A policy is a collection of controls used to measure and report compliance for a set of hosts. Your compliance reports will show you host compliance status (pass or fail) with the policy controls.
Interested in SCAP Policies? Go to SCAP Policies
A few things to consider...

When do I set up policies?
You'll need a policy in order to create compliance reports. You can restrict a scan to a policy in the scan settings (option profile). In this case you have to create your policy before you scan.

Can I create user-defined controls?
Yes, there are several types of controls you can create. In order to report on policies with user-defined controls, be sure to add these controls to your account before you scan.
How do I add these controls to my account? Go to PC > Policies > Controls and select New > Control.

What are Qualys Custom Controls?
Qualys Custom Control (QCC) is a predefined control type which is provided by Qualys when you import policies from the library. With this control type you are quickly provided new controls that are similar to user-defined controls. Once added to your account you can copy any QCC to make your own UDC that you can customize to meet your needs.

Do you have PC Agent?
Managers and Auditors can report on agent host compliance by adding agent host IPs to compliance policies. Edit the assets in the Policy Editor and select the check box "Include all hosts with PC agents". All hosts in your PC Agent license will be included. Note - This option only appears in accounts with PC Agent.
Ways to get started

Import from the library
Go to PC > Policies > New > Policy > Import from Library. Click on the policy you want and then click Next. Follow the wizard to give your policy a name and choose whether the policy should be locked or unlocked after import and whether to keep the policy active or inactive.
Can I edit the imported policy? You can edit the policy to change the assigned assets. If the policy is unlocked, you can also change the title, technologies, controls, etc. If the policy is locked, no other changes are allowed. You can, however, save a copy of any locked policy with a new name and edit it as needed. You can also lock a policy once you edit it, to prevent others from editing it further.
Interested in CIS policies? You can import a CIS-certified policy from the library into your account, assign relevant assets to the policy and then use the policy to certify that you are meeting all requirements outlined in the CIS benchmark.

Create a policy from scratch
Go to PC > Policies > New > Policy > Create from Scratch. Follow the wizard to select policy technologies, assign assets to the policy, and give your policy a name. Choose whether to keep the policy active or inactive. When the Policy Editor appears, you can add controls to your policy and set control values.

Create a policy based on a scanned host
Go to PC > Policies > New > Policy > Create from Host. You'll select a host that has already been scanned for compliance, and give your policy a name. Choose whether to keep the policy active or inactive and click Create. We'll build the policy for you based on the latest compliance findings for the host. We'll add controls to the policy and organize them into sections.

Import from an XML file
Go to PC > Policies > New > Policy > Import from XML file. Follow the wizard to choose the XML file you want to import and give your policy a name. Choose whether to keep the policy active or inactive.
How does it work? When you import a policy from an XML file, we perform several validation checks on the XML. If validation is successful, the policy is saved to your policies list. If validation fails, an error appears and the policy cannot be imported. Fix the XML and try again. If the <EVALUATE> tag is present for any control, its checksum is validated to ensure that the evaluation logic hasn't been modified since the policy was exported. If the evaluation logic has changed then validation will fail. Note that you may remove the <EVALUATE> tag for any control. When the <EVALUATE> tag is not present for a control, the control is automatically assigned the default control value from the controls library.
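The two outcomes described above (a changed <EVALUATE> fails validation, a removed one falls back to the library default) can be predicted before upload by comparing the edited file with the original export. This is an added example, not Qualys code: the CONTROL and ID element names, the checksum attribute and the sample contents are assumptions, and it compares the serialized tag rather than recomputing the checksum.

```python
import xml.etree.ElementTree as ET

# Constructed samples. <EVALUATE> is the tag named above; CONTROL, ID, the
# checksum attribute and the element contents are assumptions for illustration.
ORIGINAL = """<POLICY>
  <CONTROL><ID>1001</ID><EVALUATE checksum="aaa">min_length 14</EVALUATE></CONTROL>
  <CONTROL><ID>1002</ID><EVALUATE checksum="bbb">max_age 90</EVALUATE></CONTROL>
  <CONTROL><ID>1003</ID><EVALUATE checksum="ccc">lockout 5</EVALUATE></CONTROL>
</POLICY>"""
EDITED = """<POLICY>
  <CONTROL><ID>1001</ID><EVALUATE checksum="aaa">min_length 14</EVALUATE></CONTROL>
  <CONTROL><ID>1002</ID><EVALUATE checksum="bbb">max_age 365</EVALUATE></CONTROL>
  <CONTROL><ID>1003</ID></CONTROL>
</POLICY>"""


def evaluate_by_control(xml_text, control_tag="CONTROL", id_tag="ID"):
    """Map control ID -> serialized <EVALUATE> element, or None if absent."""
    # Policy files are exchanged between people; refuse DTDs outright.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not expected in a policy export")
    root = ET.fromstring(xml_text)  # ParseError here means not well-formed
    found = {}
    for control in root.iter(control_tag):
        cid = (control.findtext(id_tag) or "").strip()
        ev = control.find("EVALUATE")
        found[cid] = None if ev is None else ET.tostring(ev, encoding="unicode").strip()
    return found


def predict_import(original_xml, edited_xml):
    """Classify each control in the edited file against the exported original."""
    before = evaluate_by_control(original_xml)
    outcome = {}
    for cid, logic in evaluate_by_control(edited_xml).items():
        if logic is None:
            outcome[cid] = "default"      # tag removed: library default value applies
        elif cid not in before:
            outcome[cid] = "no-baseline"  # nothing to compare against
        elif logic != before[cid]:
            outcome[cid] = "modified"     # logic changed: expect validation to fail
        else:
            outcome[cid] = "unchanged"    # checksum should still match
    return outcome


if __name__ == "__main__":
    for cid, state in predict_import(ORIGINAL, EDITED).items():
        print(cid, state)
```

A "default" result is worth reviewing before import, since the control will then be evaluated against the library value rather than the one in the exported policy.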
Check out these options: File Integrity Monitoring | Password Auditing | Windows user Rights Controls | Detailed Security Auditing for Windows | Control Criticality