?)>
<!ELEMENT POLICY_LIST (POLICY+)>
<!ELEMENT POLICY (ID, TITLE, CREATED?, LAST_MODIFIED?, LAST_EVALUATED?, STATUS?, IS_LOCKED?, EVALUATE_NOW?, ASSET_GROUP_IDS?, TAG_SET_INCLUDE?, TAG_INCLUDE_SELECTOR?, TAG_SET_EXCLUDE?, TAG_EXCLUDE_SELECTOR?, INCLUDE_AGENT_IPS?, CONTROL_LIST?)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT TITLE (#PCDATA)>
<!ELEMENT CREATED (DATETIME, BY)>
<!ELEMENT BY (#PCDATA)>
<!ELEMENT LAST_MODIFIED (DATETIME, BY)>
<!ELEMENT LAST_EVALUATED (DATETIME)>
<!ELEMENT STATUS (#PCDATA)>
<!ELEMENT IS_LOCKED (#PCDATA)>
<!ELEMENT EVALUATE_NOW (#PCDATA)>
<!ELEMENT ASSET_GROUP_IDS (#PCDATA)>
<!ATTLIST ASSET_GROUP_IDS has_hidden_data CDATA #IMPLIED>
<!ELEMENT TAG_SET_INCLUDE (TAG_ID+)>
<!ELEMENT TAG_ID (#PCDATA)>
<!ELEMENT TAG_INCLUDE_SELECTOR (#PCDATA)>
<!ELEMENT TAG_SET_EXCLUDE (TAG_ID+)>
<!ELEMENT TAG_EXCLUDE_SELECTOR (#PCDATA)>
<!ELEMENT INCLUDE_AGENT_IPS (#PCDATA)>
<!ELEMENT CONTROL_LIST (CONTROL+)>
<!ELEMENT CONTROL (ID, STATEMENT, CRITICALITY?, STATUS?, DEPRECATED?, TECHNOLOGY_LIST?)>
<!ELEMENT STATEMENT (#PCDATA)>
<!ELEMENT CRITICALITY (LABEL, VALUE)>
<!ELEMENT LABEL (#PCDATA)>
<!ELEMENT DEPRECATED (#PCDATA)>
<!ELEMENT TECHNOLOGY_LIST (TECHNOLOGY+)>
<!ELEMENT TECHNOLOGY (ID, NAME, RATIONALE, CUSTOMIZED, REMEDIATION?)>
<!ELEMENT NAME (#PCDATA)>
<!ELEMENT RATIONALE (#PCDATA)>
<!ELEMENT CUSTOMIZED (#PCDATA)>
<!ELEMENT REMEDIATION (#PCDATA)>
<!ELEMENT ID_SET (ID|ID_RANGE)+>
<!ELEMENT ID_RANGE (#PCDATA)>
<!ELEMENT WARNING_LIST (WARNING+)>
<!ELEMENT WARNING (CODE?, TEXT, URL?)>
<!ELEMENT CODE (#PCDATA)>
<!ELEMENT TEXT (#PCDATA)>
<!ELEMENT URL (#PCDATA)>
<!ELEMENT GLOSSARY (ASSET_GROUP_LIST?, ASSET_TAG_LIST?, USER_LIST?)>
<!ELEMENT ASSET_GROUP_LIST (ASSET_GROUP+)>
<!ELEMENT ASSET_GROUP (ID, TITLE, NETWORK_ID?, IP_SET?)>
<!ELEMENT NETWORK_ID (#PCDATA)>
<!ELEMENT IP_SET (IP|IP_RANGE)+>
<!ELEMENT IP (#PCDATA)>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ELEMENT ASSET_TAG_LIST (ASSET_INCLUDE_TAG_LIST?, ASSET_EXCLUDE_TAG_LIST?)>
<!ELEMENT ASSET_INCLUDE_TAG_LIST (TAG+)>
<!ELEMENT ASSET_EXCLUDE_TAG_LIST (TAG+)>
<!ELEMENT TAG (TAG_ID?, TAG_NAME?)>
<!ELEMENT TAG_NAME (#PCDATA)>
<!ELEMENT USER_LIST (USER+)>
<!ELEMENT USER (USER_LOGIN, FIRST_NAME, LAST_NAME)>
<!ELEMENT FIRST_NAME (#PCDATA)>
<!ELEMENT LAST_NAME (#PCDATA)>
<!-- EOF -->
Policy Export API
Sample - Policy ExportSample - Policy Export
API Request
curl -k -s -S -H 'X-Requested-With:curl demo2' -u "username:Password#" -d "action=export&id=5744989&show_user_controls=1" "https://<qualys_base_url>/api/3.0/fo/compliance/policy/"> Policy_export_V3sample.xml
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POLICY_EXPORT_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/compliance/policy/policy_export_output.dtd">
<POLICY_EXPORT_OUTPUT>
<RESPONSE>
<DATETIME>2025-06-27T12:02:10Z</DATETIME>
<POLICY>
<TITLE><![CDATA[One UDC]]></TITLE>
<EXPORTED><![CDATA[2025-06-27T12:02:10Z]]></EXPORTED>
<COVER_PAGE><![CDATA[]]></COVER_PAGE>
