Create a Qualys Containerized Scanner
This section provides detailed procedures for creating a Containerized Scanner. Before creating a Containerized Scanner, ensure that all the prerequisites are met.
Linux Host System Requirements
To manage and run QCSA Qualys Containerized Scanner Appliance efficiently, the following requirements must be met:
- The QCSA containerized scanners are tested and qualified for use on the following Linux distributions: CentOS 8, CentOS 9, Oracle Linux 8, Oracle Linux 9, Ubuntu 24.04, and Debian 12.5.
Containerized Scanner can be deployed on Linux distributions that are comparable to those listed under Qualified Linux Distributions.
- Linux host must have a 64-bit kernel version 3.10 or newer installed.
- Linux host must have at least 4 CPU Cores and 16 GB RAM memory.
-
The Linux host must have container runtime tools, such as Docker Engine or Podman, installed, enabled, and actively running. QCSA supports these tools in rootful mode.
- To ensure full scanning capabilities, it is recommended to enable ia32_emulation & turn off FIPS mode on the Linux host. If ia32_emulation is turned off or FIPS mode is enabled, the containerized scanner operates in 64-bit only mode, which limits support for certain target technologies.
- The Linux host must meet the following storage requirements for successful & efficient operation of QCSA Containerized Scanners.
- Shared Directory Storage: Allocate at least 20 GiB for the shared directory that stores the QCSA scanning engine (used across all containerized scanners on the host). Additionally, reserve at least 10 GiB of storage per scanner instance to accommodate scan data during execution. For example, if deploying 2 scanners, ensure the shared directory has a minimum of 20 GiB + 10 GiB + 10 GiB = 40 GiB of available space.
Note: Storage needs may increase depending on the size and complexity of the scan. Heavier scans will produce more scan data and require additional space. - /var Storage Considerations: Container logs are typically stored under `/var`, e.g.,
`/var/lib/docker/containers/<container-id>/<container-id>-json.log` for Docker deployments. Ensure the `/var` mount point has sufficient available space to handle scan logs and container storage. - Continuously monitor the host's storage usage and follow Linux Host Maintenance Practices provided to avoid scan disruptions or data loss due to insufficient space.
- Shared Directory Storage: Allocate at least 20 GiB for the shared directory that stores the QCSA scanning engine (used across all containerized scanners on the host). Additionally, reserve at least 10 GiB of storage per scanner instance to accommodate scan data during execution. For example, if deploying 2 scanners, ensure the shared directory has a minimum of 20 GiB + 10 GiB + 10 GiB = 40 GiB of available space.
- The containerization environment's backing filesystem must have File-locking support.
- Ensure that SELinux policies and firewall rules are configured to allow containers to run on Linux Hosts without restrictions
- To ensure the efficient operation of the QCSA containerized scanner, it is important to allocate the recommended storage on the Linux Host for the following purposes:
- Scanning Engine RPMs: Downloaded to the Linux Host prior to installation.
- Scan Data: Stored locally on the Linux Host.
- Scan Core Files: Generated by the containerized scanner and saved on the Linux Host.
-
Adequate storage on the Linux Host is essential for the containerized scanner to perform these operations effectively.
For details on the docker setup, refer to the official Docker documentation's Install Docker Engine section. In the documentation, choose the correct Linux OS version to get the steps for Docker configuration.
Prerequisites
The following are the prerequisites for creating a containerized Scanner:
- Obtain a personalization code from your Qualys subscription and set the scanner name to the Containerized Scanner name.
- Must have privileged user access with 'sudo' permissions on the Linux host.
- Create two directories on the Linux Host for the containerized scanner to store and manage its data:
<user-preferred-path>/qualys/shared<user-preferred-path>/qualys/private
These directories facilitate data storage and operational functionality for the containerized scanner.
- Download and configure the QCSA image on the Linux Host. For details, refer to QCSA Image Configuration.
The containerized scanner stores and manages its data as follows:
- Qualys strongly recommends against running a containerized scanner in rootless mode, as it may impact scan performance and the consistency of vulnerability results.
- Shared Directory: /qualys/shared
This directory can be shared across multiple qCSA scanners on the same host, enabling the reuse of common RPMs and binaries to accelerate initialization and future updates. It also provides a common storage space for all containers to store scan data during scans. Users have the flexibility to configure separate shared directories per container, though this may result in additional initialization time. - Private Directory: /qualys/private
Each containerized scanner creates a directory unique to its container in this location, named after its personalization code. This directory contains container-specific security keys and tokens. Deleting this directory from the Linux Host prevents the containerized scanner from being re-run.
Quick Steps to Create Containerized Scanner
Perform the following steps to create a Qualys Containerized Scanner:
- Configure QCSA Image.
- Generate Personalization Code.
- Get Qualys URL.
- Create Containerized Scanner.
- Custom Parameters for Containerized Scanner.
- Stop and Re-run Containerized Scanner.