Cloud Agent Lab Tutorial Supplement - Mar2023

Cloud Agent

Lab Tutorial Supplement

Table of Contents
CLOUD AGENT DEPLOYMENT .................................................................................................................................4
AGENT ACTIVATION KEY .................................................................................................................................................................4
Add a Static Tag ......................................................................................................................................................................5
Application Module Support ..............................................................................................................................................5
Activation Key Limits ............................................................................................................................................................7
AGENT INSTALLATION COMPONENTS ...........................................................................................................................................7
Command Line Installation ................................................................................................................................................9
Validate CA Installation .................................................................................................................................................... 12
Locate Host ID ....................................................................................................................................................................... 12
View CA Log File (Log.txt) ................................................................................................................................................ 13
CA Log Analysis & Troubleshooting ............................................................................................................................. 13
Cloud Agent Installation Guides .................................................................................................................................... 14
AGENT PROXY CONFIGURATION.................................................................................................................................................. 14
TLS 1.2 Requirement .......................................................................................................................................................... 14
Windows Agent Proxy Configuration .......................................................................................................................... 14
Linux Agent Proxy Configuration.................................................................................................................................. 16
Cloud Agent Installation Guides .................................................................................................................................... 18
ASSET DETAILS & QUERIES.......................................................................................................................................................... 18
Windows Self-Protection Feature ................................................................................................................................. 20
CONFIGURATION AND TUNING ........................................................................................................................... 22
CLOUD AGENT CONFIGURATION PROFILE................................................................................................................................. 22
General Info ............................................................................................................................................................................ 23
Blackout Windows ............................................................................................................................................................... 23
Agent Performance Settings............................................................................................................................................ 24
Assign Hosts............................................................................................................................................................................ 26
Agent Scan Merge ................................................................................................................................................................ 27
VM, PC, and SCA Scan Intervals ..................................................................................................................................... 30
Scan On-Demand .................................................................................................................................................................. 30
FIM and EDR .......................................................................................................................................................................... 35
PM ............................................................................................................................................................................................... 35
Configuration Profile Precedence ................................................................................................................................. 35
DOWNLOAD MANIFEST ................................................................................................................................................................. 36
ACTIVATE, DEACTIVATE & UNINSTALL AGENTS ..................................................................................................................... 37
Activate & Deactivate Application Modules ............................................................................................................. 37
Uninstall Agents.................................................................................................................................................................... 39
Purge Rules ............................................................................................................................................................................. 39
Asset Housekeeping Enhancements for Cloud Assets ........................................................................................... 40
APPENDIX A: MAC OS AGENT INSTALLATION ............................................................................................... 41
COMMAND LINE INSTALLATION .................................................................................................................................................. 42
VALIDATE CA INSTALLATION ...................................................................................................................................................... 42
LOCATE HOST ID ............................................................................................................................................................................ 42
LOCATE CA LOG FILE (QUALYS-CLOUD-AGENT.LOG) ............................................................................................................. 43
CA LOG ANALYSIS & TROUBLESHOOTING................................................................................................................................. 43
APPENDIX B: RPM-BASED AGENT INSTALLATION ...................................................................................... 44
COMMAND LINE INSTALLATION .................................................................................................................................................. 45
VALIDATE CA INSTALLATION ...................................................................................................................................................... 45
LOCATE HOST ID ............................................................................................................................................................................ 46
LOCATE CA LOG FILE (QUALYS-CLOUD-AGENT.LOG) ............................................................................................................. 46

CA LOG ANALYSIS & TROUBLESHOOTING................................................................................................................................. 46
APPENDIX C: DEBIAN/UBUNTU AGENT INSTALLATION ........................................................................... 47
COMMAND LINE INSTALLATION .................................................................................................................................................. 48
VALIDATE CA INSTALLATION ...................................................................................................................................................... 48
LOCATE HOST ID ............................................................................................................................................................................ 49
LOCATE CA LOG FILE (QUALYS-CLOUD-AGENT.LOG) ............................................................................................................. 49
CA LOG ANALYSIS & TROUBLESHOOTING................................................................................................................................. 49
APPENDIX D: SUPPORT FOR REDHAT OPENSHIFT ..................................................................................... 50
CLOUD AGENT FOR REDHAT OPENSHIFT INSTALLATION ..................................................................................................... 51
APPENDIX E: QUALYS TECHNICAL SUPPORT ................................................................................................. 52
WINDOWS HOST............................................................................................................................................................................. 52
LINUX/UNIX/MAC HOST ............................................................................................................................................................. 52
OTHER HELPFUL INFORMATION ................................................................................................................................................. 52

Cloud Agent Deployment
To successfully deploy Qualys Cloud Agent (CA), the target host must have Internet
access and a clear path to the Qualys Cloud Platform. Administrative or root access to the
target host is required for an Agent installation.

Agent Activation Key


Before deploying agents, you must generate an Activation Key in the Cloud Agent
application. Activation Keys allow you to manage and control the distribution of agents
throughout your organization.
Navigate to the following URL to view the "Create Activation Key" tutorial:

LAB 1 - https://ior.ad/7fyC

Activation Key configuration options include: 1) Title, 2) Asset Tags assigned to
deployed Agent hosts, 3) Qualys application modules activated for deployed agents, and
4) Key limitations or restrictions.

Add a Static Tag
It's a "best practice" to configure Agent Activation Keys with a static Asset Tag. The
predictable nature of a static tag makes it easy to identify or track Agent host assets
deployed with any Activation Key.

Application Module Support

Select the Qualys application modules to be activated during Agent deployment. Any
application module not selected can be activated at a later time.
Qualys Cloud Agent collects and provides data for multiple Qualys Platform applications,
including:
▪ Global AssetView (GAV) or Cyber Security Asset Management (CSAM) - can
provide access to inventory and vulnerability data collected by Cloud Agent
▪ Vulnerability Management (VM) - allows you to continuously monitor assets for
operating system, application, and certificate vulnerabilities – includes Threat
Protection (TP) & Continuous Monitoring (CM)
▪ Policy Compliance (PC) and/or Security Configuration Assessment (SCA) -
allows you to continuously evaluate assets against standard(s) and benchmark(s)
▪ File Integrity Monitoring (FIM)* - allows you to detect, log, and track file
changes, allowing you to identify critical changes, incidents, and risks resulting
from normal and malicious events
▪ Endpoint Detection & Response (EDR)* and Extended Detection & Response
(XDR)* - allow you to hunt for threats, detect suspicious activity and confirm the
presence of known and unknown malware from devices both on and off the
network
▪ Patch Management (PM)* - deploys detected patches to your systems

NOTE: CSAM is enabled by default. Threat Protection (TP) and Continuous Monitoring
(CM) are supported via activation of the VM module.
FIM, EDR, XDR, and PM are Agent exclusive applications (i.e., they require Cloud
Agent).

Consult the "Platform Availability Matrix" at qualys.com/documentation/ for specific OS
version and application support details.

Please contact your Qualys Technical Account Manager to access a copy of this
whitepaper.

Activation Key Limits
Create keys that are unlimited, or choose the option to set limits.

If both limits are selected, the key will expire when the first limit is reached.

Agent Installation Components


While this lab tutorial highlights the components of a Windows Agent installation, the
basic principles and concepts apply equally to other agent-supported OS installations.
You'll find specific instructions for Mac OS installations, RPM-based OS installations,
and Debian/Ubuntu OS installations in Appendix A, B, and C, respectively.
The installation steps that follow support Windows XP SP3 or greater. Older versions of
Windows that do not support TLS 1.2 will need to connect to the Qualys Cloud Platform
through a proxy or the Qualys Gateway Service (QGS).
To successfully perform a Cloud Agent installation, you must have administrative access
to the target Windows host.
Navigate to the following URL to view the "Agent Installation Components" tutorial:

LAB 2 - https://ior.ad/91E0

Use an Activation Key's "Quick Actions" menu to select the "Install Agent" option.

To download an Agent installation program and acquire its associated installation
command, click the "Install Instructions" button that matches your targeted OS.

To install Cloud Agent on a Windows host, click the "Install Instructions" button next to
the "Windows (.exe)" option.
See Appendix A, B, and C for Mac OS, RPM, and Debian installation instructions.

1. Copy and paste the installation command into a plain text document.
2. Click the "Download .exe file" button and save the Cloud Agent installation file
(.exe).

The installation command contains your unique CustomerId and an ActivationId that
identifies its associated Activation Key.
These two components must be included when using third-party applications to build
custom deployment packages for hundreds or thousands of hosts.

Command Line Installation


Although this lab uses a simple 'command line' technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud
Agent deployments.
Navigate to the following URL to view the "Command Line Installation" tutorial:

LAB 3 - https://ior.ad/91E3

Open a "Command Prompt" window on a target Windows host.

Navigate to the directory that contains the Cloud Agent installation program
(QualysCloudAgent.exe).
Use the "dir" command to verify the existence of the installation program file. If you do
not see the file "QualysCloudAgent.exe" navigate to its correct location before executing
the installation command.
Copy and paste the Cloud Agent installation command into the "Command Prompt"
window and press the "Enter" key. The Agent installation program will execute with your
Activation Key and Customer ID.

MSI Extract Installation


To extract the MSI from the downloaded .exe file, run the following command:
QualysCloudAgent.exe ExtractMSI=<value>
For ExtractMSI, use one of the following values, according to the host architecture:
- 32: Extracts the 32-bit MSI installer
- 64: Extracts the 64-bit MSI installer
- BOTH: Extracts both the 32-bit and 64-bit MSI installers
- AUTO: Extracts the appropriate MSI based on the OS architecture. It extracts the 32-bit
MSI on a 32-bit machine and the 64-bit MSI on a 64-bit machine
For example, to install Cloud Agent on a 64-bit machine, extract the MSI package with
ExtractMSI=64.

Installing the MSI package

Copy the Qualys Cloud Agent installer onto the host where you want to install the agent.
Run the command or use a systems management tool to install the agent per your
organization's standard process for installing software.
The following is a sample command for installing the MSI package for the 32-bit installer:

Msiexec.exe /i CloudAgent_x86.msi CustomerId={12345678-1234-1234-1234-123456789012} ActivationId={12345678-1234-1234-1234-123456789012}

Here CloudAgent_x86.msi is the extracted MSI file for the 32-bit installer.

Validate CA Installation
To verify the success of your installation, look for the Cloud Agent process within
Windows Task Manager.

Open the Windows Task Manager and verify Qualys Cloud Agent is running
(Ensure you are viewing processes from all users).

Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by
Qualys. For a Windows host, this Host ID can be found in the Windows Registry.

Open the Windows Registry Editor (i.e., regedit.exe) and navigate to
HKLM\SOFTWARE\Qualys. The "HostID" registry value contains a universally unique ID
(UUID) used to track the vulnerability findings for its host.

View CA Log File (Log.txt)
You can use the Cloud Agent log file to monitor agent activity. You will find the log file
for a Windows host in the "ProgramData" (hidden) folder.

Use Windows Explorer or a Command Prompt window to navigate to the following
directory path: C:\ProgramData\Qualys\QualysAgent
Open the file 'Log.txt' to view Cloud Agent log file entries.

NOTE: Windows XP uses a different directory path for its agent log file:
C:\Documents and Settings\All Users\Application Data\Qualys\QualysAgent

CA Log Analysis & Troubleshooting


Visit the Qualys Training Video Library (https://www.qualys.com/training/library/cloud-agent/)
for more information and details on Agent log analysis and troubleshooting:
▪ Introduction to Troubleshooting & Log Analysis (https://vimeo.com/412764672)
▪ Troubleshooting & Log Analysis – Common Errors (https://vimeo.com/412762742)
▪ Troubleshooting & Log Analysis – Unix/Linux Distribution (https://vimeo.com/418215691)
▪ Common Errors and Their Solutions – Unix/Linux Distribution (https://vimeo.com/418218290)

Cloud Agent Installation Guides

Also, in the Getting Started guide you will find information on managing your assets
within the Cloud Agent application.

Agent Proxy Configuration


By default, Qualys Cloud Agent communicates directly with the Qualys Platform on
TCP/443. Agents can also be configured to communicate through a proxy server,
including Qualys Gateway Server (QGS). QGS also provides a patch download cache for
the Qualys Patch Management (PM) application.

TLS 1.2 Requirement


To successfully communicate with the Qualys Platform, TLS 1.2 must be enabled on
agent hosts. Agent host assets that do not meet this requirement will need to
communicate to the Qualys Platform through a proxy server capable of converting host
communications to the required TLS protocol. Use Qualys Gateway Server (QGS) to
meet this TLS 1.2 requirement.

Windows Agent Proxy Configuration


By default, agent proxy settings on Windows clients are not configured to talk through a
proxy, and the agent attempts to detect a Windows Proxy Auto-Discovery (WPAD) auto-
proxy.
Windows agent proxy configuration can be accomplished by creating and editing the
Qualys Proxy registry key (HKLM\SOFTWARE\Qualys\Proxy). The Qualys Proxy
utility (QualysProxy.exe) will automatically generate this key if it is not present.

Steps to use QualysProxy.exe:
From an elevated command prompt, execute QualysProxy.exe to:
▪ Configure proxy server(s) and port(s)
▪ Configure the proxy username and password if authentication is required
▪ Configure Proxy Auto-Configuration (PAC) file URLs (when WPAD is not
available)
▪ Enable/disable WPAD for agent hosts
QualysProxy.exe works with third-party software management and distribution tools,
which can run it to set the proxy configuration for agents during or after an Agent
installation. Any application that can access the Windows Remote Registry Service
(including the Group Policy Management Console, Group Policy, WMI, etc.) can also
create or modify the Agent proxy configuration settings directly.

You'll find QualysProxy.exe in the "\Program Files\Qualys\QualysAgent" folder of a
Windows host. It must be executed from an elevated command prompt.

Qualys Proxy Options

QualysProxy Examples
1. Set proxy and port number.
QualysProxy /u http://my-proxy:8080

2. Define multiple proxy servers (for failover).
QualysProxy /u http://my-proxy-1:8080;http://my-proxy-2:8080

3. Define multiple ports on the same proxy server (for failover).
QualysProxy /u http://my-proxy:8080;http://my-proxy:1080

This can also be used to configure the Cloud Agent to use the Cache Port first and the
Proxy Port second (as failover) on a single Qualys Gateway Appliance.

4. Set proxy and credentials.
QualysProxy /u http://my-proxy /n ProxyUsername /p ProxyPassword

5. Tell the Agent to use a PAC file.
QualysProxy /a http://my-pac-file-server/QualysAgent.pac

6. Specify credentials for use with a PAC file.
QualysProxy /n ProxyUsername /p ProxyPassword /a http://my-pacfile-server/QualysAgent.pac

Linux Agent Proxy Configuration


1. Agents can be configured for proxy communications using the 'qualys-cloud-agent'
proxy configuration file:
/etc/sysconfig/qualys-cloud-agent (.rpm)
/etc/default/qualys-cloud-agent (.deb)
If this file does not already exist, you must create it. Both .rpm and .deb
environments also support proxy configuration in the /etc/environment file.
2. Add one of the following lines to the file (one line only):
• https_proxy=https://[<username>:<password>@]<host>[:<port>]
• qualys_https_proxy=https://[<username>:<password>@]<host>[:<port>]

where <username> and <password> are specified if the HTTPS proxy uses
authentication, <host> is the proxy server's IPv4 address or FQDN, and <port> is the
proxy's port number.
If the proxy is specified with the https_proxy environment variable, it will be used
for all commands performed by the Cloud Agent. If the proxy is specified with
the qualys_https_proxy environment variable, it will only be used by the Cloud
Agent to communicate with the Qualys Cloud Platform.
This configuration has been extended to support Proxy Auto-Configuration (PAC)
files for Linux agents. The URL of the PAC file must be set in http_proxy or
https_proxy in the same file, in the following format:
https_proxy=pac+http://url.to/proxy.pac

3. Restart the qualys-cloud-agent service (e.g., service qualys-cloud-agent restart)


Temporarily Bypass Proxy
If agents operate in proxy mode and need to switch to non-proxy mode, you can
configure agents to use no_proxy in /etc/environment.
The 'no_proxy' environment variable is used to bypass the proxy. The curl library honors
'no_proxy': if it is set, curl will not use a proxy even when a proxy environment variable
is set.
To enable Linux agents to use no_proxy for communication with the Qualys Cloud Platform,
edit the /etc/environment file and add the following line:
qualys_https_proxy=https://[<username>:<password>@]<host>[:<port>] no_proxy=<POD domain name>

Note: For init.d based systems, you must prefix 'export' to the 'qualys_https_proxy' line.
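As an added example (not part of the Qualys tutorial), the POSIX shell functions below carry out steps 1 and 2 above: they compose the qualys_https_proxy value from host, port and optional credentials, pick the configuration file by package type, and write the single proxy line, with the 'export' prefix the note requires on init.d systems. The function names, the QUALYS_ETC override used so the example can be run against a scratch directory, and the validation rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): configure the Linux Cloud Agent
# proxy line as described above. All function names are this example's own.

# Compose the proxy value https://[user:pass@]host[:port].
# $1=host (IPv4 or FQDN), $2=port (optional), $3=user (optional), $4=password (optional).
# Credentials are used verbatim; reserved URL characters must already be percent-encoded.
qualys_proxy_value() {
    host=$1; port=$2; user=$3; pass=$4
    [ -n "$host" ] || { echo "host is required" >&2; return 1; }
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    fi
    auth=""
    [ -n "$user" ] && auth="$user:$pass@"
    printf 'https://%s%s%s\n' "$auth" "$host" "${port:+:$port}"
}

# Select the agent's proxy file by package type: rpm -> /etc/sysconfig, deb -> /etc/default.
# QUALYS_ETC (assumed, this example's own) replaces /etc so the functions can be exercised
# without touching the real host configuration.
qualys_proxy_file() {
    base=${QUALYS_ETC:-/etc}
    case $1 in
        rpm) echo "$base/sysconfig/qualys-cloud-agent" ;;
        deb) echo "$base/default/qualys-cloud-agent" ;;
        *)   echo "unknown package type: $1" >&2; return 1 ;;
    esac
}

# Write exactly one qualys_https_proxy line to the file, replacing any existing
# https_proxy/qualys_https_proxy line (the tutorial requires "one line only").
# $1=file, $2=proxy value, $3="initd" to prefix 'export' (SysV init), anything else otherwise.
# Echoes the line written so callers can check it.
qualys_proxy_write() {
    file=$1; value=$2; init=$3
    prefix=""
    [ "$init" = "initd" ] && prefix="export "
    line="${prefix}qualys_https_proxy=$value"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    # grep -v exits 1 when nothing is left to print (e.g. an empty file); that is not an error here.
    grep -v -E '^(export )?(qualys_)?https_proxy=' "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
    echo "$line" >> "$file"
    chmod 600 "$file"   # the line may carry proxy credentials; keep it root-readable only
    echo "$line"
}

# Usage on a real rpm-based host with SysV init (then restart the service as in step 3):
#   qualys_proxy_write "$(qualys_proxy_file rpm)" "$(qualys_proxy_value proxy.corp.example 3128)" initd
#   service qualys-cloud-agent restart
```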

Cloud Agent Installation Guides

Asset Details & Queries


It typically takes a few minutes for a new Agent Host to appear under the "Agents" tab
post-installation.

The "Quick Actions" menu of any host will allow you to view its asset details.
Navigate to the following URL to view the "Asset Details & Queries" tutorial:

LAB 4 - https://ior.ad/91E5

All Agent hosts are listed under the "Agents" tab. You can use the CA "Search" field to
help you quickly find the Agent host you are looking for.

For example, you may find it helpful to search your asset database for agents that have
not checked in for several days.
Queries you create can be saved for future use, and query results can be downloaded and
imported into spreadsheets and other documents.
If you start typing in the "Search" field, a list of search terms will be displayed that
contain the characters you type.

Detail is provided in the right pane for any search term highlighted in the left pane.

Tip: Clear the "Search" field and enter any character ("a", "e", "i", "o", "u", etc.) to
identify search parameters that contain the character you typed.
Click the "?" icon in the search field for help and instruction on creating queries.

Examples are provided for common search scenarios.

All Agent hosts are labeled with the system-generated "Cloud Agent" tag, which is applied
as soon as the Cloud Agent is installed on the asset and communicates with the platform.
This makes the "tags.name" query token very useful when attempting to "single out"
Agent hosts in other Qualys applications.

The example above was taken from the CSAM application. When attempting to find
Agent hosts, search on the "Cloud Agent" Asset Tag (i.e., tags.name: "Cloud Agent").

Windows Self-Protection Feature

Attackers commonly disable security software to gain easier access to your data and to
deprive you of visibility into the current security posture.
The Cloud Agent Self-Protection feature helps prevent non-trusted processes from
making unwanted changes to the file directories and registry entries used by the Qualys
Cloud Agent.

It also prevents:
▪ Uninstallation of Cloud Agent
▪ Termination of Cloud Agent processes
▪ Tampering with the Cloud Agent driver
▪ Tampering with Cloud Agent registry keys
▪ Attaching a debugger to the Qualys Agent service
▪ User-defined scripts (i.e., scripts uploaded by Qualys Custom Assessment and
Remediation and Patch Management) from changing the protected areas

However, On-Demand Scan configuration, which requires a registry change on the host,
will still work, and the proxy tool (QualysProxy.exe) can still be used to configure a proxy
for the Agent with Self-Protection enabled.

To get this feature enabled in your account, please contact your Qualys TAM or engage
Qualys support.

The Features by Agent Version section in the Cloud Agent Platform Availability Matrix
displays the operating system platforms and the Agent versions supported by the Self-
protection feature.

Navigate to the following URL to view the "Windows Self-Protection Feature" tutorial:

LAB 5 - https://ior.ad/90gg

Configuration and Tuning
The Cloud Agent application is your command and control center for deploying and
managing Cloud Agent.

Cloud Agent Configuration Profile


The Cloud Agent Configuration Profile provides options to control the performance and
behavior of each Agent instance.

Navigate to the following URL to view the "CA Configuration Profile" tutorial:

LAB 6 - https://ior.ad/7fAw

General Info

The General Information settings establish things like the profile name and description,
along with some default data collection and update options:
▪ Only one profile can be designated as the default profile for your subscription. If
an Agent host does not meet the host assignment criteria for any other
configuration profile, the default will be used.
▪ The option to suspend data collection from agents will effectively stop the Agent
from performing VM, PC, SCA, and Inventory scans. Although scanning has
stopped, agents will continue to receive manifest updates, configuration updates,
and Agent version updates.
▪ Windows agents with SQLite In-Memory Databases enabled consume slightly
higher memory while using slightly less CPU and disk space resources.
▪ Enable the "Prevent auto-updating of the Agent binaries" option if you intend to
use third-party software management and distribution tools (e.g., SCCM, RPM,
BigFix, Casper, Altiris, etc.) to perform Agent upgrades.

Blackout Windows
You can add blackout windows to stop communication between the Agent and the
Qualys Cloud Platform at specified times each day of the week.

This can be especially useful when coordinating the communication flows for different
groups of agents or simply using this option to stop Agent communications during
expected times of peak network traffic.

Agent Performance Settings
To control the amount of system or network resources used by each Agent, you can use
the preset performance settings (LOW, NORMAL, or HIGH), or use the "Customize"
option for more granular control.

Network Performance
Moving down through the "Performance" options, the "Delta Upload Interval" and
"Chunk sizes for file fragment uploads" settings work together to control how VM and
PC data is transmitted to the Qualys Cloud Platform (FIM and EDR settings are specified
in a separate place).

Chunk sizes for file fragment uploads - Specifies the maximum payload size for data
transmissions. If the total amount of transmission data exceeds this value, it will be
broken up (or fragmented) into appropriate chunks not to exceed this value.
Example: if "Chunk sizes for file fragment uploads" is set to 1024KB, a 4MB data
transmission will be broken up into four separate chunks, each 1024KB in size.
Delta Upload Interval - Specifies the time (or delay) between separate transmissions of
"chunks" of data.
These two settings will have the greatest impact on network performance during Agent
scan data transmissions (specified in the Scan Interval settings).

CPU Performance
It's the CPU performance settings that determine how long it will take an Agent to
complete the task of collecting inventory and scan data from its Agent host.
The more CPU resources you provide to an Agent, the sooner it will complete its tasks.
Separate CPU performance settings are provided for Windows and Linux/MacOS agents.

CPU Limit - The CPU configuration setting for a Windows Agent is called the "CPU
Limit" and is expressed as a percentage of CPU usage.
Higher percentages will provide greater CPU resources to a Windows agent, allowing it
to complete its data collection tasks in less time. Lower percentages will reduce Agent
performance, and more time will be required for the Agent to complete its tasks.
CPU Throttle - The CPU configuration for a Linux or Mac host is called CPU Throttle.
It is expressed in milliseconds, which represents the delay between metadata collection
commands executed by the Agent.
Lower CPU Throttle settings improve Agent performance by minimizing the delay
between Agent tasks. Higher values for CPU throttle will slow Agent performance.

Assign Hosts
In the first lab tutorial, the "CA Lab" tag was added to the CA Lab Activation Key. This
ensures all agents created with the CA Lab Activation Key will receive the "CA Lab" tag.

The "CA Lab" tag can now be used to assign your Agent host to the correct
Configuration Profile.

Hosts with the "CA Lab" tag will be assigned to this Configuration Profile automatically.

Agent Scan Merge
Qualys Scanner Appliances produce SCAN data. Qualys Agents produce AGENT data.
When a Qualys Scanner is used to scan a host that already has a Qualys Agent installed,
both SCAN data and AGENT data records are collected and stored.
SCAN data (for both authenticated and unauthenticated scans) and AGENT data can be
successfully merged when both records contain a common field or attribute. The Agent
Correlation Identifier provides this common attribute.
When Agent Scan Merge is enabled in a Configuration Profile, the Agent Correlation
Identifier is exposed on TCP ports 10001-10005.

By default, the lowest available port number will be used. Use the "Bind All" option to
bind on all five ports simultaneously. Configure "On-Premise Detection" to expose the
Agent Correlation Identifier only on a trusted network. An IP address range of 0.0.0.0/0
enables this feature for all Agent hosts, with no network restriction.

Once Agent Scan Merge is enabled, the 'agentid-service' can be viewed from Windows
Task Manager.

The 'agentid-service' can also be viewed within a Unix/Linux process list.

Execute the 'netstat' command to view the agentid-service's assigned port
number(s).
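The following shell script is an added example, not part of the tutorial or of the Qualys Agent software. It reads the listener table produced by `ss -ltn` (or `netstat -ltn` on Linux) from standard input and reports which of TCP ports 10001-10005 are bound, so you can confirm that the agentid-service is listening where expected and on no more ports than intended (one port by default, all five with "Bind All"). The sample listener table embedded in the script is constructed for an offline dry run.

```sh
#!/bin/sh
# Added example (not from the tutorial): report which Agent Scan Merge ports
# (TCP 10001-10005) are currently listening on this host.
# Input is the listener table from `ss -ltn` or `netstat -ltn` (Linux column
# layout assumed) on stdin, so the same function works on live and captured output.

# Print the listening ports in the 10001-10005 range, one per line, ascending.
# Column 4 is "Local Address:Port" in both ss -ltn and netstat -ltn output;
# the port is whatever follows the last ":" (this also handles IPv6 "[::]:10003").
agentid_ports() {
  awk '
    {
      n = split($4, a, ":"); port = a[n]
      if (port ~ /^[0-9]+$/ && port + 0 >= 10001 && port + 0 <= 10005) print port
    }' | sort -un
}

# Summarise the result: "none" if nothing in the range is listening, "single <port>"
# for the default behaviour (lowest available port), "bind-all" when all five ports
# are bound, and "partial <ports>" for anything in between.
agentid_mode() {
  ports=$(agentid_ports)
  count=$(printf '%s\n' "$ports" | grep -c . || true)
  case $count in
    0) echo none ;;
    5) echo bind-all ;;
    1) echo "single $ports" ;;
    *) echo "partial $(printf '%s' "$ports" | tr '\n' ' ')" ;;
  esac
}

# Constructed sample listener table (ss -ltn layout) for a dry run:
# sshd on port 22 and the agentid-service on 10001 (IPv4) and 10003 (IPv6).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:10001       0.0.0.0:*
LISTEN 0      128    [::]:10003          [::]:*'

# Live use (as root):   ss -ltn | agentid_mode
# Dry run:              printf '%s\n' "$SAMPLE_SS" | agentid_mode   -> partial 10001 10003
```

Run the live form after enabling Agent Scan Merge; the result should match the profile setting (one port, or all five with "Bind All"). Because the Agent Correlation Identifier is served on these ports, pair this check with the "On-Premise Detection" range so the identifier is reachable only from the networks your scanners use.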

Once the Agent Correlation Identifier is accepted within the "Asset Tracking and Data
Merging Setup" options (Path: Qualys VM or VMDR -> Assets -> Setup), Qualys
Scanners will attempt to read the Agent Correlation Identifier from Agent hosts.

When Qualys Scanner Appliances scan Agent hosts (that have the Agent Correlation
Identifier enabled), they return QID 48143 – Qualys Correlation ID Detected.

AGENT data and SCAN data can be successfully merged using the Agent Correlation
Identifier attribute.

For a detailed understanding of the Asset Tracking and Data Merging options, please see
our Scanning Strategies & Best Practices and Reporting Strategies & Best Practices
courses.

For a detailed discussion of Asset Tracking & Data Merging options, see the
Qualys “SSBP” and “RSBP” self-paced training courses.
VM, PC, and SCA Scan Intervals
The VM, PC, and SCA Scan Interval setting determines how often Cloud Agent collects
vulnerability and compliance assessment data. Configured at its minimum (and default)
value, data collection occurs every four hours.

Scan On-Demand
Manually perform VM, PC, SCA, UDC, and inventory scans on Windows and Linux
Agent hosts. You can run an on-demand scan as long as the Agent is not already
scanning. The on-demand scan runs independently of the interval scan you configure in
the Configuration Profile and will reset the scan interval on the local Agent after a
successful scan.

There are two ways of launching on-demand scans:
• from within the Agent host
• using the Cloud Agent User Interface

Launching Windows On-Demand Scan from the Host
This capability primarily supports patch management use cases, where one needs to
verify that newly installed patches have remediated the associated local host
vulnerabilities.
Scan on demand is a single-use execution that is initiated manually on the host itself,
using locally or remotely executed scripts, GPO, or software distribution tools at the end
of a patch deployment job.
On-demand scans for Windows are configured in the Windows System Registry.

For Cloud Agent for Windows version 4.8 or later, when a module is activated, the Agent
creates the registry structure and subkeys (i.e., Inventory, Vulnerability, Policy
Compliance, UDC, or SCA) for on-demand scan automatically. For versions earlier than
4.8, only root keys are created, and the subkeys, data, and values to configure and execute
the scans need to be set manually, using scripts or registry configuration tools.
Setting a data value of "1" will initiate the on-demand scan. The data value changes to
"2" while the scan is in progress and to "0" when the scan is complete.

Alternatively, use the "ScanOnStartup" registry value to launch a scan at the next system
start-up. ScanOnStartup can be very useful for validating vulnerability patches that
require a reboot; just set the ScanOnStartup value to '1' and then deploy your patches.
In addition to initiating a scan on demand or setting the scan on start-up, you can set a
CPU Limit for the on-demand or start-up scans. This CPU Limit applies only to the
on-demand or start-up execution and is separate from the CPU Limit set in the
Configuration Profile. The most common use case is setting a high CPU Limit or no
throttle (100%) for this scan so that the Agent portion of the processing runs as fast as
possible. This allows for fast collection as part of patch deployment jobs during change
management windows while keeping a low performance profile for normal production
usage.

Note: This feature only manages when the Agent initiates a manifest scan to collect the
requisite metadata. After collection, the Agent calculates the delta changes and sends any
changes to the platform for processing. Platform processing is per the normal assessment
pipeline for assessments to be available in VM reports, API, VM dashboard, PC Reports,
and AssetView. The Scan on Demand feature does not change or accelerate the normal
assessment pipeline for assessment processing on the platform.

Network Blackout Windows take precedence:
- ScanOnDemand or ScanOnStartup will still execute while the Agent is in a network
blackout window, but the delta will not be uploaded to the Qualys platform until the
Agent is out of the blackout window.
- If the Agent is in a network blackout window that is preventing the previous scan's delta
from being uploaded, then ScanOnDemand or ScanOnStartup will not execute until the
last scan's delta upload is fully completed.
- The Agent will not execute an on-demand or on-startup scan for a manifest type that is
not assigned (activated).
Launching Linux On-Demand Scan from the Host
Prerequisite: The Agent must be activated for that specific Qualys application for which
you run the On-Demand Scan. When activated, the Agent downloads the manifest for
that application from the Qualys platform; if the manifest is not present for that type, On-
Demand Scan will not execute.

On-demand scans for Linux are executed from the command line. Use the
cloudagentctl.sh script to run the on-demand scan. You'll find this script at
/usr/local/qualys/cloud-agent/bin/.

▪ The action and type parameters are mandatory.
▪ The value for the "action" parameter is "demand" for an "on-demand" scan.
▪ The value for the "type" parameter is the targeted application module.
▪ The default value for the "cputhrottle" parameter is 0, i.e., no throttling.

For example, to initiate an On-Demand Scan for the Vulnerability Management
application (VM) with no throttling:
# ./cloudagentctl.sh action=demand type=vm

The script calls the Agent to run asynchronously in the background and returns to the
shell prompt. The script prints a ControlId that you can track in the log file. The
ControlId is the timestamp of the script initiation, e.g., On-Demand-Request ControlId:
20200427151136.0
The On-Demand Scan logs to the same log file as the Agent at
/var/log/qualys/qualys-cloud-agent.log. You can find the logging for the scan initiation
and completion in the log file:
2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:OnDemandRequest Params: ControlID=20200427151136.0, Action=OnDemand, Type=VM, CPUThrottle=0

If the Agent is currently performing an interval scan for the same type, the On-Demand
Scan will be delayed until the currently running scan finishes. The script will print a
log line with this status:
2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:Interval Event of same type is in progress with state INTERVAL_EVENT_SCAN
2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:OnDemand request for Control ID : 20200427151136.0 will be delayed.

If the script errors due to the manifest file not being present, check whether the Cloud
Agent is activated for that particular application. If an agent is activated, but you still get
manifest-related errors while running the On-Demand Scan command, the Agent may not
have downloaded the manifest for that application. You can manually force a manifest
download by deactivating and then reactivating the Agent for that application from the
Cloud Agent user interface module. If that doesn't correct the issue, contact Qualys
Support.

Once an on-demand Scan is complete, the results are logged in the log file at
/var/log/qualys/qualys-cloud-agent.log.
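As an added example (not part of the tutorial or of cloudagentctl.sh), the script below wraps the Linux on-demand scan launch described above: it runs cloudagentctl.sh, extracts the ControlId the script prints, and then classifies the request from the Agent log as accepted, delayed (an interval scan of the same type was running), or not yet logged. The binary and log paths are the ones given above, the log line formats follow the tutorial's samples, and the sample output and log lines embedded in the script are constructed for an offline dry run.

```sh
#!/bin/sh
# Added example (not part of the tutorial or of cloudagentctl.sh): launch a Linux
# On-Demand Scan and follow its ControlId in the Agent log. Paths are the ones the
# tutorial gives; log line formats are taken from the tutorial's samples.
CTL_BIN=${CTL_BIN:-/usr/local/qualys/cloud-agent/bin/cloudagentctl.sh}
AGENT_LOG=${AGENT_LOG:-/var/log/qualys/qualys-cloud-agent.log}

# Pull the ControlId out of the script's "On-Demand-Request ControlId: <id>" line
# (stdin). The id is the launch timestamp, e.g. 20200427151136.0.
control_id_from_output() {
  sed -n 's/.*ControlId: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify the state of one request from Agent log text on stdin:
#   delayed  - an interval scan of the same type was running; the request is queued
#   accepted - "OnDemandRequest Params: ControlID=<id>" was logged, no delay recorded
#   unknown  - nothing about this ControlId in the log yet
ondemand_state() {
  id=$1
  log=$(cat)
  if printf '%s\n' "$log" | grep -qF "Control ID : $id will be delayed"; then
    echo delayed
  elif printf '%s\n' "$log" | grep -qF "ControlID=$id"; then
    echo accepted
  else
    echo unknown
  fi
}

# Launch the scan (root required) and report its state. Usage: run_ondemand vm
# The manifest for <type> must exist, i.e. that module must be activated for this Agent.
run_ondemand() {
  type=${1:-vm}
  id=$("$CTL_BIN" action=demand type="$type" | control_id_from_output)
  if [ -z "$id" ]; then
    echo "no ControlId returned; check activation/manifest for type $type" >&2
    return 1
  fi
  sleep 2    # give the Agent a moment to write the request to its log
  grep -F "$id" "$AGENT_LOG" | ondemand_state "$id"
}

# Constructed samples (same formats as the tutorial's) for an offline dry run.
SAMPLE_OUTPUT='On-Demand-Request ControlId: 20200427151136.0'
SAMPLE_LOG_DELAYED='2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:Interval Event of same type is in progress with state INTERVAL_EVENT_SCAN
2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:OnDemand request for Control ID : 20200427151136.0 will be delayed.'
SAMPLE_LOG_ACCEPTED='2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:OnDemandRequest Params: ControlID=20200427151136.0, Action=OnDemand, Type=VM, CPUThrottle=0'

# Live use:  run_ondemand vm
# Dry run:   printf '%s\n' "$SAMPLE_LOG_DELAYED" | ondemand_state 20200427151136.0   -> delayed
```

The "unknown" result covers both a request that has not been logged yet and the manifest-missing failure described above, so when it persists, check that the module is activated for the Agent before retrying.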

Launching On-Demand Scans from the Qualys Cloud Platform
You can also initiate and centrally manage on-demand scans from the Cloud Agent user
interface from the Qualys Cloud Platform.

To do so:
• Navigate to the Agents tab under the Cloud Agent module
• Launch the quick actions menu for an Agent host and select 'on-demand scan.'
This can be done for multiple hosts in bulk as well.

You can initiate VM, PC, Inventory, UDC, or an SCA scan. Choose the appropriate
application here to initiate the scan. Note that the modules required for the selected
scan type must be activated for the Agent host, irrespective of the method used to
launch an on-demand scan.

By default, Cloud Agent for Windows uses a throttle value of 100, and Cloud Agent for
Linux uses a value of 0, i.e., no throttling.

If you want to use the values in the configuration profile assigned to the host, select the
"Use CPU Throttle limits set in the respective Configuration Profile for agents" check box.

Click "Submit" to initiate the job.

After some time, you should see information about scan completion.

Currently, you can initiate 1000 on-demand scans concurrently per subscription and
send a maximum of 15000 on-demand scan requests per day.

Navigate to the following URL to view the "Launch On-Demand scan" tutorial:

LAB 7 - https://ior.ad/91E7

FIM and EDR
FIM and EDR use an event-driven data collection model, where events are captured and
logged as they occur. Logged events are transferred to the Qualys Platform at frequent
intervals controlled by the Payload Threshold Time (30-1800 seconds for FIM and
180-1800 seconds for EDR).

PM
Patch assessment scans (configured in the PM application) are performed every 4 hours
to every 30 days.

Configuration Profile Precedence
You can use your mouse to grab and drag any profile to a new position in the list.

If a deployed Agent host is assigned to multiple profiles, the matching profile closest to
the top of the list will take precedence.
Always keep generic configuration profiles at the bottom and more specific profiles at the
top of the list.

Download Manifest
A "manifest" identifies the tasks to be performed and data to be collected by the Agent.
Qualys Application Modules have their own separate manifests.

When a new application module is activated for an Agent host, the Agent receives a new
manifest, and data collection begins. Data collection also begins after an Agent gets an
updated manifest.

Activate, Deactivate & Uninstall Agents
Using the "Quick Actions" menu of any Agent, you can activate or deactivate modules
and uninstall agents according to the licenses within your Qualys subscription.

Navigate to the following URL to view the "Activate, Deactivate, and Uninstall Agents"
tutorial:

LAB 8 - https://ior.ad/91E6

Activate & Deactivate Application Modules
To deactivate an Agent Module, select "Deactivate Agent" from the "Quick Actions"
menu. Then turn off the targeted module before clicking the "Deactivate" button.

A deactivated module can also be re-activated using the "Activate Agent" option from the
"Quick Actions" menu.
An effective technique for activating or deactivating application modules in bulk is
provided within Agent Activation Keys.

Open an Activation Key and check the modules to be activated or uncheck the modules
to be deactivated. Select the "Apply changes to all the existing agents" option and save.
All existing agents (deployed with the modified key) will be updated at their very next
Agent Status Interval.

Uninstall Agents
Selecting the "Uninstall Agent" option from the "Quick Actions" menu of any Agent will
remove the Agent from its host the very next time it checks in.

Uninstall agents in bulk using the CA Application Program Interface (API) or create
Agent Purge Rules within the Qualys CyberSecurity Asset Management/Global
AssetView application.

Purge Rules
You can configure purge rules for cloud Agent assets (assets in public cloud using cloud
provider metadata or otherwise).

Purge agent hosts that match one or more conditions.

Purge Rules run daily. All assets matching your rule will be purged:
▪ Assets and associated asset data will be removed from your account.
▪ Agents will be uninstalled, and licenses will be freed-up.
You can also activate, deactivate, and uninstall agents in bulk by selecting multiple Agent
hosts and using the Actions menu.

Asset Housekeeping Enhancements for Cloud Assets
We now support better identification of stale or terminated assets by collecting the
following additional information in the Agent provisioning call:
o For AWS instances - accountID
o For Azure instances - subscriptionId
o For GCP instances - projectId or project number
In addition to connector reconciliation, account reconciliation identifies stale assets
belonging to the connector's account ID that were not discovered in the connector run.
This keeps the asset information reported to the Qualys Cloud Platform up to date.
This is currently supported for AWS, Azure, and GCP environments.

Appendix A: Mac OS Agent Installation
The installation steps that follow support Mac OS 10.13 or higher.
You must have root or root-equivalent access to the target Mac host to successfully
perform the Cloud Agent installation steps that follow.
1. From the Cloud Agent (CA) application, navigate to the "Agent
Management" section, and click the "Activation Keys" tab.
2. Use the "Quick Actions" menu of your activation key to select the "Install
Agent" option.

3. Click the "Install Instructions" button next to the "Mac (.pkg)" option.

4. Copy and paste the installation command into a plain text document.
5. Click the "Download .pkg" button and save the Cloud Agent installation file
(.pkg).

Command Line Installation
Although this lab uses a simple 'command line' technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud
Agent deployment.
The Mac Agent installation file (.pkg) must be installed from a "Terminal" window. Do
NOT attempt to install this file using the Mac graphical user interface (GUI).
1. Open a "Terminal" window on the target Mac host.
2. Navigate to the directory that contains the Cloud Agent installation file
(.pkg).

3. Use the "ls" command to verify the existence of the installation package.
If you do not see file "qualys-cloud-agent_x86_64.pkg", navigate to its correct
location before executing the installation command.
4. Copy and paste the installation command into the "Terminal" window and
press the "Enter" key.
The first part of the command unpacks and installs the Cloud Agent package.
The second part of the command runs a shell script that restarts the Cloud Agent
service and activates your license key.

Validate CA Installation
To verify the success of your "command line" installation, look for the Cloud Agent
process.
5. Use the "ps" command to verify 'qualys-cloud-agent' is running.
ps -e | grep qualys

Locate Host ID
All agent host assets are automatically assigned a Qualys Host ID (UUID). For a Mac
host, this Host ID can be found at /etc/qualys/hostid.
6. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the Host ID is not displayed, your newly installed Agent may still be completing
some preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)
You can use the Cloud Agent log file to monitor agent activity. You will find the log file
for a Mac host in the /var/log/qualys directory.
7. From a Terminal window, execute the following command:
sudo cat /var/log/qualys/qualys-cloud-agent.log

CA Log Analysis & Troubleshooting
Visit the Qualys Training Video Library for more information and details on Agent log
analysis and troubleshooting:
▪ Introduction to Troubleshooting & Log Analysis (https://vimeo.com/412764672)
▪ Troubleshooting & Log Analysis – Common Errors (https://vimeo.com/412762742)
▪ Troubleshooting & Log Analysis – Unix/Linux Distribution (https://vimeo.com/418215691)
▪ Common Errors and Their Solutions – Unix/Linux Distribution (https://vimeo.com/418218290)

Appendix B: RPM-Based Agent Installation
RPM-based Linux operating systems include Red Hat Enterprise Linux, CentOS, Fedora,
OpenSuSE, SuSE, Amazon Linux, and Oracle Enterprise Linux.
You must have root or root-equivalent access to the target host to successfully perform
the Cloud Agent installation steps that follow.
1. From the Cloud Agent (CA) application, navigate to the "Agent
Management" section, and click the "Activation Keys" tab.

2. Use the "Quick Actions" menu of your activation key to select the "Install
Agent" option.

3. Click the "Install instructions" button next to the "Linux (.rpm)" option.

4. Copy and paste the installation command into a plain text document.
5. Click the "Download .rpm file" button and save the Cloud Agent installation
file.
Command Line Installation
Although this lab uses a simple 'command line' technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud
Agent deployment.
1. Open a "Terminal" window on the target Unix host.
2. Navigate to the directory that contains the Cloud Agent installation file
(.rpm).

3. Use the "ls" command to verify the existence of the installation file.
If you do not see file "qualys-cloud-agent_x86_64.rpm" navigate to its correct
location before executing the installation command.
4. Copy and paste the installation command into the "Terminal" window and
press the "Enter" key.
The first part of the command unpacks and installs the Cloud Agent package.
The second part of the command runs a shell script that restarts the Cloud Agent
service and activates your license key.

Validate CA Installation
To verify the success of your "command line" installation, look for the Cloud Agent
process.

5. Use the "ps" command to verify 'qualys-cloud-ag' is running.
ps -e | grep qualys
Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by
Qualys. For a Unix host, this Host ID can be found at /etc/qualys/hostid.
6. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the Host ID is not displayed, your newly installed Agent may still be completing
some preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)
You can use the Cloud Agent log file to monitor agent activity. You will find the log file
for a Unix host in the /var/log/qualys directory.
7. From a Terminal window, execute the following command:
sudo cat /var/log/qualys/qualys-cloud-agent.log

CA Log Analysis & Troubleshooting
Visit the Qualys Training Video Library for more information and details on Agent log
analysis and troubleshooting:
▪ Introduction to Troubleshooting & Log Analysis (https://vimeo.com/412764672)
▪ Troubleshooting & Log Analysis – Common Errors (https://vimeo.com/412762742)
▪ Troubleshooting & Log Analysis – Unix/Linux Distribution (https://vimeo.com/418215691)
▪ Common Errors and Their Solutions – Unix/Linux Distribution (https://vimeo.com/418218290)

Appendix C: Debian/Ubuntu Agent Installation
You must have root or root-equivalent access to the target host to successfully perform
the Cloud Agent installation steps that follow.
1. From the Cloud Agent (CA) application, navigate to the "Agent
Management" section, and click the "Activation Keys" tab.
2. Use the "Quick Actions" menu of your activation key to select the "Install
Agent" option.
3. Click the "Install instructions" button next to the "Linux (.deb)" option.

4. Copy and paste the installation command into a plain text document.
5. Click the "Download .deb file" button and save the Cloud Agent installation
file.

Command Line Installation
Although this lab uses a simple 'command line' technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud
Agent deployment.
1. Open a "Terminal" window on the target Unix host.
2. Navigate to the directory that contains the Cloud Agent installation file
(.deb).

3. Use the "ls" command to verify the existence of the installation file.
If you do not see file "qualys-cloud-agent_x86_64.deb" navigate to its correct
location before executing the installation command.
4. Copy and paste the installation command into the "Terminal" window and
press the "Enter" key.
The first part of the command unpacks and installs the Cloud Agent package.
The second part of the command runs a shell script that restarts the Cloud Agent
service and activates your license key.

Validate CA Installation
To verify the success of your "command line" installation, look for the Cloud Agent
process.

5. Use the "ps" command to verify 'qualys-cloud-ag' is running.
ps -e | grep qualys

Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by
Qualys. For a Unix host, this Host ID can be found at /etc/qualys/hostid.
6. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the Host ID is not displayed, your newly installed Agent may still be completing
some preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)
You can use the Cloud Agent log file to monitor agent activity. You will find the log file
for a Unix host in the /var/log/qualys directory.
7. From a Terminal window, execute the following command:
sudo cat /var/log/qualys/qualys-cloud-agent.log
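The script below is an added example, not part of the tutorial; it combines the validation steps of Appendices A, B and C (agent process, Host ID, log file) into one post-install check for a Mac or Linux host. It uses the paths given in those appendices (overridable through the environment when working on copies), reports a Host ID that is missing (the Agent may still be working through its first manifest), malformed, or a well-formed UUID, and counts log entries by level; the sample log embedded in it is constructed.

```sh
#!/bin/sh
# Added example (not part of the tutorial): one post-install check for a Mac or
# Linux Cloud Agent host, combining the validation steps of Appendices A-C.
# Paths are the ones the tutorial gives; override them via the environment.
HOSTID_FILE=${HOSTID_FILE:-/etc/qualys/hostid}
AGENT_LOG=${AGENT_LOG:-/var/log/qualys/qualys-cloud-agent.log}

# Exit 0 if stdin is a well-formed UUID (8-4-4-4-12 hex digits), as the Host ID is.
is_uuid() {
  grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Report the Host ID state: "ok <uuid>", "pending" (file missing or empty: the
# Agent may still be working through its first manifest), or "malformed <text>".
check_hostid() {
  file=${1:-$HOSTID_FILE}
  if [ ! -s "$file" ]; then
    echo pending
    return 1
  fi
  id=$(tr -d '[:space:]' < "$file")
  if printf '%s\n' "$id" | is_uuid; then
    echo "ok $id"
    return 0
  fi
  echo "malformed $id"
  return 2
}

# Report whether the agent is running. `ps -e` shows the kernel's 15-character
# command name, which is why the tutorial greps for 'qualys-cloud-ag' on Linux;
# matching the full command line with pgrep -f avoids that truncation.
check_process() {
  if pgrep -f qualys-cloud-agent >/dev/null 2>&1; then
    echo running
    return 0
  fi
  echo "not running"
  return 1
}

# Count log entries at a given level (e.g. Information) in the Agent log, whose
# entries look like "[qualys-cloud-agent][<pid>]:[<Level>]:[<thread>]:<message>".
# Prints 0 when the file is unreadable or has no such entries.
log_level_count() {
  level=$1
  file=${2:-$AGENT_LOG}
  if [ -r "$file" ]; then
    grep -c "\]:\[$level\]:" "$file" || true
  else
    echo 0
  fi
}

# Operator summary (run as root so the files are readable).
validate_agent() {
  echo "process: $(check_process || true)"
  echo "hostid:  $(check_hostid || true)"
  echo "log:     $(log_level_count Information) Information entries in $AGENT_LOG"
}

# Constructed sample log (same format as the tutorial's) for offline testing.
SAMPLE_LOG='2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:OnDemandRequest Params: ControlID=20200427151136.0, Action=OnDemand, Type=VM, CPUThrottle=0
2020-04-27 15:11:36.474 [qualys-cloud-agent][9710]:[Information]:[140048573286144]:Interval Event of same type is in progress with state INTERVAL_EVENT_SCAN'

# Live use:  sudo sh -c '. ./validate.sh; validate_agent'   (file name is an assumption)
```

A "pending" Host ID right after installation is expected; a "malformed" result or an Agent process that is not running after the first check-in is what should send you to the log file and the troubleshooting material below.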

CA Log Analysis & Troubleshooting
Visit the Qualys Training Video Library for more information and details on Agent log
analysis and troubleshooting:
▪ Introduction to Troubleshooting & Log Analysis (https://vimeo.com/412764672)
▪ Troubleshooting & Log Analysis – Common Errors (https://vimeo.com/412762742)
▪ Troubleshooting & Log Analysis – Unix/Linux Distribution (https://vimeo.com/418215691)
▪ Common Errors and Their Solutions – Unix/Linux Distribution (https://vimeo.com/418218290)

Appendix D: Support For RedHat OpenShift

Qualys full-stack security for Red Hat OpenShift adds visibility, actionable intelligence,
and security auditing for Red Hat Enterprise Linux CoreOS, the operating system that
underpins OpenShift deployments for running containers securely.

Qualys provides the ability to scan directly into Red Hat Enterprise Linux CoreOS in Red
Hat OpenShift so that you can manage and reduce risk at both the host OS and container
levels.

Built on the Qualys Cloud Platform, Qualys' solution seamlessly integrates with
customers' vulnerability management workflows, reporting, and metrics to help reduce
risk.

The solution enables:
• Continuous visibility of installed software and packages, open ports, and Red Hat Security
Advisories (RHSA)
• Vulnerability management and patch verification for Red Hat OpenShift
• Easy deployment via container to secure the host operating systems without requiring
modifications to the host, opening ports, or dealing with credentials
• Seamless operation with Qualys Container Security to provide security from the host through the
container level

Cloud Agent for RedHat OpenShift Installation
Within the activation key, select install instructions for CoreOS from the list and follow the steps for
installation.

Appendix E: Qualys Technical Support
When contacting Qualys Technical Support to report observed Agent issues or errors, you may be asked
to provide the following information:

Windows Host
1. Make a copy of the following folder and all of its subfolders:
\ProgramData\Qualys\QualysAgent\

2. Use Windows Explorer or your favorite archive utility to move the contents of this folder into a
single compressed (.zip) file.

Linux/Unix/Mac Host
1. Make a copy of the following directory and all of its subdirectories:
/var/log/qualys/

2. Use an archive utility to move the contents of this directory into a single compressed or tarball
file.

Other Helpful Information
When possible, provide other log files (from other applications and services running on the suspect
Agent host) that correlate to the events recorded within the Agent log file. This type of information is
especially useful for identifying potential conflicts between Cloud Agent and other applications or
services.
