Qualys Cloud Agent for Linux Intel Release 7.2.7
Limited Customer Release
September 04, 2025 (Updated November 05, 2025)
With this release, we are introducing the following new upgrades to Cloud Agent for Linux Intel.
Qualys Cloud Agent for Linux Intel 7.2.7 supports all features, enhancements, and fixes available with Cloud Agent 7.0.3, 7.1.7, and 7.2.3.
Enhancements for FHS Compliance
We have updated the locations of Cloud Agent log data and configuration files to /var/opt and /etc/opt for Cloud Agents installed in /opt directory. This enhancement makes Cloud Agent, File System Hierarchy Standard (FHS) compliant.
Phase 1 of the FHS-compliant Cloud Agent was released with Cloud Agent for Linux Intel 7.0.3.
The following table illustrates the changes to the storage locations of log data and configuration files.
| Data/Files | New Storage Location | Old Storage Location |
|---|---|---|
| Cloud Agent log data | /var/opt | /var |
| Configuration files | /etc/opt | /etc |
This enhancement does not update the location of the Cloud Agent HostID file. The HostID file will be available at — /etc/qualys/hostid.
- We recommend only manual upgrades while upgrading previous Cloud Agents to version 7.2.7.
- We recommend configuring the Agent Version Control profile with version 7.2.7 to prevent the Cloud Agent from auto-upgrading to a non-FHS-compliant version.
Enhancements for FIPS Compliance
We have upgraded the Cloud Agent for Linux Intel binary with SHA256 signing to ensure secure data transmission.
With these enhancements, Cloud Agents for the RPM-based platforms meet Federal Information Processing Standards (FIPS) and System V Application Binary Interface (SysVABI) compliance requirements.
Updated Default Folder for Cloud Agent Installation
With this release, we have updated the default folder for Cloud Agent installation to /opt. Earlier, /usr/local/ was the default folder for Cloud Agent installation. This enhancement makes Cloud Agent File System Hierarchy Standard (FHS) compliant.
Use the following commands to manage the Cloud Agents installed in the /opt folder:
- Installation command:
rpm -ivh qualys-cloud-agent.rpm - Provisioning command:
/opt/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx CustomerId=dxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx ServerUri=<platform_url>/CloudAgent/ - Upgrade command:
rpm -Uvh qualys-cloud-agent-7.0.3-8.x86_64.rpm
The upgraded Cloud Agent is installed in the/optfolder.When you upgrade a Cloud Agent installed in
/usr/local, new directories are created in the/optfolder, but directories present in the/usr/localfolder are not deleted. If required, you can delete these directories manually.
Limitations of Installing Cloud Agent in /opt Folder
The following are the limitations for Cloud Agents installed in the /opt folder:
- The following Qualys applications are not supported for Cloud Agents installed in the
/optfolder:- Endpoint Protection Platform (EPP)
- Host Isolation
- Mitigation
- Cloud Agent installed in the
/optfolder does not support auto-upgradation.We recommend you do not upgrade Cloud Agents installed in the
/optfolder to the/usr/localfolder. - Cloud Agent does not delete the directories present in the
/usr/localfolder automatically. You have to delete these directories manually.
Use Cases for Upgrading Cloud Agents
The following table illustrates the different scenarios when a Cloud Agent installed in /usr/local is upgraded using the upgrade command:
| Cloud Agent Version | Installation Location | Installation Type | Manual Upgrade |
|---|---|---|---|
| Newly installed Cloud Agent 6.2 and lower versions relocated to /opt | /opt/qualys | Symlinks are present in /usr/local/qualys | YES |
| Cloud Agents 6.2 and lower versions upgraded to v6.4 | /opt/qualys | Symlinks are present in /usr/local/qualys | YES |
| Newly installed Cloud Agent v6.4 | /opt/qualys | No symlinks are available | YES |
Control SwCA Installation
The Linux Intel Cloud Agent is upgraded to control the Software Composition Analysis (SwCA) installation. With this feature, you can control whether to install SwCA or to prevent it from downloading while installing or updating a Cloud Agent.
Run the following command to allow or prevent the SwCA binary download.
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh DisableSwcaPackageDownload={0|1}
Where, DisableSwcaPackageDownload is the parameter to control the SwCA binary download.
- Set
DisableSwcaPackageDownload=0to allow SwCA binary download. - Set
DisableSwcaPackageDownload=1to prevent SwCA binary download.
By default, Linux Intel Cloud Agent downloads the SwCA binary. Set DisableSwcaPackageDownload=1 to prevent SwCA binary download.
