Release 10.30
September 20, 2024
What’s New?
Qualys Vulnerability Management (VM)
Default Setting Enablement for a New VMDR Subscription
When a VMDR subscription is enabled, you may have opted for only a certain number of features. It may be the case that you are not aware of all the features VMDR offers. Once you become familiar with all available features, you would typically need to contact your Technical Account Manager (TAM) or Qualys support to enable additional ones. This process has a dependency on multiple stake-holders.
With this release, that dependency has been removed. All the features (given below) are now enabled by default for VMDR subscriptions.
The default setting enablement is only available for new VMDR subscriptions.
Following are the details of default settings that will be enabled for new VMDR subscriptions:
Default Setting Changes
Unique Asset Identifiers
- Agentless Identifier: Accept Agentless Tracking Identifier
- Agent Correlation Identifier: Accept Agent Correlation Identifier
Asset Merging:
- Cloud Agent Configure Agent Scan Merge to be enabled by default: "Merge data for a single unified view"
Scans Setup Page
- Accept Dissolvable Agent
- DNS Tracking
- Maximum Scan Duration per Asset
- Debug Scans
Report:
- CVSS Scoring
- OS CPE: Enable OS CPE Support
Address Management: For new VMDR subscriptions, when adding new IP addresses to the licensee container, Vulnerability Management (VM), Security Configuration Assessment (SCA), and Certview applications are enabled by default (Assets > Address Management > New > IP Tracked Addresses > Subscription IPs).
The following default settings are enabled for better product experience:
-
Enable PCAP Scan - With a PCAP Scan you will get vulnerability scan results plus a PCAP (Packet Capture) file that contains all TCP network traffic captured between the scanner and the target host. (VMDR > Scans > Scans > New > PCAP Scan)
- Enable Close Vulnerabilities on Dead Host - Option profile settings to close vulnerabilities when host is not found alive after set number of times. (VMDR > Scans > Option Profiles > New > Option Profile > Scan tab > Close Vulnerabilities on Dead Hosts)
- Enable Purge old host data when OS is changed - Settings to purge host data when we detect major change in host OS vendor. (VMDR > Scans > Option Profiles > New > Option Profile > Scan tab > Purge old host data when OS is changed)
- Enable exposing Threat Protection RTI
- Enable Customer QRDI Checks - Allow users to create their own vulnerabilities for QRDI checks. (VMDR > KnowledgeBase > KnowledgeBase > New > QRDI)
- Allow Scanner to Scan Multiple Slices in a Single Scan
- Enable Tag support in Authentication Records - Allows creation of authentication records using IP range in Tag Rule.
- Enable Cloud Perimeter Scan, Azure scan, and GCP Compute Engine scan- Allow users to create cloud perimeter scan jobs on public facing instances in their cloud environment, Azure, and GCP Compute Engine environment. (VMDR > Scans > Scans > New > Cloud Perimeter Scan/Azure/GCP Compute Engine)
- Enable Internal scanners for Cloud Perimeter Scans - Allow users to use internal scanner in addition to external scanner for cloud perimeter scan. (VMDR > Scans > Scans > New > Cloud Perimeter Scan)
- Enable Qualys Containerized Scanner Appliance (QCSA) for a subscription (VMDR > Scans > Appliances > New > Containerized Scanner Appliance)
- Enable Advanced Scan Tuning Options (to be available in the option profile)
- Enable Tag support in Authentication Records
- Asset Tag Scoping - Asset Tagging provides a flexible and scalable way to automatically discover and organize the assets in your environment
- Password Never Expires for API Access (VMDR > Users > Setup > Password Never Expires)
Qualys Recommended Option Profile
With this release, we have introduced the Qualys Recommended Option Profiles for all new VM/VMDR subscriptions. This enhancement enables the default settings from the Qualys Recommended Option Profile to be automatically applied when creating a new Option Profile. These applied settings are designed to improve scanning efficiency and ensure adherence to best practices.
The default settings are summarized as follows:
- The number of standard TCP Ports is increased from 1,900 to 2,800. Also, the number of additional TCP ports is increased from 12,500 to 20,500.
The following image illustrates the list of all 2,800 Standard TCP Ports:
- The Enable Parallel Scaling for Scanner Appliances setting is now enabled by default in Option Profiles, which enhances scan performance and reduces scan completion time.
- The profile purges old host data when the operating system is changed, enhances scan performance and improves record authentication. The purge action is initiated only when the operating system is accurately detected during the authenticated scans or by the Cloud Agent.
- Windows and Unix are now enabled by default when creating an Option Profile to help reduce issues encountered when profiles are not properly configured.
