Configure Qualys Agent Scan

Supported Cloud Providers:  

Qualys Cloud Agent enables instant, global visibility of IT assets, even occasionally connected mobile and virtual devices, with the latest asset configuration data for security and compliance.

Qualys Cloud Agent, a low-footprint agent installed on endpoints, brings the high-performance functionality of all Qualys Cloud Platform services to all IT assets in the global enterprise.

The configurations below are required to enable Qualys Agent Scan on TotalCloud. With Qualys network sensors, you can enable Agent Scan to perform vulnerability assessments on your new assets.

OS Compatibility

The following section lists the OS versions and supported platforms for Qualys Agent Scan. Refer to Qualys Agent Scan Compatibility Matrix.

Pre-requisites

Qualys Console

  • Qualys Cloud Platform subscription with Cloud Agent.

  • Fetch the activation key details from Qualys Agent:

    • ActivationId

    • CustomerId

  • WebServerUrl (<Cloud Agent Server URL>/CloudAgent/). The Cloud Agent Server URL can be found at https://www.qualys.com/platform-identification/, e.g., for US POD2: https://qagpublic.qg2.apps.qualys.com/CloudAgent

  • Qualys API Username

  • Password

  • On the Qualys Admin Portal:

    • Create an API user in the Qualys portal with the below permission

AWS Console

  • SSM Agent on the EC2 instance should be installed and running.

    • The EC2 instance should have the proper SSM IAM role attached.

    • Endpoints need to be created from SSM to the subnet of the EC2 instances.

SSM Document Provisioning

Qualys Owned

Customers can use the public SSM document provided by Qualys to set up an agent scan.
Go to AWS Systems Manager > Documents > All Documents and search for the QualysCloudAgentSSMDocument document.

Customer Owned

Customers can also provision the SSM Document using QFlow templates.

The document provisioned in one account can be shared across all the customer’s AWS accounts.

Go to AWS Systems Manager > Documents, search for the document, and select Modify Permissions.

Next, add the AWS Account numbers for which you want to share this SSM Document.

SSM Run Command

Run using QFlow

QFlow provides out-of-the-box templates to run the SSM Document on the EC2 instance.

Navigate to the QFlow application and go to edit. In the search field, enter "Run".

Execute the “Run SSM Command” QFlow template.

Run using SSM State Manager

SSM State Manager runs the SSM document on a schedule, either on EC2 instances selected by tags or resource groups, or on all EC2 instances.

Go to AWS Systems Manager > State Manager and create an association for the Qualys-owned or self-provisioned SSM document.

Verification

Once all the prerequisites are met, the SSM document runs on the EC2 instances through QFlow or SSM State Manager. The Qualys Cloud Agent is then deployed immediately and starts showing on the Qualys Cloud Platform.

When the Qualys Cloud Agent performs a scan, the Vulnerabilities section starts reflecting vulnerabilities.

Additional Information

List of AWS SSM supported OS - https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-operating-systems.html

Connector permissions to be added:

  • cloudformation:CreateStack

  • ssm:SendCommand

  • ssm:ListTagsForResource

  • ssm:GetDocument

  • ssm:ListDocuments

  • ssm:DeleteDocument

  • ssm:CreateDocument
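
One way to check a connector's IAM policy document against the permission list above before enabling Agent Scan (an added example, not Qualys or AWS code). The function names and the sample policy are constructed for illustration, and the check assumes a simplified evaluation that looks only at Effect and Action and ignores Resource, Condition and NotAction.

```python
import json
import re

# The seven connector permissions listed on this page.
REQUIRED = [
    "cloudformation:CreateStack", "ssm:SendCommand", "ssm:ListTagsForResource",
    "ssm:GetDocument", "ssm:ListDocuments", "ssm:DeleteDocument",
    "ssm:CreateDocument",
]

# Constructed sample policy (not from the page): one gap, one Deny, one wildcard.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ssm:SendCommand", "ssm:Get*", "ssm:ListDocuments", "ssm:CreateDocument"]},
    {"Effect": "Allow", "Resource": "*", "Action": "cloudformation:CreateStack"},
    {"Effect": "Deny", "Resource": "*", "Action": "ssm:DeleteDocument"},
]})

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_connector_policy(policy_json):
    """Classify each required action as missing, denied, or wildcard-granted."""
    allow, deny = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are out of scope here
            continue
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt["Action"]))
    result = {"missing": [], "denied": [], "wildcard": []}
    for action in REQUIRED:
        if any(_matches(p, action) for p in deny):
            result["denied"].append(action)    # an explicit Deny always wins
        elif not any(_matches(p, action) for p in allow):
            result["missing"].append(action)   # SendCommand etc. would fail
        elif not any(p.lower() == action.lower() for p in allow):
            result["wildcard"].append(action)  # granted only by a broad pattern
    return result

if __name__ == "__main__":
    print(json.dumps(audit_connector_policy(SAMPLE_POLICY), indent=2))
```

Entries under "wildcard" work but grant more than the seven listed actions, so they are worth narrowing to the exact action names.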

Related Topics

Configure Zero-touch API-based Assessment