Configure Zero-touch Snapshot-based Scan for Azure
Qualys Zero-touch Snapshot-based scanning is an agentless scanning technique that helps customers detect risk, vulnerabilities, and compliance posture for virtual machine/compute instances without affecting their current workload.
Snapshot-based assessment offers greater security by using a service account for running scans. The service account will be independent of the target Azure account, where most of your workload operates. The service account can perform scans on multiple target accounts, allowing for bulk scans. This ensures no disruptions and more cost-effective, faster, and reliable scans.
The below Qualys and Azure console configurations are required from the customer to enable Snapshot-based assessment on TotalCloud. With agentless scans, you can enable zero-touch Snapshot-based scans to assess vulnerability on your new assets.
Prerequisites for Snapshot-based Scan
- Qualys Cloud Platform subscription with full TotalCloud Subscription.
- Enable Zero-touch Snapshot-Based Scan to your subscription. Contact your Qualys Technical Account Manager (TAM) to enable it.
- The Azure user deploying the service subscription should have Owner access over the role boundary.
OS Compatibility
The following section lists the OS versions and supported platforms for Qualys Zero Touch Snapshot-based scan. Refer to Azure Snapshot-based Scan OS Compatibility Matrix.
Azure Services Created for Snapshot-based ScanAzure Services Created for Snapshot-based Scan
The following services are created as part of Snapshot-based scanning deployments.
azurerm_application_insights
azurerm_cosmosdb_account
azurerm_cosmosdb_sql_container
azurerm_cosmosdb_sql_database
azurerm_cosmosdb_sql_role_assignment
azurerm_cosmosdb_sql_role_definition
azurerm_eventgrid_event_subscription
azurerm_eventhub
azurerm_eventhub_namespace
azurerm_eventhub_namespace_authorization_rule
azurerm_key_vault_secret
azurerm_logic_app_action_custom
azurerm_logic_app_trigger_custom
azurerm_logic_app_workflow
azurerm_monitor_diagnostic_setting
azurerm_resource_group
azurerm_role_assignment
azurerm_role_definition
azurerm_service_plan
azurerm_servicebus_namespace
azurerm_servicebus_queue
azurerm_storage_account
azurerm_storage_blob
azurerm_storage_container
azurerm_user_assigned_identity
azurerm_windows_function_app
azurerm_virtual_network
(depending on the number of target locations)-
azurerm_eventgrid_system_topics
(depending on the number of target subscriptions) -
azurerm_key_vault
(depending on the number of target locations) -
azurerm_key_vault_key
(depending on the number of target locations) -
azurerm_network_security_group
(depending on the number of target locations)
Enable Snapshot-based Scan for Your Account
This section explains the required configuration on the Qualys Connectors application for enabling Snapshot-based scan on your account.
Navigate to the Connectors application > Create a new connector (or edit an existing one) > Navigate to the Tags and Activation step.
You can find the downloadable binary file in the "Snapshot-based Vulnerability Assessment" description box to the right.
You can see that, when you select the "Automatically activate all assets for VM Scanning application" checkbox, the snapshot-based scan checkbox is still unresponsive. You will need to configure the downloaded binary on your Azure as a Service and Target subscription for this option to be responsive.
Let's see how to configure your binaries.
Configuration at Microsoft Azure
- Navigate to https://portal.azure.com, log in, and click the icon next to the search bar; this opens the cloud terminal.
- Upload your binary file to the Azure terminal.
- Unzip the binary file using the command:
unzip azure-snapshot-scanner-linux-x64.zip
- Navigate to configs folder and open user-config.json on the editor.
- The config JSON contains several parameters for which you must provide values. We can go through the parameters below.
- Scanner Account Details
- Tenant ID: Obtain the Tenant ID from the Azure portal.
- Scanner Account Subscription ID: The Azure subscription ID for deploying Terraform as a scanner account.
- Scanner Account Preferred Location: The primary location for deploying all scanner-related resources.
- Scanner Account Subscription ID
- Target Account Management Groups: The list of management group names to be scanned. Provide each value in quotes and separate them by commas. For example, ["QF-3", "QF-2", "QF-1"].