- The Dissolvable Agent option is enabled for all VMDR users by default. For existing VMDR users, the option Dissolvable Agent can be enabled from Scan > Setup.
- The Save As option is disabled when editing an existing Option Profile. The option is disabled to avoid duplication of existing option profiles.
For more details on the changes to the default settings, refer to blog - Qualys Recommended Option Profile – Upcoming Important Changes
Qualys API Support
For this enhancement, we have updated the API /api/2.0/fo/subscription/option_profile/vm/. For more information, refer to Cloud platform 10.30 API Release Notes.
View Patch Published Date for a QID
When a vulnerability is identified, it is crucial to address it with a solution. Each day that a vulnerability remains active, it poses a potential risk. To resolve this, companies release patches designed to fix the issue. The Patch Published Date field shows the date when a company released a patch for users to address the vulnerability. Previously, the patch published date information was not easily accessible. You were required to enter asset information details to view the patch published date for a particular QID.
With this release, we have added the Patch Published Date to the Vulnerability Information window for a QID. This enables you to identify the date on which the patches were first released for the QID.
Qualys API Support
For this enhancement, we have implemented the versioning for the API /api/3.0/fo/knowledge_base/vuln/. For more information, refer to Cloud platform 10.30 API Release Notes.
User Interface Enhancements
With this release, we have implemented the following User Interface (UI) enhancements:
- Enhancement in Change Password Page
- Change Password Enabled for all New Subscriptions
- Enhancement for Password Field Visibility
Enhancement in Change Password Page
We have enhanced the Change Password page for a better user experience. It now displays all the mandatory fields, including the captcha, at a glance to help you complete every step. Even when the error message is displayed on the Change Password page, the field alignment remains unchanged.
Change Password Enabled for all New Subscriptions
When you login to the Vulnerability Management (VM) or Policy Compliance (PC) application for the first time with the default password, you are now prompted to change to a password of your choice. We have made the change password step mandatory for all users, irrespective of the subscription. Users who log into their accounts for the first time must now verify their information, accept the service agreement, and then change their default login passwords. Previously, there was a dependency in the VM and PC application to change the system default password. This dependency is now removed.
Enhancement for Password Field Visibility
When entering a password, there are chances that the password may have been entered incorrectly. Therefore, it is important to have an option that enables you to view the password you have entered. We have thus introduced an eye icon to the password field across various screens.
This feature improves usability in the following ways:
- Accuracy and Transparency: With the icon, you have visibility to the password that you are entering, and this prevents login errors due to mistypes.
- User Empowerment: By allowing you to see your password, you gain better control over the interactions with the product.
The icon is now available on the following screens:
- Qualys login page
- Change Password (for both current and new passwords)
- Forget Password > Change Password dialog box in Forgot Password Workflow
The icon is available when on selecting the password field.
Login page:
Change Password:
Forgot Password:
Qualys Policy Compliance (PC)
Enhanced Data Limit for Actual Result and Extended Evidence in Policy Report
The limit for displaying Extended Evidence and Actual results in the Policy report for Active Directory (AD) System Defined Controls (SDC) has been increased to 100000 rows. Previously, the limit was 5000 rows, which resulted in incomplete data being displayed in the Extended Evidence and Actual result sections. The enhanced data limit of 100000 rows now allows the full extended evidence and actual data to be displayed in the Policy report. To learn more about extended evidence and actual result, refer to Policy Compliance Reporting- The Basics.
This enhanced data limit only applies to AD SDCs. For other SDCs, the limit is 5000 rows.
Contact Qualys support to enable this feature for your subscription.
CSV Report Format Enhancement for Policy Report
We have improved the CSV report format to include a new section Possible reason for empty report under RESULTS. This section displays the reason for an empty report, along with the corresponding reason code. Knowing the reason helps you to identify and address any issues from your end. Depending on the type of problem causing no data in the report, this section will display different reasons and their corresponding reason codes:
Reason Code | Reason |
R001 | No HostIDs resolved. |
R002 | No HostIDs matching with policy technology. |
R003 | No posture data available. |
R004 | Template setting may not be configured properly. Please verify the template setting. |
The following image illustrates the empty report displaying the reason and reason code:
Control Chaining and CIS Data-Driven Reports for CIS Policies
With this release, to evaluate your CIS policies precisely against the CIS benchmarks, the controls are now chained logically in the context of CIS references.
You can now generate a dedicated policy compliance report that organizes compliance data according to the CIS references. This report offers insight into control chaining conditions for CIS references and presents the compliance data in diverse ways, providing you with a comprehensive view of your CIS compliance.
