/api/2.0/fo/compliance/control/
[GET] [POST]
View a list of compliance controls which are visible to the user. The user has the ability to select the amount of additional information to include for each control in the output. By default, this basic control information is included: the control ID, the control category, the control sub-category, the control statement, and a list of technologies.
Permissions - Click here to view permissions info
Parameter |
Description |
action=list |
(Required) Specifies the action type used to request a control list. |
echo_request={0|1} |
(Optional) Specify 1 to view (echo) input parameters in the XML output. By default these are not included. |
details={Basic|All|None} |
(Optional) Show the requested amount of host information for each host. A valid value is: Basic - (default) Includes all control details except framework mappings All - includes all control details None - includes control ID only |
ids={value} |
(Optional) Show only certain control IDs and/or ID ranges. One or more control IDs/ranges may be specified. A control ID range entry is specified with a hyphen (for example, 3000-3250). Valid control IDs are required. |
id_min={value} |
(Optional) Show only controls which have a minimum control ID value. A valid control ID is required. |
id_max={value} |
(Optional) Show only controls which have a maximum control ID value. A valid control ID is required. |
updated_after_datetime={value} |
(Optional) Show only controls updated after a certain date/time. See “Date Filters” below. |
created_after_datetime={value} |
(Optional) Show only controls created after a certain date/time. See “Date Filters” below. |
truncation_limit={value} |
(Optional) The maximum number of control records processed per request. When not specified, the truncation limit is set to 1,000 host records. If the requested list identifies more records than the truncation limit, then the XML output includes the <WARNING> element and the URL for making another request for the next batch of records. You can specify truncation_limit=0 for no truncation limit. This means that the output is not paginated and all the records are returned in a single output. WARNING: This can generate very large output and processing large XML files can consume a lot of resources on the client side. In this case it is recommended to use the pagination logic and parallel processing. The previous page can be processed while the next page is being downloaded. |
The date/time is specified in YYYY-MM-DD{THH:MM:SSZ] format (UTC/GMT), like “2010-03-01” or “2010-03-01T23:12:00Z”
If you specify a date but no time as for example 2010-03-01, then the service automatically sets the time to 2010-03-01T00:00:00Z (the start of the day).
When date filters are specified using both input parameters for a single API request, both date filters are satisfied (ANDed).
API request
https://qualysapi.qualys.com/api/2.0/fo/compliance/control/?action=list&details=All
XML output
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2010-03-16T22:53:05Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>1044</ID>
<UPDATE_DATE>2018-02-12T00:00:00Z</UPDATE_DATE>
<CREATED_DATE>2016-10-12T00:00:00Z</CREATED_DATE>
<CATEGORY>Access Control Requirements</CATEGORY>
<SUB_CATEGORY><![CDATA[Authorizations (Multi-user ACL/role)]]></SUB_CATEGORY>
<STATEMENT><![CDATA[Status of the 'O7_DICTIONARY_ACCESSIBILITY' setting in init.ora (ORACLE Data Dictionary)]]></STATEMENT>
<TECHNOLOGY_LIST>
<TECHNOLOGY>
<ID>7</ID>
<NAME>Oracle 9i</NAME>
<RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations. Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>8</ID>
<NAME>Oracle 10g</NAME>
<RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations. Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>9</ID>
<NAME>Oracle 11g</NAME>
<RATIONALE><![CDATA[The "O7_DICTIONARY_ACCESSIBILITY" setting allows control/restrictions to be placed on the user's SYSTEM privileges. If this parameter is set to TRUE, SYS schema access will be allowed, which is the default for Oracle operations. Restricting this system privilege with a setting of FALSE will allow users or roles granted SELECT ANY TABLE access to objects in the normal schema, but disallow access to objects in the SYS schema, unless access is specifically granted.]]></RATIONALE>
</TECHNOLOGY>
</TECHNOLOGY_LIST>
</CONTROL>
<CONTROL>
<ID>1045</ID>
<UPDATE_DATE>2018-03-03T00:00:00Z</UPDATE_DATE>
<CREATED_DATE>2016-10-12T00:00:00Z</CREATED_DATE>
<CATEGORY>OS Security Settings</CATEGORY>
<SUB_CATEGORY><![CDATA[System Settings (OSI layers 6-7)]]> </SUB_CATEGORY>
<STATEMENT><![CDATA[Status of the 'Clipbook' service (Guidance = Disabled)]]></STATEMENT>
<TECHNOLOGY_LIST>
<TECHNOLOGY>
<ID>1</ID>
<NAME>Windows XP desktop</NAME>
<RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text. The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access. As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>2</ID>
<NAME>Windows 2003 Server</NAME>
<RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text. The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access. As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>12</ID>
<NAME>Windows 2000</NAME>
<RATIONALE><![CDATA[The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text. The authentication required is a holdover from the 16-bit 'Network Dynamic Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set allow READ for EVERYONE that has network access. As this Windows service is not required for any other system operations and increases system vulnerability it should be disabled unless there is a demonstrated need for its use set by the business.]]></RATIONALE>
</TECHNOLOGY>
</CONTROL_LIST_OUTPUT>
New Agent UDC Support will be announced soon via the Qualys Technology blog once remaining components are released.
