Custom Parameters for Containerized Scanner

The following section describes how to customize the parameters for the Containerized Scanner for SCP and PCP users.

SCP (Shared Cloud Platform) Users

Containerized Scanner with Proxy 

Users may need a proxy to establish a connection with Qualys Platform Servers. QCSA supports proxy configuration: pass -e https_proxy='<user>:<password>@<proxy ip/fqdn>:<proxy port>' or -e HTTPS_PROXY='<user>:<password>@<proxy ip/fqdn>:<proxy port>' to the docker run command to configure the proxy on the containerized scanner.

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir  -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e HTTPS_PROXY='user:pass@10.11.12.13:8080' -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
3946fc3b161bdff54d1d4a50ebbfb37261ab94d8fb5a1f57850f7e36fe13cf9a
[root@localhost ~]#

In the above example, the containerized scanner is configured to use proxy IP 10.11.12.13 with port 8080 with proxy user authentication.

Proxy Password with Special Characters

QCSA depends on the libcurl library for proxy configuration, including the parsing of the proxy string. With curl, special characters must be hex encoded and passed with a % sign.

Example

Suppose the proxy password is qu@lys, so you want to pass -e HTTPS_PROXY='user:qu@lys@10.10.10.10:8080'. Curl does not accept the special character written in plain text, so you need to encode "@". The hex encoded value for the special character "@" is 40. Replace "@" with this hex encoded value preceded by "%". Your password becomes qu%40lys. After encoding, the proxy configuration for the user becomes -e HTTPS_PROXY='user:qu%40lys@10.10.10.10:8080'.

Refer to the ASCII Table to hex encode the special characters.
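
The encoding described above, as an added shell example (not Qualys code): it percent-encodes the proxy user and password and builds the HTTPS_PROXY value. The function names are hypothetical, and writing the value to a file for docker run --env-file (a standard Docker option) instead of -e is an assumption of this example, made to keep the password out of shell history.

```shell
#!/bin/sh
# Added example, not Qualys code. Function names are hypothetical.

# Percent-encode every byte that is not an RFC 3986 unreserved character,
# which is the form libcurl expects inside the user:password part.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first byte
        c=${s%"$rest"}         # the first byte
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Build <user>:<password>@<host>:<port> with encoded credentials.
proxy_value() {
    printf '%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Write HTTPS_PROXY to a file readable only by its owner, for use with
# `docker run --env-file <file>` in place of -e HTTPS_PROXY='...'.
# Arguments: file user password host port
write_proxy_env() {
    ( umask 077 && rm -f "$1" &&
      printf 'HTTPS_PROXY=%s\n' "$(proxy_value "$2" "$3" "$4" "$5")" > "$1" )
}

# The page's example (password qu@lys):
proxy_value user 'qu@lys' 10.10.10.10 8080; echo
```

Environment variables passed either way remain visible in docker inspect output, so access to the Docker daemon should be restricted as well.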

Custom Job Sync Interval

Containerized Scanner's default Job Sync Interval is 30 seconds. Every 30 seconds, the Containerized Scanner syncs with Qualys Platform Servers and checks for Containerized Scanner jobs (scan, shutdown). This default frequency can be changed with the parameter, SCAND_POLL_INTERVAL_SEC, specified in units of seconds. The minimum limit for Job service polling interval is 30 Seconds and maximum limit is 180 seconds.

Use Environment Variables: -e SCAND_POLL_INTERVAL_SEC=<Interval in Seconds>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e SCAND_POLL_INTERVAL_SEC=60 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
400c1022a7d5c2f1f47cca5df4dc0a81ae18348276f7b27392fa4b8b51bf39aa
[root@localhost ~]#

The above example creates a Containerized Scanner with a Job Sync Interval of 60 Seconds.

Custom Updates Query Frequency

Containerized Scanner's default Update service polling interval is 30 minutes. Every 30 minutes, the Containerized Scanner checks for Qualys Scanning Engine Packages updates. If new updates are available, Containerized Scanner downloads them and installs them on the Docker Host's common or shared storage for Containerized Scanners. This default frequency can be changed with the parameter, UPDATE_INTERVAL_MIN, specified in units of minutes. The minimum limit for Update service polling interval is 30 Minutes and maximum limit is 240 Minutes.

Use Environment Variables: -e UPDATE_INTERVAL_MIN=<Interval in Minutes>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e UPDATE_INTERVAL_MIN=31 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
ff9b7a5cbce5acfa6b7ac2c761415f8fc83cb2ad0d7c4ae195f01ff027109b00
[root@localhost ~]#

The above sample creates a Containerized Scanner with an update service polling interval of 31 Minutes.

Custom Config Sync Interval

Containerized Scanner's default Config Sync Interval is 10 minutes. Every 10 minutes, the Scanner syncs with the Qualys Platform. This is a keep-alive frequency for the scanner. At this frequency, the scanner communicates with the Qualys platform server to stay active and maintain its validity. This default frequency can be changed by the parameter REFRESH_INTERVAL_MIN, specified in units of minutes. The minimum limit for Config Sync Interval is 10 Minutes and maximum limit is 360 Minutes.

Use Environment Variables: -e REFRESH_INTERVAL_MIN=<Interval in Minutes>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e REFRESH_INTERVAL_MIN=11 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412                       
1d4b2649bb2e3d23a6def1f60561701ddb1c25969f237d705e492df8c0efae57
[root@localhost ~]#

In the above example, Containerized Scanner is created with a Config Sync Interval of 11 Minutes.

Containerized Scanner with IPv6

IPv6 networking is supported on containerized scanners.
For details, refer to the Enable IPv6 support section of the official Docker IPv6 Documentation. Once the IPv6 network is created, it can be assigned to the Containerized Scanner using --network <IPv6 Network/Subnet name>.

Sample

[root@bhp-docker ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
ae4f1f41d022   bridge    bridge    local
ee96e6fb83c9   host      host      local
959ceb01ca0e   ip6net    bridge    local
a41e0d5cb73e   none      null      local
[root@bhp-docker ~]#
[root@bhp-docker ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" --network ip6net -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com a5c67a0d6756
51a3ac7f05a80f8bffd91d71709edb5078bbeee76e5cf416e0c1849b4ce3baea
[root@bhp-docker ~]#

Scanner in 64bit Only Mode (Beta)

To run the containerized scanner in 64-bit mode only, users must set the environment variable by including "-e ALLOW_32BIT=no" in the containerized scanner creation command.

Sample

[root@localhost ~]# PERSONALIZATION_CODE=70631574310463; NAME=Qualys_Container; mkdir -p /root/qcss/private/$PERSONALIZATION_CODE; docker run -d -v /root/qcss/common:/usr/local/qualys:z -v /root/qcss/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name $NAME -e ALLOW_32BIT=no -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com -it 77ad0fe1702e
9b65d34279e224320f30b39f2d5c57bb6efc47d578d5e5b676ebb59d8c6eacfe
[root@localhost ~]#

This feature is in Beta. Containerized scanner in this mode limits support for certain target technologies within its scanning capabilities.

PCP (Private Cloud Platform) Users

PCP users must provide the Root CA when they run the containerized scanner creation command. This ensures the scanner can establish a secure connection with Qualys Platform Servers. If you need assistance with the Root CA, contact Qualys Technical Support.

Containerized Scanner Creation with Custom Root CA (PCP Users)

Follow these steps to create a containerized scanner:

  1. Create a directory on the Linux Host to store the Root CA certificate file.
  2. Rename the Root CA certificate file to rootcert.pem.

    Sample

    [root@localhost ~]# ls -l /root/rootcert/
    total 24
    -rw-r--r--. 1 root root 22785 Aug  3  2024 rootcert.pem
    [root@localhost ~]#

    In the above example, a rootcert directory is created to store the certificate file. Users can select their preferred directory and file path based on their requirements.

  3. Mount the directory with rootcert.pem while creating a containerized scanner. 
  4. Use the parameter -v ~/<Path to Directory with rootcert.pem with custom Root CA certificate file>:/usr/local/bin.
    Refer to the following example.

    Sample

    [root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -v /root/rootcert:/usr/local/bin:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 23c136aa4fa1
    

    /root/rootcert is the directory where rootcert.pem is present, and /usr/local/bin is the path on the Containerized Scanner where the directory containing the Root CA certificate file must be mounted.