Privilege Management for CEP Processes
We enhanced the Command Execution Pipeline (CEP) to optimize the process default privileges.
When Cloud Agent runs with root access and useSudo=0 configuration, CEP commands will be executed without sudo privileges. Previously, CEP commands were executed with sudo privileges, despite having a useSudo=0 configuration, because useSudoForCep=1 is the default configuration for the Cloud Agent.
This enhancement ensures the consistent CEP process behavior and prevents redundant privilege escalation.
Refer to Qualys Cloud Agent for Linux Intel 7.2.3 Release Notes for more details.
Behavior Change
There are no behavior changes in this release.
Platform Coverage Support
There are no behavior changes in this release.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| Cloud Agent Migration | We fixed an issue where a Cloud Agent migrated between subscriptions on same platform was not displayed in the new subscription. |
| Manifest Download | We fixed an issue where the Cloud Agent stopped performing vulnerability scans after the Prevent Manifest Update option was enabled in the Manifest Version Control profile. Now, the Cloud Agent uses the previously downloaded manifest to perform vulnerability scans, even when the Prevent Manifest Update option is enabled.
The Manifest Version Control feature has limited availability. Contact Qualys support or TAM to get it enabled. |
| Provisioning | We fixed an issue where Cloud Agent cloned from master nodes were not displayed in the Qualys platform as they were assigned the same instance ID as that of master node. |
| Installation | We fixed an issue where an incorrect error message was displayed after the patch installation failure. Now, we display the correct error message to help in troubleshooting. |
| Installation | We fixed an issue where the Cloud Agent service stopped when the hostid file was missing on host assets. |
| SwCA Installation | We fixed an issue where the SwCA installer was getting deleted without successfully installing the SwCA application. Now, we will delete the installer only after the successful installation of SwCA. |
| SwCA Scan | We fixed an issue where the Cloud Agent could not perform SwCA scans due to the missing SwCA binary. To fix this issue, we have corrected the SwCA installation workflows. |
| Cloud Agent Storage | We fixed an issue where Cloud Agent functions were crashing because of the dump files generated during the execution of GET request. |
| Cloud Agent Parsing Error | We fixed an issue where AWS Instance and Linux Cloud Agent could not merge due to an IMDS Instance ID parsing error. |
| Control ID Error | We fixed an issue where the users were getting function errors for CIDs due to undetected OS versions for Ubuntu platforms, causing inconsistencies in the actual OS version and OS version displayed on the Cloud Agent user interface. Now, we have implemented the code changes to detect the latest Ubuntu platform versions to resolve this issue. |
| Un-trusted Search Path Vulnerability | The shell scripts packaged with the Cloud Agent installer execute multiple system utilities without an absolute path or resetting a path to a safe value. This allows a malicious actor to place harmful files on your assets when the shell scripts are executed with elevated privileges. We have updated this behavior by setting up the fixed paths for shell script execution. This enhancement prevents the infiltration of malicious files on your assets and prevents you from any potential security threats. The updated shell script behavior also helps in mitigating the Untrusted Search Path Vulnerability (CWE-426). |
Known Issues, Limitations, and Workarounds
The following are the known issues for Linux Intel Cloud Agent 7.2.7:
- The Linux Intel Cloud Agent versions 6.4 and 7.0 installed in the
/optdirectory do not support auto-upgrade to version 7.2.7. If the auto-upgrade is enabled for these Cloud Agents, the agent upgrade will fail.
The older Cloud Agents do not support auto-upgrade as they use the--relocateparameter along with-Uvhin the auto-upgrade command. As the RPM-based platforms do not support relocation to the same directory, hence the older Cloud Agents could not be auto-upgraded to version 7.2.7.
To upgrade these Cloud Agents to version 7.2.7, perform a manual upgrade using the following command:
rpm -Uvh qualys-cloud-agent.rpm- For Cloud Agent version 7.2.7, we have removed the
--relocateparameter from the auto-upgrade command. Hence, Linux Intel Cloud Agent 7.2.7 installed in the/optdirectory supports the auto-upgrade to higher versions. - The Cloud Agents that have the symbolic links created support auto-upgrade to higher versions.
- For Cloud Agent version 7.2.7, we have removed the
- TruRisk Mitigation and TruRisk Isolate applications are not supported for Linux Intel 7.2.7 Cloud Agent.
- When an older Cloud Agent is upgraded to version 7.27, the
/usr/local/qualysand/var/log/qualysdirectories are not removed from the host after the upgraded Cloud Agent is uninstalled. We keep these directories to ensure that no important data, such as configuration files, is deleted unintentionally.