- Target Account Subscriptions: The list of subscription IDs to be scanned. Provide each value in quotes and separated by commas. For example, ["d408f97e-xxxx-xxxx-xxx-50bbff759a5d", "4f1f9d77-xxx-xxxx-xxxx-1393d18aa43e"]
- Target Account Locations: The list of Azure locations the discovered VMs must belong to. Provide each value in quotes and separate them by commas.
- Target Role Boundary: Provide the subscription name to be scanned if the target is only a single subscription. Provide root management group name if there are multiple subscriptions.
- Qualys Parameters
- Qualys Endpoint: The URL of the Qualys endpoint where scanner reports will be shared or uploaded.
- Qualys Endpoint Token: The authentication token required for Qualys Endpoint.
- VM Filter Rules
- Must-have Tags: All tags from the list must be present and considered during VM discovery. Add multiple values in a comma-separated format.
- At least One Tag: At least one tag from the list must be present and considered during VM discovery. Add multiple values in a comma-separated format.
- None of the Tag: No tag from the list must be present and considered during VM discovery. Add multiple values in a comma-separated format.
- Scanner Settings - You can keep the default value to proceed.
- Scan Interval: The scan frequency where the scanner performs scans on an individual VM at the specified interval. Provide a value between 1 day and 30 days.
- Poll Interval: The polling frequency where the scanner fetches all VMs from the target subscriptions to scan them at specified intervals. Provide a value between 1 hour to 24 hours.
- Scanner Pause Interval: The scanner waits a specified number of minutes before executing a scan on the discovered VMs. The scanner will be paused for a designated period to accommodate new VMs for scanning. Provide a value between 1 minute to 30 minutes.
- Number of Concurrent Scanner Machines Per Location: The number of scanner machines to execute scans on a single location. You can provide a value from 1 to 30 VMs. Consider the VMs to consume for scanning when allocating vCPU quotas in Azure storage. For Quotas allocations, refer to the Azure Quotas documentation.
- Concurrency: The number of locations to be concurrently scanned. The value must be between 1 and 25.
- Network Settings - You can keep the default value to proceed.
- Public Virtual Network CIDR: The CIDR value for the scanner machine.
- Public Subnet CIDR: The CIDR value for the scanner machine.
- Scanner Account Details
- Once all the above parameters are filled, you are ready to run the deployment. Run the following command from the root of the unzipped folder.
./azure-snapshot-scanner-linux-x64 -c config/user-config.json -s qualys/terraform
This command deploys the entire stack.
You can find the below snippets in the outcome.
info: Validating configuration
info: Following resources will be deployed.
info: Total resources to be deployed: xxx
info: Deploying using terraform ...
info: This will take anywhere from 10 to 20 mins.
info: Plan: xxx to add, 0 to change, 0 to destroy.
info: Apply complete! Resources: xxx added, 0changed, 0 destroyed.
info: Deploy completed.
info: Running update-logic-apps. -
The user-config.json can be overwritten if the installer is unzipped again (with a newer version of binary) over an existing directory.
To avoid this, move the user-config to a different location or rename it and specify the same path in the deployment path. This way, customers will be using the same deployment and avoid having multiple new deployments with each version of the new binary released.
Configuration at Qualys Console
Once your stack is successfully deployed, the "Enable Snapshot-based scan" checkbox will be active on the connector app. Let's enable a Snapshot-based scan for your account.
- Navigate to the Connector app.
- Click Create Connector or Edit an existing connector
- Navigate to the Tags and Activation step.
- Select the Automatically activate all assets for VM Scanning checkbox.
- Select the Enable Zero-touch Snapshot Based Scan checkbox.
Deregister the Service Account
To deregister the service account and remove all the resources and stack, run the following command.
./azure-snapshot-scanner-linux-x64 -c config/user-config.json -s qualys/terraform --destroy
To remove the stack and resources alone while keeping the registration of the service account intact, use the following commands.
./azure-snapshot-scanner-linux-x64 -c config/user-config.json -s qualys/terraform --destroy-stack
./azure-snapshot-scanner-linux-x64 -c config/user-config.json -s qualys/terraform --destroy-resources