<STATUS><![CDATA[active]]></STATUS>
<TECHNOLOGIES total="1">
<TECHNOLOGY>
<ID>80</ID>
<NAME>CentOS 7.x</NAME>
</TECHNOLOGY>
</TECHNOLOGIES>
<SECTIONS total="2">
<SECTION>
<NUMBER>1</NUMBER>
<HEADING><![CDATA[UDC]]></HEADING>
<CONTROLS total="1">
<USER_DEFINED_CONTROL>
<ID>100000</ID>
<UDC_ID>3e8fada3-8bc3-f557-8115-c567323d327a</UDC_ID>
<CHECK_TYPE>Unix File/Directory Existence</CHECK_TYPE>
<IS_CONTROL_DISABLE><![CDATA[0]]></IS_CONTROL_DISABLE>
<CATEGORY>
<ID>2</ID>
<NAME><![CDATA[Web Application Services]]></NAME>
</CATEGORY>
<SUB_CATEGORY>
<ID>1028</ID>
<NAME><![CDATA[Web Server/Tier Settings]]></NAME>
</SUB_CATEGORY>
<STATEMENT><![CDATA[CitiJSONUDC2]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[URGENT]]></LABEL>
<VALUE>5</VALUE>
</CRITICALITY>
<COMMENT><![CDATA[]]></COMMENT>
<USE_AGENT_ONLY>0</USE_AGENT_ONLY>
<AUTO_UPDATE>0</AUTO_UPDATE>
<IGNORE_ERROR>0</IGNORE_ERROR>
<IGNORE_ITEM_NOT_FOUND>0</IGNORE_ITEM_NOT_FOUND>
<SCAN_PARAMETERS>
<FILE_PATH><![CDATA[/etc/profile]]></FILE_PATH>
<DATA_TYPE>Boolean</DATA_TYPE>
<DESCRIPTION><![CDATA[NA]]></DESCRIPTION>
</SCAN_PARAMETERS>
<TECHNOLOGIES total="1">
<TECHNOLOGY>
<ID>80</ID>
<NAME>CentOS 7.x</NAME>
<EVALUATE><CTRL><DP><K>custom.file_dir_exist.4211083</K><L>2</L><V>true</V></DP></CTRL></EVALUATE>
<RATIONALE><![CDATA[RA]]></RATIONALE>
<REMEDIATION><![CDATA[]]></REMEDIATION>
<DATAPOINT>
<CARDINALITY>no cd</CARDINALITY>
<OPERATOR>no op</OPERATOR>
<DEFAULT_VALUES total="1">
<DEFAULT_VALUE>true</DEFAULT_VALUE>
</DEFAULT_VALUES>
</DATAPOINT>
</TECHNOLOGY>
</TECHNOLOGIES>
<REFERENCE_LIST/>
</USER_DEFINED_CONTROL>
</CONTROLS>
</SECTION>
<SECTION>
<NUMBER>2</NUMBER>
<HEADING><![CDATA[SDC]]></HEADING>
<CONTROLS total="1">
<CONTROL>
<ID>1071</ID>
<CRITICALITY>
<LABEL><![CDATA[URGENT]]></LABEL>
<VALUE>5</VALUE>
</CRITICALITY>
<IS_CONTROL_DISABLE><![CDATA[0]]></IS_CONTROL_DISABLE>
<TECHNOLOGIES total="1">
<TECHNOLOGY>
<ID>80</ID>
<NAME>CentOS 7.x</NAME>
<EVALUATE><CTRL><DP><K>rh06.secman.system.logindefs-min-password-length</K><OP>ge</OP><V>0</V><FV set="1">161803399999999</FV><FV set="1">314159265358979</FV></DP></CTRL></EVALUATE>
<REMEDIATION/>
</TECHNOLOGY>
</TECHNOLOGIES>
</CONTROL>
</CONTROLS>
</SECTION>
</SECTIONS>
</POLICY>
</RESPONSE>
</POLICY_EXPORT_OUTPUT>
Policy Import API
Sample - Policy ImportSample - Policy Import
API Request
curl -k -s -S -H 'X-Requested-With:curl demo2' -u "username:Password#" -H Content-type:text/xml --data-binary "@/home/mprasad/Policy_export_V3sample.xml" "https://<qualys_base_url>/api/3.0/fo/compliance/policy/?action=import&title=V3sample"
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://<qualys_base_url>/api/3.0/simple_return.dtd">
<SIMPLE_RETURN>
<RESPONSE>
<DATETIME>2025-06-27T12:04:53Z</DATETIME>
<TEXT>Successfully imported compliance policy</TEXT>
<ITEM_LIST>
<ITEM>
<KEY>ID</KEY>
<VALUE>5757988</VALUE>
</ITEM>
<ITEM>
<KEY>TITLE</KEY>
<VALUE>V3sample</VALUE>
</ITEM>
</ITEM_LIST>
</RESPONSE>
</SIMPLE_RETURN>