Deployment of Qualys Virtual Scanner in GCP and Cloud Agents for
Workloads
Table of Contents
Deployment of Qualys Virtual Scanner in GCP and Cloud Agents for Workloads
  Deployment of Qualys Virtual scanner appliance in Google Compute Engine (Google Cloud Platform)
    Background
    Prerequisites
      Generation of Personalization code
    Deployment of Qualys Virtual Scanner Appliance
      Via Google Cloud MarketPlace
      Custom Image deployment for Customers on Private Cloud Platforms
    Important Pointers
    Qualys UI view
    Qualys Scanner Readiness
  Deployment of Qualys Cloud Agents for Workloads (Servers)
    Introduction
    Pre-requisites
    Installation steps
    Linux specific Installation
    Windows
    Install Agents in Gold Images
      Linux
      Windows
      Alternative approach: Install agent from Microsoft AD
    Implement Rules for Agent Access
      What is Asset Tag in Qualys?
      Qualys Asset Tag Use Case
Deployment of Qualys Virtual scanner appliance in Google Compute
Engine (Google Cloud Platform)
Background
There are two ways of performing vulnerability assessment (VA) in a cloud environment: either install a Qualys Cloud Agent on each of the servers (workloads), or deploy a Qualys Scanner. In public clouds with hundreds of workloads it is usually more practical to have a scanner perform the VA and the related heavy lifting.
Prerequisites
1. A Qualys subscription is required to complete the deployment successfully.
2. A personalization code, generated from the Qualys subscription, is needed to register every new appliance instance.
Generation of Personalization code
1. Log into the Qualys UI.
2. Choose Vulnerability Management or Policy Compliance, depending on the need.
3. Go to Scans > Appliances and select New > Virtual Scanner Appliance.
4. Choose 'I have my image'. Specify a name for the scanner (note: GCP expects lowercase
letters, numbers, and hyphens.)
5. Click Next to walk through the wizard. Copy the personalization code.
6. Leave the window open and switch to GCP to launch the appliance. The activation status can
be checked on the same window after deployment.
Deployment of Qualys Virtual Scanner Appliance
There are two ways to deploy the Qualys Virtual Scanner Appliance:
1. Via Google Cloud MarketPlace
2. Custom Image deployment for Customers on Private Cloud Platforms
Via Google Cloud MarketPlace
1. Log in to the Google Cloud account (GCP console) and navigate to Marketplace.
2. Search for Qualys and select Qualys Virtual Scanner Appliance.
3. Click "Launch".
4. The following details must be provided for the virtual scanner appliance (all mandatory):
Deployment Name: It is advised to use the same name that was entered in the Qualys UI when generating the personalization code.
Zone: Select a zone that co-locates the scanner instance with the scan target instances. For the scanner to reach other zones, connectivity must be set up with the appropriate network configuration.
Perscode: Provide the 14-digit personalization code generated in the Qualys UI.
Proxy URL: Add the proxy server URL used to communicate with the Qualys Cloud Platform via an SSL proxy. Qualys supports both an IP address and an FQDN for the proxy host. Specify the proxy server URL as username:password@proxyhost:port.
Machine type: The default preset is 2 vCPUs and 7.5 GB of memory and can be customized. Note: the appliance supports a maximum of 16 cores and 16 GB of memory. For customization, keep cores to memory in the ratio 1:3.5.
Do not change "Boot disk type" or "Size (GB)" unless instructed by Qualys Support (default value: 56 GB).
5. Click "Deploy", then proceed to the section "Post-deployment Progress and monitoring".
Custom Image deployment for Customers on Private Cloud Platforms
Equifax is expected to build a Qualys scanner image specific to its private platform.
1) Download the qVSA image file (tar.gz) using the SAS link provided by Qualys Operations.
2) Create a Google Storage bucket.
3) Upload the downloaded qVSA image file to the storage bucket.
4) Create the Qualys Scanner image from the uploaded qVSA image file (tar.gz):
Name: Provide a unique name to identify the Qualys Scanner appliance image.
Source: Select "Cloud Storage File", which allows you to select the Qualys Scanner image file stored in the storage bucket. In the screenshot, qualys-scanner is the bucket name and qVSA-GCE-xxxxxxx.tar.gz is the Qualys scanner image file.
5) Generate a personalization code by following the steps given earlier in this document.
6) Deploy the Qualys Virtual Scanner Appliance instance:
Deployment name: It is advised to use the same name that was entered in the Qualys UI when generating the personalization code.
Zone: Select a zone that co-locates the scanner instance with the scan target instances. For the scanner to reach other zones, connectivity must be set up with the appropriate network configuration.
Machine type: The default preset is 2 vCPUs and 7.5 GB of memory and can be customized. Note: the appliance supports a maximum of 16 cores and 16 GB of memory. For customization, keep cores to memory in the ratio 1:3.5.
Boot Disk: Change the boot disk to the newly created Qualys Scanner appliance image.
Do not change "Boot disk type" or "Size (GB)" unless instructed by Qualys Support (default value: 56 GB).
Metadata:
Perscode: Provide the 14-digit Personalization code generated from Qualys UI.
7) Click the Create button.
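The custom-image procedure above, scripted with the gcloud and gsutil CLIs as an added example (this is not Qualys or Google code). PROJECT, ZONE, BUCKET and IMAGE_FILE are assumed environment variables, and the scanner name and Perscode passed in are placeholders; the name and code checks mirror the constraints stated in this guide.

```shell
#!/bin/sh
# Added example, not Qualys or Google code: scripts the custom-image steps
# with the gcloud/gsutil CLIs. PROJECT, ZONE, BUCKET and IMAGE_FILE are
# assumed environment variables; the Perscode value is a placeholder.
set -eu

# The scanner name is reused as the GCE image/instance name, so it must follow
# GCP resource naming: lowercase letters, digits and hyphens, starting with a
# letter, ending with a letter or digit, at most 63 characters.
scanner_name_ok() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# The personalization code copied from the Qualys UI is 14 digits.
perscode_ok() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{14}$'
}

deploy_scanner() {  # usage: deploy_scanner SCANNER_NAME PERSCODE
  name=$1; perscode=$2
  scanner_name_ok "$name" || { echo "invalid scanner name: $name" >&2; return 1; }
  perscode_ok "$perscode" || { echo "Perscode must be 14 digits" >&2; return 1; }
  : "${PROJECT:?}" "${ZONE:?}" "${BUCKET:?}" "${IMAGE_FILE:?}"

  # Steps 2-3: create the bucket and upload the qVSA tar.gz from Qualys Operations.
  gsutil mb -p "$PROJECT" "gs://$BUCKET"
  gsutil cp "$IMAGE_FILE" "gs://$BUCKET/"

  # Step 4: build the scanner image directly from the Cloud Storage file.
  gcloud compute images create "$name-image" --project "$PROJECT" \
    --source-uri "gs://$BUCKET/$(basename "$IMAGE_FILE")"

  # Steps 6-7: launch the appliance. n1-standard-2 is the 2 vCPU / 7.5 GB
  # preset, the 56 GB boot disk is the guide's default, and the code goes
  # into the Perscode metadata key that the appliance reads at first boot.
  gcloud compute instances create "$name" --project "$PROJECT" --zone "$ZONE" \
    --image "$name-image" --machine-type n1-standard-2 \
    --boot-disk-size 56GB --metadata "Perscode=$perscode"
}

if [ $# -eq 2 ]; then
  deploy_scanner "$1" "$2"
fi
```

Run it as sh deploy-qvsa.sh SCANNER_NAME PERSCODE with the four environment variables exported; the validation functions fail fast so no cloud resources are created for a name or code the Qualys UI would reject.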
Important Pointers
1. The deployment can take up to 10 minutes.
2. After successful deployment the scanner appliance connects to the Qualys Cloud Platform to complete registration.
3. Once connected to the Qualys Cloud Platform, the appliance downloads the latest software and vulnerability signatures.
Qualys UI view
The activation of the scanner appliance can be checked from the Qualys UI using "Check activation" in the Virtual Scanner Appliance window that was left open when the personalization code was generated.
Qualys Scanner Readiness
1. Go to Qualys UI
2. Click on Scans >> Appliances and find the scanner (installed in GCP) from the list.
3. The green icon to the left of the scanner shows that the scanner is ready to start internal scans.
Note: After initial installation of a new appliance, it usually takes 20-30 minutes for the scanner to become visible in the Qualys UI.
Deployment of Qualys Cloud Agents for Workloads (Servers)
Introduction
Qualys Cloud Agent helps secure virtual machine environments in the cloud or in a private data center. It is a lightweight application that runs silently on a monolithic operating system (e.g. Windows, Linux). The agent collects and collates system information and security data and shares it with the Qualys Cloud Platform. The product monitors systems of any kind: standalone servers, virtual machines, desktops, shared servers or cloud instances.
Pre-requisites
1. There must be no filtering between the machine running the Qualys Agent and the Qualys Cloud Platform.
2. To accomplish this, go to VPC network >> Firewall and allow the port used by the Qualys Private Cloud Platform (port 443). The aim is to ensure bi-directional communication between the Agent and the Qualys Cloud.
3. The Cloud Agent requires a minimum of 512 MB RAM when using VM/PC, and a minimum of 1 GB RAM for VM/PC + FIM. A minimum of 200 MB of disk space is required.
Installation steps
1. Log into the Qualys Cloud Platform and create activation key for agent. Download the
relevant platform agent software from the portal.
2. Download the agent installable as per the OS that needs to be monitored.
3. The user must have one of the following permission levels on a Linux OS:
a. Root / Administrator login (after installation, the agent can be configured to run under a different user and group to restrict its access, if required).
b. Non-root with sudo root delegation (the non-root user needs sudo privileges directly or through a group membership; be sure the NOPASSWD option is configured).
c. Non-root with sufficient privileges on the respective machine.
4. Qualys Cloud (along with the Agent) also supports monitoring of systems in a zone without internet access, provided a proxy gateway is available and can be configured for the agent to contact the Qualys Cloud Platform.
Linux specific Installation
1. Copy the Qualys Cloud Agent installer onto the target host.
2. Install the Qualys Cloud Agent. The package file differs by CPU architecture (x86_64 or ARM64) and by package format (.rpm or .deb), so the command varies accordingly:
>sudo rpm -ivh qualys-cloud-agent.x86_64.rpm   (Intel/AMD CPUs, RPM-based distributions)
>sudo dpkg -i qualys-cloud-agent.x86_64.deb    (Intel/AMD CPUs, Debian-based distributions)
OR
>sudo rpm -ivh qualys-cloud-agent.arm64.rpm    (ARM CPUs, RPM-based distributions)
>sudo dpkg -i qualys-cloud-agent.arm64.deb     (ARM CPUs, Debian-based distributions)
3. Activate the agent with the activation key and customer ID created in the Qualys Cloud Platform:
>sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Windows
1. Copy QualysCloudAgent.exe to the host to be monitored and run the command shown in Step 2, point d, or deploy it to the target host using Group Policy or a systems management tool.
2. Install the Qualys Cloud Agent on the Microsoft Windows client or Microsoft Windows Server using the following instructions for x86-32/64.
a. Local administrator privileges on the host are a MUST to install the agent.
b. The host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443.
c. Open a Command Prompt and change to the folder where QualysCloudAgent.exe was uploaded.
d. QualysCloudAgent.exe CustomerId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} ActivationId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
3. Program Files: The agent executables are installed here:
C:\Program Files (x86)\QualysAgent\Qualys
4. On Windows XP, the agent executables are installed here:
C:\Program Files\QualysAgent\Qualys
5. Program Data: The agent manifest, configuration data, snapshot database and log files are stored here:
C:\ProgramData\Qualys\QualysAgent\*
Install Agents in Gold Images
Linux:
These steps are similar to installing on Linux (.rpm) hosts, with an extra step to stop the Qualys Cloud Agent service before activation and to restart the image instance.
1. Start the Gold Image instance.
2. Copy the Qualys Cloud Agent RPM onto the instance.
3. Install the Qualys Cloud Agent RPM using the following command:
>sudo rpm -ivh qualys-cloud-agent.x86_64.rpm
4. Stop the Qualys Cloud Agent service:
>sudo service qualys-cloud-agent stop
5. Run the Qualys Cloud Agent activation command:
>sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
6. Stop the instance and create an image from it. This completes the bake-in process. When an instance is started from the image, it activates the Cloud Agent, which provisions itself and continues functioning as expected.
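The Linux install and activation commands from "Linux specific Installation" and the gold-image variant above, wrapped in a POSIX shell script as an added example (not Qualys code): it picks the package file for the host's CPU architecture and package format, validates the ActivationId and CustomerId before they reach the activation script, and stops the service first when building a gold image. The UUIDs passed in are placeholders; the package file names are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not Qualys code: chooses the Cloud Agent package for the
# host, checks the ActivationId/CustomerId values, then runs the install and
# activation steps from the guide. Ids are placeholders supplied by the caller.
set -eu

# Map the output of `uname -m` plus the package format (rpm|deb) to the
# installer file name. Returns 1 for architectures the guide does not cover.
agent_package() {
  case "$1" in
    x86_64|amd64)  cpu=x86_64 ;;
    aarch64|arm64) cpu=arm64 ;;
    *) return 1 ;;
  esac
  echo "qualys-cloud-agent.$cpu.$2"
}

# Pick the package format from the package manager present on the host.
pkg_format() {
  if command -v rpm >/dev/null 2>&1; then echo rpm
  elif command -v dpkg >/dev/null 2>&1; then echo deb
  else return 1
  fi
}

# ActivationId and CustomerId are UUIDs (8-4-4-4-12 hex groups, any case).
uuid_ok() {
  printf '%s\n' "$1" | grep -Eiq \
    '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

install_agent() {  # usage: install_agent ACTIVATION_ID CUSTOMER_ID [--gold-image]
  act=$1; cust=$2; gold=${3:-}
  uuid_ok "$act" && uuid_ok "$cust" ||
    { echo "ActivationId and CustomerId must be UUIDs" >&2; return 1; }
  fmt=$(pkg_format) || { echo "neither rpm nor dpkg found" >&2; return 1; }
  pkg=$(agent_package "$(uname -m)" "$fmt") ||
    { echo "unsupported CPU architecture: $(uname -m)" >&2; return 1; }
  [ -f "$pkg" ] || { echo "copy $pkg onto this host first" >&2; return 1; }

  # Install with the package manager that matches the file format.
  if [ "$fmt" = rpm ]; then sudo rpm -ivh "$pkg"; else sudo dpkg -i "$pkg"; fi

  # Gold image only: stop the service before activation so the image itself
  # is never provisioned; the agent activates when a clone is first started.
  if [ "$gold" = "--gold-image" ]; then sudo service qualys-cloud-agent stop; fi

  # Hand the activation key and customer id to the activation script.
  sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh \
    ActivationId="$act" CustomerId="$cust"
}

if [ $# -ge 2 ]; then
  install_agent "$@"
fi
```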
Windows
1. Create a snapshot of the VM as a Gold Image before proceeding.
2. Verify that the Gold Image instance has no network connectivity to the Qualys Cloud Platform or the deployed Private Cloud Platform(s) during the installation of the Cloud Agent.
3. Turn off networking to the Gold Image from the virtualization manager.
4. Manage the Gold Image in a network that has no network connectivity.
5. Create an entry in the local hosts file (located at C:\Windows\System32\drivers\etc\hosts) for the DNS name of the public POD or PCP that the agent connects to, e.g. 127.0.0.1 (make sure to remove this entry before the Gold Image is cloned):
o Open the file C:\Windows\System32\drivers\etc\hosts.
o Add an entry like the one below at the end of the file and save it.
127.1.1.1 pod.example.domain.com
6. Create a temporary Windows firewall rule to block the Cloud Agent process from communicating over the network (make sure to remove this rule before the Gold Image is cloned).
7. The registry key "HostID" must not exist at HKEY_LOCAL_MACHINE\SOFTWARE\Qualys.
8. If the registry key exists, the agent in the Gold Image was provisioned and the image is not suitable for cloning. In this case, revert the snapshot to the state prior to the installation of the Cloud Agent and start the process again.
9. If this is not the last application or service to be installed in the Gold Image, shut down the Cloud Agent service and set its start type to "Disabled" so that the agent does not start and provision itself during the remainder of the Gold Image configuration; make sure to set the Cloud Agent service back to "Automatic" start before cloning the Gold Image.
10. Shut down the Gold Image and make it available for cloning.
Alternative approach: Install agent from Microsoft AD
1. The Cloud Agent can be installed on instances by the domain join script(s), as the final step of host installation/provisioning.
2. This approach greatly simplifies the gold image build but requires additional processing during the domain join.
3. It can create duplicate host records in the Qualys Platform. When there are two host records with the same hostname, one record carries the old Agent UUID and the other the new one.
4. If this occurs, check the "Last Checked In" date of the old Agent UUID record; it is usually the date when provisioning occurred, after which the agent started using the new Agent UUID. All new vulnerability, compliance, and asset inventory information is associated with the new Agent UUID and host record.
5. Duplicate host records caused by different Agent UUIDs can be removed by uninstalling the old host records / Agent UUIDs via the Cloud Agent module user interface or the API. This does not affect the agent that communicates using the new Agent UUID.
Implement Rules for Agent Access
What is Asset Tag in Qualys?
An Asset Tag is a way of sequestering assets based on parameters such as operating system. For example, if there are 100 Windows workstations, 50 Linux workstations and a few others, Asset Tags can dynamically label these workstations and separate them into different groups. Based on the requirements and compliance needs, a separate scan tailored to that particular OS can then be run at whatever periodicity the frequency of patching etc. demands.
Qualys Asset Tag Use Case
A common use case for host discovery is to focus scans on certain operating systems. Historically this was done in a number of ways, via maps or light scans followed by a manual workflow. Asset tagging can be leveraged to automate this process. By dynamically tagging hosts by their operating system, scanning can be split into:
1. Frequent light scans that keep the mapping of the network current via dynamic asset tags.
2. Targeted complete scans against tags that represent hosts of interest.
3. The steps below show how to set up Qualys to do exactly this.
4. Asset tag rules are used to discover and group assets. Assets can be grouped by parameters such as OS, IP range or a Groovy script; each type of Asset Tag Rule Engine has its own advantages, which determine how or why a particular rule engine should be used (for example, when is an asset search better than a Groovy script?).
5. Rule engines for discovering assets using multiple keywords are listed below.
6. If remediation by OS is required, the Operating System Regular Expression rule engine plays a major role in reporting. The same goes for Software Installed.
7. If the security team wishes to track high-risk QIDs, the Vuln(QID) Exist rule engine helps them focus.
8. It is preferable to have a clear hierarchy of Asset Tags. Create a top-level parent static tag named 'Operating Systems'.
9. Click Finish to create the parent tag.
10. We will create the sub-tags of our Operating Systems tag from the same Tags tab. These sub-
tags will be dynamic tags based on the fingerprinted operating system.
11. Name this tag Windows servers. The parent tag should auto-populate with the Operating Systems tag name.
12. From the Rule Engine dropdown, select Operating System Regular Expression. From
our Asset tagging regular expression library, input the following into the Regular
Expression textbox:
^Windows .*Server((?!\/).)*$
13. Also, check the Re-evaluate rule on save and Ignore Case checkboxes.
14. Click Finish. Our Windows servers tag is now created and being applied retroactively to all
existing identified Windows server hosts. Feel free to create other dynamic tags for other
operating systems.
15. Scan in breadth for host discovery
16. Qualys is now set to automatically organize our hosts by operating system. We can discover
what assets are in our environment by frequently running a lightweight scan to populate
these tags.
Follow the steps below to create such a lightweight scan:
17. Open the module picker and select the Vulnerability Management module.
18. We will need operating system detection from the top bar, click on Scans, and then Search
Lists from the blue bar.
19. Click New... and then the Static List... button. Title this search list Operating System Detected and add QID 45017 (Operating System Detected). Click Save.
20. Let’s import a lightweight profile. Click Option Profiles from the blue bar.
21. Click New..., and then the Import from Library... button.
22. Select Light Inventory Scan v.1, and then click Import. Making this global is optional.
23. Add the Operating System Detected static list to this option profile.
24. The last step is to schedule a recurring scan using this option profile against your environment. You can even have a scan run continuously to achieve near real-time visibility; see How to configure continuous scanning for more information.
25. Scan in depth against tags
26. After processing scan data to apply tags, Qualys will have an up-to-date inventory of operating systems in your environment. You can now run targeted complete scans against hosts of interest, e.g. those tagged with specific operating system tags.
27. This dual scanning strategy enables you to monitor your network in near real time. For more reading on the trend towards continuous monitoring, see New Research Underscores the Importance of Regular Scanning to Expedite Compliance.
Note: The above types of scans should not replace maps against unlicensed IPs, as vulnerability scans, even light scans, can only run across licensed IPs.