The XML output may include the USE_AGENT_ONLY element for these Windows and Unix control types: Directory Search Control and Directory Integrity Control. This is set to 1 when the “Use agent scan only” option is enabled for the control.
The XML output may include the AUTO_UPDATE element for these Windows and Unix control types: File Integrity Control and Directory Integrity Control. This is set to 1 when the “Auto update expected value” option is enabled for the control.
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2018-10-05T10:23:54Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>100023</ID>
<UPDATE_DATE>2018-11-16T06:27:14Z</UPDATE_DATE>
<CREATED_DATE>2018-11-16T06:27:14Z</CREATED_DATE>
<CATEGORY>Access Control Requirements</CATEGORY>
<SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
<STATEMENT><![CDATA[Directory Integrity Check]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[SERIOUS]]></LABEL>
<VALUE>3</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[Windows Directory Integrity Check]]></CHECK_TYPE>
<COMMENT><![CDATA[test]]></COMMENT>
<USE_AGENT_ONLY>1</USE_AGENT_ONLY>
<AUTO_UPDATE>1</AUTO_UPDATE>
<IGNORE_ERROR>0</IGNORE_ERROR>
...
You can create custom controls for MSSQL, Oracle, Sybase, and PostgreSQL/ Pivotal Greenplum databases. To support database controls, we’ve added new elements to the XML output and DTDs for Control List Output and Policy Export Output.
You’ll see these changes:
- New database controls allow you to ignore errors and set the status to Pass or Fail. The new element ERROR_SET_STATUS indicates the Pass/Fail setting for each control. This appears in the XML output for Control List and Policy Export.
- The SQL query configured for a database control appears in the new DB_QUERY element, and the description configured for the control appears in the new DESCRIPTION element. These appear in the XML output for Control List and Policy Export.
API request
curl -u "username:password" -H "Content-type: text/xml" -X "POST"
-d "action=list&details=All&ids=100022" "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/">
MSSQLControlAPI.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2019-05-08T18:31:17Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>100022</ID>
<UPDATE_DATE>2019-05-08T18:31:08Z</UPDATE_DATE>
<CREATED_DATE>2019-04-29T20:21:11Z</CREATED_DATE>
<CATEGORY>Access Control Requirements</CATEGORY>
<SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
<STATEMENT><![CDATA[CustomerData]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[URGENT]]></LABEL>
<VALUE>5</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[MSSQL Database Check]]></CHECK_TYPE>
<COMMENT><![CDATA[testComment]]></COMMENT>
<IGNORE_ERROR>1</IGNORE_ERROR>
<ERROR_SET_STATUS>PASS</ERROR_SET_STATUS>
<TECHNOLOGY_LIST>
<TECHNOLOGY>
<ID>22</ID>
<NAME>Microsoft SQL Server 2008</NAME>
<RATIONALE><![CDATA[select all from customer]]></RATIONALE>
<DB_QUERY><![CDATA[select * from customers;]]></DB_QUERY>
<DESCRIPTION><![CDATA[select all the rows from customers]]></DESCRIPTION>
</TECHNOLOGY>
</TECHNOLOGY_LIST>
</CONTROL>
</CONTROL_LIST>
</RESPONSE>
</CONTROL_LIST_OUTPUT>
API request
curl -u "username:password" -H "Content-type: text/xml" -X "POST"
-d "action=list&details=All&ids=100060" "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/">
OracleControlAPI.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2019-05-08T18:32:46Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>100060</ID>
<UPDATE_DATE>2019-05-08T18:32:04Z</UPDATE_DATE>
<CREATED_DATE>2019-05-03T19:32:18Z</CREATED_DATE>
<CATEGORY>Database Settings</CATEGORY>
<SUB_CATEGORY><![CDATA[DB Access Controls]]></SUB_CATEGORY>
<STATEMENT><![CDATA[OracleselectAllCustomerData]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[MINIMAL]]></LABEL>
