- 3 Minutes to read
- Print
- PDF
Qualys SCA
- 3 Minutes to read
- Print
- PDF
About this document
This document provides the step-by-step procedure to integrate SAFE with Qualys Security Configuration Assessment (SCA) and Policy Compliance (PC).
Introduction
SAFE integrates with Qualys Security Configuration Assessment (SCA) and Policy Compliance (PC) to fetch the configuration assessment results based on CIS benchmarks into SAFE. Once configured, this integration onboards the Qualys SCA and PC assets in SAFE and automatically adds assets to Default groups based on the Operating System (OS) information from Qualys.
You can configure Qualys SCA and PC in SAFE from the Qualys SCA card available in SAFE Hooks.
Supported Asset Type
Qualys SCA and PC integration supports the configuration assessment for the following asset types:
- RHEL 7.x
- RHEL 8.X
- CentOS 7.x
- CentOS 8.x
- Ubuntu 22.x
- Ubuntu 20.x
- Suse Linux 12.x
- Suse Linux 15.x
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- If SAFE does not find the mapping for an asset, the asset will be added to the Others Default Group. However, you can move the asset manually to the best-suited Group.
- You can check the mapping using API “GET <SAFE_URL>/api/v3/settings/os-to-safe-asset-type-mapping”.
- To add a custom OS to Safe Asset Type mapping, use API “POST <SAFE_URL>/api/v3/settings”
- By default, the asset-matching criteria used for Qualys SCA is ["fqdn", "assetName", "ipAddress"]
Prerequisites
To configure Qualys, you need the following details:
- Qualys API URL - The URL should start with qualysapi, and not qualysguard.
- Qualys API Credentials
- Verifying that the SAFE Instance’s IP address is whitelisted in the user’s Qualys Instance.
Create a user in Qualys with API access
To connect Qualys SCA and PC with SAFE, you can use an existing user’s username and password, which has access to the Qualys API, or create a new user. The minimum access required for the user is Reader level, and the user should have both GUI and API access to set up the integration properly.
Create a new user in Qualys
- Log in to your Qualys instance.
- Scroll down and select Administration from the top-left dropdown.
- Click the Create User button on the Administration page and select CreateReaderUser.
- Select the user role as Reader (or a higher role) on the NewReaderUser page.
- Mark the API and GUI access checkboxes.
- Click Save. The new user will get an email to verify login and complete the user registration process. We can now use the credentials to connect SAFE with Qualys.
Configure Qualys SCA and PC
To configure Qualys SCA in SAFE:
- Navigate to the SAFE Hooks.
- Click the Qualys SCA card.
- Enter the Qualys API URL, Username, and Password.
- Enter the Policy IDs Filter. SAFE allows you to filter the assessment data being fetched from Qualys based on Qualys Policy IDs. If this field is blank, the system pulls the assessment data for all policies to which the user has access.
- Enter the Auto-Sync Frequency.
- Select the AutoOnbaordNewAssets checkbox to onboard the newly discovered assets in SAFE.
- Click the Test Connection button.
- Once the connection is verified, click Save Configuration.
- Click the Sync Now button to fetch the results in SAFE.
View Result
To view the onboarded Assets;
- Navigate to Technology > Assets.
- Filter the asset list for the source as security.safe.qualys-sca.
- The system displays the assets imported from Qualys SCA and PC.
- Clicking any assets displays the controls and their status.
- Further clicking a control displays the control’s details and MITRE ATT&CK mapping.
FAQs
Question 1. I do not see the expected number of assets in SAFE
Answer: This is normally as a result of incorrectly configured permissions for the Qualys user that has been configured in SAFE. To confirm the assets that can be seen by the Qualys user, you can use the following cURL to query the Qualys API and return the list of host ids that this user can view.
To use the below command you will need to:
- Update the FQDN for your Qualys endpoint - https://qualysapi.<host name>.apps.qualys.com
- Update the username/password with a BASE64 encoded string of the username/password for the Qualys user.
- For example the username "qualys1" and password "password123" encode the string "qualys1:password123" to give the output "cQB1AGEAbAB5AHMAMQA6AHAAYQBzAHMAdwBvAHIAZAAxADIAMwA=" which you would then substitute instead of <BASE_64_ENCODED_username:password>
curl --location --request GET 'https://qualysapi.<host name>.apps.qualys.com/api/2.0/fo/asset/host?action=list&details=None' \
--header 'X-Requested-With: QualysPostman' \
--header 'Authorization: Basic <BASE_64_ENCODED_username:password>'
The API should respond with the list of hosts the user can view similar to the example below.
<HOST_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2023-10-05T11:01:32Z</DATETIME>
<ID_SET>
<ID>222603114</ID>
<ID>222615064</ID>
<ID>222834012</ID>
<ID>223399088</ID>
<ID>228352379</ID>
<ID>237917698</ID>
<ID>237956085</ID>
<ID>247442977</ID>
<ID>251223661</ID>
<ID>251464069</ID>
</ID_SET>
</RESPONSE>
</HOST_LIST_OUTPUT>
If the number of hosts is less than expected then check in your Qualys Administration permissions that the user has a "Global Scope" configured with the expected asset group tags. You may wish to check the box "Allow user view access to all objects" to give complete asset visibility at the global level.
If the number of hosts is as expected, check the SAFE Hook and confirm that you have not configured any filters, and if there are errors in the transaction history:
If the issue persists, please contact SAFE Support.