Home

Create/Customize Controls

Controls are the building blocks of the policies used to measure and report compliance for a set of hosts. We provide many controls for you to choose from and you can customize them too. Controls play the key part in the compliance posture of resource.

System Controls

System-defined Control is a predefined control provided by Qualys. Few system-defined controls are customizable while few are not. The  control indicator icon tells us if the control is customizable or not. Show meShow me

Column that indicates if the control is customizable or not.

Icon for System Defined Controls - control cannot be customized.

Icon used to indicate that the control can be customized. - control can be customized to suit your need.

User-Defined Controls

Icon used to indicate that the control can be customized. You can copy any system-defined control to make your own user-defined controls that you can customize to meet your needs.

List of Customizable ControlsList of Customizable Controls

AWS

 2: Ensure console credentials unused for 90 days or greater are disabled

 3: Ensure access keys unused for 90 days or greater are disabled

 4: Ensure access key1 is rotated every 90 days or less

 5: Ensure access key2 is rotated every 90 days or less

 11: Ensure IAM password policy requires minimum length of 14 or greater

 12: Ensure IAM password policy prevents password reuse

 13: Ensure IAM password policy expires passwords within 90 days or less

 18: Avoid the use of the root account

 27: Ensure a log metric filter and alarm exist for unauthorized API calls

 45: S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users

 56: Ensure database Instance is not listening on to a standard/default port

Azure

50013: Ensure that default Auditing policy for a SQL Server is configured to capture and retain the activity logs

50024: Ensure that LogProfile for a subscription is configured properly

50029: Disable RDP access on Network Security Groups from Internet (ANY IP) NETWORK_SECURITY_GROUP

Controls Category: Execution Type

The column "Execution Type" on the Controls tab tells you the type of control. The categorization is done depending on the execution type of the control.

 - Run Time Controls are controls for evaluations on deployed cloud resources.

 -  Build Time Controls are controls for cloud resources that reside within the IaC templates.

 - Run & Build Time Controls are controls for evaluations on cloud resources in your environment and those which reside within the IaC templates.

Control Criticality

You can modify the criticality of any control to suit your need. If the control criticality needs to be changed to match your environment, you can select the control, select Change Criticality from quick action menu. Show meShow me

Quick Action menu displaying option to change criticality of the control.

Select the criticality you want to assign to the control and click Change Criticality. Show meShow me

Options to change the criticality of the control.

Note: When you change criticality, the revised control criticality for existing evaluations is effective on Monitor View upon next connector run.

Let us consider a scenario where a control with HIGH criticality evaluated three resources. Now, if you change the criticality of the control to LOW, the change in evaluation results reflects only after the connector run. During the connector run, assume that only two resources get detected. The control evaluation results for resources that get detected post connector run will reflect (LOW criticality). However, control evaluation result for the resource that did not get detected post connector run will be counted as HIGH criticality.

Copy Control and Customize

Go to Policy > Controls and select the control to be customized, select Copy Control from the quick action menu. The Icon used to indicate that the control can be customized. icon indicates that the control is customizable. 12 AWS and 2 Azure controls for customization. Show meShow me

Quick Action menu displaying option for creating copy of a control available for customization.

Note: This is available only when Manage Custom Control permissions is enabled in CloudView permissions.

You can then modify the parameters of the control as per your requirement and save the customized control. The customized control is available to associate with policy and evaluate the resources.

For example, let us modify the minimum password length to 10 for AWS CID 11.

(1) Select the control and click Copy Control from the quick action menu.

(2) Change the name of control and criticality if needed. Click Next

(3) Set the expected value in Evaluation Parameter to 10. Change other aspects such as Evaluation Description, Evaluation Message as per your need. Click Next.

(4) Update the Additional Details if needed. Click Create.

That's it! Your new custom control is ready to use.

Create Customized Control using QFlow

You can create a customized control using QFlows created in the Qualys Flow app.  For detailed steps, refer to Create User-Defined Controls.

Can I edit controls?

Yes. Choose the user-defined control to be edited and choose Edit from the quick action menu. You can edit only user-defined controls. You cannot edit system-defined control. For permissions on user-defined controls, refer to Manage Custom Control Permissions.

Can I delete controls?

Yes. Choose the user-defined control to be deleted and choose Edit from the quick action menu. You can delete only user-defined controls. You cannot delete system-defined control. For permissions on user-defined controls, refer to Manage Custom Control Permissions.

Refer to the Qualys training video to get started with creating and customizing controls. Learn more.