This enhancement offers you a structured framework for assessing your adherence to the CIS benchmarks. Also, it ensures that all relevant controls are considered and assessed logically.
Important to know!
- This enhancement is exclusive to PC subscriptions and not available for SCA subscriptions.
- Only CSV report format is supported.
- The following controls are skipped from the Policy report:
- Controls that are chained logically in the context of CIS references but are not part of the policy that is being evaluated
- Inactive controls
Benefits
Here are some benefits offered by this enhancement:
- Systematic Approach: Control chaining allows you to evaluate compliance with CIS benchmarks and controls in a structured and systematic manner.
- Consistency and Standardization: Chaining policy compliance controls based on CIS references ensures consistency in evaluating compliance across the organization.
- Dependency Handling: Control chaining considers dependencies or relationships between controls. This ensures a more accurate assessment of compliance
- Simplified Compliance Reporting: A dedicated report template for CIS compliance makes it easier to review the adherence to CIS benchmarks and controls.
- Improved Remediation: The dedicated CIS compliance report facilitates remediation efforts by identifying areas of non-compliance more precisely.
- Enhanced Security Posture: As the security controls are now evaluated in a systematic manner, it reduces the probability of overlooking critical aspects of compliance. This, in turn, helps you improve the overall security posture.
Prerequisites
- To enable this feature for your subscription, contact your Technical Account Manager or Quays Support.
- The Qualys Cloud Platform version 10.30.0.0 or later.
- PCRS enabled subscription along with the PCRS version PCRS-1.16.0 or later.
- Import a CIS benchmark policy for which control chaining is implemented and run a compliance scan using it. To know the policies for which control chaining is implemented, refer to Online Help.
Support for DataStax Database Authentication
With this release, we have added support for DataStax (5.x/6.x) authentication for compliance scans using Policy Complaince (PC) and Security Configuration Assessment (SCA) applications for Unix and Windows platforms. You can create a DataStax authentication record with your credentials to authenticate to a DataStax database instance running on a host and perform a compliance scan.
Qualys API Support
For this enhancement, we added a new api /api/2.0/fo/auth/datastax/. For more information, refer to Cloud platform 10.30 API Release Notes.
Adding SSL Verification to Sybase Authentication Record
When scanning a Sybase database, the authentication method was limited to certificate based authentication. We have now added support for SSL verification to the Sybase Authentication Record. This allows you to scan and authenticate the Sybase databases using SSL verification in the Policy Compliance application.
Qualys API Support
For this enhancement, we have implemented the versioning for the API /api/3.0/fo/auth/sybase/. For more information, refer to Cloud platform 10.30 API Release Notes.
Activate or Deactivate Policies using an SCA account
With this release, we have provided permissions to all Security Configuration Assessment (SCA) accounts to activate or deactivate policies. This can be done to either an individual policy or multiple policies. You can also filter out policies that are active or inactive from the list of policies displayed in the Policies tab.
You can view which policies are active or deactivated, using the eye icon. Here, indicates the policy is active, whereas indicates the policy is deactivated.
Support to Sort the Compliance Criticality in the Scorecard Report Template
With this release, we have added two new options under Overall Compliance by Criticality in the Compliance Scorecard Report Template. You can now sort the compliance criticality in the Compliance Scorecard Report Template in ascending or descending order. Earlier, criticality was sorted by percentage, which made it challenging to determine the criticality of the compliance accurately.
With this, when you select sorting in the following:
- Ascending order, the report displays Medium criticality at the first position, followed by Serious, Critical, and Urgent levels.
- Descending order, the report displays the Urgent criticality at the first position, followed by Critical, Serious, and Medium levels.
This helps to identify the criticality of the compliance and take further action. When you have not selected any options, the report displays the criticality based on the percentage.
This is applicable to all the scorecard report formats like PDF, HTML, and XML.
Improve Deletion of Stale PC Technology/Instances
With this release, the following issues related to stale PC Technology/Instances deletion have been resolved:
- Previously, the deletion of posture data for instance-based technologies such as Tomcat, Apache HTTP, and many more led to a scenario where reports were missing data when OS authentication failed. With this release, the posture data for such instance-based technologies is skipped if the OS authentication fails.
- Previously, processing a full scan resulted in the deletion of posture data of instances that were reported via agent middleware scan. This was possible when the host merge feature was enabled for unified view/smart merging. Such deletions are now restricted. However, the instances that are reported by the same scan source are considered for deletion. The posture data can still be deleted if the technology/instance is found to be stale. This is possible by enabling the setting from Policy Compliance > Scan > Setup > Inactive Purge Instance. Once a value is specified in this field, it removes data for instances that haven't been updated in a certain number of days.
