Qualys Scanner Appliance and Qualys Guard Service Tips and Tricks
Uninstall Cloud Agent / Recycle Related Licenses
Assetview & Tags
1.1 Dashboard
Some customized widgets:
- Authentication Failed Assets : vulnerabilities.vulnerability.qid:105015 or vulnerabilities.vulnerability.qid:105053 or vulnerabilities.vulnerability.qid:105296 or vulnerabilities.vulnerability.qid:105297
- Not Found 90 Days Assets : not tags.name:"Found in 90 days" and activatedForModules:"VM"
- Tag Rule:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<LAST_SCAN_DATE>
<SEARCH_TYPE>WITHIN</SEARCH_TYPE>
<DAYS>90</DAYS>
</LAST_SCAN_DATE>
</TAG_CRITERIA>
- OS Not Identified Assets: not operatingSystem: "windows" and not operatingSystem: "HP" and not operatingSystem: "Ricoh" and not operatingSystem: "Linux" and not operatingSystem: "VMware" and not operatingSystem: "Xerox" and not operatingSystem: "Cisco" and not operatingSystem: "Power Supply"
YouTube Video: Using Qualys Free Community Edition to Scan Home Network
1.2 Tags
Asset Search - Dynamic Rule
Search all assets found / scanned in last 90 days:
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<LAST_SCAN_DATE>
<SEARCH_TYPE>WITHIN</SEARCH_TYPE>
<DAYS>90</DAYS>
</LAST_SCAN_DATE>
</TAG_CRITERIA>
Enable Agentless Tracking
To reduce or suppress duplicated assets caused by DHCP, one effective method is to enable agentless tracking.
2.1. VM > Scans > Setup > Agentless Tracking > Accept
2.2. VM > Scans > Authentication > Edit [Your Authentication Record] > Login Credentials > "Enable Agentless Tracking"
2.3. VM > Users > Setup > Cloud Agent Setup > "Show unified view of hosts"
Note: QID 45179 is reported when agentless tracking was checked successfully; QID 45180 is reported when it failed.
Change IP Tracked Host Assets to DNS Tracking
Qualys provides multiple mechanisms for tracking assets in your environment: IP, DNS, NetBIOS, Agent, and EC2. In Qualys, IP tracking is the default mechanism. DNS and NetBIOS tracking are most useful for DHCP networks.
Note:
- Qualys Article Number: 000002856
- Understanding IP, DNS, and NetBIOS Tracking and Scan by Hostname
- Changing the tracking method from IP to DNS requires removing all host assets; basically you remove all assets and start from the beginning. It also introduces one small issue for hosts whose DNS hostname cannot be resolved.
If you have hosts whose DNS hostname cannot be resolved by your DNS servers, they will not be scanned. Here is a screenshot of such hosts whose DNS hostname could not be resolved.
Solution:
You will need to manually change them from DNS tracking to IP tracking.
Purge Assets Older than 90 Days
The idea is to find all assets not scanned in the last 90 days, then purge them all.
4.2 Automatically Purge
From your Scans -> Option Profiles, enable the option to Close Vulnerabilities on Dead Hosts.
Delete Older / Obsolete Assets
- Create an asset group called "ToBeDeleted".
- Add all available IPs in your subscription to it and save the AG.
- Now go to Asset Search.
- Run an asset search on the AG "ToBeDeleted". Just select the AG and hit Search. This returns a list of all IPs in your subscription that have been scanned at least once. (If it has been scanned at least once, it isn't a dead host.) You may modify this search to suit your meaning of "dead host".
- On this asset search result, select all IPs and choose "Launch a scan" from the action menu (don't run the scan, just hit Launch).
- In the Launch Vulnerability Scan window, copy the target IP range.
- Now go back to the Asset Group tab and edit the asset group you created called "ToBeDeleted".
- In the Edit AG window, go to the IPs tab and click Manually.
- In the manual IP entry window, paste the range you copied and click "Remove".
- Now save your asset group again.
- Delete, or do whatever you want to do with, the list of IPs now in "ToBeDeleted".
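As an added example (not from this post or from Qualys), the "find stale hosts, review, then purge" idea of the two sections above done against Host List API output instead of through the UI: hosts with no VM scan in 90 days, or never scanned, are selected and turned into purge request parameters. The HOST_LIST_OUTPUT sample is constructed to mirror the API response shape, and the fixed "today" and 90-day cutoff are assumptions.

```python
"""Select Qualys host assets not VM-scanned in 90 days and build purge parameters.
Added example; the HOST_LIST_OUTPUT sample is constructed, not a real response."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample of /api/2.0/fo/asset/host/?action=list&details=Basic output:
# one fresh host, one stale host, one host that was added but never scanned.
SAMPLE_HOST_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST>
  <HOST><ID>1001</ID><IP>192.168.0.10</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
        <DNS><![CDATA[laptop10.corp.example]]></DNS>
        <LAST_VM_SCANNED_DATE>2024-05-20T08:00:00Z</LAST_VM_SCANNED_DATE></HOST>
  <HOST><ID>1002</ID><IP>192.168.0.11</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
        <LAST_VM_SCANNED_DATE>2024-01-15T08:00:00Z</LAST_VM_SCANNED_DATE></HOST>
  <HOST><ID>1003</ID><IP>192.168.0.12</IP><TRACKING_METHOD>IP</TRACKING_METHOD></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed fixed "today", keeps the run deterministic

def parse_hosts(xml_text):
    """One dict per <HOST>: id, ip and last VM scan time (None when never scanned)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("HOST"):
        scanned = h.findtext("LAST_VM_SCANNED_DATE")
        hosts.append({
            "id": h.findtext("ID"),
            "ip": h.findtext("IP"),
            "last_vm_scan": datetime.fromisoformat(scanned.replace("Z", "+00:00")) if scanned else None,
        })
    return hosts

def stale_hosts(hosts, now=NOW, days=90):
    """Hosts with no VM scan inside `days`; never-scanned hosts count as stale (dead)."""
    cutoff = now - timedelta(days=days)
    return [h for h in hosts if h["last_vm_scan"] is None or h["last_vm_scan"] < cutoff]

def purge_params(hosts, chunk=100):
    """Form parameters for POST /api/2.0/fo/asset/host/ with action=purge, chunked by id.
    A live call additionally needs Basic auth and the X-Requested-With header."""
    ids = sorted(h["id"] for h in hosts)
    return [{"action": "purge", "ids": ",".join(ids[i:i + chunk])} for i in range(0, len(ids), chunk)]

if __name__ == "__main__":
    stale = stale_hosts(parse_hosts(SAMPLE_HOST_LIST))
    for h in stale:  # review this list before any purge request is sent
        print(h["id"], h["ip"], h["last_vm_scan"] or "never scanned")
    print(purge_params(stale))
```

The Host List API can also apply the age filter server side with its no_vm_scan_since parameter; the local filter above is useful when you want to inspect the candidates (for example, the never-scanned ones) before purging.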
Best Practice to Maintain Timely and Effective Qualys Report
From Qualys Community: Reduce Asset Duplication
- Authenticated scanning
- Agentless tracking (Run scans using Agentless Tracking)
- For our agent-installed assets for servers we created a network scanning job that defaults the agent as the authority. Basically it scans for everything the agent doesn't track (port-related)
- Before this, we were running full network scans and agents were reporting in. This caused a lot of fighting between network scans and agent scans. We drank the Qualys Kool-Aid and created this scan, and it has been working pretty well since then. It has definitely cut down the QID flapping (scans fighting each other).
Scan a New Subnet
Let's assume I have a new subnet to scan: 192.168.0.0/24
Step 1 - Add 192.168.0.0/24 to the "none" domain and the approved hosts list
Step 2 - Set up a MAP scan to map that subnet. (Let's assume the map scan found 30 Windows laptops)
Step 3 - In the MAP Report, select all those assets and "ADD" to my subscription. This adds the asset by IP Tracking.
Step 4 - I perform an authenticated scan (Standard profile, Agentless Tracking enabled, Unified View enabled, Dissolvable agent enabled) using a Domain Admin account for the domain the assets are a member of.
Step 5 - I now have 30 laptops with vulnerability information gathered as relevant to an authenticated scan. They are all tracked by IP at this stage.
Step 6 - I now search for those assets in Assets > Asset Search > IP Range > 192.168.0.0/24. I see 30 laptops, IP tracked, complete with DNS names and NetBIOS names.
Step 7 - I select all 30 assets. Edit>Tracking>DNS. The report refreshes to show the same assets but now they are tracked by DNS.
The above steps are exactly what I did many months ago for all our subnets and assets (Relevant tracking as per asset).
Use a Light Inventory Scan across whole subnets to capture and tag new assets, then run a full rescan on them.