Creating Custom QID Scripts
The CAR application is now closely integrated with the VM/VMDR application. The integration between CAR and VMDR allows you to create custom QIDs for vulnerabilities unique to your environment. You can identify potential risks in first-party and open-source software using VM/VMDR and CAR integration. You can create custom vulnerability definitions using detection scripts in CAR application, providing a comprehensive overview of all vulnerabilities in your environment.
You an create a custom QID script using the following ways:
- Manually enter a script
- Upload script from local machine
- Import from GitHub
- Import a predefined script
You can create up to 5000 Custom QIDs per subscription.
You can execute the Custom QID scripts only on the assets enabled for the VM/VMDR application.
Let us take an example of creating a Custom QID by providing the script manually and choosing Windows as a platform.
Creating Custom QID Scripts
To create a Custom QID script, follow these steps:
- Navigate to Scripts > Scripts > Create > New Script.
The Create New Script page is displayed.
- Enter a Name and Description for the script.
The Name of the script serves as the QID title by default. However, it can be customized.
The Description is a script description that serves as a vulnerability description. It is a part of 'Detection Summary' under 'Vulnerability Details'.
- Click Next to view the Script Details page is displayed.
- Select the Type of Script as Custom QID.
The Detection QID option is automatically selected.
- Select Platform (Unix, Windows, Linux, MAC).
- Complete the following QID details:
Fields Description Title Provide a title to your QID. QID Severity It is a QID Severity. You can select from values 1 to 5. Vulnerability Type Select the vulnerability type as Confirmed, Potential, or Information Gathered. For Vulnerability Type, Potential and Confirmed, you can provide the TruRisk QDS Score. However, for Vulnerability Type, Information Gathered, you can not provide the TruRisk QDS Score.
TruRisk Qualys Detection Score (QDS) Provide TruRisk QDS score. Impact Provide the details of the possible outcome if the vulnerability is exploited. Solution Provide a verified solution for the impact. CVE IDs Provide a CVE ID that is associated with a specific QID. Additional References Provide a URL or an ID as an additional reference. - From Add Script, select the Scripting Language from the list.
- Select the Scripting language in which you want to write the script.
The list of scripting languages for Windows, Unix, and Linux is different. When you select Linux or Unix as a Platform, you get scripting languages such as Lua, Perl, Python, and Shell in the drop-down list. Similarly, for Windows, we support scripting languages such as PowerShell-Command, PowerShell-Script, Python, and VBScript.
- Select a Category to label the script based on the use case.
- Specify the Timeout Limit in seconds, minutes, or hours.
The Timeout Limit lets you define how long a script must be in execution.
The Timeout Limit for all Windows, Linux, and Unix assets ranges from one second to 48 hours. The default value is 300 seconds.
- In the Scripts section, select Enter Script and manually enter the script by typing or copy-pasting it from another source.
You also have the following options to provide the script:
- Select the Create Script in the Approved state checkbox.
This option is available only for the manager role.
The user with any other user role must get the script approved by the authorized user. You can view the details on Qualys CAR RBAC.
- Enter the Return Code, Status, and Description based on the provided script.
You can provide multiple return codes for multiple scenarios. We recommend to avoid using the reserved operating system return codes.
QID is marked detected or not detected based on the exit code returned by the script you provide. We recommend you customize the script to return different exit codes based on your requirements.
You may want to use multiple exit codes in a custom QID script for detection. Therefore, we added the capability to add multiple return code mappings while creating a custom QID.
Example script for the Return CodeExample script for the Return Code
#!/bin/bashSECONDS=0lib_openssl_ver(){lib_list=$(find/ -name $1 -xdev ! -fstype nfs ! -fstype nfs4 ! -fstype cifs ! -fstype smbfs ! -fstype gfs ! -fstype gfs2 ! -fstype safenetfs ! -fstype secfs ! -fstype gpfs ! -fstype smb2 ! -fstype vxfs ! -fstype vxodmfs ! -fstype afs ! -fstype acfs 2>/dev/null)foriin$lib_listdoif!command-vstrings &>/dev/nullthenver=$(grep--text -o'OpenSSL [[:digit:]][^ ]*'$i 2>/dev/null|sort|uniq|tail-n 1|awk'{print $2}'2>/dev/null)if[[ -n $ver ]]thenecho"Path: $i"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullecho"Version(s): $ver"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullecho"----------------------------------------"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullver_chk=$(echo"$ver"|grep-E"3\.0\.[0-6]"2>/dev/null)if[[ -n $ver_chk ]]thenflag=$((flag+1))fifielsever=$(strings $i 2>/dev/null|grep-i -E"^openssl[[:blank:]]+[[:digit:]][^ ]*"2>/dev/null|sort|uniq|tail-n 1|awk'{print $2}'2>/dev/null)if[[ -n $ver ]]thenecho"Path: $i"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullecho"Version(s): $ver"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullecho"----------------------------------------"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullver_chk=$(echo"$ver"|grep-E"3\.0\.[0-6]"2>/dev/null)if[[ -n $ver_chk ]]thenflag=$((flag+1))fififidone}echo"Detecting OpenSSL version in libssl.so* and libcrypto.so*"|tee/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullecho"----------------------------------------"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullflag=0#Finding OpenSSL version in libssl.so*lib_openssl_ver libssl.so*#Finding OpenSSL version in libcrypto.so*lib_openssl_ver libcrypto.so*echo"vulnerabilitiesFound: $flag"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/nullduration=$SECONDSecho-e"\n$(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed in script execution"|tee-a/usr/local/qualys/cloud-agent/openssl_findings.stdout 2>/dev/null(ls/usr/local/qualys/cloud-agent/openssl_findings.stdout >>/dev/null2>&1 &&echo-e"\nScan Result File: /usr/local/qualys/cloud-agent/openssl_findings.stdout") ||echo-e"\nCan not create output file: /usr/local/qualys/cloud-agent/openssl_findings.stdout"if[ $flag -gt 0 ]thenexit99elseexit100fiReturn Code:99:Detected
100: Not Detected
- Click Next to view the Review and Confirm page.
- Review the details and click Save, or you can click Save and Create Schedule to create a QID scan schedule.
To create a schedule, refer to Scheduling Scripts.
A unique QID number is generated. Additionally, the Custom QID Script is created and is available for viewing under the Scripts tab for easy access and management.
Once created, you can edit the script. However, you can not edit the Vulnerability Type while editing the script.
After the custom QID script is created you can execute the script. For more information, refer to Executing Scripts.
Modify the Approved Script Content
The manager role can edit the content of the approved script.
To modify the approved script, follow these steps:
- Navigate to the Scripts tab.
- To edit a script, select an approved QID script and click Edit on the Quick Actions menu.
The Basic Information page is displayed.
-
Click Next to view the Scripts Details page.
- Modify the editable content as required.
- Provide the Reason for Edit.
- Click Next to view the Review and Confirm page.
- Review the script and click Update to save the changes to the script.