Qualys Cloud Agent for Linux Intel Release 7.2.2
Limited Customer Release
September 26, 2025
With this release, we are introducing the following enhancements for Cloud Agent for Linux Intel.
Enhanced Qualys Command Execution Pipeline (CEP)
The Qualys Command Execution Pipeline (CEP) has been enhanced to provide greater flexibility and control over command execution. This update introduces configurable Sudo access and user-level execution permissions, allowing administrators to define who can execute commands and at what privilege level.
The command execution pipeline is used for executing custom scripts, remote log collection, on demand scan, certificate validation, activation key change, troubleshooting, and so on.
Key Enhancements:
- New Configuration Variable: UseSudoForCep
Enables or disables Sudo access specifically for CEP commands. - Default Behavior:
Sudo access for CEP is enabled by default (UseSudoForCep=1).
Example:
To configure Sudo access for a specific user, use the following command.
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh UseSudoForCep={0|1} UseSudo={0|1} User={username} Group={user_group}
Parameter Overview:
| Parameter | Description |
|---|---|
| useSudoForCep=1 | Enables Sudo access for CEP commands. |
| useSudoForCep=0 | Disables Sudo access; commands run without elevated privileges. |
This enhancement empowers organizations to tailor command execution policies to meet their security and operational requirements.
Vault Connection Profile — Bypass Proxy and Server SSL Verification
The vault connection profiles are used to fetch the credentials for database assessment. We have introduced the following new options — Bypass Proxy and Bypass Server SSL Verification, in the database authentication Vault Connection profiles.
Bypass Proxy: When multiple proxies are configured, Cloud Agent routes all its outbound connections via a proxy. If you enable the Bypass Proxy option, Cloud Agent attempts a direct connection to the CyberArk Vault, bypassing the configured proxies. By default, this feature is enabled for all vault configuration profiles, meaning, the Cloud Agent attempts a direct connection to the CyberArk Vault.
Bypass Server SSL Verification: Select this checkbox to bypass the server SSL verification. You can use this option when the server authentication can not be done due to some environmental issues, such as HTTPS certificate expiration. By default, this option is disabled, meaning the Cloud Agent will follow normal authentication process while connecting to the CyberArk vault.
These options help in reducing the CyberArk Vault connection failure instances by avoiding vault connections with failed proxies and skipping server authentication for expired SSL certificates.
To learn more, refer to Database Assessment and Vault Configuration for Database Assessment.
Patch Management Enhancements
Improved Logging for Patch Management Pre/Post Actions
Previously, the standard error (stderr) logs from patch management pre-actions and post-actions were appended to the standard output (stdout) file if the log size was under 1KB. This limitation often led to incomplete error logs, making troubleshooting difficult.
With this enhancement, up to 100KB of error logs from stderr are now captured and included in the combined output file. This ensures more comprehensive logging of script failures and improves the efficiency of diagnostics and troubleshooting.
Support Patch Management on RHEL 10 Platforms
With this release of Cloud Agent, we are extending the Qualys Patch Management support to Redhat Enterprise Linux version RHEL 10.x platforms. Now, you can use the Patch Management capabilities, such as patch scans, and patch jobs.
Display Previous Scan Date
Previously, in the non-security update scans (NSU scans), we did not record the previous scan date. Now, we capture the previous scan date in the scan results and display it on the patch management user interface. This helps in troubleshooting the failed scans.
Behavior Change
There are no behavior changes in this release.
Platform Coverage Support
There is no new platform coverage added in this release.
Issues Addressed
The following important and notable issues are fixed in this release.
| Component/Category | Description |
|---|---|
| Cloud Agent Migration | We fixed an issue where a Cloud Agent migrated between subscriptions on same platform was not displayed in the new subscription. |
| Provisioning | We fixed an issue where Cloud Agent cloned from master nodes were not displayed in the Qualys platform as they were assigned the same instance ID as that of master node. |
| Installation | We fixed an issue where an incorrect error message was displayed after the patch installation failure. Now, we display the correct error message to help in troubleshooting. |
| Installation | We fixed an issue where the Cloud Agent service stopped when the hostid file was missing on host assets. |
| SwCA Installation | We fixed an issue where the SwCA installer was getting deleted without successfully installing the SwCA application. Now, we will delete the installer only after the successful installation of SwCA. |
| SwCA Scan | We fixed an issue where the Cloud Agent could not perform SwCA scans due to the missing SwCA binary. To fix this issue, we have corrected the SwCA installation workflows. |
| Cloud Agent Storage | We fixed an issue where Cloud Agent functions were crashing because of the dump files generated during the execution of GET request. |
| Cloud Agent Parsing Error | We fixed an issue where AWS Instance and Linux Cloud Agent could not merge due to an IMDS Instance ID parsing error. |
| Control ID Error | We fixed an issue where the users were getting function errors for CIDs due to undetected OS versions for Ubuntu platforms, causing inconsistencies in the actual OS version and OS version displayed on the Cloud Agent user interface. Now, we have implemented the code changes to detect the latest Ubuntu platform versions to resolve this issue. |
Known Issues, Limitations, and Workarounds
There are no known issues or limitations in this release.