Custom Parameters for Containerized Scanner 

Customize the following parameters for Containerized Scanner:

Containerized Scanner with Custom Root CA

  1. Create a directory on the Docker host to store certificate files with custom root CA.
  2. Rename the certificate file to rootcert.pem.
    In the following example, we have created a rootcert directory with a certificate file.

    Sample

    [root@localhost ~]# ls -l /usr/local/rootcert/
    total 24
    -rw-r--r--. 1 root root 22785 Aug  3  2024 rootcert.pem
    [root@localhost ~]#
    
  3. Mount the directory with rootcert.pem while creating a containerized scanner.
  4. Use the parameter -v ~/<Path to Directory with rootcert.pem with custom root CA>:/usr/local/bin.
  5. In the following example, /root/rootcert is the directory where rootcert.pem is present, and /usr/local/bin is where the certificate file with the custom CA must be mounted on the Containerized Scanner.

    Sample

    [root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -v /root/rootcert:/usr/local/bin:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 23c136aa4fa1

Containerized Scanner with Proxy

Using the -e https_proxy='<user>:<password>@<proxy ip/fqdn>:<proxy port>' or -e HTTPS_PROXY='<user>:<password>@<proxy ip/fqdn>:<proxy port>' parameter with the docker run command, you can configure a proxy on the containerized scanner.

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e HTTPS_PROXY='user:pass@10.11.12.13:8080' -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
3946fc3b161bdff54d1d4a50ebbfb37261ab94d8fb5a1f57850f7e36fe13cf9a
[root@localhost ~]#

In the above example, the containerized scanner is configured to use the proxy at IP 10.11.12.13, port 8080, with proxy user authentication.

Proxy Password with Special Characters

QCSA depends on the libcurl library for proxy configuration, including the parsing of the proxy string. With curl, special characters in the proxy credentials must be hex-encoded and prefixed with a % sign (percent-encoding).

Example:

Suppose you want to pass -e HTTPS_PROXY='user:qu@lys@10.10.10.10:8080', where the proxy password is qu@lys. Curl does not accept the special character written in plain text, so you need to encode "@". The hex value of "@" is 40; prefix it with "%" and substitute %40 for "@", and the password becomes qu%40lys. After encoding, the proxy configuration becomes -e HTTPS_PROXY='user:qu%40lys@10.10.10.10:8080'.

Refer to an ASCII table for the hex values needed to encode other special characters.
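Encoding the password by hand works for one "@", but a password with several reserved characters (":", "/", "%", spaces) is easy to get wrong. The following POSIX shell snippet is an added example, not part of the Qualys documentation or product: it percent-encodes every character outside the URL unreserved set (letters, digits, "-", ".", "_", "~") and assembles the HTTPS_PROXY value so it can be passed straight to docker run. The function names percent_encode and build_https_proxy are this example's own, and the sample credentials are constructed. It handles ASCII passwords only, which is the case the ASCII-table guidance above covers.

```shell
#!/bin/sh
# Added example (not Qualys code): percent-encode proxy credentials the way
# libcurl expects them in the HTTPS_PROXY URL. ASCII input only.

# percent_encode STRING: print STRING with every character outside the URL
# unreserved set (A-Z a-z 0-9 - . _ ~) replaced by %XX (uppercase hex).
percent_encode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remaining input
        s=${s#?}                 # remaining input without that character
        case $c in
            [A-Za-z0-9.~_-]) out="$out$c" ;;
            # printf with a leading quote yields the character's ASCII code,
            # which %02X renders as two hex digits; '%%' is a literal '%'.
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# build_https_proxy USER PASSWORD HOST PORT: print user:pass@host:port with
# the user and password percent-encoded. Host and port are used verbatim.
build_https_proxy() {
    printf '%s:%s@%s:%s' "$(percent_encode "$1")" "$(percent_encode "$2")" "$3" "$4"
}

# Usage with the page's sample values (constructed password qu@lys):
#   HTTPS_PROXY=$(build_https_proxy user 'qu@lys' 10.10.10.10 8080)
#   docker run -d -e HTTPS_PROXY="$HTTPS_PROXY" ... <image id>
# HTTPS_PROXY is then user:qu%40lys@10.10.10.10:8080, matching the text above.
```

Quoting the password in single quotes when calling the function matters: without them, characters such as "$" or "!" would be interpreted by the shell before the function ever sees them.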

Custom Job Service Polling Interval

The Containerized Scanner's default Job service polling interval is 30 seconds. Every 30 seconds, the Containerized Scanner syncs with the Qualys Platform servers and checks for Containerized Scanner jobs (scan, shutdown). This default frequency can be changed with the parameter SCAND_POLL_INTERVAL_SEC, specified in seconds. The minimum Job service polling interval is 30 seconds and the maximum is 180 seconds.

Use the environment variable: -e SCAND_POLL_INTERVAL_SEC=<Interval in Seconds>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e SCAND_POLL_INTERVAL_SEC=60 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
400c1022a7d5c2f1f47cca5df4dc0a81ae18348276f7b27392fa4b8b51bf39aa
[root@localhost ~]#

The above example creates a Containerized Scanner with a Job service polling interval of 60 seconds.

Custom Updates Query Frequency

The Containerized Scanner's default Update service polling interval is 30 minutes. Every 30 minutes, the Containerized Scanner checks for Qualys Scanning Engine package updates. If new updates are available, the Containerized Scanner downloads them and installs them on the Docker host's common (shared) storage for Containerized Scanners. This default frequency can be changed with the parameter UPDATE_INTERVAL_MIN, specified in minutes. The minimum Update service polling interval is 30 minutes and the maximum is 240 minutes.

Use the environment variable: -e UPDATE_INTERVAL_MIN=<Interval in Minutes>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e UPDATE_INTERVAL_MIN=31 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
ff9b7a5cbce5acfa6b7ac2c761415f8fc83cb2ad0d7c4ae195f01ff027109b00
[root@localhost ~]#

The above sample creates a Containerized Scanner with an Update service polling interval of 31 minutes.

Custom Platform Info Service Polling Interval

The Containerized Scanner's default Platform info service polling interval is 10 minutes. Every 10 minutes, the scanner syncs with the Qualys Platform. This is the scanner's keep-alive frequency: at this interval, the scanner communicates with the Qualys Platform server to stay active and maintain its validity. This default frequency can be changed with the parameter REFRESH_INTERVAL_MIN, specified in minutes. The minimum Platform info service polling interval is 10 minutes and the maximum is 360 minutes.

Use the environment variable: -e REFRESH_INTERVAL_MIN=<Interval in Minutes>

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e REFRESH_INTERVAL_MIN=11 -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
1d4b2649bb2e3d23a6def1f60561701ddb1c25969f237d705e492df8c0efae57
[root@localhost ~]#

In the above example, the Containerized Scanner is created with a Platform info service polling interval of 11 minutes.
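The three interval parameters above each have a documented minimum and maximum (30-180 seconds, 30-240 minutes and 10-360 minutes respectively), but the page does not say how the scanner reacts to a value outside those bounds, so it is safer to reject such values before the container is launched. The following POSIX shell snippet is an added example, not part of the Qualys documentation or product: it validates the three values against the limits stated on this page and emits the corresponding -e arguments for docker run. The function names check_interval and scanner_interval_flags are this example's own.

```shell
#!/bin/sh
# Added example (not Qualys code): pre-flight check for the scanner polling
# intervals. Bounds are the ones documented on this page.

# check_interval NAME VALUE MIN MAX: succeed only if VALUE is a whole number
# within [MIN, MAX]; otherwise print the reason to stderr and fail.
check_interval() {
    name=$1 value=$2 min=$3 max=$4
    case $value in
        ''|*[!0-9]*)
            printf '%s: "%s" is not a whole number\n' "$name" "$value" >&2
            return 1 ;;
    esac
    if [ "$value" -lt "$min" ] || [ "$value" -gt "$max" ]; then
        printf '%s=%s is outside the supported range %s-%s\n' \
            "$name" "$value" "$min" "$max" >&2
        return 1
    fi
}

# scanner_interval_flags POLL_SEC UPDATE_MIN REFRESH_MIN: validate all three
# values against the documented limits and print the -e flags for docker run.
scanner_interval_flags() {
    check_interval SCAND_POLL_INTERVAL_SEC "$1" 30 180 || return 1
    check_interval UPDATE_INTERVAL_MIN "$2" 30 240 || return 1
    check_interval REFRESH_INTERVAL_MIN "$3" 10 360 || return 1
    printf '%s' "-e SCAND_POLL_INTERVAL_SEC=$1 -e UPDATE_INTERVAL_MIN=$2 -e REFRESH_INTERVAL_MIN=$3"
}

# Usage with the values from the samples on this page (60 s, 31 min, 11 min):
#   FLAGS=$(scanner_interval_flags 60 31 11) || exit 1
#   docker run -d $FLAGS -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE ... <image id>
```

The unquoted $FLAGS in the usage is deliberate: the output is a space-separated list of arguments that docker run must receive as separate words, and none of the values can contain whitespace because check_interval only accepts digits.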

Containerized Scanner with IPv6

The Containerized Scanner supports IPv6 networking.
For details, refer to the Enable IPv6 support section of the official Docker IPv6 documentation. Once the IPv6 network is created, it can be assigned to the Containerized Scanner using --network <IPv6 Network/Subnet name>.

Sample

[root@bhp-docker ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
ae4f1f41d022   bridge    bridge    local
ee96e6fb83c9   host      host      local
959ceb01ca0e   ip6net    bridge    local
a41e0d5cb73e   none      null      local
[root@bhp-docker ~]#
[root@bhp-docker ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" --network ip6net -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com a5c67a0d6756
51a3ac7f05a80f8bffd91d71709edb5078bbeee76e5cf416e0c1849b4ce3baea
[root@bhp-docker ~]#

Next Step

Understand the logs in Containerized Scanner