Qualys Cloud Agent for Linux Intel 6.3

May 07, 2024

New Features 

FIPS Compliant Build for RPM-Based Operating Systems

With this release, Qualys is introducing the Federal Information Processing Standards (FIPS) compliant build for Qualys Cloud Agent on RPM-based operating systems.

This provides enhanced data integrity and interoperability with other security tools and systems. Also, with the FIPS-compliant build, Qualys Cloud Agent fulfills regulatory requirements for managing sensitive information.

For more information about this new feature, refer to Qualys Cloud Agent Moves to FIPS-Compliant Build on RPM-Based Operating Systems.

Change Activation Key using Cloud Agent User Interface

With this feature, you can change the activation key for one or more existing agents from the Cloud Agent user interface. Earlier, you could change the activation key locally using the command-line utility.

Once the new activation key is assigned:

  • Applications activated with the newly assigned activation key are activated for the associated agent hosts.
  • The network ID and static tags associated with the newly assigned activation key are linked to the associated agent host.
  • Applications and tags associated with the earlier activation key are disassociated from the agent host.
  • Applications and static tags manually activated or assigned for the earlier agent host and not associated with the earlier activation key remain activated.

Required Application Version  Qualys Cloud Platform

Database Authentication and Assessment

With this feature, the Cloud Agent can be configured to fetch the password for the database instances through the CyberArk vault for database authentication. This is applicable only for policy compliance control assessment.

CyberArk is the external software through which Cloud Agent fetches the password of the Oracle database.

You can configure the database assessment options using the Cloud Agent user interface, with which the database credentials are directly fetched from the vault and the database assessment is launched.

For database assessment, Qualys is currently supporting the following combination:

| Linux Platform | Vault (On Prem) | PVWA | SDK | Credential Provider | Oracle Database |
|---|---|---|---|---|---|
| Red Hat Enterprise Linux 7.x | 13.2.4 | 9.10 | 13.0.2 | 13.0.2 | 12cR2 |
| Red Hat Enterprise Linux 9.x | 13.2.4 | 9.10 | 13.0.2 | 13.0.2 | 19c |
| CentOS 7.x | 13.2.4 | 9.10 | 13.0.2 | 13.0.2 | 12cR2 |
| CentOS Stream 9.x | 13.2.4 | 9.10 | 13.0.2 | 13.0.2 | 19c |

Qualys Cloud Agent currently supports only Oracle and SQL Server databases and uses CyberArk Vault.

Required Application Version  Qualys Cloud Platform

Cloud Agent Enhancements

Support for Scan Delay and Randomize for VM, PC, and SwCA Scan

With this release, you can add scan delay and randomization for SwCA scans. Also, the scan delay and randomization range is increased for VM and PC scans from 12 hours to 24 hours.

These parameters help spread the Cloud Agent scans over a configurable window and optimize resource consumption.

With the Scan Delay parameter, you can delay the scanning for the defined time interval. You can add randomization to the scan delay time with the Scan Randomize parameter. 

Required Application Version  Qualys Cloud Platform

Cloud Agent Health Check Tool 

The Cloud Agent Local Health Check tool assesses the health of the Qualys Agent on the specific host. The tool runs independently and does not require any parameters. 

The tool assesses the overall health status of the Cloud Agent based on the health of the scan-based applications: VM, PC, SCA, UDC, SwCA, and PM.

Use the following commands to run the Agent Health Check Tool:

  • If you set the proxy at /etc/environment, use the following command to run the Agent Health Check Tool.
    source /etc/environment && export qualys_https_proxy && /usr/local/qualys/cloud-agent/bin/qualys-healthcheck-tool
  • If you set the proxy at /etc/sysconfig/qualys-cloud-agent, use the following command to run the Agent Health Check tool.
    source /etc/sysconfig/qualys-cloud-agent && export qualys_https_proxy && /usr/local/qualys/cloud-agent/bin/qualys-healthcheck-tool
  • If you set the proxy at /etc/default/qualys-cloud-agent, use the following command to run the Agent Health Check Tool.
    source /etc/default/qualys-cloud-agent && export qualys_https_proxy && /usr/local/qualys/cloud-agent/bin/qualys-healthcheck-tool
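
The three cases above can be folded into one wrapper that finds which file sets qualys_https_proxy before launching the tool. This is an added example, not Qualys code: the file paths, variable name and tool path are from this page, while the function names, the optional root prefix (for dry runs against a test tree) and the refusal to run when more than one file sets the proxy are assumptions.

```sh
#!/bin/sh
# Added example (not Qualys code). Paths and variable name are from the release
# notes; function names and the optional root prefix argument are assumptions.

TOOL=/usr/local/qualys/cloud-agent/bin/qualys-healthcheck-tool
CANDIDATES="/etc/environment /etc/sysconfig/qualys-cloud-agent /etc/default/qualys-cloud-agent"

# Print each candidate file under root $1 that assigns qualys_https_proxy.
proxy_files() (
    root="${1:-}"
    for f in $CANDIDATES; do
        [ -r "$root$f" ] || continue
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?qualys_https_proxy=' "$root$f"; then
            printf '%s\n' "$root$f"
        fi
    done
)

# Print "none" (no proxy configured), "ambiguous" (set in more than one file),
# or the single file that should be sourced.
proxy_source() (
    files=$(proxy_files "${1:-}")
    [ -n "$files" ] || { echo none; exit 0; }
    n=$(printf '%s\n' "$files" | wc -l)
    if [ "$n" -gt 1 ]; then echo ambiguous; else printf '%s\n' "$files"; fi
)

# Run the tool in a subshell so sourced variables do not leak into the caller.
run_healthcheck() (
    src=$(proxy_source "${1:-}")
    case "$src" in
        ambiguous)
            # Assumption: refuse rather than guess which setting should win.
            echo "qualys_https_proxy is set in more than one file" >&2
            exit 2 ;;
        none) ;;
        *) . "$src" && export qualys_https_proxy ;;
    esac
    exec "$TOOL"
)
```

Call run_healthcheck with no argument on an agent host; proxy_source alone reports which file would be used without starting the tool.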

You can use any of the following variables for proxy configuration: 

Agent Health Status Evaluation

The tool assesses the overall health status of the Cloud Agent based on installation status, communication health, and application functionality. The applications assessed for health status are Vulnerability Management (VM), Policy Compliance (PC), Security Configuration Assessment (SCA), and Patch Management (PM).

  • Agent communication health is evaluated based on proxy settings and connection to Qualys Server end points.
  • The health of the scan-based applications is evaluated based on scan interval, upload interval, and last scan/last upload time.
  • For Patch Management health, the tool initiates the patch download from specified URLs and verifies the file hash. If a patch fails to download, patch health is flagged as bad; however, if the patch is successfully downloaded but fails verification, it does not impact Patch Management health. Instead, an entry is recorded in the error section of the JSON file to indicate the failed patch verification.

Agent Health Status Output

The Agent Health Status tool provides a console output, a user-friendly text summary, and a detailed JSON report. The text report and the JSON report are generated in the HealthCheck directory, located in the same directory where the tool is executed.

The following table presents the health status and description. 

| Health Status | Description |
|---|---|
| Good | Agent Health is good. |
|  | • Qualys Cloud Agent is facing some communication problems. • Qualys Cloud Agent Service is down. • None of Qualys Cloud Agent’s applications are functioning properly. |
| Poor | Some, but not all applications of the Qualys Agent are functioning correctly. |
| Not Installed | Qualys Agent is not installed on the asset. |
| Not Provisioned | Qualys Agent is installed but not provisioned. |
| Tool Error | The Agent Health Status tool encountered a critical error while retrieving Agent Health. |

Enhancement for Endpoint Detection and Response (EDR)

Support for RemoteShell Commands

Using this feature, you can connect to the remote host using a Remote shell interface. You can use the RemoteShell commands on the remote system to retrieve detailed information about the system and perform required actions if the system is suspected to be under malware attack.

Currently, the following commands are supported by RemoteShell:

  • date: Returns the date on the system.
  • whoami: Returns the user details.
  • ps: Lists all running processes.
  • dpkg: DPKG package manager.
  • ls: Lists all running packages and directories.
  • run: Runs an executable on a remote host.
  • auditctl: Utility for controlling the kernel's audit system.
  • delete: Deletes all files.
  • shares: Lists modified shares or mounted drives.
  • cat: Gets file contents (Supported file formats: .conf, .config, .properties, .yml).
  • copy: Copies file from source to destination.
  • mkdir: Creates a directory.
  • cd: Changes the directory.
  • restart: Restarts the system.
  • cls: Clears screen.
  • history: Returns the history of executed commands.
  • env: Lists all environment variables.
  • kill: Kills the process with specified pid or name.
  • netstat: Lists active TCP connections and network statistics.
  • rpm: RPM package manager.
  • users: Lists the users.
  • stop: Stops the RemoteShell session. 
  • nslookup: Resolves DNS Namespace or IP.
  • ipconfig: Lists the IP configuration.
  • drivers: Lists all the mounted drivers.
  • shutdown: Shuts down the system.
  • hash: Displays the hash of a file.

This feature can be used to access the asset regardless of its location.

Required Application Version  Endpoint Detection and Response (EDR)

Enhancement for File Integrity Monitoring (FIM)

Support for Monitoring SymLinks using FIM

With this enhancement, FIM supports monitoring symbolic links, or symlinks, within the specified directory.

To enable symlink monitoring, select Symlink as the Rule Type for the symlink directory path and the events to be monitored in the FIM monitoring profile. When this rule type is set, the Cloud Agent resolves the symlinks present under the base directory and monitors the resolved locations.

FIM Symlink does not support the monitoring of files or subdirectories present under the base path.

  • If the symlink resolves to a directory, then all the filters defined in the monitoring profile are applied to that directory.
  • If the symlink resolves to a file, then only the filters defined for the file are applied.

When the target directory is deleted, monitoring is stopped. Even when that directory is added again, FIM starts monitoring the directory only after restarting the Cloud Agent.
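
To preview what a Symlink rule would cover before adding it to a profile, the following added example (not Qualys code) lists the symlinks under a base directory, their resolved targets, and whether each resolves to a directory, a file, or nothing. The function name is hypothetical, and looking only at symlinks directly under the base path is an assumption; the page does not say how deep the agent searches.

```sh
#!/bin/sh
# Added example (not Qualys code). Prints one line per symlink found directly
# under base directory $1:  kind<TAB>link<TAB>resolved-target
#   dir      -> profile filters for the directory would apply to the target
#   file     -> only the filters defined for the file would apply
#   dangling -> target is missing; per the note above, monitoring of a deleted
#               target resumes only after the Cloud Agent is restarted
# Regular files and subdirectories under the base path are skipped, since the
# Symlink rule type does not monitor them.
symlink_plan() (
    base="${1%/}"
    for p in "$base"/* "$base"/.[!.]*; do
        [ -L "$p" ] || continue
        # readlink -f (GNU coreutils) follows the whole chain of links.
        target=$(readlink -f "$p" 2>/dev/null) || target=""
        if [ -d "$p" ]; then
            kind=dir
        elif [ -f "$p" ]; then
            kind=file
        elif [ -e "$p" ]; then
            kind=other
        else
            kind=dangling
        fi
        printf '%s\t%s\t%s\n' "$kind" "$p" "${target:-?}"
    done
)

# Print only the links whose target no longer exists.
dangling_links() (
    symlink_plan "$1" | awk -F'\t' '$1 == "dangling" { print $2 }'
)
```

Running dangling_links against the rule's base path after a cleanup or redeploy shows which links have lost their target.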

Required Application Version  File Integrity Monitoring (FIM)

Behavior Changes

There are no behavior changes in this release.

Platform Coverage Support

There is no new platform coverage added in this release.

Issues Addressed

There are no fixed defects included in this release.

Known Issues, Limitations, and Workaround 

Activation Key Change from Cloud Agent UI

  • Activation key change from Cloud Agent UI is not supported for Cloud Agents with Azure and OCI extensions.

FIM Symlink

  • FIM does not report any read event when you try to read a path using the Symlink path associated with it. However, write and other events are captured for these paths.
  • In case of a rename event, Cloud Agent sends an incorrect new path to the FIM when you use newer versions of coreutils.
  • Cloud Agent cannot resolve a symlink path when it is associated with an already resolved base path.
  • FIM does not report the rename event on some operating systems with old kernel and audit versions if the FIM Symlink path has special characters in it. For example, OS: Ubuntu 14.04, Kernel: 3.13.0-24-generic, Audit: 2.3.2.
  • FIM does not report any event except create and delete events, when actions are performed on FIM Symlink itself.