Understand the logs in Containerized Scanner

All the containerized scanner logs can be seen using the following command. This command gives an output of all logs from the containerized scanner since startup.

docker logs -f <containerized scanner name>
Use the following sample:

Containerized Scanner Logs

      
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Version:    qCSS-1.0.47-1
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Hostname:   d5f65c6bc15e
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host memory in MiB: 7940
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host swap in MiB:   15257
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host CPU(s):        4
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host CPU Model:     Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Hypervisor vendor:  VMware
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host uname: Linux d5f65c6bc15e 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 x86_64 x86_64 GNU/Linux
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Host cmdline        BOOT_IMAGE=/vmlinuz-6.1.0-21-amd64 root=UUID=69935025-dcb8-4d6a-b9e0-1ebc53b9166e ro security=selinux quiet
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container Env:      docker
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container ID:       d5f65c6bc15e
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container memory in MiB:    7940
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container swap in MiB:      15257
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container CPU(s):   4
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container CPU quota:        unlimited
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: IPv4: 172.17.0.2:255.255.0.0 gw=172.17.0.1
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: IPv6: no
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Nameservers:        10.0.100.10 10.0.100.11
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Job service polling interval: 30 sec
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Update service polling interval 30 min
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Platform info service polling interval: 10 min
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container initial limits:
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Limit                     Soft Limit           Hard Limit           Units
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max cpu time              unlimited            unlimited            seconds
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max file size             unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max data size             unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max stack size            8388608              unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max core file size        unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max resident set          unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max processes             unlimited            unlimited            processes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max open files            1048576              1048576              files
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max locked memory         8388608              8388608              bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max address space         unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max file locks            unlimited            unlimited            locks
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max pending signals       31513                31513                signals
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max msgqueue size         819200               819200               bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max nice priority         0                    0
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max realtime priority     0                    0
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max realtime timeout      unlimited            unlimited            us
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Container current limits:
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Limit                     Soft Limit           Hard Limit           Units
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max cpu time              unlimited            unlimited            seconds
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max file size             unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max data size             unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max stack size            8388608              unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max core file size        unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max resident set          unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max processes             unlimited            unlimited            processes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max open files            1024                 10240                files
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max locked memory         8388608              8388608              bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max address space         unlimited            unlimited            bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max file locks            unlimited            unlimited            locks
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max pending signals       31513                31513                signals
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max msgqueue size         819200               819200               bytes
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max nice priority         0                    0
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max realtime priority     0                    0
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Max realtime timeout      unlimited            unlimited            us
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: Securebits: 00/0x0/1'b0
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities:  secure-noroot: no (unlocked)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities:  secure-no-suid-fixup: no (unlocked)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities:  secure-keep-caps: no (unlocked)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: uid=0(root)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: gid=0(root)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice capabilities: groups=0(root)
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Personalization code: 70676785206617
2024-06-06T09:46:47+37205152 d5f65c6bc15e user.notice init: Qualys POD URL: https://qualysguard.p06.eng.sjc01.qualys.com
  • Version indicates QCSA Image Version.
  • Hostname and Container ID can be different. They do not necessarily need to be the same.
  • Host memoryHost swapHost CPU and Host CPU Model, these Linux host resources are printed in logs.
  • Hypervisor vendor indicates the hypervisor responsible for virtualizing Linux host.
  • Host uname indicates Linux host Kernel details.
  • Container Env shows the environment in which the Containerized Scanner is created.
  • Container memory, Container Swap, Container CPU, and Container CPU Qcontainer resources are printed in logs. Container CPU(s) shows the number of CPU(s) allocated to the Containerized Scanner, and Container CPU Quota shows the restricted CPU(s) for the Containerized Scanner. Unlimited specifies that CPU(s) are not limited, and all allocated CPU(s) are used.
  • IPv4, IPv6 & Nameservers are network configurations for Containerized Scanner.
  • The Job service polling interval, Update service polling interval & Platform info service polling interval show the configured values for the said intervals.
  • Next section of logs shows Container Limits and Capabilities.
  • Personalization code describes the Personalization code used for personalizing Containerized Scanner.
  • Qualys POD URL describes the Qualys Enterprise TruRisk™ Platform Server's Security Operations Center (SOC) URL.
  • Qualys strongly recommends against running a containerized scanner in rootless mode, as it may impact scan performance and the consistency of vulnerability results. The following log messages warn users when the containerized scanner is run in rootless mode.
    It is strongly recommended to run this container in rootfull mode. Current UID=0 maps to external UID=1000
    Heads up: running in rootless container mode can impact scan performance and the consistency of vulnerability results
    That’s because the network stack is emulated, and NAT happens in user space
    If you understand the risks and still want to go ahead, add: -e AUTHORIZE_ROOTLESS=yes      
        
    
  • The following log messages can be used to indicate the UID mode (rootful or rootless) in which the QCSA containerized scanner is running.
    Rootfull mode:
    2025-07-02T23:32:02+30375229 2532724bd68f user.notice init: UID info:   uid=0(root) gid=0(root) groups=0(root)
    2025-07-02T23:32:02+30375229 2532724bd68f user.notice init: UID mapping:
    2025-07-02T23:32:02+30375229 2532724bd68f user.notice init:          0          0 4294967295
    2025-07-02T23:32:02+30375229 2532724bd68f user.notice init: UID mode: Rootfull
    

    Rootless mode:

    2025-07-02T23:48:03+52042601 21702a34d842 user.notice init: UID info:   uid=0(root) gid=0(root) groups=0(root)
    2025-07-02T23:48:03+52042601 21702a34d842 user.notice init: UID mapping:
    2025-07-02T23:48:03+52042601 21702a34d842 user.notice init:          0       1000          1
    2025-07-02T23:48:03+52042601 21702a34d842 user.notice init:          1     100000      65536
    2025-07-02T23:48:03+52042601 21702a34d842 user.notice init: UID mode: Rootless, host user ID=1000
    
  • A low cgroups PID limit on the Linux host may prevent the QCSA containerized scanner from executing larger scans. Below log messages alert users when this limit is detected and to offer options on either removing the PID restriction or bypassing the check by overriding it.
    cgroups pids.The max value is set and it's too low (2048) for even a moderately sized scan job. Use the --pids-limit -1 option to remove the limit, or the -e DISREGARD_PID_LIMIT=yes option to override the check.
    
  • Vulnerability scanning requires RAW sockets. Containerized scanner in rootless mode with host networking configured, may affect vulnerability scanning abilities, as it cannot access RAW sockets due to insufficient privileges. Below intentional check has been introduced blocks the use of rootless mode with host networking.
    Vulnerability scannning requires use of RAW sockets, but the socket() call test has failed.
    It may happen when a container runs in rootless mode while configured to use host networking.