Release: QCSA 1.3

June 17, 2024 

What's New?

This release supports new features and enhancements in the following Linux Distributions.

  • Product Name:  QCSA-1.3  
  • Supported Linux Distribution: CentOS 8 | CentOS 9 | Oracle Linux 8 | Oracle Linux 9 | Ubuntu 24.04 | Debian 12.5

 QCSA supports deploying containerized scanners on Linux hosts running a 64-bit kernel with version 3.10 or later, regardless of the ia32_emulation setting. This includes systems with ia32_emulation enabled (enables 32-bit emulation for 32-bit binary execution requirements) as well as systems where it is disabled (pure 64-bit environments).

New Features

With this release, we have introduced a few features and logging improvements, such as a regular dump of system stats and metrics for better overload troubleshooting.

  • A FIPS-enabled container runtime environment is now supported, which means QCSA containerized scanners can be created or run on a FIPS-enabled Docker/Podman Linux host.
    • By default, QCSA runs in 32-bit emulation-enabled mode to support most common use cases. Use -e ALLOW_32BIT=no for a pure 64-bit environment and for FIPS-enabled Docker/Podman hosts.
  • New and Improved Logging:
    • At startup, the Qualys Containerized Scanner Appliance (QCSA) verifies the contents of its private directory. If the directory is empty or if the perscode, token, or scanner_ID files are missing, the scanner initiates a new personalization process.

      An empty private directory or missing files may occur in the following scenarios:

      • The container is newly deployed.

      • The private directory failed to remount during a container restart or rerun.

      To improve visibility, new log messages have been added. These messages indicate the start of the personalization process and display the personalization code and the contents of the private directory located at /usr/local/qualys/admin/etc/ within the container.

      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: No saved perscode in /usr/local/qualys/admin/etc directory, going to start personalization process with 70698763039178 code
      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: Content of /usr/local/qualys/admin/etc:
      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: total 12
      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: drwx--x--- 2 www www 4096 Jun  9 08:31 .
      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: drwx--x--- 8 www www 4096 Jun  9 05:16 ..
      2025-06-09T08:55:24+43411542 bbd916e0405d user.notice init: -rw------- 1 www www  111 Jun  6 13:29 .rpmmacros

      Missing api_token

      2025-06-09T09:09:35 f58e88272d05 user.notice init: Personalization code: 70698763039178
      2025-06-09T09:09:35 f58e88272d05 user.notice init: Required /usr/local/qualys/admin/etc/api_token file is missing
      2025-06-09T09:09:35 f58e88272d05 user.notice init: Content of /usr/local/qualys/admin/etc:
      2025-06-09T09:09:35 f58e88272d05 user.notice init: total 24
      2025-06-09T09:09:35 f58e88272d05 user.notice init: drwx--x--- 2 www www 4096 Jun  9 08:58 .
      2025-06-09T09:09:35 f58e88272d05 user.notice init: drwx--x--- 8 www www 4096 Jun  9 05:16 ..
      2025-06-09T09:09:35 f58e88272d05 user.notice init: -rw------- 1 www www  111 Jun  6 13:29 .rpmmacros
      2025-06-09T09:09:35 f58e88272d05 user.notice init: -rw-r--r-- 1 www www   45 Jun  9 08:58 api_url
      2025-06-09T09:09:35 f58e88272d05 user.notice init: -rw-r--r-- 1 www www   15 Jun  9 05:16 perscode
      2025-06-09T09:09:35 f58e88272d05 user.notice init: -rw------- 1 www www 3243 Jun  9 08:55 pkey.pem

      Missing scanner_id

      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: Personalization code: 70698763039178
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: Qualys POD URL: https://qualysguard.p06.eng.sjc01.qualys.com
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: Required /usr/local/qualys/admin/etc/scanner_id file is missing
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: Content of /usr/local/qualys/admin/etc:
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: total 28
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: drwx--x--- 2 www www 4096 Jun  9 09:11 .
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: drwx--x--- 8 www www 4096 Jun  9 05:16 ..
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: -rw------- 1 www www  111 Jun  6 13:29 .rpmmacros
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: -rw-r--r-- 1 www www   35 Jun  9 05:16 api_token
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: -rw-r--r-- 1 www www   45 Jun  9 08:58 api_url
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: -rw-r--r-- 1 www www   15 Jun  9 05:16 perscode
      2025-06-09T09:11:23+21915553 325268cf6059 user.notice init: -rw------- 1 www www 3243 Jun  9 08:55 pkey.pem
    • Qualys strongly recommends against running the containerized scanner in rootless mode, as it may impact scan performance and the consistency of vulnerability results. New log messages have been added to warn users when the containerized scanner is run in rootless mode.
      It is strongly recommended to run this container in rootfull mode. Current UID=0 maps to external UID=1000
      Heads up: running in rootless container mode can impact scan performance and the consistency of vulnerability results
      That’s because the network stack is emulated and NAT happens in user space
      If you understand the risks and still want to go ahead, add: -e AUTHORIZE_ROOTLESS=yes      
    • A low cgroups PID limit on the Linux host may prevent the QCSA containerized scanner from executing larger scans. New log messages have been introduced to alert users when this limit is detected and to offer the options of either removing the PID restriction or bypassing the check by overriding it.
      cgroups pids.max value is set and it's too low (2048) for even a moderately sized scan job.
      Use --pids-limit -1 option to remove the limit, or -e DISREGARD_PID_LIMIT=yes option to override the check.
    • Vulnerability scanning requires RAW sockets. A containerized scanner running in rootless mode with host networking configured cannot access RAW sockets due to insufficient privileges, which may affect its vulnerability scanning abilities. To prevent this configuration, an intentional check has been introduced to block the use of rootless mode with host networking.
      Vulnerability scannning requires use of RAW sockets, but the socket() call test has failed.
      It may happen when a container runs in rootless mode while configured to use host networking.      
    • Prior to the QCSA-1.3 release, container logs for the containerized scanner displayed AUTOUPDATE logs only during initialization and only when a new RPM was available for update. Starting with QCSA-1.3, all AUTOUPDATE activities, both during and after personalization, including the periodic connections (by default every 30 minutes) to the Qualys platform, are logged as well.
      2025-06-04T19:27:43+36230102 94136551f001 user.info autoupdate[2997]: [start:iscan-8,qualys,prod]
      2025-06-04T19:27:43+36230102 94136551f001 user.info autoupdate[2997]: [lock]
      2025-06-04T19:27:50+36230102 94136551f001 user.info autoupdate[2997]: [unlock]
      2025-06-04T19:27:50+36230102 94136551f001 user.info autoupdate[2997]: [stop]      
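
The new messages above lend themselves to automated triage of container logs. The following is an added example, not Qualys code: it flags the startup warnings quoted in these notes and reports AUTOUPDATE check-ins spaced further apart than the default 30 minutes. The finding labels, the 5-minute slack, and the line-prefix layout (inferred from the samples above) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Message fragments copied from the release notes; the labels are this example's own.
SIGNATURES = {
    "repersonalization": re.compile(r"No saved perscode in \S+ directory"),
    "missing_file": re.compile(r"Required (\S+) file is missing"),
    "rootless": re.compile(r"Current UID=0 maps to external UID=(\d+)"),
    "pid_limit": re.compile(r"pids\.max value is set and it's too low \((\d+)\)"),
    "raw_socket": re.compile(r"socket\(\) call test has failed"),
}
# Assumed layout: "<timestamp>[+suffix] <container id> <facility.level> <tag>[pid]: <message>"
PREFIX = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S* (\S+) \S+ (\w+)(?:\[\d+\])?: (.*)$")

def triage(lines):
    """Return (label, container_id, detail) for every startup warning seen."""
    findings = []
    for raw in lines:
        m = PREFIX.match(raw.strip())
        # Some warnings are shown without a syslog prefix; match them on the raw text.
        container, msg = (m.group(2), m.group(4)) if m else (None, raw.strip())
        for label, pattern in SIGNATURES.items():
            hit = pattern.search(msg)
            if hit:
                findings.append((label, container, hit.group(1) if hit.groups() else None))
    return findings

def autoupdate_gaps(lines, interval=timedelta(minutes=30), slack=timedelta(minutes=5)):
    """Return (previous, next) start times whose spacing exceeds interval + slack."""
    starts = []
    for raw in lines:
        m = PREFIX.match(raw.strip())
        if m and m.group(3) == "autoupdate" and m.group(4).startswith("[start"):
            starts.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    starts.sort()
    return [(a, b) for a, b in zip(starts, starts[1:]) if b - a > interval + slack]

# Constructed sample in the format shown above (not real scanner output).
SAMPLE = """\
2025-06-09T09:09:35 f58e88272d05 user.notice init: Required /usr/local/qualys/admin/etc/api_token file is missing
cgroups pids.max value is set and it's too low (2048) for even a moderately sized scan job.
2025-06-04T19:27:43+36230102 94136551f001 user.info autoupdate[2997]: [start:iscan-8,qualys,prod]
2025-06-04T19:57:45+36230102 94136551f001 user.info autoupdate[2997]: [start:iscan-8,qualys,prod]
2025-06-04T21:02:10+36230102 94136551f001 user.info autoupdate[2997]: [start:iscan-8,qualys,prod]
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    for prev, nxt in autoupdate_gaps(SAMPLE):
        print("autoupdate gap:", prev, "->", nxt)
```

A "repersonalization" or "missing_file" finding on a scanner that was already deployed points at the private directory not being remounted, the second scenario listed above.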

Limitations

The following features are not supported.

  • SCAP scan functionality  
  • Split networking  
  • Scanning of the following target technologies in 64-bit only mode:  
    • MySQL Database
    • MongoDB Database
    • CyberArk PIM vault support
    • Password auditing support for Windows