Qualys Cloud Agent for Linux Intel Release 7.2.3
October 07, 2025
With this release, we are introducing the following enhancements for Cloud Agent for Linux Intel.
Enhanced Qualys Command Execution Pipeline (CEP)
The Qualys Command Execution Pipeline (CEP) has been enhanced to provide greater flexibility and control over command execution. This update introduces configurable Sudo access and user-level execution permissions, allowing administrators to define who can execute commands and at what privilege level.
The command execution pipeline is used for executing custom scrips, remote log collection, on demand scan, certificate validation, activation key change, troubleshooting, and so on.
Key Enhancements:
- New Configuration Variable: UseSudoForCep
Enables or disables Sudo access specifically for CEP commands. - Default Behavior:
Sudo access for CEP is enabled by default (UseSudoForCep=1).
Example:
To configure Sudo access for a specific user, use the following command.
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh UseSudoForCep={0|1} UseSudo={0|1} User={username} Group={user_group}
Parameter Overview:
| Parameter | Description |
|---|---|
| UseSudoForCep=1 | Enables Sudo access for CEP commands. |
| UseSudoForCep=0 | Disables Sudo access; CEP runs without elevated privileges. |
This enhancement empowers organizations to tailor command execution policies to meet their security and operational requirements.
Vault Connection Profile — Bypass Proxy and Server SSL Verification
The vault connection profiles are used to fetch the credentials for database assessment. We have introduced the following new options — Bypass Proxy and Bypass Server SSL Verification, in the database authentication Vault Connection profiles.
Bypass Proxy: When multiple proxies are configured, Cloud Agent routes all its outbound connections via a proxy. If you enable the Bypass Proxy option, Cloud Agent attempts a direct connection to the CyberArk Vault, bypassing the configured proxies. By default, this feature is enabled for all vault configuration profiles, meaning, the Cloud Agent attempts a direct connection to the CyberArk Vault.
Bypass Server SSL Verification: Select this checkbox to bypass the server SSL verification. You can use this option when the server authentication can not be done due to some environmental issues, such as HTTPS certificate expiration. By default, this option is disabled, meaning the Cloud Agent will follow normal authentication process while connecting to the CyberArk vault.
These options help in reducing the CyberArk Vault connection failure instances by avoiding vault connections with failed proxies and skipping server authentication for expired SSL certificates.
To learn more, refer to Database Assessment and Vault Configuration for Database Assessment.
Patch Management Enhancements
Improved Logging for Patch Management Pre/Post Actions
Previously, the standard error (stderr) logs from patch management pre-actions and post-actions were appended to the standard output (stdout) file if the log size was under 1KB. This limitation often led to incomplete error logs, making troubleshooting difficult.
With this enhancement, up to 100KB of error logs from stderr are now captured and included in the combined output file. This ensures more comprehensive logging of script failures and improves the efficiency of diagnostics and troubleshooting.
Support Patch Management on RHEL 10 Platforms
With this release of Cloud Agent, we are extending the Qualys Patch Management support to Redhat Enterprise Linux version RHEL 10.x platforms. Now, you can use the Patch Management capabilities, such as patch scans, and patch jobs.
Display Previous Scan Date
Previously, in the non-security update scans (NSU scans), we did not record the previous scan date. Now, we capture the previous scan date in the scan results and display it on the patch management user interface. This helps in troubleshooting the failed scans.
Behavior Change
There are no behavior changes in this release.
Platform Coverage Support
There is no new platform coverage added in this release.
Issues Addressed
The following important and notable issues are fixed in this release:
| Component/Category | Description |
|---|---|
| Cloud Agent Migration | We fixed an issue where a Cloud Agent migrated between subscriptions on same platform was not displayed in the new subscription. |
| Manifest Download | We fixed an issue where the Cloud Agent stopped performing vulnerability scans after the Prevent Manifest Update option was enabled in the Manifest Version Control profile. Now, the Cloud Agent uses the previously downloaded manifest to perform vulnerability scans, even when the Prevent Manifest Update option is enabled.
The Manifest Version Control feature has limited availability. Contact Qualys support or TAM to get it enabled. |
| Provisioning | We fixed an issue where Cloud Agent cloned from master nodes were not displayed in the Qualys platform as they were assigned the same instance ID as that of master node. |
| Installation | We fixed an issue where an incorrect error message was displayed after the patch installation failure. Now, we display the correct error message to help in troubleshooting. |
| Installation | We fixed an issue where the Cloud Agent service stopped when the hostid file was missing on host assets. |
| SwCA Installation | We fixed an issue where the SwCA installer was getting deleted without successfully installing the SwCA application. Now, we will delete the installer only after the successful installation of SwCA. |
| SwCA Scan | We fixed an issue where the Cloud Agent could not perform SwCA scans due to the missing SwCA binary. To fix this issue, we have corrected the SwCA installation workflows. |
| Cloud Agent Storage | We fixed an issue where Cloud Agent functions were crashing because of the dump files generated during the execution of GET request. |
| Cloud Agent Parsing Error | We fixed an issue where AWS Instance and Linux Cloud Agent could not merge due to an IMDS Instance ID parsing error. |
| Control ID Error | We fixed an issue where the users were getting function errors for CIDs due to undetected OS versions for Ubuntu platforms, causing inconsistencies in the actual OS version and OS version displayed on the Cloud Agent user interface. Now, we have implemented the code changes to detect the latest Ubuntu platform versions to resolve this issue. |
| Un-trusted Search Path Vulnerability | The shell scripts packaged with the Cloud Agent installer execute multiple system utilities without an absolute path or resetting a path to a safe value. This allows a malicious actor to place harmful files on your assets when the shell scripts are executed with elevated privileges. We have updated this behavior by setting up the fixed paths for shell script execution. This enhancement prevents the infiltration of malicious files on your assets and prevents you from any potential security threats. The updated shell script behavior also helps in mitigating the Untrusted Search Path Vulnerability (CWE-426). |
Known Issues, Limitations, and Workarounds
There are no known issues or limitations in this release.