- Previously, when processing results of Scan-By-Policy (SBP), at least one instance was required to be present in the scan results for deleting stale technologies/instances. Deletion is now supported even if no instance is reported in the latest scan.
- We have expanded posture data deletion for all technologies covered via agent middleware scan.
Support for New Authentication Technologies
With this release, the following technologies are now supported for Policy Compliance authenticated scans:
Oracle 23ai (Multitenant)
With this release, the Oracle 23ai (Multitenant) technology is supported for Policy Compliance authenticated scans using scanners and Cloud Agent. The technology is now available for use at the following places for both scanner and agent:
Policy Editor
When you create or edit a compliance policy, Oracle 23ai (Multitenant) is now available in the list of supported technologies.
Search Controls
When you search controls, you see Oracle 23ai (Multitenant) in the list of technologies. Go to Policies > Controls > Search and select Oracle 23ai (Multitenant) in the list.
Authentication Report
To display all OS authentication-based instance technologies per host, including Oracle 23ai (Multitenant), in your authentication report, go to Reports > New > Authentication Report and under Appendix, enable OS Authentication-based Technology option.
Oracle 23ai (Multitenant) is now listed under application technologies in the Result section of a compliance scan report.
Scroll down to the Appendix section of your authentication report to view the Oracle 23ai (Multitenant) mentioned under Targets with OS authentication-based technologies.
Scan Results
Sample Report
The sample report displays the tracking method and the instances for both scanner and agent. You can view the instances of Oracle 23ai (Multitenant) for scanned hosts in compliance reports.
- Scanner
The sample report displays the tracking method for the scanner as IP with an instance of oracle23cdb.
- Agent
The sample report displays the tracking method for the scanner as AGENT with an instance of oracle23cdb.
When you use a cloud agent for Policy Compliance, the cloud agent auto-discovers Oracle 23ai (Multitenant). When an agent scan detects Oracle 23ai (Multitenant) on a host, it is displayed at PC > Assets > Middleware Asset.
For more information, see Authentication Technologies Matrix.
Windows 2022 Active Directory
Windows 2022 Active Directory optimizes traffic and enhances overall performance in an environment with numerous groups. You need a Windows record to authenticate Windows 2022 Active Directory and scan it for compliance. You can scan, create policies with desired controls, and run reports like authentication, policy, interactive, and so on using Windows 2022 Active Directory. It supports both scanner and agent.
Windows 2022 Active Directory is now available for use at the following places for both scanner and agent:
Policy Editor
When you create or edit a compliance policy, Windows 2022 Active Directory is now available in the list of supported technologies.
Search Controls
When you search controls, you see Windows 2022 Active Directory in the list of technologies. Go to Policies > Controls > Search and select Windows 2022 Active Directory in the list.
Authentication Report
To display all OS authentication-based instance technologies per host, including Windows 2022 Active Directory, in your authentication report, go to Reports > New > Authentication Report and enable OS Authentication-based Technology option under the Appendix.
Scroll down to the Appendix section of your authentication report to view the Windows 2022 Active Directory mentioned under Targets with OS authentication-based technologies.
Scan Results
Windows 2022 Active Directory is now listed under Application technologies found based on OS-level authentication in the Result section of a compliance scan result.
When you use a cloud agent for Policy Compliance, the cloud agent auto-discovers Windows 2022 Active Directory. When an agent scan detects Windows 2022 Active Directory on a host, it displays on PC > Assets > Middleware Asset.
Sample Report
The sample report displays the tracking method and the instances for both scanner and agent. You can view the instances of Windows 2022 Active Directory for scanned hosts in Compliance Reports.
- Scanner
The sample report displays the tracking method for the scanner as IP with an instance of ad2022.
- Agent
The sample report displays the tracking method for the scanner as AGENT with an instance of ad2022.
For more information, see Authentication Technologies Matrix.
Support UDC for Agent on MacOS X
With this release, we are supporting the UDC type for the Script Result Check option for MacOS X under Unix Script UDC. Earlier, support was only for the Windows platform type for Windows script UDC and the Linux platform for Unix script UDC. This helps you validate the script against MacOS X technologies.
