Qualys Cloud Platform 8.21.6 New Features

Update Nov 19, 2019: This blog post was updated with additional detail about the new features in 8.21.6.

The 8.21.6 release adds several new features in Qualys Cloud Platform, Policy Compliance, and Vulnerability Management. Apart from various other new features, this release adds support for Apple Safari 11.x/12.x in compliance scans for Unix hosts, and extends UDC support for multiple new technologies for Qualys PC; whereas, new features for VM includes added support for HashiCorp vaults in DB Auth Records and Sybase authentication for vulnerability scanning.

Feature Highlights

Qualys Cloud Platform

• New options to download and purge vCenter and ESXi Mapping Data – To enable customers to validate if each ESXi server is connected from the correct vCenter, Qualys Cloud Platform now has an option to download the vCenter and ESXi Mapping data in CSV format.In the VM user interface, go to Scans > Authentication > New > vCenter Mapping and then click on Download CSV.

In the vCenter ESXi Mapping Data page, use the Search option to search for a particular IP and click the Download CSV option to download all the records related to searched IP in CSV format.

Customers also have the option to delete the vCenter and ESXi mapping data. To purge mapping data, select a vCenter mapping, click Purge, and then select the appropriate option from the Purge page.

• User creation without a gender-specific prefix – Qualys customers can now create user accounts without specifying a gender-specific prefix for the username. The Prefix drop-down list in the Personal Information section of the Welcome screen now has a new option – None. If the prefix is set to None, email communications will not have a gender-specific prefix to the customer’s name.

• Platform and asset tags information made optional for Cloud perimeter scans – Customers can now launch a Cloud perimeter scan job without specifying the platform, region code, VPC ID, or asset tags. A new Cloud perimeter scan job can be created using only the connector. If no assets are resolved from the connector and for the optional “platform” and “asset tags” selections, the scan is launched on the load balancer DNS names. If no load balancer DNS names are specified, then the scan will fail and get terminated.
• EC2 instances with public IP addresses are now scannable – It’s now possible to launch Cloud perimeter scans on EC2 instances that do not have public DNS hostnames, but have public IP addresses. When a Cloud perimeter scan is launched, all the EC2 assets that have public IPs but do not have public DNS will be included. If both public DNS and public IP address exist for the EC2 assets, the scan will be launched using public DNS.

Qualys continues to support only DNS names for load balancers. Note that of all the EC2 hosts that have public IPs and are included for scan, only those assets will be scanned that are activated for PC and VM scan.

To create a Cloud perimeter scan job, go to VM for a vulnerability scan (or PC for a compliance scan) and select New > Cloud Perimeter Scan. Create an asset tag for your EC2 assets that have only public IPs and select this tag when creating a cloud perimeter scan job.

Qualys Policy Compliance (PC)

• Support for Oracle HTTP Server authentication – Users can now create an Oracle HTTP Server record to authenticate to an Oracle HTTP Server running on a Unix or Windows host and scan it for compliance. This record type is only available with PC or SCA and is supported for compliance scans only.
  Following are the currently supported versions:
  – Oracle HTTP Server 11g
  – Oracle HTTP Server 12c
• New File Content Check for Windows – Customers can now configure a File Content Check control to check the content of a Windows file. This control is only supported for Cloud Agents. So, this control will be evaluated using only agent scan data.

To configure, in the Policy Compliance user interface, navigate to Policies > Controls > New > Control and in the Windows Control Types tab, select File Content Check (Agent Only).

Provide required information such as Scan Parameters, Control Technologies and so on to create the check.

File location can be specified in the Scan Parameters using any of the path types: Registry Key, File Search, and File Path.

• UDC support for new technologies – Qualys PC now supports UDCs for the following technologies:
  – Oracle 18c
  – Oracle 19c
  – openSUSE 15.x
  – Red Hat Enterprise Linux
• Support for instance-based reporting for IBM WAS – Prior to this release, WebSphere scanning was only supported for a single instance per target and instance report was without WebSphere installation path. With this release, users can initiate authenticated scans for multiple auth records and multiple instances of IBM WAS on a single host. Installation directory path is now shown with instance.
• Support for Apple Safari 11.x/12.x in compliance scans for Unix hosts – Users can now initiate compliance scans for Apple Safari 11.x and Safari 12.x instances on Unix platforms. Scan reports show information for Safari 11.x /12.x instances only if they are found on the Unix host during the compliance scan.

Note: Users must have a Unix authentication record with “sudo” as root delegation for the hosts running Safari 11.x/12.x instances.

• Expanded support for instance discovery and auto-record creation – With this release, instance discovery and auto-record creation are supported for Apache Tomcat Server.

Qualys Vulnerability Management (VM)

• CVSS3 vector strings in scan reports – Scan reports will now display the CVSS3 base and temporal vector strings along with the CVSS2 base and temporal vector strings. Vector strings help to process CVSS metrics for the various compliance programs.

Note: Users can see the CVSS scores and vector strings in the subscription only when CVSS scoring is enabled by a user with a Manager’s role.

The CVSS3 base and temporal vector string are displayed on the Info/Edit Vulnerability window for all QIDs that have a CVSS3 score.

• Support for HashiCorp vaults in DB Auth Records – Qualys has extended the support for HashiCorp vaults to all database auth records. Users can now configure authentication records for Oracle, MS SQL, MySQL, MariaDB, Sybase, PostgreSQL, MongoDB and DB2 to use HashiCorp vaults.
• Support for Sybase authentication – Sybase authentication was already supported for PC and now it is also supported in VM for vulnerability scanning.