Release 10.28

June 24, 2024

What’s New?

Qualys Vulnerability Management (VM)

View Multiple IPs or IP Ranges in Asset Groups on Separate Lines

Previously, when you viewed the individual IPs or IP ranges in an asset group, all of them were displayed on a single line, which made it hard to tell where one IP or IP range ended and the next one began.

All IPs and IP range on one line

With this release, a Display each IP/Range on new line checkbox is added. When it is selected, each IP address or IP range is displayed on its own line.

Single IP or IP range on one line

User Interface Enhancements

With this release, we have implemented the following User Interface (UI) enhancements:

Login Page - for PCP Customers

We have introduced a new login page for Private Cloud Platform (PCP) customers that can be accessed with minimal internet connectivity.

Qualys login page for PCP customers

Account Activation Page

We have updated the account activation page for Qualys customers and partners.

Qualys customer's account activation page


Qualys partner's account activation page


Verify Your Information Page

We have updated the page where you enter your personal and company information and accept the service agreement. Previously, the Contact Number, Fax, and Zip Code fields accepted alphanumeric characters. These fields now accept only numeric characters.

Verify your information page

Change Password Page

We have updated the Change Password page.

Change password page

The captcha field is now mandatory.

Captcha field made mandatory

Modified Appendix section in Scan Reports

Scan reports in PDF format include an Appendix section that lists the search list(s) used to generate the report: the ones selected in the option profile (for scan reports) or chosen directly (for host-based reports). Previously, the Appendix also listed every QID resolved for each of those search lists. For large search lists these QIDs ran to many pages and could cause the report generation process to fail.

With this release, the Appendix section of host-based reports, scan-based reports, and scan reference or scan results downloads in PDF format displays only the names of the search lists used to generate the report.

Search results in appendix displaying only the number of QIDs

Qualys Policy Compliance (PC)

Support for New Authentication Technologies

With this release, the following OS Authentication-Based Instance technologies are supported for Policy Compliance authenticated scans using scanner appliances and Cloud Agent. You can now perform authenticated compliance scans of these VMware Horizon Connection Server, Horizon Agent, and Horizon Client versions:

  • VMware Horizon 7 Connection Server
  • VMware Horizon 8 Connection Server
  • VMware Horizon 7 Agent
  • VMware Horizon 8 Agent
  • VMware Horizon 7 Client
  • VMware Horizon 8 Client

These technologies are now available for use at the following places for both scanner and agent:

  • Policy Editor
    When you create or edit a compliance policy, these technologies are now available in the list of supported technologies.

    Create new policy window.
  • Search Controls
    Go to Policies > Controls > Search. The Technologies section of the Search dialog box lists all currently supported technologies.

    search control window.
  • Authentication Reports
    To display all OS auth-based instance technologies per host, including these newly supported technologies, in your authentication report, go to Reports > New > Authentication Report and enable the OS Authentication-based Technology option under the Appendix.

    Auth report.
  • Option Profile
    Go to Scans > Option Profiles > New > Compliance Profile > Instance Data Collection. The Application and Other Technologies section lists all currently supported technologies.

     Ensure that the OS Authentication-based Technology checkbox is selected.

    Option profile.
  • Middleware Asset
    If you use Cloud Agent for Policy Compliance (PC), Horizon Connection Server, Horizon Agent, and Horizon Client instances are auto-discovered by the agent. When the agent detects the technology on a host, it is displayed in the Middleware Technology column of the Middleware Assets tab.

    Middleware assets.

New Technologies Supported by Qualys OCA

With this release, the following technologies are supported by the Qualys Out-of-Band Configuration Assessment (OCA) application for Policy Compliance:

  • Xerox VersaLink
  • Ivanti Connect Secure 22.x

To get a complete list of supported technologies, view the Technologies tab in the OCA UI or use the Technology API.

Use Active Directory (AD) Secrets Engine or Database Secrets Engine in HashiCorp Authentication Records

You can now use the Active Directory (AD) Secrets Engine or the Database Secrets Engine when creating or updating authentication records with Authentication Type set to vault based and Vault Type set to HashiCorp. As part of this enhancement, the following changes have been made:

  • UI Changes
    New options on the Login Credentials tab control whether the Active Directory (AD) Secrets Engine or the Database Secrets Engine is used:
    • Use Active Directory (AD) Secrets Engine toggle: set to YES or NO. Set to YES to use the AD Secrets Engine when creating or updating authentication records (Cisco, Cisco_APIC, Infoblox).
    • Use Database Secrets Engine toggle: set to YES or NO. Set to YES to use the Database Secrets Engine when creating or updating authentication records (PostgreSQL, MongoDB).
  • API Changes
    Due to this enhancement, we made changes to the following APIs. For details, refer to the Cloud Platform 10.28 API release notes.
    • /api/2.0/fo/auth/postgresql/
    • /api/2.0/fo/auth/mongodb/
    • /api/2.0/fo/auth/infoblox/
    • /api/2.0/fo/auth/cisco_apic/
    • /api/2.0/fo/auth/unix/

Support for Automated Debug Scan

With this release, you can perform an automated debug scan. To see the Debug Scan option when launching a new scan, select the Enable Debug Scan checkbox in the Debug Scan Setup dialog box.

Selecting Debug scan from PC scan setup.

Previously, running a debug scan required a request to Qualys Support to switch the scanner appliance into debug mode. With this enhancement, the scanner is set to debug mode automatically when a debug scan is launched and reverts to its standard operating mode once the debug scan completes.

Note: 

  • Debug scans do not support asset groups and tags.
  • Users who have Debug Scan enabled for VM are now automatically enabled for PC Debug Scan.

New Columns in the Authentication Report

With this release, the following two columns are added to the authentication report:

  • Authentication Record: the name of the authentication record used to authenticate the host.
  • Authentication Scheme: the type of authentication scheme, such as Basic, Vault, Private key/certificate, or vCenter based.

These columns are available in all authentication report formats (CSV, PDF, XML, HTML, MHT). Previously, you could not tell which authentication record and scheme had been used to scan a host. With these columns you can identify the record and scheme used to authenticate a specific host, which helps in troubleshooting authentication issues.

  • Portable Document Format (PDF)

    Authentication record and scheme introduced in the reports.
  • Extensible Markup Language (XML) format

    Auth record and auth scheme visible in XML format.
  • Comma Separated Values (CSV) format

    Auth record and auth scheme visible in CSV format.
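The two new columns make the CSV format easy to triage with a script. The following is an added example, not Qualys code: it loads a constructed authentication report whose column names "Authentication record" and "Authentication Scheme" are taken from this release note, while the other columns, the status values, and every row are assumed sample data (a real export also carries a preamble and more columns, so adjust the header handling to your report). It counts failed hosts per record and scheme, so that one broken record stands out from a host-specific problem, and lists hosts that still authenticate with the Basic scheme (credentials held in the record rather than fetched from a vault, which is our assumption about what Basic means here).

```python
"""Triage a Qualys authentication report (CSV) using the Authentication record
and Authentication Scheme columns.

Added example, not Qualys code. Only the two column names come from the release
note; the remaining columns and all row values are constructed sample data."""
import csv
import io
from collections import Counter

# Constructed sample report: six hosts, three authentication failures.
SAMPLE_CSV = """\
"Host IP","DNS Hostname","Operating System","Status","Authentication record","Authentication Scheme"
"10.0.1.10","db01.corp.example","Windows Server 2019","Passed","win-domain-svc","Vault"
"10.0.1.11","db02.corp.example","Windows Server 2019","Failed","win-domain-svc","Vault"
"10.0.1.12","app01.corp.example","Ubuntu 22.04","Passed","unix-prod-key","Private key/ certificate"
"10.0.1.13","app02.corp.example","Ubuntu 22.04","Failed","unix-legacy-pw","Basic"
"10.0.1.14","esx01.corp.example","VMware ESXi 7","Passed","vcenter-ro","vCenter based"
"10.0.1.15","app03.corp.example","Ubuntu 22.04","Failed","unix-legacy-pw","Basic"
"""


def parse_auth_report(text):
    """Parse the CSV body into one dict per host row."""
    return list(csv.DictReader(io.StringIO(text)))


def failures_by_record(rows):
    """Count failed hosts per (record name, scheme).

    A record with several failures usually means the record itself is wrong
    (expired password, revoked key, vault path changed); a single failure is
    more likely a host-side problem such as a firewall or disabled account."""
    counts = Counter()
    for row in rows:
        if row["Status"].strip().lower().startswith("failed"):
            counts[(row["Authentication record"], row["Authentication Scheme"])] += 1
    return counts


def scheme_summary(rows):
    """How many hosts use each authentication scheme (all statuses)."""
    return Counter(row["Authentication Scheme"] for row in rows)


def hosts_using_basic_auth(rows):
    """Hosts authenticated with the Basic scheme, i.e. credentials stored in the
    record itself (assumed meaning of Basic here), which is where a migration
    to vault-based records should start."""
    return sorted(row["Host IP"] for row in rows if row["Authentication Scheme"] == "Basic")


if __name__ == "__main__":
    rows = parse_auth_report(SAMPLE_CSV)
    for (record, scheme), n in failures_by_record(rows).most_common():
        print(f"{n} failure(s): record={record!r} scheme={scheme!r}")
    print("scheme summary:", dict(scheme_summary(rows)))
    print("hosts still on Basic auth:", hosts_using_basic_auth(rows))
```

To run this against a real export, replace SAMPLE_CSV with the file contents after stripping the report preamble so that the header row is the first line the reader sees.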

View Mandate Compliance

Mandates are regulatory or good-practice standards and compliance frameworks defined by government organizations. With this enhancement, you can view the compliance posture of your organization against mandates.

  • The Posture tab is enhanced to display mandate compliance information. You can now view the mandate compliance score and compliance posture details. Use the following Group by option to filter posture records by mandate:
    • Group by Mandate: Displays compliance posture data based on the mandates.

      Group by mandate.
  • New search tokens let you search and filter mandate compliance posture information. These tokens are also available in Query Settings when adding a PC dashboard widget to visualize mandate compliance data.
    • mandate.name: searches for controls associated with a particular mandate.

      mandate name widget.
    • mandate.requirement: searches for controls associated with a particular mandate requirement.

      mandate requirement widget.
    • mandate.controlObjective: searches for controls associated with a particular mandate control objective.

      mandate control objective widget.
  • A new Group By option is available when adding a PC dashboard widget to visualize mandate compliance data:
    Group By mandate name: displays compliance data grouped by mandate.

    Group by mandate name option for PC dashboard.

Generate Interactive Report with Multiple Controls

Previously, when generating a Control Pass/Fail report, you could select only one control of a policy, and only that control's details were displayed in the interactive report.

With this release, you can select multiple controls (maximum 25) when generating the Control Pass/Fail report and view the details of all of them in the interactive report. This lets you raise exceptions for multiple controls on multiple assets in one go, which reduces the time required to raise exceptions across several controls.

Multiple controls selected in the select control window

We have also added a CONTROL_ID column to the report, which displays the ID of each control.

Control ID column added to the interactive report

Support for MarkLogic Database Authentication

Qualys now supports MarkLogic (9.x/10.x) authentication for compliance scans using the PC and SCA applications on Unix and Windows platforms. You can create a MarkLogic authentication record with your credentials to authenticate to a MarkLogic database instance running on a host and perform a compliance scan.

Selecting the MarkLogic database from Authentication tab.

Qualys API Support

For this enhancement, we added a new API, /api/2.0/fo/auth/marklogic. For more information, refer to the Cloud Platform 10.28 API Release Notes.

New Note Specifying Behavior of Dissolvable Agent

When creating a new Compliance Profile, the Scan by Policy checkbox is selected by default for Security Configuration Assessment (SCA) accounts. This disables all options under Dissolvable Agent, including the Enable the Dissolvable Agent checkbox itself.

With this release, we have added a note that specifies this behavior.

Enable the dissolvable agent checkbox selected

View Policies Locked at Import

When filtering the list of policies, you can filter by options such as Compliance, Active, Locked, and so on. Previously, there was no option to show only the policies that had been locked at import. With this release, we have added the Locked at Import filter. When you select it, only the policies that were locked during import are displayed.

The Locked at Import option is also available in the Search dialog box, where you can search for policies locked at import.


Issues Addressed

The following issues are fixed with this release:

Each entry lists the Component/Category, the Application in parentheses, and the Description.

  • VM - User Management (Vulnerability Management): When users logged in to their SAML accounts, they were redirected to the old VM dashboard instead of the new dashboard and had to switch to their default dashboard manually. Relevant code changes have been made to fix this issue.
  • VM - Vulnerability Scan UI/API (Vulnerability Management): When users launched a scan through the API, there was a wait of about 5 minutes before the scan job actually started. Relevant code changes have been made to fix this issue.
  • VM - Host List Detection API (Vulnerability Management): When users called the HLD API endpoint /api/2.0/fo/asset/host/vm/detection/, the hostname was returned as null for DNS names whose first label (the part before the first dot) was 0, for example 0.abc.com. Relevant code changes have been made to fix this issue. The hostname is now returned for such DNS names.
  • VM - Remediation (Vulnerability Management): When users closed their tickets manually, they could not view the ticket's due date. Relevant code changes have been made to fix this issue. For more information, refer to the online help under Remediation - The Basics.
  • VM-QWEB (Vulnerability Management): When users opened asset groups in edit mode in their browser, they received the error message 'Not enough memory to process this page.' The error was caused by the number of IPs in the asset group. Relevant code changes have been made to fix this issue.
  • PC - New UI (Policy Compliance): When users ran a query or refreshed the UI on the PC > Posture tab, the Criticality categorization under the Posture tab changed on its own. Relevant code changes have been made to fix this issue.
  • PC - Reports (Policy Compliance): When users imported a policy, a Script Manager User Defined Control (SM-UDC) was not evaluated correctly because of a trailing whitespace character in the Expected field under Scan Parameter. Relevant code changes have been made to fix this issue.
  • PC - QWEB (Policy Compliance): When generating an interactive Control Pass/Fail report, users could include only one control ID at a time and had to repeat the report generation for each additional control. Relevant code changes have been made to fix this issue. You can now select multiple controls (maximum 25) whose details are displayed in the interactive report.
  • PC - New UI (Policy Compliance): When users renamed a script and then generated a policy compliance report for a particular SM-UDC, the report still showed the old script name, because changes to a script name were not reflected in the policy compliance report. Relevant code changes have been made to fix this issue.
  • PCUI (Policy Compliance): When users searched for compliance posture information for assets by operating system using partial text such as "Windows" or "2016", no information appeared. Code changes have been made to index operating system information so that partial text searches work. Newly created assets support partial text search immediately. For existing assets, either wait for the next scan to complete (recommended) or manually trigger a policy evaluation (not recommended for policies with a large number of assets).
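The HLD fix above is easy to verify from the API output itself, and the same check catches any other case where a host's DNS name and its parsed hostname disagree. The following is an added example, not Qualys code: it parses a constructed HOST_LIST_VM_DETECTION_OUTPUT document (the HOST, IP, DNS and DNS_DATA/HOSTNAME element names follow the HLD XML output; the host values are made up, and one host is deliberately built with the pre-fix symptom of a DNS name 0.abc.com and no HOSTNAME). It also shows the hostname split that such a name needs: partition on the first dot and compare the label against the empty string explicitly, because a label of "0" is a valid hostname and a truthiness test on it is exactly the kind of mistake that produces a null.

```python
"""Find HLD hosts whose DNS name is present but whose parsed hostname is
missing or inconsistent, e.g. the 0.abc.com case from the release note.

Added example, not Qualys code. The sample XML is constructed; element names
follow the Host List Detection output format."""
import xml.etree.ElementTree as ET

# Constructed sample: host 1002 shows the pre-fix symptom (DNS set, HOSTNAME absent).
SAMPLE_HLD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST>
        <ID>1001</ID>
        <IP>10.0.0.5</IP>
        <DNS>web01.abc.com</DNS>
        <DNS_DATA><HOSTNAME>web01</HOSTNAME><DOMAIN>abc.com</DOMAIN><FQDN>web01.abc.com</FQDN></DNS_DATA>
      </HOST>
      <HOST>
        <ID>1002</ID>
        <IP>10.0.0.6</IP>
        <DNS>0.abc.com</DNS>
        <DNS_DATA><DOMAIN>abc.com</DOMAIN><FQDN>0.abc.com</FQDN></DNS_DATA>
      </HOST>
      <HOST>
        <ID>1003</ID>
        <IP>10.0.0.7</IP>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""


def split_fqdn(fqdn):
    """Split a DNS name into (hostname, domain) on the first dot only.

    A leading label of "0" is a legitimate hostname, so the result is decided
    by whether a dot exists, never by whether the label is "truthy"."""
    head, sep, tail = fqdn.partition(".")
    if sep == "":
        return head, ""          # bare hostname, no domain part
    return head, tail


def hosts_with_missing_hostname(xml_text):
    """Return (IP, DNS) for every host that carries a DNS name but whose
    DNS_DATA/HOSTNAME is absent or differs from the first label of DNS."""
    root = ET.fromstring(xml_text)
    anomalies = []
    for host in root.iter("HOST"):
        dns = host.findtext("DNS")
        if dns is None or dns == "":
            continue                      # no DNS name: nothing to compare
        hostname = host.findtext("DNS_DATA/HOSTNAME")   # None when the element is missing
        expected, _domain = split_fqdn(dns)
        if hostname is None or hostname != expected:
            anomalies.append((host.findtext("IP"), dns))
    return anomalies


if __name__ == "__main__":
    for ip, dns in hosts_with_missing_hostname(SAMPLE_HLD_XML):
        print(f"hostname missing or inconsistent: ip={ip} dns={dns}")
```

After the fix, running the check against a real HLD response for hosts such as 0.abc.com should return an empty list; any remaining entries point at hosts whose DNS data still needs a rescan.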