The Qualys Cloud Platform and its integrated apps can simplify security operations and lower the cost of compliance by delivering security intelligence on demand and automating auditing, compliance and protection for IT systems and web applications. The Qualys Scanner Appliance is an option with the Qualys Cloud Platform; with it you can assess internal network devices, systems and web applications. This post summarizes some of my experience with the QualysGuard service using a Qualys Scanner Appliance.

Uninstall Cloud Agent / Recycle Related Licenses

Assetview

1.1 Dashboard

Some customized widgets :

  • Authentication Failed Assets : vulnerabilities.vulnerability.qid:105015 or vulnerabilities.vulnerability.qid:105053 or vulnerabilities.vulnerability.qid:105296 or vulnerabilities.vulnerability.qid:105297
  • Not Found 90 Days Assets : not tags.name:"Found in 90 days" and activatedForModules:"VM"
    • Tag Rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <LAST_SCAN_DATE>
  <SEARCH_TYPE>WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </LAST_SCAN_DATE>
</TAG_CRITERIA>

  • OS Not Identified Assets: not operatingSystem:"windows" and not operatingSystem:"HP" and not operatingSystem:"Ricoh" and not operatingSystem:"Linux" and not operatingSystem:"VMware" and not operatingSystem:"Xerox" and not operatingSystem:"Cisco" and not operatingSystem:"Power Supply"

YouTube Video: Using Qualys Free Community Edition to Scan Home Network

1.2 Tags

Asset Search – Dynamic Rule
Search all assets found / scanned in last 90 days:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <LAST_SCAN_DATE>
  <SEARCH_TYPE>WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </LAST_SCAN_DATE>
</TAG_CRITERIA>
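The same dynamic tag can be created through the Qualys Asset Management and Tagging API instead of the AssetView tag editor. The following is an added example, not code from the original post or from Qualys: it builds the create/am/tag request with the TAG_CRITERIA rule above carried in a CDATA section, parses the request back so the rule can be checked before it is sent, and posts it. The API hostname, the header values, the tag name and the credentials are assumptions; confirm the endpoint for your platform in the Qualys API documentation.

```python
"""Create the "Found in 90 days" dynamic tag via the Qualys Asset Management and
Tagging API (v2, POST /qps/rest/2.0/create/am/tag).

Added example: not code from the original post or from Qualys. The API hostname
below is an assumption (it differs per Qualys platform); the tag name and the
credentials are placeholders.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

QUALYS_API = "https://qualysapi.qualys.com"  # assumption: use your platform's API host


def tag_criteria(days: int) -> str:
    """The TAG_CRITERIA rule from the post, parameterised on the day window."""
    if days <= 0:
        raise ValueError("days must be a positive number of days")
    return (
        "<TAG_CRITERIA><LAST_SCAN_DATE>"
        "<SEARCH_TYPE>WITHIN</SEARCH_TYPE>"
        f"<DAYS>{days}</DAYS>"
        "</LAST_SCAN_DATE></TAG_CRITERIA>"
    )


def build_tag_request(name: str, days: int) -> str:
    """ServiceRequest body for create/am/tag with an ASSET_SEARCH rule.

    The rule is XML inside XML, so it travels in a CDATA section; the tag name is
    user input and is escaped so that a name like "R&D" cannot break the document.
    """
    criteria = tag_criteria(days)
    if "]]>" in criteria:
        raise ValueError("rule text would terminate the CDATA section")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<ServiceRequest><data><Tag>"
        f"<name>{escape(name)}</name>"
        "<ruleType>ASSET_SEARCH</ruleType>"
        f"<ruleText><![CDATA[{criteria}]]></ruleText>"
        "</Tag></data></ServiceRequest>"
    )


def rule_from_request(body: str) -> dict:
    """Parse a request body back into its fields. The XML parser returns the
    CDATA content as plain text, which is then parsed as the rule itself."""
    tag = ET.fromstring(body).find("./data/Tag")
    rule = ET.fromstring(tag.findtext("ruleText"))
    return {
        "name": tag.findtext("name"),
        "ruleType": tag.findtext("ruleType"),
        "searchType": rule.findtext("./LAST_SCAN_DATE/SEARCH_TYPE"),
        "days": int(rule.findtext("./LAST_SCAN_DATE/DAYS")),
    }


def create_tag(username: str, password: str, name: str, days: int,
               base_url: str = QUALYS_API) -> str:
    """POST the request and return the new tag id. Qualys requires the
    X-Requested-With header on API calls; the v2 REST API accepts basic auth."""
    import requests  # third-party; imported here so the pure functions above need no extras

    resp = requests.post(
        f"{base_url}/qps/rest/2.0/create/am/tag",
        data=build_tag_request(name, days).encode("utf-8"),
        headers={"Content-Type": "text/xml", "X-Requested-With": "python-requests"},
        auth=(username, password),
        timeout=60,
    )
    resp.raise_for_status()
    root = ET.fromstring(resp.text)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(f"tag create failed: {root.findtext('.//errorMessage')}")
    return root.findtext(".//Tag/id")


if __name__ == "__main__":
    print(build_tag_request("Found in 90 days", 90))
```

Once the tag exists, the dashboard widget query from the Dashboard section (`not tags.name:"Found in 90 days" and activatedForModules:"VM"`) lists the VM assets that fell outside the 90-day window, which is the same population the purge steps later in this post act on.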

Enable Agentless Tracking

To reduce or suppress duplicate assets caused by DHCP, one effective method is to enable agentless tracking.

In order to support Agentless Tracking capabilities, QualysGuard will write a unique host ID on your Windows and/or Unix hosts during authenticated scans with agentless tracking enabled. Once the Manager primary contact has accepted this feature, agentless tracking may be enabled in Windows and/or Unix authentication records. For additional help, please visit the online help. Because the ID is written during the authenticated scan, the account in the authentication record must be able to write it; a host where this fails keeps being tracked the old way and is reported under the failure QID noted below.

2.1. VM > Scans > Setup > Agentless Tracking > Accept

2.2. VM > Scans > Authentication > Edit [Your Authentication Record] > Login Credentials > “Enable Agentless Tracking”

2.3. VM > Users > Setup > Cloud Agent Setup > “Show unified view of hosts”

Note: QID 45179 is reported on hosts where the tracking host ID was checked successfully;
QID 45180 is reported where it failed.

Change IP Tracked Host Assets to DNS Tracking

Qualys provides multiple mechanisms for tracking assets in your environment: IP, DNS, NetBIOS, Agent, and EC2. In Qualys, IP tracking is the default mechanism. DNS and NetBIOS tracking are most useful for DHCP networks.

Note:

To change all IP-tracked hosts to DNS hostname tracking, search for all assets whose DNS name is not empty and whose tracking method is IP, then either put them into a new asset group and work on that group, or edit all of them and change the tracking method.

Issues with DNS tracking:
Any host whose DNS hostname cannot be resolved by your DNS servers will not be scanned at all, so the conversion has to be checked rather than applied blindly. Here is a screenshot of hosts whose DNS hostname could not be resolved.

Solution:
Change those hosts manually from DNS tracking back to IP tracking.
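The search-then-convert step and the unresolvable-hostname problem above can be handled in one pass with the VM API. The following is an added example, not code from the original post or from Qualys. It assumes the v2 host endpoint /api/2.0/fo/asset/host/ (action=list with details=All to read TRACKING_METHOD and DNS, and action=update with tracking_method=DNS to change it) and the usual qualysapi.qualys.com host; the sample response and the resolver table are constructed for the example. Every IP-tracked host with a DNS name is resolved first, and only names that resolve to the IP Qualys actually scanned are switched, so no host is moved to a tracking method under which it would never be scanned again.

```python
"""Plan the IP -> DNS tracking change for Qualys hosts, skipping names that do
not resolve (those hosts would silently drop out of scans).

Added example: not code from the original post or from Qualys. Assumes the VM
API v2 host endpoint /api/2.0/fo/asset/host/; the API host is an assumption and
the sample data below is constructed.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Constructed, trimmed-down host list response (action=list&details=All).
SAMPLE_HOST_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST>
 <HOST><ID>101</ID><IP>10.0.0.10</IP><TRACKING_METHOD>IP</TRACKING_METHOD><DNS>ws01.corp.example</DNS></HOST>
 <HOST><ID>102</ID><IP>10.0.0.11</IP><TRACKING_METHOD>IP</TRACKING_METHOD><DNS>ghost.corp.example</DNS></HOST>
 <HOST><ID>103</ID><IP>10.0.0.12</IP><TRACKING_METHOD>IP</TRACKING_METHOD></HOST>
 <HOST><ID>104</ID><IP>10.0.0.13</IP><TRACKING_METHOD>DNS</TRACKING_METHOD><DNS>srv01.corp.example</DNS></HOST>
 <HOST><ID>105</ID><IP>10.0.0.14</IP><TRACKING_METHOD>IP</TRACKING_METHOD><DNS>moved.corp.example</DNS></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"""

# Constructed answers standing in for the corporate resolver.
SAMPLE_RESOLVER: Dict[str, str] = {
    "ws01.corp.example": "10.0.0.10",   # resolves to the IP Qualys scanned
    "moved.corp.example": "10.0.0.99",  # stale record: resolves somewhere else
    # ghost.corp.example is absent on purpose: NXDOMAIN
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver for tests; returns None like an NXDOMAIN answer."""
    return lambda name: table.get(name.lower())


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the scanner's own DNS; None on NXDOMAIN/SERVFAIL."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def parse_hosts(xml_text: str) -> List[Dict[str, str]]:
    """Flatten the HOST elements into dicts with id, ip, tracking and dns."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("HOST"):
        hosts.append({
            "id": h.findtext("ID", ""),
            "ip": h.findtext("IP", ""),
            "tracking": h.findtext("TRACKING_METHOD", ""),
            "dns": (h.findtext("DNS") or "").strip(),
        })
    return hosts


def plan_dns_tracking(hosts: List[Dict[str, str]], resolve: Resolver) -> Dict[str, list]:
    """Split IP-tracked hosts into: switch (name resolves to the scanned IP),
    unresolvable (leave on IP tracking or the host will never be scanned again),
    and mismatch (name resolves to a different IP: inspect before switching)."""
    plan: Dict[str, list] = {"switch": [], "unresolvable": [], "mismatch": []}
    for h in hosts:
        if h["tracking"] != "IP" or not h["dns"]:
            continue  # already DNS/NetBIOS/agent tracked, or no name to track by
        resolved = resolve(h["dns"])
        if resolved is None:
            plan["unresolvable"].append(h["ip"])
        elif resolved == h["ip"]:
            plan["switch"].append(h["ip"])
        else:
            plan["mismatch"].append((h["ip"], h["dns"], resolved))
    return plan


def update_params(ips: List[str], method: str = "DNS") -> Dict[str, str]:
    """Form fields for action=update on /api/2.0/fo/asset/host/."""
    if method not in ("IP", "DNS", "NETBIOS"):
        raise ValueError(f"unsupported tracking method {method!r}")
    return {"action": "update", "ips": ",".join(ips), "tracking_method": method}


def apply_tracking_change(username: str, password: str, ips: List[str], method: str = "DNS",
                          base_url: str = "https://qualysapi.qualys.com") -> str:
    """Send the change. base_url is an assumption (it differs per Qualys platform)."""
    import requests  # third-party; imported here so the planning code runs without it

    resp = requests.post(
        f"{base_url}/api/2.0/fo/asset/host/",
        data=update_params(ips, method),
        headers={"X-Requested-With": "python-requests"},
        auth=(username, password),
        timeout=60,
    )
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    print(plan_dns_tracking(parse_hosts(SAMPLE_HOST_LIST), table_resolver(SAMPLE_RESOLVER)))
```

Run the plan with `system_resolver` from the scanner appliance's network, since that is the DNS view Qualys will use. Only the `switch` list goes to `apply_tracking_change`; hosts in `unresolvable` are the ones the post says to leave on (or move back to) IP tracking, and `mismatch` entries deserve a look because switching them would make Qualys scan a different machine under the same asset record.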

Purge Assets Older than 90 Days

4.1 Manual Purge
The idea is to find all assets not scanned in the last 90 days and then purge them all.

4.2 Automatically Purge
From Scans > Option Profiles, enable the option to Close Vulnerabilities on Dead Hosts. Note that this marks the vulnerabilities on hosts not found alive for the configured number of days as closed; the host records themselves remain, so a purge is still needed to remove the assets.

Delete Older / Obsolete Assets

  • Create an asset group called "ToBeDeleted".
  • Add all available IPs in your subscription to it and save the AG.
  • Now go to Asset Search.
  • Run an Asset Search on the AG "ToBeDeleted": just select the AG and hit search. This returns a list of all IPs in your subscription that have been scanned at least once (if it has been scanned at least once, it isn't a dead host). You may modify this search to suit your meaning of "dead host".
  • On this asset search result, select all IPs and choose "Launch a scan" from the action menu (don't run the scan, just open the launch window).
  • In the Launch Vulnerability Scan window, copy the target IP range.
  • Now go back to the Asset Group tab and edit the asset group you created called "ToBeDeleted".
  • In the Edit AG window, go to the IPs tab and click Manually.
  • In the manual entry IP window, paste the range you copied and click "Remove".
  • Save your asset group again.
  • Delete, or do whatever you want with, the list of IPs now left in "ToBeDeleted".
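Both the "Purge Assets Older than 90 Days" and the "Delete Older / Obsolete Assets" procedures are set arithmetic on the host list, which the API does without the copy-and-paste through the asset group editor. The following is an added example, not code from the original post or from Qualys. It assumes the v2 host endpoint /api/2.0/fo/asset/host/: action=list with details=All returns a LAST_VM_SCANNED_DATE per host and accepts a no_vm_scan_since=YYYY-MM-DD filter, and action=purge with a comma-separated ips= list removes host records. The sample host list, the subscription range and the reference date are constructed; the API host is an assumption.

```python
"""Find hosts Qualys has not scanned for N days (or never) and build the purge
calls for them.

Added example: not code from the original post or from Qualys. Assumes the VM
API v2 host endpoint /api/2.0/fo/asset/host/ (action=list, action=purge); the
sample data and the fixed reference date are constructed for reproducibility.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed, trimmed-down host list response (action=list&details=All).
SAMPLE_HOST_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST>
 <HOST><ID>201</ID><IP>10.0.1.10</IP><LAST_VM_SCANNED_DATE>2024-02-20T01:00:00Z</LAST_VM_SCANNED_DATE></HOST>
 <HOST><ID>202</ID><IP>10.0.1.11</IP><LAST_VM_SCANNED_DATE>2023-11-15T01:00:00Z</LAST_VM_SCANNED_DATE></HOST>
 <HOST><ID>203</ID><IP>10.0.1.12</IP></HOST>
 <HOST><ID>204</ID><IP>10.0.1.13</IP><LAST_VM_SCANNED_DATE>2023-12-01T23:30:00Z</LAST_VM_SCANNED_DATE></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"""

TODAY = date(2024, 3, 1)  # fixed reference date so the example is reproducible


def cutoff(days: int, today: date = TODAY) -> date:
    """Hosts last scanned before this date are older than `days`."""
    return today - timedelta(days=days)


def list_params(days: int, today: date = TODAY) -> Dict[str, str]:
    """Server-side version of the manual search: hosts with no VM scan since the cutoff."""
    return {"action": "list", "details": "All", "no_vm_scan_since": cutoff(days, today).isoformat()}


def last_scan_dates(xml_text: str) -> Dict[str, Optional[date]]:
    """IP -> date of the last VM scan (None when the record carries no scan date)."""
    out: Dict[str, Optional[date]] = {}
    for h in ET.fromstring(xml_text).iter("HOST"):
        ts = h.findtext("LAST_VM_SCANNED_DATE")
        out[h.findtext("IP")] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date() if ts else None
    return out


def stale_ips(scans: Dict[str, Optional[date]], days: int, today: date = TODAY) -> List[str]:
    """Local version of the same filter; a record without a scan date counts as stale."""
    limit = cutoff(days, today)
    return sorted((ip for ip, d in scans.items() if d is None or d < limit), key=ipaddress.ip_address)


def never_scanned(subscription_ranges: Iterable[str], scans: Dict[str, Optional[date]]) -> List[str]:
    """The post's "ToBeDeleted" subtraction: subscription IPs with no host record at all."""
    seen = set(scans)
    return [str(ip) for r in subscription_ranges
            for ip in ipaddress.ip_network(r, strict=False).hosts() if str(ip) not in seen]


def purge_batches(ips: Iterable[str], batch: int = 500) -> List[Dict[str, str]]:
    """Form fields for action=purge, batched so a single ips= field stays manageable."""
    ips = list(ips)
    return [{"action": "purge", "ips": ",".join(ips[i:i + batch])} for i in range(0, len(ips), batch)]


def purge_hosts(username: str, password: str, ips: Iterable[str],
                base_url: str = "https://qualysapi.qualys.com") -> List[str]:
    """Send the purge calls; base_url is an assumption (differs per Qualys platform)."""
    import requests  # third-party; imported here so the pure functions need no extras

    replies = []
    for params in purge_batches(ips):
        resp = requests.post(f"{base_url}/api/2.0/fo/asset/host/", data=params,
                             headers={"X-Requested-With": "python-requests"},
                             auth=(username, password), timeout=120)
        resp.raise_for_status()
        replies.append(resp.text)
    return replies


if __name__ == "__main__":
    scans = last_scan_dates(SAMPLE_HOST_LIST)
    print("stale after 90 days:", stale_ips(scans, 90))
    print("never scanned in 10.0.1.8/29:", never_scanned(["10.0.1.8/29"], scans))
```

Review the `stale_ips` output before handing it to `purge_hosts`: a purge drops the host's scan history along with the record, so a host that is merely on a longer scan cycle than the cutoff should be excluded (or the cutoff raised) rather than purged and rediscovered later as a new asset.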

Best Practice to Maintain Timely and Effective Qualys Report

from Qualys Community:

1) Purge any assets that have not been scanned in some reasonable number of days. Depending on your scanning schedule this might be 30, 60, or 90 days.
2) Determine if this is DHCP and set the tracking method for the network range appropriately. NOTE: To convert to DNS or NetBIOS tracking, all assets must have a DNS or NetBIOS name on them already. So, there may be some clear-up and rescanning required to make that happen.
3) Configure and test authentication records, and ensure Agentless Tracking is enabled in the authentication record.
4) Review your scheduled scan jobs and make any adjustments necessary in option profiles, authentication records, etc.
5) Scan your ranges.
6) It is always a good practice to have a regular purge process. This can be accomplished in numerous ways, but for good VM practice it is imperative that the vulnerability data be accurate, timely, and actionable.


By Jonny