<VALUE>1</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[Oracle Database Check]]></CHECK_TYPE>
<COMMENT><![CDATA[Gather All Data ]]></COMMENT>
<IGNORE_ERROR>1</IGNORE_ERROR>
<ERROR_SET_STATUS>FAIL</ERROR_SET_STATUS>
<TECHNOLOGY_LIST>
<TECHNOLOGY>
<ID>7</ID>
<NAME>Oracle 9i</NAME>
<RATIONALE><![CDATA[GatherAllData]]></RATIONALE>
<DB_QUERY><![CDATA[SELECT * FROM Customers WHERE ROWNUM >= 3;]]></DB_QUERY>
<DESCRIPTION><![CDATA[select all the data]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>8</ID>
<NAME>Oracle 10g</NAME>
<RATIONALE><![CDATA[GatherAllData]]></RATIONALE>
<DB_QUERY><![CDATA[select * from Customers;]]></DB_QUERY>
<DESCRIPTION><![CDATA[select all the data]]></DESCRIPTION>
</TECHNOLOGY>
...
</RESPONSE>
</CONTROL_LIST_OUTPUT>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&details=All&ids=101335" "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/"
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2020-10-15T16:59:13Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>101335</ID>
<UPDATE_DATE>2020-10-14T20:11:29Z</UPDATE_DATE>
<CREATED_DATE>2020-10-14T19:46:01Z</CREATED_DATE>
<CATEGORY>Access Control Requirements</CATEGORY>
<SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
<STATEMENT><![CDATA[prePostGreSQL_selectStatement]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[URGENT]]></LABEL>
<VALUE>5</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[PostgreSQL Database Check]]></CHECK_TYPE>
<COMMENT><![CDATA[comments]]></COMMENT>
<IGNORE_ERROR>0</IGNORE_ERROR>
<ERROR_SET_STATUS></ERROR_SET_STATUS>
<TECHNOLOGY_LIST>
<TECHNOLOGY>
<ID>114</ID>
<NAME>PostgreSQL 9.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>143</ID>
<NAME>PostgreSQL 10.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>192</ID>
<NAME>PostgreSQL 11.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>201</ID>
<NAME>Pivotal Greenplum 5.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>228</ID>
<NAME>PostgreSQL 12.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
<TECHNOLOGY>
<ID>230</ID>
<NAME>Pivotal Greenplum 6.x</NAME>
<RATIONALE><![CDATA[Rationale]]></RATIONALE>
<DB_QUERY><![CDATA[select name, setting from pg_catalog.pg_settings where name='log_min_duration_statement']]></DB_QUERY>
<DESCRIPTION><![CDATA[Description]]></DESCRIPTION>
</TECHNOLOGY>
</TECHNOLOGY_LIST>
</CONTROL>
</CONTROL_LIST>
</RESPONSE>
</CONTROL_LIST_OUTPUT>
You have an option in Unix File Content custom controls to evaluate scan results as a string instead of string list. Once the <EVALUATE_AS_STRING> parameter is enabled (1), the scan result is evaluated as a single string. By default the option is disabled (0).
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=list&ids=102090&details=All"
"https://qualysapi.qualys.com/api/2.0/fo/compliance/control/"
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2021-04-06T11:14:08Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>102090</ID>
<UPDATE_DATE>2021-04-01T11:59:40Z</UPDATE_DATE>
<CREATED_DATE>2021-04-01T11:59:40Z</CREATED_DATE>
<CATEGORY>Web Application Services</CATEGORY>
<SUB_CATEGORY><![CDATA[Web Server/Tier Settings]]></SUB_CATEGORY>
<STATEMENT><![CDATA[FC_New Option Enabled _With String list]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[URGENT]]></LABEL>
<VALUE>5</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[Unix File Content Check]]></CHECK_TYPE>
<COMMENT><![CDATA[String list]]></COMMENT>
<IGNORE_ERROR>1</IGNORE_ERROR>
<IGNORE_ITEM_NOT_FOUND>1</IGNORE_ITEM_NOT_FOUND>
<SCAN_PARAMETERS>
<FILE_PATH><![CDATA[/home/testscan/samram]]></FILE_PATH>
<FILE_QUERY><![CDATA[.*]]></FILE_QUERY>
<DATA_TYPE>String List</DATA_TYPE>
<EVALUATE_AS_STRING>1</EVALUATE_AS_STRING>
<DESCRIPTION><![CDATA[with string list]]></DESCRIPTION>
</SCAN_PARAMETERS>
<TECHNOLOGY_LIST>
...
