Creating Custom QID Scripts 

The CAR application is now closely integrated with the VM/VMDR application. The integration between CAR and VMDR allows you to create custom QIDs for vulnerabilities unique to your environment. You can identify potential risks in first-party and open-source software using the VM/VMDR and CAR integration. You can create custom vulnerability definitions using detection scripts in the CAR application, providing a comprehensive overview of all vulnerabilities in your environment.

There are three ways to create a Custom QID script: you can enter a script manually, upload a script from your local machine, or import it from GitHub.

You can create up to 2000 Custom QIDs per subscription. 

Note: You can execute the Custom QID scripts only on the assets enabled for the VM/VMDR application.

Let us take an example of creating a Custom QID by providing the script manually and choosing Linux as the platform.

Creating Custom QID Scripts

Let us view the steps to create a Custom QID:

1. Navigate to Scripts > Scripts > Create New Script

After clicking New Script, you are navigated to Create New Script.

2. In Create New Script, provide Name, Description, and Severity

The name of the script serves as the QID title by default. However, it can be customized.

The description of the script serves as the vulnerability description. It is a part of 'Detection Summary' under 'Vulnerability Details'.

3. From the Severity drop-down list, select the severity value from 1 to 5. 

The severity level defines the criticality of the script. You can learn more about severity levels in the VM/VMDR online help.

4. Click Next to navigate to Script Details.

5. On the Script Details page, select Custom QID from the Type of Script.

The Detection QID is automatically selected.

6. Select Platform (Unix, Windows, or Linux).

7. Provide the inputs for QID Details.

8. From Add Script, select the Scripting Language and Category from the respective drop-down lists.

9. Select the Scripting language in which you want to write the script. 

Note: For Windows, Unix, and Linux, the list of Scripting Languages is different. 

On selecting Linux or Unix as Platform, the drop-down list offers scripting languages such as Lua, Perl, Python, and Shell.

Similarly, for Windows, we support scripting languages such as PowerShell-Command, PowerShell-Script, Python, and VBScript.

10. Select Category to label the script based on the use case. 

11. Specify the Timeout Limit in seconds, minutes, or hours. The Timeout Limit lets you define how long a script can remain in execution.

The Timeout Limit for all Windows assets, Linux assets, and Unix assets ranges from one second to 48 hours. The default value is 300 seconds.

12. In Scripts, manually provide the script by typing or copying and pasting it from another resource.

You can also upload the script from a local machine.

Or you can import the script from GitHub by directly connecting to your public or private repository.

13. Select Create Script in Approved state.

Note: This option is available only for the manager role.

Important: A user with any other role must get the script approved by an authorized user. You can view the details on Qualys CAR RBAC.

14. Enter the Return code and the Status based on the script you provide.

The QID is marked detected or not-detected based on the exit code returned by the script you provide. We recommend that you customize the script to return different exit codes based on your requirement.

Script example for Return Code:

    #!/bin/bash
    # Reports the OpenSSL version embedded in libssl.so* and libcrypto.so* and
    # exits 99 (Detected) or 100 (Not Detected).

    SECONDS=0
    out=/usr/local/qualys/cloud-agent/openssl_findings.stdout

    # Scan every file on local filesystems whose name matches the pattern in $1.
    lib_openssl_ver(){
        # "$1" is quoted so that find, not the shell, expands the wildcard.
        lib_list=$(find / -name "$1" -xdev ! -fstype nfs ! -fstype nfs4 ! -fstype cifs ! -fstype smbfs ! -fstype gfs ! -fstype gfs2 ! -fstype safenetfs ! -fstype secfs ! -fstype gpfs ! -fstype smb2 ! -fstype vxfs ! -fstype vxodmfs ! -fstype afs ! -fstype acfs 2>/dev/null)
        for i in $lib_list
        do
            if ! command -v strings &> /dev/null
            then
                # strings is not installed: search the binary directly with grep.
                ver=$(grep --text -o 'OpenSSL [[:digit:]][^ ]*' "$i" 2>/dev/null |sort|uniq|tail -n 1|awk '{print $2}' 2>/dev/null)
            else
                ver=$(strings "$i" 2>/dev/null| grep -i -E "^openssl[[:blank:]]+[[:digit:]][^ ]*" 2>/dev/null|sort|uniq|tail -n 1|awk '{print $2}' 2>/dev/null)
            fi
            if [[ -n $ver ]]
            then
                echo "Path: $i" | tee -a "$out" 2>/dev/null
                echo "Version(s): $ver" | tee -a "$out" 2>/dev/null
                echo "----------------------------------------" | tee -a "$out" 2>/dev/null
                # Flag 3.0.0 through 3.0.6; anchored so 3.0.10 or 13.0.1 do not match.
                ver_chk=$(echo "$ver"|grep -E '^3\.0\.[0-6]([^0-9]|$)' 2>/dev/null)
                if [[ -n $ver_chk ]]
                then
                    flag=$((flag+1))
                fi
            fi
        done
    }

    echo "Detecting OpenSSL version in libssl.so* and libcrypto.so*" | tee "$out" 2>/dev/null
    echo "----------------------------------------" | tee -a "$out" 2>/dev/null
    flag=0

    # Finding OpenSSL version in libssl.so*
    lib_openssl_ver 'libssl.so*'

    # Finding OpenSSL version in libcrypto.so*
    lib_openssl_ver 'libcrypto.so*'

    echo "vulnerabilitiesFound: $flag" | tee -a "$out" 2>/dev/null

    duration=$SECONDS
    echo -e "\n$(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed in script execution" | tee -a "$out" 2>/dev/null
    (ls "$out" >> /dev/null 2>&1 && echo -e "\nScan Result File: $out") || echo -e "\nCan not create output file: $out"

    # The exit code determines the QID status: 99 = Detected, 100 = Not Detected.
    if [ "$flag" -gt 0 ]
    then
        exit 99
    else
        exit 100
    fi

Return Code:

99: Detected

100: Not Detected

Note: We recommend that you avoid using the reserved operating system return codes.

15. Click Next to navigate to Review and Confirm.

16. From Review and Confirm, click Confirm & Save.

A QID number is generated. 

Your Custom QID Script is created and you can view it on the Scripts Details.
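
The return-code mapping entered in step 14, shown as an added example (not Qualys code): it classifies version strings against the same 3.0.0 to 3.0.6 range the sample script checks and reduces them to one exit code. The third code 101, the function names, and the choice to treat 0-2 and 126-255 as reserved are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Qualys code. 99 and 100 are the page's return codes;
# RC_ERROR=101 and all function names are assumptions for illustration.
RC_DETECTED=99
RC_NOT_DETECTED=100
RC_ERROR=101

# Succeeds only for codes outside the ranges shells already give meaning to:
# 0-2 (success, general error, usage error), 126-127 (cannot execute, not
# found) and 128+ (killed by signal). Calling these "reserved" is an assumption.
is_unreserved_rc() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 3 ] && [ "$1" -le 125 ]
}

# Classify one version string against the 3.0.0 to 3.0.6 range that the
# page's sample script checks. Exact-length patterns keep 3.0.10 out.
classify_version() {
    case "$1" in
        3.0.[0-6]|3.0.[0-6][!0-9]*) echo detected ;;
        [0-9]*.[0-9]*)              echo not_detected ;;
        *)                          echo unknown ;;
    esac
}

# Reduce every version string found on a host to one return code.
decide_rc() {
    detected=0 parsed=0
    for v in "$@"; do
        case "$(classify_version "$v")" in
            detected)     detected=$((detected + 1)); parsed=$((parsed + 1)) ;;
            not_detected) parsed=$((parsed + 1)) ;;
        esac
    done
    if [ "$detected" -gt 0 ]; then
        echo "$RC_DETECTED"
    elif [ "$#" -gt 0 ] && [ "$parsed" -eq 0 ]; then
        echo "$RC_ERROR"        # input present but nothing parseable
    else
        echo "$RC_NOT_DETECTED"
    fi
}

# Demo on constructed version strings: run with --demo, then inspect $?.
if [ "${1:-}" = "--demo" ]; then
    for rc in "$RC_DETECTED" "$RC_NOT_DETECTED" "$RC_ERROR"; do
        is_unreserved_rc "$rc" || { echo "reserved code: $rc" >&2; exit "$RC_ERROR"; }
    done
    exit "$(decide_rc 1.1.1k 3.0.5-fips 3.0.10)"
fi
```

A separate code for "could not determine" keeps a failed check from being recorded as Not Detected; it needs its own Return code and Status entry in step 14.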

Next Step

Execute the script. A job is created when you execute a script. For more information, refer to Executing Scripts. 

 

Related Topics

Testing Scripts

Reviewing and Approving Scripts

Executing Scripts

Exporting and Importing Scripts