System Privileges
The Qualys Cloud Agent offers multiple deployment methods to support an organization’s security policy for running third-party applications and least privilege configuration. As vulnerability and configuration assessments need to be comprehensive with authenticated scans, the Cloud Agent installs as a daemon with System-level privileges and does not require authentication records to access local system data and artifacts.
This default can be changed to any of the following options.
Non-root Account with Sufficient Privileges
The following are the specific privileges required for non-root accounts.
- Privileges to execute rpm for automatic updates.
- The Cloud Agent requires certain commands to operate, depending on the environment it runs in. The account must have permission to run these commands.
Non-root users with limited access may not be able to access certain areas of the system, such as applications installed with root privileges, and may produce incomplete results or lose functionality.
Non-root Account with Sudo Root Delegation
The non-root user must have direct sudo privileges assigned either individually or through a group membership. Ensure that the NOPASSWD option is configured while assigning the direct sudo privileges.
The following is an example of a Cloud Agent user entry in a sudoers file.
%agentuser ALL=(ALL) NOPASSWD: ALL
Where agentuser is the username for an account used to install a Cloud Agent. (In sudoers syntax, the leading % makes the entry apply to a group named agentuser; omit it to grant the privilege to a single user.)
You can also use secure sudo. When you set UseSudo=1, the agent looks for the custom path in the secure_path parameter in the /etc/sudoers file. Use this to restrict the directories from which commands are picked up during data collection. If this parameter is not set, the Cloud Agent uses the PATH variable generated by sudo sh to locate the command.
Account with Root Privileges
Typically, you may start with privileged access for administrators and root users. This configuration provides the Cloud Agent with all the required privileges (for example, to access the RPM database) to conduct a comprehensive assessment for vulnerabilities and misconfigurations. This helps you achieve high-fidelity assessments with less management overhead.
However, after the Qualys Cloud Agent is installed, it can be configured to run under a specific user and group context using our configuration tool. When you create a non-privileged user with full sudo, the user account is exclusive to the Qualys Cloud Agent, and you can disable Secure Shell (SSH)/remote login for that user if needed.
The Qualys Cloud Agent does not require SSH. You can also assign user-specific permissions and categories of commands that the user can run. If the path is not provided in the command, the system provides it, and only a privileged user can set the PATH variables.
Selecting Privileges Option
The Qualys Cloud Agent uses multiple methods to collect metadata to provide asset inventory, vulnerability management, and Policy Compliance (PC) use cases. Some of these methods include running commands to collect a list of installed applications and versions, running processes, network interfaces, and so on.
Root access is required only for some detections. Most of the detections that are part of Policy Compliance require root privileges as they need to read global config files related to system-wide security settings and gather information from more than one user account.
Only a very small number of QIDs in the VM application require root privileges. However, the checks that do need elevated privileges are likely to produce false negatives if the user lacks them.
Qualys also provides a scan tool that identifies the commands that need root access in your environment. Contact the Qualys support team to learn more about this scan tool. You can then decide whether to elevate or grant the required permissions to run the commands, or accept losing visibility into that information. You can grant permissions only for the specific commands/binaries that are failing.
Qualys sanitizes the PATH variable to remove any world-writable directory, a security measure that ensures the Qualys Cloud Agent does not execute custom-made scripts planted in such a directory. This also gives you the option to harden the path: you can configure the set of allowed directories from which commands are executed during data collection.
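The PATH sanitization just described, together with the secure_path restriction from the sudo section above, as an added example that is not Qualys code: a POSIX shell script that drops world-writable directories from a PATH-style list and resolves a command only within the surviving directories, exercised against a constructed temporary directory tree (the names is_world_writable, sanitize_path, find_cmd and demo are chosen here, not Qualys names).

```shell
#!/bin/sh
# Added example (not Qualys code): the PATH hygiene the page describes.
# sanitize_path drops empty, missing and world-writable directories from a PATH
# list; find_cmd resolves a command only inside what survives (secure_path style).

# "other" has write permission when character 9 of the ls -ld mode string is w.
is_world_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# sanitize_path "DIR1:DIR2:..." -> prints the list with unsafe entries removed.
sanitize_path() {
    _out=
    while IFS= read -r d; do
        [ -n "$d" ] || continue            # empty entry means "current directory"
        [ -d "$d" ] || continue            # missing directory
        is_world_writable "$d" && continue # anyone could plant a binary here
        _out="${_out:+$_out:}$d"
    done <<EOF
$(printf '%s\n' "$1" | tr ':' '\n')
EOF
    printf '%s\n' "$_out"
}

# find_cmd NAME "DIRS" -> first match in the sanitized list, never the caller's
# own PATH; returns 1 if none (directory names are assumed to contain no spaces).
find_cmd() {
    for d in $(sanitize_path "$2" | tr ':' ' '); do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
}

# Constructed sample: the same command planted in a world-writable directory that
# is listed first and in a 755 directory listed second; only the latter may win.
demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/open" "$_tmp/safe"
    chmod 1777 "$_tmp/open"; chmod 755 "$_tmp/safe"
    for d in open safe; do
        printf '#!/bin/sh\necho %s\n' "$d" > "$_tmp/$d/probe"; chmod 755 "$_tmp/$d/probe"
    done
    _clean=$(sanitize_path "$_tmp/open:$_tmp/safe::/nonexistent")
    _found=$(find_cmd probe "$_tmp/open:$_tmp/safe") || _found=none
    rm -rf "$_tmp"
    [ "$_clean" = "$_tmp/safe" ] && [ "$_found" = "$_tmp/safe/probe" ]
}
```

Running demo returns 0 only when the world-writable copy of probe is ignored and the 755 copy is the one resolved.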
Qualys uses the system-appended paths when running commands and assumes the integrity of the root user's path. NIST SP 800-53 Revision 5, control RA-5 (Vulnerability Monitoring and Scanning), notes that in certain situations the nature of vulnerability scanning may be more intrusive and require privileged access authorization to selected system components to facilitate more thorough vulnerability scanning.
For PC scans, we require sudo/root privileges. With non-root privileges, the PC report is unreliable and does not provide complete coverage of CIS and DISA policies. As per CIS benchmarks, root privileges are required for specific detections, including most detections that are part of the PC application. Refer to any CIS benchmark for Linux (for example, https://workbench.cisecurity.org/benchmarks/493), which broadly assumes that operations are being performed as the root user.
The following is the relevant paragraph from the CIS benchmark document:
“The guidance within broadly assumes that operations are being performed as the root user. Non-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify the root user’s path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark.”
For the Patch Management, Endpoint Detection and Response (EDR), and File Integrity Monitoring (FIM) applications, use an account with root privileges, because these applications must hook into the system, perform real-time monitoring, install patches, and so on, and do not depend on signatures or command execution.