Issues Addressed
The following reported and notable customer issues have been fixed in this release:
Component/Category | Application |
Description |
VM - Report Schedule | Vulnerability Management | When user attempted to schedule report on report generated from API, an error message stating, "An error has occurred and the Qualys Server cannot process your request," was displayed. This happened because report schedules were not being set up fpr reports created using the API. The relevant code changes have been made to address this issue. You can now schedule API reports and any other on demand reports successfully. |
VM - Reports General | Vulnerability Management | When users generated an authentication report, the operating system did not appear in the Operating System section of the report. This issue occurred because the OS value was retrieved from the wrong column in the table. Relevant code changes were made to fix this issue. |
VM - Feature Request | Vulnerability Management | Data related to Host Application was gettting processed in QWEB as well as Portal. Considerable time was getting spent on processing the data in QWEB. Relevant tweaks were added at the platform level to resolve this issue. Now when you enable the tweak, the host application data will not be processed, and data will not be inserted/updated in the host application table at QWEB. |
VM - User Management | Vulnerability Management | When the user, without GUI access, tried to access the Qualys user interface, an expected login failure occurred. However, in the login failure logs, that highlighted the login attempt, displayed the role of the user incorrectly. Relevant code changes have been made to resolve this issue. The failure logs now display the correct user role. |
VM | Vulnerability Management | When the users referred to the Qualys Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords document, they observed certain QID credentials missing. Relevant changes have been made to resolve this issue. The document Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords is now updated with the list of QID credentials. For more information refer to the Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords document. |
VM - Knowledge Base | Vulnerability Management | When the users were trying to create a Dynamic search list, they entered "CVE-" in CVE Id field with "Contains", an error was displayed. This is because when performing a validation for CVE ID field, the provided value must be either a valid CVE ID pattern or must contain the value as entered in the field. Relevant code changes have been made to resolve this issue. The CVE ID filter value is now selected before applying the regex validation on CVE ID field. |
VM - Remediation |
Vulnerability Management | When the users were using an asset group configured with DNS in a remediation policy, the policy evaluation process failed. Therefore, the remediation tickets were not being created. This was an expected behavior. The backend service (AGMS) resolves only IPs from the asset groups, not DNS. Due to this, policy evaluation fails for such assets, and remediation tickets do not get created. This is now updated in the Online Help in Remediation - The Basics. |
VM - Reports | Vulnerability Management | When the users created a scan report template through API by passing 0 values for exploitability and malware in the request or through UI by unchecking the options of exploitability and malware, users were still able to view the exploitability and malware columns in the report XML format. The relevant code changes have been made to resolve this issue. |
VM - Assets | Vulnerability Management | When users tried to view the Existing Excluded Host (Scans > Setup > Excluded Hosts > Existing Excluded Hosts) in the Excluded Hosts Setup, it was taking a considerable amount of time to open. The relevant code changes have been made to resolve this issue. |
PC | Policy Compliance | We now support Windows 2022 Active Directory Instance for Policy Compliance authenticated scans. Windows 2022 Active Directory enhances performance and optimizes traffic in large environments. It supports both scanners and agents, allowing for compliance scanning, policy creation, and report generation. You can use it with Policy Editor, Search Controls, Authentication Reports, and Scan Results. |
PC - Reports | Policy Compliance | Previously, posture data for instance-based technologies like Tomcat and Apache HTTP was deleted when OS authentication failed, leading to missing data in reports. Processing a full scan also resulted in the deletion of instances reported via agent middleware when host merging was enabled. Additionally, deleting stale instances in Scan-By-Policy (SBP) required at least one instance in the results, and posture data deletion was limited for some technologies. Relevant code changes have been made to resolve these issues, preventing unnecessary deletions, expanding support for agent middleware, and improving stale instance management. |
PC - Feature Request | Policy Compliance | When the users executed the Policy Compliance report for Active Directory (AD) SDC (System defined Controls), users were able to view incomplete data displayed in the Extended Evidence and Actual result sections. Relevant code changes have been made to resolve the issue. Now, you can view the full extended evidence and actual data in the report. |
PC - Authentication Records | Policy Compliance | When users edited an MS SQL Server Authentication Record, they entered the member domain details and proceeded to save it. An error asked for IPs, though the expected behavior is to enter either IPs or member domains. Relevant code changes have been made to resolve this issue. |
PC-Policy Editor | Policy Compliance | When the user attempted to copy a control from one technology to another and proceeded to save it, an error was displayed. This was because a single quote was present in the expected value field. Relevant code changes have been made to resolve this issue. |
SCA - Reports | Policy Compliance | When the users executed a Compliance Policy Report by selecting Group By Controls and unchecking the Asset Tag option in the Compliance Policy Report Template, users were able to view the Asset Tag details below each control section in the report. The relevant code changes have been made to resolve this issue. Now you can view the Asset Tag for CSV Reports Only under Group By Control selection instead of Asset Tag. |