Qualys Cloud Agent for Linux Intel Release 7.2
June 11, 2025
With this release, we bring the following new features and enhancements to Qualys Cloud Agent for Linux Intel.
New Feature — Launch Patch Jobs for Non-Security Updates
The Cloud Agent for Linux Intel now has the support to launch the patch jobs for non-security updates. Earlier, we only supported the patch jobs for security updates to fix the vulnerabilities and launch OS patches for Linux assets.
The missing non-security patches are discovered during the scheduled Cloud Agent scans. To fix these patches, you can create custom patch jobs in the Patch Management user interface.
The option to launch a patch job for non-security updates is available for the following Linux platforms.
- Redhat Enterprise Linux version (RHEL) 8.x - 9.x
- Oracle Enterprise Linux (OEL): 8.x - 9.x
- SuSE Linux Enterprise Server (SLES): SLES 12, 13, 15.x, 15.x SP1 - SP6
- OpenSuSE Linux: 15.x
- Alma Linux: 8.x-9.x
- Rocky Linux: 8.x-9.x
Required Application Version | Patch Management 3.6.0.0 |
Isolate Linux Host Assets
We are introducing a feature to isolate vulnerable Linux assets from your network. The isolated assets can not interact with other assets in your network except for the excluded IP addresses, applications, and domains. Isolating assets from your network helps in preventing the exploitation of vulnerabilities present on them.
Earlier, we had the capability to isolate assets from the Qualys Endpoint Detection and Response (EDR). With this release, we have extended the isolation capabilities to Vulnerability Management Detection and Response (VMDR).
You must have TruRisk Eliminate™ activated for your account to access this feature.
Supported Platforms for Host Isolation Feature
Currently, the host isolation feature is supported only for the following Linux platforms:
- Redhat Enterprise Linux 9.x and later
- Ubuntu Linux 22.04 LTS and later
- Amazon Linux 2 2023 and later
Support for Isolation Exclusion Rules
By default, we have added exclusions for Cloud Agent processes but not for the child process hierarchy launched by them. This means the Cloud Agent processes will work for isolated assets but not for the child processes launched by Cloud Agent processes.
The following points describe the exclusion rule behavior:
- While configuring the exclusion rule for isolated assets, you can use the IP addresses, IP range, subnet masks, applications, and domain names.
Ensure that you add the absolute path of the installer application while adding an application-based exclusion for patch and mitigation jobs to work. For example, yum, dpkg, zypper — according to your OS platform. Also, ensure that you add the absolute path for all the locations where an application is located, as the symlinks are not supported for this feature. For example, if a yum installer is located at
/bin/yum
and/usr/bin/yum/,
add both of these paths to the exclusion rule. - The excluded IP addresses and applications support both ingress (incoming) and egress (outgoing) communication.
We only support IPv4 addresses for IP-based exclusion. Currently, this feature does not support IPv6-based exclusion.
- The excluded domains only support egress communication.
Domain isolation does not work through proxy connection if you have configured a system-wide proxy.
- The excluded IP addresses, applications, and domains can communicate with other assets in your network. This allows you to deploy the mitigation and patch jobs and perform other remediation actions as required.
The connections established before an asset is isolated remain unaffected. These pre-established connections are not terminated after isolating an asset.
Required application version | Patch Management - 3.4.0.0 Vulnerability Management Detection and Response - 2.2.0 |
Cloud Agent Enhancements Release 7.2
Optimized CPU Throttle for CEP Process
We optimized the CPU Throttle to ensure the minimum CPU utilization for Command Execution Pipeline (CEP) process (qualys-cep
process). Cloud Agent is upgraded to execute a maximum of 5 manifests simultaneously by qualys-cep
process. This enhancement ensures the smooth Cloud Agent operations on the host assets.
Qualys FIM Support for New Linux Platforms
With this release of Cloud Agent, we have added support for Qualys File Integrity Monitoring (FIM) to the following Linux platforms:
- Mariner Linux 1
- Mariner Linux 2
- Azure Linux 3.0
GPG Signing Key Update for Linux Agents
We have updated the GPG (GNU Privacy Guard) Signing Key for Linux RPM and DEB packages to SHA-256. This update aligns with the industry best practices for security and a higher standard of package integrity verification.
Behavioral Change
The following behavioral change is observed for Cloud Agent.
Download or Delete Manifests when Suspend Scan is Enabled
The Cloud Agent for Linux Intel now supports downloading and deleting manifests when the suspend scan feature is enabled. This ensures that Cloud Agent uses the latest available manifest.
Platform Coverage Support
No new platform coverage is added in this release.
Issues Addressed in Cloud Agent for Linux Intel Release 7.2
The following notable and important issues are fixed in this release.
Category/Component | Issue Description |
---|---|
Configuration Assignment | We fixed an issue where a Cloud Agent installed on a new virtual machine (VM) using a Gold Image did not update the configuration assignment status. The Cloud Agent could not download the configuration after re-provisioning. Now, the Cloud Agent downloads the configuration after re-provisioning, and the updated assignment status is displayed on the Cloud Agent user interface. |
Cloud Agent Permissions | We fixed an issue where a few Control IDs (CID) failed during a scan even though the affected assets had the correct configuration. This issue was caused by the Cloud Agent's inability to read some file permissions correctly. Now, we have updated the Cloud Agent permissions to correctly find the CID settings. |
UDC Scans | We fixed an issue where UDC scans caused momentary spikes for Cloud Agents by limiting the CPU Throttle for these scans. |
Cloud Agent CEP Processes | We fixed an issue where the Cloud Agent CEP Processes caused high CPU utilization due to the execution of multiple CEP processes simultaneously. |
Cloud Agent Upgrades | We fixed an issue where Cloud Agent was not restarting when it was manually upgraded to the new version on Ubuntu platforms. Now, the Cloud Agent is restarted automatically after it is manually updated on Ubuntu platforms. |
Asset Identification | We fixed an issue where duplicate Cloud Agent records were observed even when the asset identification rules were created. It was caused as the Cloud Agent could not fetch the FQDN correctly. Now, we fetch the correct FQDN for Cloud Agent hosts. |
Known Issues, Limitations, and Workarounds
When a large number of Custom Assessment and Remediation (CAR) Scripts are assigned to the Cloud Agent using an API, the Cloud Agent may skip downloading some of these scripts if the CAR script manifest gets stuck in a pending state. To learn more, refer to Optimization of Asset Job Handling in CAR.