Agent Deployment - Linux, BSD, Unix, MacOS
Click to view navigation pane

Home

Agent Deployment - Linux, BSD, Unix, MacOS

Good to Know Typically the agent installation requires root level access on the system (for example in order to access the RPM database). After the Cloud Agent has been installed it can be configured to run in a specific user and group context (using the agent configuration tool).

Looking for our agent configuration tool? Click here

Privileges- what are my options

Use account with root privileges (recommended) Learn moreLearn more

This is recommended as it gives the cloud agent enough privileges to gather the necessary information for the host system's evaluation.

Typically, you may start with a comprehensive assessment for vulnerabilities and misconfigurations, including privilege access for administrators and root. The agent configuration provides the Cloud Agent for Linux/ BSD/Unix/MacOSwith all the required privileges (for example to access the RPM database) to conduct a complete assessment on the host system and allows for high fidelity assessments with reduced management overheads.

However, after the Qualys Cloud Agent is installed, it can be configured to run as a specific user and group context using our Agent configuration tool. When you create a nonprivileged user with full sudo, the user account is exclusive to the Qualys Cloud Agent and you can disable SSH/ remote login for that user, if needed.

The Qualys Cloud Agent does not require SSH (Secure Shell). You can also assign a user with specific permissions and categories of commands that the user can run. If the path is not provided in the command, the system provides the path and only a privileged user can set the PATH variables.

Use non-root account with Sudo root delegation How do I configure "sudoers" file?How do I configure "sudoers" file?

Requirements:

The non-root user needs to have sudo privileges directly OR through a group membership. Be sure NOPASSWD option is configured.

Here is an example of agentuser entry in sudoers file (where "agentuser" is the user name for the account you'll use to install the Agent):   

%agentuser  ALL=(ALL)        NOPASSWD: ALL

You can also use secure Sudo. When you set UseSudo=1, the agent tries to find the custom path in the secure_path parameter located in the /etc/sudoers file. This can be used to restrict the path from where commands are picked up during data collection. If this parameter is not set, the agent refers to the PATH variable to locate the command by running sudo sh.

Use non-root account with sufficient privileges This is an option for VM agent only. What privileges are needed?What privileges are needed?

1) execute installation package for automatic update

2) commands required for data collection (see Sudo command list at the Community)

 

Linux/BSD/Unix Agent - How to enable proxy

Good to Know By default the Linux/BSD/Unix Agent will operate in non-proxy mode. The agent can be configured to use an HTTPS or HTTP proxy for internet access.

Options The Cloud Agent can be configured in one of these ways:

1) /etc/sysconfig/qualys-cloud-agent - applicable for Cloud Agent on Linux (.rpm)

2) /etc/default/qualys-cloud-agent - applicable for Cloud Agent on Linux (.deb)

3) /etc/environment - applicable for Cloud Agent on Linux (.rpm), Linux (.deb).

4) /usr/local/etc/qualys-cloud-agent - applicable for Cloud Agent on BSD (.txz)

Tip - Option 3) is a better choice for Linux/Unix if the systemwide proxy will be used by the Cloud Agent.

Tell me the stepsTell me the steps

Here are the steps to enable the Linux agent to use a proxy for communication with our cloud platform:

1) if /etc/sysconfig/qualys-cloud-agent file doesn't exist create it

2) add one of the following lines to the file:

https_proxy=https://[<username>:<password>@]<host>[:<port>]

or:

qualys_https_proxy=https://[<username>:<password>@]<host>[:<port>]

where <username> and <password> are specified if the https proxy uses authentication. If special characters are embedded in the username or password (e.g. @, :, $) they need to be url-encoded. where <host> is the proxy server's IPv4 address or FQDN. where <port> is the proxy's port number.

If the proxy is specified with the https_proxy environment variable, it will be used for all commands performed by the Cloud Agent. If the proxy is specified with the qualys_https_proxy environment variable, it will only be used by the Cloud Agent to communicate with our cloud platform.

3) change the permissions using these commands (not applicable for BSD/Unix):

Linux (.rpm)
chown root /etc/sysconfig/qualys-cloud-agent
chmod 600 /etc/sysconfig/qualys-cloud-agent

Linux (.deb)
chown root /etc/default/qualys-cloud-agent
chmod 600 /etc/default/qualys-cloud-agent

4) restart qualys-cloud-agent service using the following command:

Linux/BSD:

service qualys-cloud-agent restart

Unix:

/opt/qualys/cloud-agent/bin/qcagent.sh restart

 

MacOS Agent - How to enable proxy

Good to Know Qualys proxy configured in the .../QualysCloudAgent/Config/proxy file will take preference over any proxies set in System Preferences (including Automatic Proxy, Web Proxy (HTTP), or Secure Web Proxy (HTTPS)).

 

Agent Configuration Tool

Our tool for Linux, BSD, Unix, MacOS gives you many options: provision agents, configure logging, enable sudo to run all data collection commands, and configure the daemon to run as a specific user and/or group.. This tool is available with Linux Agent 1.3 and later, BSD Agent, Unix Agent, MacOS Agent.

You'll find this tool at /usr/local/qualys/cloud-agent/qualys-cloud-agent.sh

On Unix, the tool is located at /opt/qualys/cloud-agent/bin/qualys-cloud-agent.sh

Learn more

Cloud Agent for Linux Installation Guide PDF.

Cloud Agent for BSD Installation Guide PDF.

Cloud Agent for Unix Installation Guide PDF.

Cloud Agent for MacOS Installation Guide PDF.

Help me with troubleshooting