User-Defined Controls FAQs

Can I import controls from XML?

Yes, you can import and export user-defined controls in XML format.

Tell me about control IDs

We automatically assign a unique control ID (CID) to each user-defined control, starting at 100000. For example, if you added 2 user-defined controls they would have the CIDs 100000 and 100001.

Tell me about controls with duplicate scan parameters

Creating controls using the UI: If a control exists in your account with the same scan parameters as a control you are adding, you'll be prompted to either assign the description in the existing control to the new control or to overwrite it. If you overwrite it, all controls with the same scan parameters will be updated with the new description.

Importing controls from XML: If a control exists in your account with the same scan parameters as controls being imported, we assign the DESCRIPTION parameter of the existing control to the DESCRIPTION parameter of all imported controls with the same scan parameters.

Tell me about scan parameters

The scan parameters are used by the scanning engine to gather data needed for compliance evaluation at scan time. Depending on the control type, one or more scan parameters will be required. The check's scan parameters combined make up a unique data point. Each data point must have a description, which will appear in compliance policies and reports.

Scan parameters differ for each control type. See the online help for each control to understand which scan parameters are required. 

Tell me about the data types

The data type is the type of data that's returned by scans for a control. These data types vary by control type:

Boolean - Returns a True or False value.

String - Returns a string value.

String List - Returns a list of string values.

Line List - Returns a list of line values.

Integer - Returns an integer (whole number) value.

What is a hash type?

For File and Directory Integrity Checks, the hash type identifies the algorithm to be used for computing the file hash. The supported hash types are:

MD5 (insecure; competitive matching only) - 16-byte digest.

SHA1 (insecure; competitive matching only) - 20-byte digest.

SHA256 (secure) - 32-byte digest.

What is a registry hive?

A registry hive is a top level registry key predefined by the Windows system to store registry keys, subkeys and values for specific objectives. All registry hives begin with HKEY and appear as file folders at the top level on the left hand side of the Registry Editor window.

These common hives are supported:

HKEY_CLASSES_ROOT (HKCR)

This hive contains information about registered applications, such as Associations from File Extensions and OLE Object Class IDs tying them to the applications used to handle these items. The information stored here ensures that the correct program opens when you open a file by using Windows Explorer. HKEY_CLASSES_ROOT is a subkey of HKEY_LOCAL_MACHINE\Software.

HKEY_CURRENT_USER (HKCU)

This hive contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is referred to as a user's profile. HKEY_CURRENT_USER is a subkey of HKEY_USERS.

HKEY_USERS (HKU)

This hive contains the root of all user profiles on the computer.

HKEY_LOCAL_MACHINE (HKLM)

This hive contains configuration information particular to the computer. The information stored here is general to all users on the computer.

What is a registry key?

A registry key appears as a file folder on the left side of the Windows Registry Editor window. Registry keys may contain registry sub-keys, which are keys within a key.

On Demand Scan

You can run an On Demand Scan to instruct the agent to immediately scan as long as the agent is not already scanning. The On Demand Scan runs independently of the interval scan that you configure in the Configuration Profile and will reset the scan interval on the local agent after a successful scan.

Prerequisite: The agent must be activated for that specific Qualys application for which you are running the On Demand Scan. When activated, the Agent downloads manifests for that application from the Qualys platform; if the manifest is not present for that type, On Demand Scan will not execute.

For more information, refer to the Qualys Cloud Agent for Windows Installation Guide and the Qualys Cloud Agent for Linux Installation Guide.

What do I enter for registry value name?

A registry value is a string of data that appears on the right side of the Windows Registry Editor window for a selected key. A value entry has three parts: name, data type and the value itself. The name of the registry value is the part you want to enter in the Scan Parameters section. Note that you'll enter the expected value associated with the name in the Control Technologies section (after you've saved the scan parameters). A different expected value may be entered for each technology the control applies to.

The registry value name is optional when defining scan parameters for a registry value content check. If you do not specify a registry value name, then the service will check the content of the default value for the specified registry key. The default value appears as (Default) in the Name column in the Registry Editor window.

Regular expressions for a Unix File Content Check

A Unix File Content Check control includes 2 regular expressions:

- The first is entered in the Scan Parameters section and is used to filter results on the target file/directory at the time of the scan. This regular expression must follow the "Basic Regular Expression (BRE)" standard as supported by the "grep" command on the specific Unix platform.

If you scan the same host with both the scanner and the agent, you might get different compliance results: the agent supports regex matching on multiline text, whereas the scanner supports only single-line regex matching. To get the same scan results from both, modify the regular expression in the Scan Parameters section so that it only matches within a single line.

- The second is entered as the default value in the Control Technologies section and is used to perform the pass/fail evaluation of the returned results. This regular expression must follow "Perl Compatible Regular Expressions (PCRE)" standard.
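The two-stage evaluation above, and the agent/scanner discrepancy, as an added example that is not part of the original page. It models the scanner as applying the Scan Parameters regex one line at a time (like grep) and, as a stated assumption, models the agent's multiline matching as running the same regex over the whole file with "." allowed to cross newlines. The sshd_config fragment and the function names are constructed for the example; the second-stage regex is evaluated with Python's re module standing in for PCRE.

```python
import re

# Constructed sample file content (not from the page): an sshd_config fragment.
SAMPLE_FILE = """Port 22
PermitRootLogin no
PasswordAuthentication yes
"""


def scanner_filter(text: str, bre_pattern: str) -> list:
    """Stage 1, scanner model: the Scan Parameters regex is applied to each
    line separately (single-line match, like grep); matching lines are returned."""
    rx = re.compile(bre_pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def agent_filter(text: str, bre_pattern: str) -> list:
    """Stage 1, agent model (assumption): the regex runs over the whole file
    with '^'/'$' at line boundaries and '.' able to cross newlines; every line
    overlapped by a match is returned."""
    rx = re.compile(bre_pattern, re.MULTILINE | re.DOTALL)
    lines = text.splitlines()
    hit = set()
    for m in rx.finditer(text):
        first = text.count("\n", 0, m.start())
        last = text.count("\n", 0, max(m.end() - 1, m.start()))
        hit.update(range(first, last + 1))
    return [lines[i] for i in sorted(hit) if i < len(lines)]


def evaluate(returned_lines: list, pcre_expected: str) -> str:
    """Stage 2: the Control Technologies regex is applied to the returned data
    as one string; a match means Pass, otherwise Fail."""
    data = "\n".join(returned_lines)
    return "Pass" if re.search(pcre_expected, data) else "Fail"


def compare(bre_pattern: str, pcre_expected: str, text: str = SAMPLE_FILE) -> dict:
    """Run one control through both models and return each verdict."""
    return {
        "scanner": evaluate(scanner_filter(text, bre_pattern), pcre_expected),
        "agent": evaluate(agent_filter(text, bre_pattern), pcre_expected),
    }


if __name__ == "__main__":
    # A filter whose '.*' can span lines under multiline matching: verdicts differ.
    print(compare(r"^P.*Authentication", r"^PasswordAuthentication\s+yes$"))
    # A filter that cannot cross a newline: both models agree.
    print(compare(r"^PasswordAuthentication [a-z]*", r"^PasswordAuthentication\s+yes$"))
```

The first call shows the discrepancy the page describes: the scanner returns only the PasswordAuthentication line and passes, while the agent model returns three lines and the anchored second-stage regex fails. Replacing the greedy ".*" with a character class that cannot match a newline makes both models return the same line and the same verdict.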

Are system variables supported on Windows?

Yes, these four system variables are supported:

%SystemRoot%

%windir%

%ProgramFiles%

%CommonProgramFiles%
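The registry scan-parameter rules above (hive abbreviations, an empty value name meaning the (Default) value, and only four supported system variables) as an added validation helper that is not part of the original page or of the Qualys product. The sample registry path and the directory values used to expand the variables are constructed for the example; a real agent would read them from the host.

```python
import re

# Hive abbreviations listed on the page, mapped to their full names.
HIVES = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKLM": "HKEY_LOCAL_MACHINE",
}

# The four system variables the page says are supported on Windows
# (Windows variable names are case-insensitive, so compare lower-cased).
SUPPORTED_VARS = {"systemroot", "windir", "programfiles", "commonprogramfiles"}

# Constructed sample values (assumption) so the expansion runs offline.
SAMPLE_ENV = {
    "systemroot": r"C:\Windows",
    "windir": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "commonprogramfiles": r"C:\Program Files\Common Files",
}


def expand_system_vars(path: str, env: dict = SAMPLE_ENV) -> str:
    """Expand %VAR% tokens, rejecting any variable the control cannot use."""
    def substitute(m):
        name = m.group(1).lower()
        if name not in SUPPORTED_VARS:
            raise ValueError(f"unsupported system variable %{m.group(1)}%")
        return env[name]
    return re.sub(r"%([^%]+)%", substitute, path)


def parse_registry_target(key_path: str, value_name: str = "") -> dict:
    """Split 'HIVE\\sub\\key' into hive, subkey and the value name to read.
    An empty value name selects the key's (Default) value, as the page states."""
    hive_part, _, subkey = key_path.partition("\\")
    hive = HIVES.get(hive_part.upper())
    if hive is None and hive_part.upper() in HIVES.values():
        hive = hive_part.upper()          # full hive name given directly
    if hive is None:
        raise ValueError(f"unknown registry hive: {hive_part}")
    return {"hive": hive, "subkey": subkey, "value_name": value_name or "(Default)"}


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real control.
    print(parse_registry_target(r"HKLM\SOFTWARE\ExampleVendor\ExampleApp"))
    print(expand_system_vars(r"%SystemRoot%\System32\drivers\etc\hosts"))
```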

Tell me about remediation information

You can set the remediation information for each user-defined control. In order to view the remediation information in reports, you must enable the Remediation Info options in the policy compliance template. You'll see N/A in the reports when no remediation information is available.

Digest calculation for empty file

(Applicable to File Integrity Check, Directory Integrity Check)

There is a difference in how the digest of an empty file is calculated on Windows and Unix. On Windows the control does not return a digest for an empty file (it calculates a buffer size of 0 and generates no digest). On Unix a native digest command produces a digest for an empty file (i.e. the digest of the padding block alone). Because of this difference, you'll get different results when you change the digest algorithm in the control settings (e.g. SHA-256 to MD5): Unix returns Fail because the digest changed, while Windows returns Pass because no change is detected.

Control status Pass returned from 1st scan

(Applicable to File Integrity Check, Directory Integrity Check)

When the Use scan data as expected value option is enabled, the control returns Pass from the first scan of a target system. After that, the Pass/Fail status is calculated by comparing the expected and actual values (digest values).

After you create a user-defined control, Qualys Cloud Agent immediately picks it up for scans. This is what we call the first scan. If you add that control to a Policy after this first scan, and run the policy scan, control evaluation for the Use scan data as expected value fails. To get the evaluation as 'Passed,' you must wait for the next scan to be completed to get the expected posture evaluation.
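The integrity-check behaviour described in the hash type, empty-file digest and first-scan sections, as an added model that is not code from the original page or from the Qualys agent. It uses the three hash types and digest sizes the page lists, seeds the expected value from the first scan, and reproduces the empty-file case: on Unix the digest of empty input changes when the algorithm changes, on Windows an empty buffer yields no digest at all. The class, function names and sample file contents are constructed for the example; the Windows "no digest" behaviour is modelled as an assumption from the page's description.

```python
import hashlib
from typing import Optional

# Digest sizes named on the page; only SHA256 is listed as secure.
DIGEST_BYTES = {"MD5": 16, "SHA1": 20, "SHA256": 32}
SECURE_HASH_TYPES = {"SHA256"}


def file_digest(content: bytes, hash_type: str, platform: str) -> Optional[str]:
    """Digest the control would report for a file with the given content.

    'unix'    : a native digest command hashes even an empty file, so the
                digest of empty input (the padding block alone) is returned.
    'windows' : an empty buffer yields no digest (None), modelled here as an
                assumption from the page's description.
    """
    if hash_type not in DIGEST_BYTES:
        raise ValueError(f"unsupported hash type: {hash_type}")
    if platform == "windows" and len(content) == 0:
        return None
    digest = hashlib.new(hash_type.lower(), content).hexdigest()
    # Sanity check: hex length is twice the digest size in bytes.
    assert len(digest) == 2 * DIGEST_BYTES[hash_type]
    return digest


class IntegrityControl:
    """Toy File Integrity Check with the 'Use scan data as expected value' option."""

    def __init__(self, hash_type: str, use_scan_data_as_expected: bool = True):
        self.hash_type = hash_type
        self.use_scan_data_as_expected = use_scan_data_as_expected
        self.expected: Optional[str] = None   # baseline digest, seeded by the 1st scan
        self.scans = 0

    def scan(self, content: bytes, platform: str) -> str:
        actual = file_digest(content, self.hash_type, platform)
        self.scans += 1
        if self.use_scan_data_as_expected and self.scans == 1:
            self.expected = actual            # first scan only records the baseline
            return "Pass"
        return "Pass" if actual == self.expected else "Fail"


def algorithm_change_demo() -> dict:
    """Reproduce the page's empty-file case: SHA256 baseline, then switch to MD5."""
    results = {}
    for platform in ("unix", "windows"):
        ctl = IntegrityControl("SHA256")
        first = ctl.scan(b"", platform)       # seeds the baseline, always Pass
        ctl.hash_type = "MD5"                 # operator changes the hash type
        second = ctl.scan(b"", platform)
        results[platform] = (first, second)
    return results


if __name__ == "__main__":
    print(algorithm_change_demo())
    # A real content change on a non-empty file is detected on either platform.
    ctl = IntegrityControl("SHA256")
    ctl.scan(b"root:x:0:0\n", "unix")
    print(ctl.scan(b"root:x:0:0\nextra:x:0:0\n", "unix"))
```

Running it prints {'unix': ('Pass', 'Fail'), 'windows': ('Pass', 'Pass')}: the Unix side fails because the stored SHA-256 of empty input no longer equals the MD5 now being computed, while the Windows side compares None with None and reports no change. The only secure choice on the page is SHA256, which the SECURE_HASH_TYPES set records for any policy that wants to reject the others.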