Release 10.25.3
February 15, 2024
What’s New?
Qualys Policy Compliance (PC/SCAP/SCA)
HashiCorp Vault Authentication Updates
Key Field Now an Optional Field
The Key field, used to enter the key name that identifies a specific key-value pair, is no longer required when you use the Database Secrets Engine or Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP).
Oracle Record
The Key field does not appear when the Use Database Secrets Engine toggle switch is set to Yes while creating or updating HashiCorp Oracle authentication records.
Windows Record
The Key field does not appear when the Use Active Directory (AD) Secrets Engine is set to Yes while creating or updating HashiCorp Windows authentication records.
HTTP Record
The Key field does not appear when the Use Active Directory (AD) Secrets Engine is set to Yes while creating or updating HashiCorp HTTP authentication records.
Subtle UI Enhancements: Use Active Directory (AD) or Database Secrets Engines in HashiCorp Authentication Records
- In the 10.25.1 release, a toggle switch was introduced to manage the utilization of Database Secrets Engines while creating or updating HashiCorp authentication records. The previously named toggle Use Database Secrets Engines has been renamed to Use Database Secrets Engine.
- In the 10.25.1 release, an option was introduced to manage the utilization of Active Directory (AD) when creating or updating HashiCorp authentication records. The previously named option Use Active Directory (AD) has been renamed to Use Active Directory (AD) Secrets Engine. Instead of a checkbox, the option now provides Yes or No to manage utilization of Active Directory (AD). To use Active Directory (AD), select Yes.
Support for OS Authentication-based Technology - Skype For Business Server
When you create or update the Windows authentication record (Scans > Authentication > New > Operating System > Windows), you must select only NTLMv2 under Choose Authentication Protocol. This allows the authentication scan using Skype for Business Server to succeed.
Skype for Business Server 2015 is now visible in the following places.
Policy Editor
When you create or edit a compliance policy, Skype for Business Server 2015 is now available in the list of supported technologies.
Search Controls
When you search controls, you see Skype for Business Server 2015 in the list of technologies. Go to Policies > Controls > Search and select Skype for Business Server 2015 in the list.
Authentication Reports
To display all OS auth-based instance technologies per host, including Skype for Business Server 2015, in your authentication report, go to Reports > New > Authentication Report. Enable the OS Authentication-based Technology option under the Appendix.
Scroll down to the Appendix section of your authentication report to view Skype for Business Server 2015, mentioned under Targets with OS authentication-based technology.
Option Profile
Make sure you have enabled the OS Authentication-based Technology option. Under Scans, select Option Profiles > New > Compliance Profile > Instance Data Collection. Skype for Business Server 2015 is available under Application and Other Technologies.
Scan Results
Skype for Business Server 2015 is now listed under Application technologies found based on OS-level authentication in the Appendix section of a compliance scan result.
Use HTTP Authentication Record to Scan the IP using AudioCode OVOC
You can now use an HTTP authentication record to perform authentication scanning of IPs/IP ranges using AudioCode OVOC (One Voice Operations Center). AudioCode OVOC uses an IP-based tracking method, which helps to scan the IPs/IP ranges and provide all the information related to the IPs. To create or update an HTTP authentication record, go to Policy Compliance (Scans > Authentication > New > Applications > HTTP). An HTTP authentication record also helps you scan web-based applications.
As a part of the enhancement, the following changes are made:
UI Changes
You can now select Basic Authentication or Authentication Vault while creating an HTTP authentication record:
- Basic Authentication: Select the Basic Authentication button when you create or update an authentication record. Be sure to use the username of the HTTP account and specify the password for authentication.
- Authentication Vault: When you create an HTTP authentication record using Vault, select Authentication Vault. New buttons are added to manage the utilization of the Active Directory (AD) Secrets Engine while creating HTTP authentication records.
Note: You can use AudioCode OVOC HTTP authentication through the HashiCorp vault using Active Directory Secrets Engine only after the ML version 12.17.1 release.
- A new IP field is added, where you add IPs or IP ranges to scan the IPs using AudioCode OVOC, which has an IP-based tracking method.
Notes:
- Enter the information in only one of the three fields (Virtual Host, Realm, IPs).
- Enabling Send authentication over SSL only is optional. If you want to use AudioCode OVOC to perform scanning, enable Send authentication over SSL only by selecting the check box.
- For successful HTTP authentication scan results, select Standard Scan by going to Policy Compliance > Option profile and editing the compliance policy. A new window opens. Go to Scan, select Standard Scan under Ports, and save.
Under the Appendix section, you can view the scan result for the HTTP authenticated record created.
API Changes
A new ip parameter is added to the HTTP Record API. This parameter is optional. For more information, refer to the Cloud Platform 10.25.3 API Release Notes.
Issues Addressed
The following issues are fixed with this release.
Component/Category | Application | Description |
PC - Reports | Policy Compliance | The authentication report created for a single or multiple database technology asset groups showed a discrepancy in IP count. The relevant code changes have been made to fix this issue. |
PC - UI | Policy Compliance | The user noticed an increased number of pending asset group processing tasks. Relevant code changes have been made to fix this issue. |
VM - Scan Processing | Vulnerability Management | On executing the Scan Summary API with the input parameter 'include_cancelled = 1' in the API request, the response displayed successful scans, which was not an expected response. The relevant code changes have been made to fix this issue. |
Shared Services - AGMS | Vulnerability Management | When a user with an AGMS-enabled subscription added a duplicate IP address or IP address range to an asset group, a validation error occurred. The relevant code changes have been made to fix this issue. Now, users will not see 'Duplicate range start' and 'IP range inside another range' errors when performing add/remove IP operations to the asset group. |