Policy Compliance Adds UDC Support for Cloud Agent
Last updated on: September 6, 2020
Qualys is extending the Cloud Agent capabilities for users of the Policy Compliance (PC) application by letting them define controls.
Until now, the Cloud Agent could only assess Qualys PC’s “out of the box” controls. By adding support for user-defined controls (UDC), Qualys PC users can now use Cloud Agents to evaluate those types of controls. UDCs allow users to create their own controls dynamically, as needed, without having to submit control requests to Qualys development.
The UDC controls you’ve already defined in your Qualys Policy Compliance account for compliance scanning will also be evaluated by Qualys Cloud Agent with no action required from you.
We’ve added new Cloud Agent scan options in the following controls:
- Directory Search Check and Directory Integrity Check: The “Use agent scans only” option lets you specify that the control should only be evaluated using agent scans.
- Directory Integrity Check and File Integrity Check: The “Auto update expected value” option lets you update a control’s expected values with the actual values collected from agent scans.
Pre-requisites
- Agent UDC Support must be available on the Qualys Cloud Platform for your subscription
- Qualys PC must be enabled for your subscription
- Qualys Cloud Agent must be enabled for your subscription
- Cloud Agents must be activated for the PC application
- Windows Cloud Agent 2.1.x or later
- Linux & AIX Cloud Agent 2.3.x or later
Enabling UDC Support on Agents
New Agents
New agents will automatically support UDCs as long as they meet the minimum version requirement. No user action is required.
Existing Agents
To activate UDC support for an existing agent, go to Cloud Agent, identify the agent in your agents list and choose “Assign UDC Manifest” from the Quick Actions menu.
For bulk activation, select multiple agents in your list and choose “Assign UDC Manifest” from the “Actions” menu above the list.
Only evaluate controls using agent scans
You’ll see the option “Use agent scans only” in these Windows and Unix control types: Directory Search Check and Directory Integrity Check. When you select this option, the control will only be evaluated using agent scan data. You’ll also notice that you can enter wildcards in the Base Directory when defining the control’s scan parameters since this is supported by agents.
Auto Update expected values from agent scans
The option “Auto Update expected value” lets you update a control’s expected values with the actual values collected from each Cloud Agent scan. Enable this option in Directory Integrity Checks and File Integrity Checks. You must also enable “Use scan data as expected value” in the same control, located under Control Technologies.
Directory Integrity Checks
File Integrity Checks
API Support
When you list compliance controls or export controls and policies from your account, you’ll see elements in the XML output that correspond to agent scan options.
USE_AGENT_ONLY appears for these Windows and Unix control types: Directory Search Control and Directory Integrity Control. USE_AGENT_ONLY has a value of 1 in the XML output when the “Use agent scans only” option is enabled for the control. When enabled, we’ll evaluate the control using scan data collected from a Cloud Agent scan only. USE_AGENT_ONLY has a value of 0 when this option is not enabled for the control.
AUTO_UPDATE appears for these Windows and Unix control types: File Integrity Control and Directory Integrity Control. AUTO_UPDATE has a value of 1 in the XML output when the “Auto update expected value” option is enabled for the control. When enabled, we’ll replace the control’s expected value for posture evaluation with the actual value collected from the Cloud Agent scan. AUTO_UPDATE has a value of 0 when this option is not enabled for the control.
See the Qualys Cloud Suite 8.16 API Release Notes for API samples and DTD/XSD updates.
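An added example (not Qualys code and not an API sample from the release notes): a Python audit of exported control XML that reports which controls have the agent scan options set, so you can review which integrity checks replace their expected values from agent data. Only the USE_AGENT_ONLY and AUTO_UPDATE element names come from this page; the wrapper elements, IDs and the sample document are constructed placeholders.

```python
import xml.etree.ElementTree as ET

FLAGS = ("USE_AGENT_ONLY", "AUTO_UPDATE")

# Constructed sample: only USE_AGENT_ONLY and AUTO_UPDATE come from the page;
# the wrapper elements (CONTROLS, CONTROL, ID, TYPE) and IDs are placeholders.
SAMPLE_XML = """<CONTROLS>
  <CONTROL><ID>100001</ID><TYPE>Directory Integrity Check</TYPE>
    <USE_AGENT_ONLY>1</USE_AGENT_ONLY><AUTO_UPDATE>1</AUTO_UPDATE></CONTROL>
  <CONTROL><ID>100002</ID><TYPE>File Integrity Check</TYPE>
    <AUTO_UPDATE>0</AUTO_UPDATE></CONTROL>
  <CONTROL><ID>100003</ID><TYPE>Directory Search Check</TYPE>
    <USE_AGENT_ONLY>1</USE_AGENT_ONLY></CONTROL>
  <CONTROL><ID>100004</ID><TYPE>Registry Value Check</TYPE></CONTROL>
</CONTROLS>"""


def agent_options(xml_text):
    """Return one dict per element that carries an agent scan option.

    The walk is structure-agnostic: any element with a USE_AGENT_ONLY or
    AUTO_UPDATE child is reported, so the real export layout does not have
    to match the sample. An absent flag is reported as None, not as False.
    """
    found = []
    for parent in ET.fromstring(xml_text).iter():
        flags = {c.tag: (c.text or "").strip() == "1"
                 for c in parent if c.tag in FLAGS}
        if not flags:
            continue
        # Keep the other leaf children (ID, TYPE, ... if present) as context.
        context = {c.tag: (c.text or "").strip()
                   for c in parent if len(c) == 0 and c.tag not in FLAGS}
        found.append({"context": context,
                      **{name: flags.get(name) for name in FLAGS}})
    return found


def auto_updating(xml_text):
    """Controls whose expected value is replaced by agent-collected data."""
    return [c for c in agent_options(xml_text) if c["AUTO_UPDATE"]]


if __name__ == "__main__":
    for control in agent_options(SAMPLE_XML):
        print(control)
```

Controls returned by `auto_updating` are the ones to review first, since a change on the host becomes the new expected value at the next agent scan.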