Command Line Options
The qualys-cloud-agent.sh
supports the following command line options.
Configuration option |
Description |
---|---|
ActivationId |
A valid activation key ID (UUID). This value is obtained from the Cloud Agent UI (go to Activation Keys, select a key then View Key Info). This parameter is required to provision an agent. |
CustomerId |
A valid customer ID (UUID). This value is obtained from the Cloud Agent UI (go to Activation Keys, select a key then Install Agent). This parameter is required to provision an agent. |
LogLevel |
A log level (0-5). A higher value corresponds to more verbosity. Default is, mapped to information (3). 0 - mapped to fatal 1 - mapped to error 2 - mapped to warning 3 - mapped to information 4 - mapped to debug 5 - mapped to trace In a debug/trace mode, the log file may contain sensitive command-line parameters or passwords for configuration files if the passwords are in clear-text format. Storing passwords in configuration files can result in non-compliance with ISO, SOC, PCI-DSS, HIPAA, and FedRAMP guidelines. Qualys recommends using a password vault or token-based authentication instead of storing passwords in the configuration file. |
LogFileDir |
A full path to the log file. By default, the path is |
UseSudo |
Set to 1 to run all data collection commands using the sudo escalation method. By default, sudo is not used (0). |
SudoCommand |
A command for privilege escalation such as |
User |
A valid username is required if you want the daemon to run as a certain user. The daemon starts as root but later drops to the specified user and continues running as that user. |
Group |
A valid group name if you want the daemon to run as a certain group. The daemon switches to the specified group (if any). |
HostIdSearchDir |
(Available using Linux Agent 1.3.3 and later) The directory where the host ID file is located. This file contains a host ID tag assigned to the system by Qualys. By default, the directory is |
LogDestType |
(Available using Linux Agent 1.3.3 and later) The destination of log lines generated by Linux Agent. Set this to
|
ServerUri |
Use this option to migrate the agent from one Qualys subscription to another (on the same POD or PCP). ServerUri takes the URL of the Qualys shared Pod or PCP you want to migrate the Cloud Agent, in the following format: ServerUri=<http_url>/CloudAgent where If the subscription is on the same POD, the ServerUri is the same. Use this option along with ActivationId and CustomerId in order to move the agent to another Qualys shared POD or PCP. The Cloud Agent requires the appropriate Activation ID and Customer ID for the new subscription/platform. The original IDs cannot be used as they are unique per subscription. |
CmdMaxTimeOut |
Execution of a command is dropped if the time taken to execute is more than the specified value. The default timeout is 1800 seconds (30 minutes). |
ProcessPriority |
Specify the Linux niceness scale between -20 and 19 to set a priority for the Qualys cloud agent process. The lower the number, the higher the priority the agent process gets. The default value is zero. |
UseAuditDispatcher |
Set Use Agent version 2.0.2 required |
QualysProxyOrder |
If you are using multiple proxies, set the proxy order to be sequential or random. For sequential order: For random order: |
MaxRandomScanInterval |
(This is supported for Cloud Agent versions between 2.6.4 to 3.3) If you enable this option, it adds a random time to the VM Scan Interval to upload the scan data. The default value is 0. Range: 0 to 4294967295. |
ScanDelayVM |
(This is supported for Agent version greater than or equal to 4.6) The time added to the start of VM scanning for new installs and new manifest downloads. The default value is 0 (zero). Range: 0 to 43200. |
ScanDelayPC |
(This is supported for Agent version greater than or equal to 4.6) The time added to the start of PC scanning for new installs and new manifest downloads. The default value is 0 (zero). Range: 0 to 43200. |
MaxRandomScanIntervalVM |
(This is supported for Agent version greater than or equal to 4.6) If you enable this option, it adds a random time to the VM Scan Interval to upload the scan data. The default is 0. Range: 0 to 43200 |
MaxRandomScanIntervalPC |
(This is supported for Agent version greater than or equal to 4.6) If you enable this option, it adds a random time to the PC Scan Interval to upload the scan data. The default is 0. Range: 0 to 43200
|
ProxyFailOpen |
Set the This is applicable for the Cloud Agent for Linux version 6.2 and later. |
LogCompression | Set the LogCompression=1 to enable the log compression for your Cloud Agent. The default value for this parameter is 0, meaning the log compression is not enabled for the Cloud Agent. If you enable Log Compression, Cloud Agent compresses the log files when it is rolled over and keeps the five most recent archived zip files, each with 10 MB of log data. |
Limitations of using UseSudo=1
If you configure the cloud agent for UseSudo=1
to run commands using the sudo escalation method, you may face any of the following issues:
- Commands run by the cloud agent or any script added in the cloud agent manifest fail to get the custom path set in the PATH environment.
- Scan results show empty values for
service_list
,bios_info
, andservice_info
, when the agents fail to find related paths in the PATH environment.
This happens because when you set UseSudo=1, the Cloud Agent tries to find the custom path in the secure_path
parameter located in the /etc/sudoers
file. If this parameter is not set, the agent then tries to find the custom path in the path that is used when you run sudo sh
.
To resolve this issue, add your custom path or the path used by the Cloud Agent while scanning for service_list
, bios_info
, and service_info
, to the secure_path
parameter. If you have disabled the secure_path
parameter, add the respective paths to the path that is used when you run sudo sh
.
Alternatively, you can configure the agent for UseSudo=0
.
For RHEL platforms, if you run the argument UseSudo=0
with the agent configuration tool and do revocation, the qualys-cloud-agent
process still continues running in the background. Ideally, qualys-cloud-agent
process should have stopped after revocation. This is a known limitation with UseSudo=0
, while it works for UseSudo=1.