You have an option to disable the case-sensitive search in Unix agent UDCs (Directory Search and Directory Integrity). Once the <DISABLE_CASE_SENSITIVE_SEARCH> parameter is enabled (1), the search result lists all possible combinations in the upper and/or lowercase file name. By default the option is disabled (0).
API request
curl -u USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=list&ids=102154&details=All"
"https://qualysapi.qualys.com/api/2.0/fo/compliance/control/"
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2021-04-06T11:14:08Z</DATETIME>
<CONTROL_LIST>
<CONTROL>
<ID>102154</ID>
<UPDATE_DATE>2021-07-21T07:02:43Z</UPDATE_DATE>
<CREATED_DATE>2021-07-07T06:38:30Z</CREATED_DATE>
<CATEGORY>Access Control Requirements</CATEGORY>
<SUB_CATEGORY><![CDATA[Account Creation/User Management]]></SUB_CATEGORY>
<STATEMENT><![CDATA[DS UDC case sensitive with new option]]></STATEMENT>
<CRITICALITY>
<LABEL><![CDATA[MINIMAL]]></LABEL>
<VALUE>1</VALUE>
</CRITICALITY>
<CHECK_TYPE><![CDATA[Unix Directory Search Check]]></CHECK_TYPE>
<COMMENT><![CDATA[DI UDC case sensitive disabled]]></COMMENT>
<USE_AGENT_ONLY>1</USE_AGENT_ONLY>
<IGNORE_ERROR>0</IGNORE_ERROR>
<SCAN_PARAMETERS>
<BASE_DIR><![CDATA[/home/qa]]></BASE_DIR>
<SHOULD_DESCEND><![CDATA[true]]</SHOULD_DESCEND>
<DEPTH_LIMIT><![CDATA[10]]<</DEPTH_LIMIT>
<FOLLOW_SYMLINK><![CDATA[true]]></FOLLOW_SYMLINK>
<FILE_NAME_MATCH><![CDATA[*]]></FILE_NAME_MATCH>
<FILE_NAME_SKIP><![CDATA[]]></FILE_NAME_SKIP>
<DIR_NAME_MATCH><![CDATA[*]]></DIR_NAME_MATCH>
<DIR_NAME_SKIP><![CDATA[]]></DIR_NAME_SKIP>
<PERMISSIONS>
<SPECIAL>
<USER>any</USER>
<GROUP>any<GROUP>
<DELETION>any</DELETION>
</SPECIAL>
<USER>
<READ>any</READ>
<WRITE>any</WRITE>
<EXECUTE>any</EXECUTE>
</SPECIAL>
<READ>any</READ>
<WRITE>any</WRITE>
<EXECUTE>any</EXECUTE>
</GROUP>
<OTHER>
<READ>any</READ>
<WRITE>any</WRITE>
<EXECUTE>any</EXECUTE>
</OTHER>
</PERMISSIONS>
<PERM_COND><![CDATA[all]]></PERM_COND>
<TYPE_MATCH><![CDATA[d,f,l,p,b,c,s,D]]></TYPE_MATCH>
<USER_OWNER><![CDATA[Any User]]></USER_OWNER>
<GROUP_OWNER><![CDATA[Any Group]]></GROUP_OWNER>
<TIME_LIMIT><![CDATA[300]]></TIME_LIMIT>
<MATCH_LIMIT><![CDATA[50]]></MATCH_LIMIT>
<DISABLE_CASE_SENSITIVE_SEARCH><![CDATA[true]]></DISABLE_CASE_SENSITIVE_SEARCH>
<DATA_TYPE>String List</DATA_TYPE>
<DESCRIPTION><![CDATA[/home/qa desc]]></DESCRIPTION>
</SCAN_PARAMETERS>
...
</CONTROL_LIST>
</RESPONSE>
</CONTROL_LIST_OUTPUT>
<platform API server>/api/2.0/fo/compliance/control/control_list_output.dtd