Release 10.25.3

February 15, 2024

 

What’s New?

Qualys Policy Compliance (PC/SCAP/SCA)

HashiCorp Vault Authentication Updates

Key Field Now an Optional Field

The Key field, used to enter the key name that identifies a specific key-value pair, is no longer required when you use the Database Secrets Engine or Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP).

 

Oracle Record

The Key field does not appear when the toggle switch Use Database Secrets Engine is switched to yes while creating or updating HashiCorp Oracle authentication records.

New Oracle record showing the Use Database Engine toggle switch.

 

Windows Record

The Key field does not appear when the Use Active Directory (AD) Secrets Engine is set to Yes while creating or updating HashiCorp Windows authentication records. 

Windows record.

HTTP Record

The Key field does not appear when the Use Active Directory (AD) Secrets Engine is set to Yes while creating or updating HashiCorp HTTP authentication records. 

HTTP record

Subtle UI Enhancements: Use Active Directory (AD) or Database Secrets Engines in HashiCorp Authentication Records
  • In the 10.25.1 release, a toggle switch was introduced to manage the utilization of Database Secrets Engines while creating or updating HashiCorp authentication records. The previously named toggle Use Database Secrets Engines has been renamed to Use Database Secrets Engine.


    Oracle authentication record.
  • In the 10.25.1 release, an option was introduced to manage the utilization of Active Directory (AD) when creating or updating HashiCorp authentication records. The previously named option Use Active Directory (AD) has been renamed to Use Active Directory (AD) Secrets Engine. Instead of a checkbox, the option now provides Yes or No to manage utilization of Active Directory (AD). To use Active Directory (AD), select Yes.

    Windows record.

 

Support for OS Authentication-based Technology - Skype For Business Server

When you create or update the Windows authentication record (Scans > Authentication > New > Operating System > Windows), you must select only NTLMv2 under Choose Authentication Protocol. Selecting only NTLMv2 allows the authentication scan of Skype for Business Server to succeed.

Screenshot showing the selection of NTLMv2 for the Windows authentication record.

Skype for Business Server 2015 is now visible in the following places.

Policy Editor

When you create or edit a compliance policy, Skype for Business Server 2015 is now available in the list of supported technologies.

Screenshot of Create new Policy window highlighting Skype for Business Server.
 

Search Controls

When you search controls, you see Skype for Business Server 2015 in the list of technologies. Go to Policies > Controls > Search and select Skype for Business Server 2015 in the list.

Search controls that show Skype for Business Server in the Technologies list.

Authentication Reports

To display all OS auth-based instance technologies per host, including Skype for Business Server 2015, in your authentication report, go to Reports > New > Authentication Report. Enable the OS Authentication-based Technology option under the Appendix.

New authentication report showing OS authentication based technology.

Scroll down to the Appendix section of your authentication report to view Skype for Business Server 2015, mentioned under Targets with OS authentication-based technology.

Appendix section of Authentication report to see Skype for Business Server 2015.

Option Profile

Make sure you have enabled the OS Authentication-based Technology option. Under Scans, select Option Profiles > New > Compliance Profile > Instance Data Collection. Skype for Business Server 2015 is available under Application and Other Technologies.

New Compliance Profile that shows Skype for Business Server 2015 under Applications and Other Technologies.

Scan Results

Skype for Business Server 2015 is now listed under Application technologies found based on OS-level authentication in the Appendix section of a compliance scan result.

Compliance Scan Results window showing Skype for Business Server 2015.

Use HTTP Authentication Record to Scan the IP using AudioCode OVOC

You can now use an HTTP authentication record to perform authentication scanning of IPs/IP ranges using AudioCode OVOC (One Voice Operations Center). AudioCode OVOC uses an IP-based tracking method, which helps to scan the IPs/IP ranges and provide all the information related to the IPs. To create or update an HTTP authentication record, go to Policy Compliance (Scans > Authentication > New > Applications > HTTP). The HTTP authentication record also helps you scan web-based applications.

Screenshot to show the new option added in the authentication tab.

As a part of the enhancement, the following changes are made:

UI Changes

You can now select Basic Authentication or Authentication Vault while creating an HTTP authentication record:

  • Basic Authentication: Select the Basic Authentication button when you create or update an authentication record. Make sure you use the username of the HTTP account and specify the password for authentication.

    Screenshot to show the basic Authentication button.
  • Authentication Vault: When you create an HTTP authentication record using Vault, select Authentication Vault. New buttons are added to manage the utilization of the Active Directory (AD) Secrets Engine while creating HTTP authentication records.

    New button is added to use Active Directory Secrets Engine.

    Note: You can use AudioCode OVOC HTTP authentication through the HashiCorp Vault using Active Directory Secrets Engine only after the ML version 12.17.1 release.
  • A new IP field is added, where you add IPs or IP ranges to scan the IPs using AudioCode OVOC, which has an IP-based tracking method.

    New IP field is added in the HTTP authentication record.

    Notes:
    • Make sure you enter information in only one of the three fields (Virtual Host, Realm, IPs).
    • Enabling Send authentication over SSL only is optional. If you want to use AudioCode OVOC to perform scanning, enable Send authentication over SSL only by selecting the check box.
  • For successful HTTP authentication scan results, select Standard Scan by going to Policy Compliance > Option profile and editing the compliance policy. A new window opens. Go to Scan, select Standard Scan under Ports, and save.

    Set standard scan to get the authenticated scan result.

    Under the Appendix section, you can view the scan result for the HTTP authenticated record created.

    Showing successful scan result under Appendix.
     
API Changes

A new ip parameter is added to the HTTP Record API. This parameter is optional. For more information, refer to the Cloud Platform 10.25.3 API Release Notes.

Issues Addressed

The following issues are fixed with this release.

| Component/Category | Application | Description |
|---|---|---|
| PC - Reports | Policy Compliance | The authentication report created for a single or multiple database technology asset groups showed a discrepancy in IP count. The relevant code changes have been made to fix this issue. |
| PC - UI | Policy Compliance | The user noticed an increased number of pending asset group processing tasks. Relevant code changes have been made to fix this issue. |
| VM - Scan Processing | Vulnerability Management | On executing the Scan Summary API with the input parameter 'include_cancelled = 1' in the API request, the response displayed successful scans, which was not an expected response. The relevant code changes have been made to fix this issue. |
| Shared Services - AGMS | Vulnerability Management | When a user with an AGMS-enabled subscription added a duplicate IP address or IP address range to an asset group, a validation error occurred. The relevant code changes have been made to fix this issue. Now, users will not see 'Duplicate range start' and 'IP range inside another range' errors when performing add/remove IP operations to the asset group. |