Create a Qualys Containerized Scanner
This section provides detailed procedures for creating a Containerized Scanner. Before creating a Containerized Scanner, ensure that all the prerequisites are met.
Linux Host System Requirements
To manage and run the Qualys Containerized Scanner Appliance (QCSA) efficiently, the following requirements must be met:
- The QCSA containerized scanners are compatible with containerization environments with the following Linux distributions: CentOS 8, CentOS 9, Oracle Linux 8, Oracle Linux 9, Ubuntu 24.04, and Debian 12.5.
- The Linux host must have a 64-bit kernel, version 3.10 or newer, installed.
- The Linux host must have at least 4 CPU cores and 16 GB of RAM.
- The Linux host must have container runtime tools, such as Docker Engine or Podman, installed, enabled, and actively running. QCSA supports these tools in rootful mode.
- To ensure full scanning capabilities, it is recommended to enable ia32_emulation on the Linux Host. If ia32_emulation is disabled, the containerized scanner operates in 64-bit only mode (Beta), which limits support for certain target technologies within its scanning capabilities.
- The containerization environment's backing filesystem must have at least 100 GB of available storage on the Linux host.
- The containerization environment's backing filesystem must have file-locking support.
- The containerization environment must have bridged networking.
- Podman is currently supported in rootful mode; rootless mode is not yet supported.
- Ensure that SELinux policies and firewall rules are configured to allow containers to run on Linux Hosts without restrictions.
- To ensure the efficient operation of the QCSA containerized scanner, it is important to allocate the recommended storage on the Linux Host for the following purposes:
  - Scanning Engine RPMs: Downloaded to the Linux Host prior to installation.
  - Scan Data: Stored locally on the Linux Host.
  - Scan Core Files: Generated by the containerized scanner and saved on the Linux Host.
  Adequate storage on the Linux Host is essential for the containerized scanner to perform these operations effectively.
For details on the Docker setup, refer to the official Docker ipv6 documentation's Install Docker Engine section. In the documentation, choose the correct Linux OS version to get the steps for Docker configuration.
Prerequisites
The following are the prerequisites for creating a Containerized Scanner:
- Obtain a personalization code from your Qualys subscription and set the scanner name to the Containerized Scanner name.
- You must have privileged user access with 'sudo' permissions on the Docker host.
- Create two directories on the Linux Host for the containerized scanner to store and manage its data:
  <user-preferred-path>/qualys/shared
  <user-preferred-path>/qualys/private
  These directories facilitate data storage and operational functionality for the containerized scanner.
- Download and configure the QCSA image on the Docker Host. For details, refer to QCSA Image Configuration.
The containerized scanner stores and manages its data as follows:
- Shared Directory: /qualys/shared
  This directory can be shared across multiple QCSA scanners on the same host, enabling the reuse of common RPMs and binaries to accelerate initialization and future updates. It also provides a common storage space for all containers to store scan data during scans. Users have the flexibility to configure separate shared directories per container, though this may result in additional initialization time.
- Private Directory: /qualys/private
  Each containerized scanner creates a directory unique to its container in this location, named after its personalization code. This directory contains container-specific security keys and tokens. Deleting this directory from the Linux Host prevents the containerized scanner from being re-run.
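The host requirements and the private directory described above can be checked before installation with a short preflight script. This is an added example, not Qualys code; the function names, the `--run` argument, the two path arguments, and the mode check on the private directory are assumptions made here.

```shell
#!/bin/sh
# Added example: preflight for the Linux host requirements on this page.
# Thresholds (kernel 3.10, 4 cores, 16 GB RAM, 100 GB storage) are the page's.

# kernel_ok RELEASE: true when a `uname -r` style string is 3.10 or newer.
kernel_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 10 ]; }
}

# kb_to_gb KB: round to the nearest GiB. MemTotal on a 16 GB host reads a
# little under 16 GiB after firmware and kernel reservations, so do not floor.
kb_to_gb() { echo $(( ($1 + 524288) / 1048576 )); }

# private_dir_ok DIR: true when group and others have no access to DIR.
# Assumption: this is a hardening check added here because the directory holds
# keys and tokens; the page does not state a required mode.
private_dir_ok() { [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]; }

is_64bit() { case "$1" in *64*) return 0 ;; *) return 1 ;; esac; }
at_least() { [ "$1" -ge "$2" ] 2>/dev/null; }
runtime_up() { docker info >/dev/null 2>&1 || podman info >/dev/null 2>&1; }

# report LABEL CMD...: run CMD, print PASS or FAIL, count failures in $fails.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"
    else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# preflight BASE STORE: BASE stands for <user-preferred-path>; STORE is the
# container runtime's storage directory (both supplied by the operator).
preflight() {
    fails=0
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    free_kb=$(df -Pk "$2" 2>/dev/null | awk 'NR==2 {print $4}')
    report "64-bit kernel"               is_64bit "$(uname -m)"
    report "kernel 3.10 or newer"        kernel_ok "$(uname -r)"
    report "at least 4 CPU cores"        at_least "$(nproc)" 4
    report "at least 16 GB RAM"          at_least "$(kb_to_gb "${mem_kb:-0}")" 16
    report "at least 100 GB available"   at_least "$(( ${free_kb:-0} / 1048576 ))" 100
    report "Docker or Podman responding" runtime_up
    report "private dir closed to group/others" private_dir_ok "$1/qualys/private"
    return "$fails"
}

# Usage: sudo sh preflight.sh --run <user-preferred-path> <runtime-storage-dir>
if [ "${1:-}" = "--run" ]; then preflight "$2" "$3"; fi
```

The exit status is the number of failed checks, so the script can gate an automated install step.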
Quick Steps to Create Containerized Scanner
Perform the following steps to create a Qualys Containerized Scanner:
- Configure QCSA Image.
- Generate Personalization Code.
- Get Qualys URL.
- Create Containerized Scanner.
- Custom Parameters for Containerized Scanner.
- Stop and Re-run Containerized Scanner.