MS SQL Record

GET, POST /api/2.0/fo/auth/ms_sql/

Create, update, list and delete MS SQL records for authenticated scans of MS SQL Server instances. Compliance scans are supported (using PC).

Requirement - You must configure authentication credentials on target hosts.

Download Qualys User Guide - MS SQL Server 2000 Authentication (.pdf)

Download Qualys User Guide - MS SQL Server 2005-2022 Authentication (.pdf)

Input Parameters

Parameter

Required/Optional

Data Type

Description

action={action}

Required String 

Specify create, update, delete (using POST) or list (using GET or POST). See List Auth Records for type

echo_request={0|1}

Optional Integer 

Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

ids={value}

Required to update or delete record Integer 

Record IDs to update/delete. Specify record IDs and/or ID ranges (for example, 1359-1407). Multiple entries are comma separated.

title={value}

Required to create record String 

A title for the record. The title must be unique. Maximum 255 characters (ascii).

comments={value}

Optional String 

User defined comments. Maximum 1999 characters.

Login Credentials

login_type={basic|vault}

Optional

The login type is basic by default. You can choose vault (for vault based authentication).

username={value}

Required to create record, optional to update record String 

The user account to be used for authentication. May include 1-128 characters.

password={value}

Required to create record, optional to update record String 

The password corresponding to the user account defined in the record for authentication. May include 1-128 characters.

vault_type={value}

Required if login_type=vault

The third party vault to be used to retrieve the password for login. Certain vaults support this capability. See Vault Support Matrix in the API user guide.

use_ad_hashicorp={0|1}

Optional

Use to manage the utilization of Active Directory (AD) Secrets Engine in HashiCorp authentication records. Specify 1 to use Active Directory (AD) Secrets Engine in the authentication records.

vault_id={value}

Required to create record, optional to update record

The vault ID from where you want to retrieve the password. Certain vaults support this capability.

{vault parameters}

Required to create record when login_type=vault

Vault specific parameters required depend on the vault type you’ve selected. See Vault Definition.

db_local={0|1}

Optional to create or update record Integer 

Set to 1 when login credentials are for a MS SQL Server database account (for Windows or Unix). Set to 0 when login credentials are for a Microsoft Windows operating system account that is associated with a MS SQL Server database account. For create record, if the db_local parameter is unspecified, the flag is set to 1.

windows_domain={value}

Required when db_local=0, otherwise invalid Integer 

The domain name where the login credentials are stored when the login credentials are for a Microsoft Windows operating system account that is associated with a MS SQL Server database account. The domain name may include 1-256 characters (ascii).

For an update request when the credentials for the record are for a Microsoft Windows account (db_local=0) and you want to change the record to use credentials for a MS SQL Server account (db_local=1) note the following. You must set windows_domain='' (the empty string) to clear the current parameter setting.

auth_os_type={unix|windows}

Optional when db_local=1 Integer 

Specify “unix” when the OS type is Unix and “windows” when the OS type is Windows.

mssql_unix_insta_path={value}

Optional when auth_os_type=unix String 

Specify the path to the MS SQL Server instance directory on Unix hosts. Sample value: /var/opt/mssql

mssql_unix_conf_path={value}

Optional when auth_os_type=unix String 

Specify the path to the MS SQL Server configuration file on Unix hosts. Sample value: /var/opt/mssql/mssql.conf

instance={value}

Optional to create or update record for Windows, Required to create record for Unix and Optional to update record for Unix String 

The name of the database instance to be scanned. This is the instance name assigned to the TCP/IP port. Important: This is not the host name that is assigned to the MS SQL Server instance name (see “MS SQL Server Instance Name” in the Qualys online help for information). The instance name may include a maximum of 128 characters (ascii).

If the instance parameter is not specified for Windows, the instance name is set to “MSSQLSERVER”.

These parameters are mutually exclusive: instance and auto_discover_instances=1.

auto_discover_instances={0|1}

Optional when auth_os_type=windows Integer 

Set auto_discover_instances=1 and we’ll find all MS SQL Server instance names on each Windows host. Note that Windows authentication is required in order for us to auto discover instance names. Set up Windows authentication records for the hosts running MS SQL Servers.

These parameters are mutually exclusive: instance and auto_discover_instances=1.

database={value}

Optional to create or update record String 

The database name of the database to be scanned. The database name may contain a maximum of 128 characters. For a create request, if the database name is unspecified, the database name is set to “master”.

auto_discover_databases={0|1}

Optional to create or update record Integer 

Set auto_discover_databases=1 and we’ll find all MS SQL Server database names on each host.

These parameters are mutually exclusive: database and auto_discover_databases=1.

port={value}

Required to create record, optional to update record Integer 

The port number assigned to the database instance to be scanned.

To create a record you must specify one of these parameters: port or auto_discover_ports=1. These parameters are mutually exclusive.

auto_discover_ports={0|1}

  Integer 

Set auto_discover_ports=1 and for each host we’ll find all ports MS SQL Server is running on. Note that Unix/Windows authentication is required for us to auto discover ports. Set up Unix/Windows authentication records for your hosts running MS SQL Server.

To create a record you must specify one of these parameters: port or auto_discover_ports=1. These parameters are mutually exclusive.

Target Hosts

ips={value}

Optional to update record Integer 

You may enter a combination of IPs and IP ranges to identify compliance hosts. Multiple entries are comma separated.

Overwrites (replaces) the IP list for the authentication record. The IPs you specify are added and any existing IPs are removed.

For create request, it is required to specify either this parameter or member_domain parameter.

For update request, this parameter and the add_ips or remove_ips or member_domain parameter cannot be specified in the same request.

add_ips={value}

Optional to update record Integer 

You may enter a combination of IPs and IP ranges to identify compliance hosts. Multiple entries are comma separated.

This parameter is used to update an existing IP list in an existing authentication record. Specifies one or more IP addresses to add to the IP list for the authentication record.

This parameter and the ips or member_domain parameter cannot be specified in the same request.

remove_ips={value}

Optional for update request only Integer 

IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated.

This parameter and the ips or member_domain parameter cannot be specified in the same request.

network_id={value}

Optional and only valid when the networks feature is enabled Integer 

The network ID for the record.

member_domain={value}

Optional and only valid for Windows String 

Defines the domain of the MS SQL server for the authentication record.

For create request, it is required to specify either this parameter or ips or add_ips parameter.

For update request, this parameter and the ips or add_ips or remove_ips parameter cannot be specified in the same request.

Protocols (Windows only)

kerberos={0|1}

Optional to create or update record Integer 

When not specified, Kerberos is enabled allowing the scanning engine to try Kerberos when negotiating authentication to target hosts. Specify kerberos=0 if you do not want Kerberos attempted.

ntlmv2={0|1}

Optional to create or update record Integer 

When not specified, NTLMv2 is enabled allowing the scanning engine to try NTLMv2 when negotiating authentication to target hosts. Specify ntlmv2=0 if you do not want NTLMv2 attempted.

ntlmv1={0|1}

Optional to create or update record Integer 

When not specified, NTLMv1 will not be attempted. Specify ntlmv1=1 to try NTLMv1 when negotiating authentication to target hosts.
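The create-time constraints in the parameter table above (required fields, length limits, the mutually exclusive pairs, and the db_local/windows_domain dependency) can be checked before a request is sent. The following is an added example, not Qualys code; the function names are hypothetical, only login_type=basic is covered, and the body is URL-encoded so that a password containing & or = is not split into extra parameters.

```python
from urllib.parse import urlencode

# Fixed value vs. its auto-discover flag: the page calls each pair mutually exclusive.
EXCLUSIVE = [("instance", "auto_discover_instances"),
             ("database", "auto_discover_databases"),
             ("port", "auto_discover_ports")]

def flag(p, key):
    return str(p.get(key, "0")) == "1"

def validate_create(p):
    """Return rule violations for an action=create request (empty list = OK).
    p maps parameter names to string values; login_type=basic is assumed."""
    errs = []
    for key, limit in (("title", 255), ("username", 128), ("password", 128)):
        if not 1 <= len(p.get(key, "")) <= limit:
            errs.append(f"{key}: required, 1-{limit} characters")
    if not p.get("title", "").isascii():
        errs.append("title: must be ASCII")
    for fixed, auto in EXCLUSIVE:
        if fixed in p and flag(p, auto):
            errs.append(f"{fixed} and {auto}=1 are mutually exclusive")
    if "port" not in p and not flag(p, "auto_discover_ports"):
        errs.append("specify port or auto_discover_ports=1")
    db_local = str(p.get("db_local", "1"))  # unspecified on create means 1
    if db_local == "0" and not p.get("windows_domain"):
        errs.append("windows_domain: required when db_local=0")
    if db_local != "0" and "windows_domain" in p:
        errs.append("windows_domain: invalid unless db_local=0")
    if p.get("auth_os_type") == "unix" and not p.get("instance"):
        errs.append("instance: required to create a record for Unix")
    if not (p.get("ips") or p.get("member_domain")):
        errs.append("specify ips or member_domain")
    return errs

def build_create_body(p):
    """URL-encode a create request; raises ValueError listing any violations."""
    errs = validate_create(p)
    if errs:
        raise ValueError("; ".join(errs))
    return urlencode({"action": "create", **p})

# Constructed input mirroring the page's Unix sample request.
UNIX_SAMPLE = {"title": "MSSQL_UNIX", "username": "root", "password": "root",
               "db_local": "1", "ips": "10.10.10.10", "auth_os_type": "unix",
               "instance": "mssql", "auto_discover_ports": "1",
               "auto_discover_databases": "1"}
```
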

Sample - Create MS SQL Record for Unix

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d "action=create&title=MSSQL_UNIX&username=root&password=root&db_local=1&ips=10.10.10.10&auto_discover_ports=1&auto_discover_databases=1&auth_os_type=unix&instance=mssql&mssql_unix_conf_path=/var/opt/mssql/mssql.conf&mssql_unix_insta_path=/var/opt/mssql" "https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/"

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
 <RESPONSE>
   <DATETIME>2021-05-17T08:26:31Z</DATETIME>
   <BATCH_LIST>
     <BATCH>
       <TEXT>Successfully Created</TEXT>
       <ID_SET>
         <ID>103473</ID>
       </ID_SET>
     </BATCH>
   </BATCH_LIST>
 </RESPONSE>
</BATCH_RETURN>

Sample - List MS SQL Record for Windows Using Member Domain

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=list&echo_request=1&ids=13907" "https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/"

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE AUTH_MS_SQL_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/auth_ms_sql_list_output.dtd">
<AUTH_MS_SQL_LIST_OUTPUT>
 <REQUEST>
 <DATETIME>2017-09-20T05:34:37Z</DATETIME>
 <USER_LOGIN>user_john</USER_LOGIN>
 <RESOURCE>
 https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/
 </RESOURCE>
 <PARAM_LIST>
<PARAM>
 <KEY>action</KEY>
 <VALUE>list</VALUE>
 </PARAM>
 <PARAM>
 <KEY>echo_request</KEY>
 <VALUE>1</VALUE>
 </PARAM>
 <PARAM>
 <KEY>ids</KEY>
 <VALUE>13907</VALUE>
 </PARAM>
 </PARAM_LIST>
 </REQUEST>
 <RESPONSE>
 <DATETIME>2017-09-20T05:34:37Z</DATETIME>
 <AUTH_MS_SQL_LIST>
 <AUTH_MS_SQL>
 <ID>13907</ID>
 <TITLE><![CDATA[mssqlvt4]]></TITLE>
 <USERNAME><![CDATA[administrator]]></USERNAME>
 <NTLM_V2>1</NTLM_V2>
 <KERBEROS>1</KERBEROS>
 <INSTANCE><![CDATA[MSSQLSERVER]]></INSTANCE>
 <DATABASE><![CDATA[master]]></DATABASE>
 <PORT>8012</PORT>
 <DB_LOCAL>1</DB_LOCAL>
<MEMBER_DOMAIN><![CDATA[sitedomain.com]]></MEMBER_DOMAIN>
 <NETWORK_ID>0</NETWORK_ID>
 <CREATED>
 <DATETIME>2017-09-20T05:26:31Z</DATETIME>
 <BY>user_john</BY>
 </CREATED>
 <LAST_MODIFIED>
 <DATETIME>2017-09-20T05:26:31Z</DATETIME>
 </LAST_MODIFIED>
 <COMMENTS><![CDATA[authcreated]]></COMMENTS>
 </AUTH_MS_SQL>
 </AUTH_MS_SQL_LIST>
 </RESPONSE>
</AUTH_MS_SQL_LIST_OUTPUT>

Sample - Create MS SQL Record for Windows Using Member Domain

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=create&title=mssqlvt1&username=administrator&password=abc123&db_local=1&port=8012&member_domain=sitedomain.com&echo_request=1&comments=authcreated&instance=MSSQLSERVER&database=master" "https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/"

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
  <REQUEST>
    <DATETIME>2018-03-20T05:26:31Z</DATETIME>
    <USER_LOGIN>user_john</USER_LOGIN>
    <RESOURCE>
       https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/</RESOURCE>
    <PARAM_LIST>
      <PARAM>
        <KEY>action</KEY>
        <VALUE>create</VALUE>
      </PARAM>
      <PARAM>
        <KEY>title</KEY>
        <VALUE>mssqlvt4</VALUE>
      </PARAM>
      <PARAM>
        <KEY>username</KEY>
        <VALUE>administrator</VALUE>
      </PARAM>
      <PARAM>
        <KEY>password</KEY>
        <VALUE>abc123</VALUE>
      </PARAM>
      <PARAM>
        <KEY>db_local</KEY>
        <VALUE>1</VALUE>
      </PARAM>
      <PARAM>
        <KEY>port</KEY>
        <VALUE>8012</VALUE>
      </PARAM>
      <PARAM>
        <KEY>member_domain</KEY>
        <VALUE>sitedomain.com</VALUE>
      </PARAM>
      <PARAM>
        <KEY>echo_request</KEY>
        <VALUE>1</VALUE>
      </PARAM>
      <PARAM>
        <KEY>comments</KEY>
        <VALUE>authcreated</VALUE>
      </PARAM>
      <PARAM>
        <KEY>instance</KEY>
        <VALUE>MSSQLSERVER</VALUE>
      </PARAM>
      <PARAM>
        <KEY>database</KEY>
        <VALUE>master</VALUE>
      </PARAM>
    </PARAM_LIST>
  </REQUEST>
  <RESPONSE>
    <DATETIME>2018-03-20T05:26:31Z</DATETIME>
    <BATCH_LIST>
      <BATCH>
        <TEXT>Successfully Created</TEXT>
        <ID_SET>
          <ID>13907</ID>
        </ID_SET>
      </BATCH>
    </BATCH_LIST>
  </RESPONSE>
</BATCH_RETURN>
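With echo_request=1 the output above repeats every input parameter, including password in clear text, so the response should be masked before it is logged or stored. The following is an added example, not Qualys code; the function name and the SENSITIVE_KEYS set are hypothetical. It parses a BATCH_RETURN document, returns the result text with the record IDs, and masks the echoed secrets.

```python
import xml.etree.ElementTree as ET

SENSITIVE_KEYS = {"password"}  # echoed request parameters that must not reach logs

def parse_batch_return(xml_text):
    """Return (batches, echoed_params) from a BATCH_RETURN document.

    batches is a list of (text, [ids]); echoed_params is a dict in which
    the values of SENSITIVE_KEYS are masked.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "BATCH_RETURN":
        raise ValueError(f"unexpected root element: {root.tag}")
    batches = []
    for batch in root.iterfind("RESPONSE/BATCH_LIST/BATCH"):
        ids = [int(e.text) for e in batch.iterfind("ID_SET/ID")]
        batches.append((batch.findtext("TEXT", "").strip(), ids))
    echoed = {}
    # REQUEST is present only when the call was made with echo_request=1.
    for param in root.iterfind("REQUEST/PARAM_LIST/PARAM"):
        key = param.findtext("KEY", "").strip()
        value = param.findtext("VALUE", "").strip()
        echoed[key] = "***" if key in SENSITIVE_KEYS else value
    return batches, echoed

# Constructed sample, trimmed from the create response shown above.
SAMPLE = """<BATCH_RETURN>
  <REQUEST>
    <PARAM_LIST>
      <PARAM><KEY>action</KEY><VALUE>create</VALUE></PARAM>
      <PARAM><KEY>password</KEY><VALUE>abc123</VALUE></PARAM>
    </PARAM_LIST>
  </REQUEST>
  <RESPONSE>
    <BATCH_LIST>
      <BATCH>
        <TEXT>Successfully Created</TEXT>
        <ID_SET><ID>13907</ID></ID_SET>
      </BATCH>
    </BATCH_LIST>
  </RESPONSE>
</BATCH_RETURN>"""
```
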

Sample - Update MS SQL Record Using Member Domain

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=update&echo_request=1&ids=13907&member_domain=webdomain.com" "https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/"

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
  <REQUEST>
    <DATETIME>2018-03-20T05:37:13Z</DATETIME>
    <USER_LOGIN>user_john</USER_LOGIN>
    <RESOURCE>https://<qualys_base_url>/api/2.0/fo/auth/ms_sql/
      </RESOURCE>
    <PARAM_LIST>
      <PARAM>
        <KEY>action</KEY>
        <VALUE>update</VALUE>
      </PARAM>
      <PARAM>
        <KEY>echo_request</KEY>
        <VALUE>1</VALUE>
      </PARAM>
      <PARAM>
        <KEY>ids</KEY>
        <VALUE>13907</VALUE>
      </PARAM>
      <PARAM>
        <KEY>member_domain</KEY>
        <VALUE>webdomain.com</VALUE>
      </PARAM>
    </PARAM_LIST>
  </REQUEST>
  <RESPONSE>
    <DATETIME>2018-03-20T05:37:13Z</DATETIME>
    <BATCH_LIST>
      <BATCH>
        <TEXT>Successfully Updated</TEXT>
        <ID_SET><ID>13907</ID>
         </ID_SET>
      </BATCH>
    </BATCH_LIST>
  </RESPONSE>
</BATCH_RETURN>

DTDs for Authentication Type "ms_sql"

<platform API server>/api/2.0/batch_return.dtd

<platform API server>/api/2.0/fo/auth/ms_sql/auth_ms_sql_list_output.dtd