QualysGuard(R) Release Notes - Qualys Security Blog

4m ago
1.20 MB
19 Pages

Qualys 8.5 Release NotesJuly 10, 2015Qualys 8.5 is now available. This new release of the Qualys Cloud Suite of Security and ComplianceApplications includes improvements to Vulnerability Management and Policy Compliance.Qualys Cloud PlatformSelect Multiple Scanner Appliances for ScansSet Expiration Date for Excluded HostsLast Scan Date added to Authentication Record DetailsMore Host Info in Authentication ReportsSend Email Notifications to Bcc ListGet Notified Before Your Account ExpiresQualys Vulnerability Management (VM)SSL Labs Grade added to Certificates ListAlgorithm added to Certificates ListIdentify Vulnerabilities on Non-Running KernelsView QIDs Applicable to Report FiltersSelect time frame for Scorecard ReportsQualys Policy Compliance (PC/SCAP)Make Policies Active or InactiveHide TechnologiesNew Support for Tomcat Server AuthenticationNew Technologies Supported for UDCsMicrosoft SQL Server 2014 SupportExport policies in CSV formatEvidence added to SCAP Policy CSV ReportsQualys API EnhancementsImprovements for Managing Excluded IPsUser API Accepts Timezone CodesLaunch Report API Accepts Recipient GroupsVM - Create Reports with Non-Running Kernels in Vulnerability DetailsPC - New Tomcat Server Authentication APIPC - Make Policies Active or InactiveCopyright 2015 by Qualys, Inc. All Rights Reserved.1

Qualys Cloud PlatformSelect Multiple Scanner Appliances for ScansWith this release you can select multiple scanner appliances for your internal vulnerability andcompliance scans (PC and SCAP). This is especially useful when scanning a large number of hostsbecause it allows you to distribute the scan task across scanner appliances.Simply choose “Build my list” from the Scanner Appliance menu when making your scan settings. Thenselect the appliances you want to use for the scan task.Scheduling your scans? No problem, you can select multiple scanner appliances for scheduled scans too.Qualys Release Notes2

Set Expiration Date for Excluded HostsYou can now set an expiration date when adding IPs to the Excluded Hosts list. When the date is reached,the IPs are automatically removed from the list and made available again for scanning. We’ll send you anemail 7 days before removing the IPs, allowing you time to change the date if you want. To notify otherusers, simply add distribution groups and the email will be sent to them as well.How do I exclude hosts for a set number of days? Go to Scans Setup Excluded Hosts. Click Edit toadd IPs to the Excluded Hosts list. Enter the IPs you want to exclude, set a deadline and add distributiongroups. Then add comments and click Add.When viewing the Excluded Hosts list click the link “View excluded hosts with an expiration date set” tosee when each IP/IP range is set to expire. You can sort this list by expiration date and download it invarious formats like CSV and XML.Want to change the expiration date for a host? Add the host to the list again and set a new deadline. Theexpiration date will be updated.Qualys Release Notes3

Last Scan Date added to Authentication Record DetailsDrill down into authentication record details to see the date/time of the last authenticated scan for eachhost in the record. This is when the Pass/Fail status was last updated for the host.Check it outGo to Scans Authentication and click the Details link for any record. When in VM, you’ll see thevulnerability scan date. When in PC, you’ll see the compliance scan date.Tip – The Credentials Breakdown options (on the authentication dashboard) only consider hosts scannedin the last 30 days. Now you can easily identify hosts that aren’t being counted because they werescanned more than 30 days ago.Qualys Release Notes4

More Host Info in Authentication ReportsSelect the option “Additional Host Info” when running your report to include this information for eachhost: 1) the host’s operating system, 2) the last time you scanned the host with authentication, and 3) thelast time authentication was successful.Here’s a sample report with host information included.Qualys Release Notes5

Send Email Notifications to Bcc ListIt’s easy to do. Just select “Send as Bcc” in your distribution group settings. We’ll hide the list ofrecipients any time the distribution group is selected for a notification - scan notifications, reportnotifications, vulnerability notifications, etc.Get Notified Before Your Account ExpiresThe Manager Primary Contact (for the subscription) will now receive an email notification when theaccount is going to expire with details on how to renew. The email is sent 45 days, 30 days, 14 days and7 days before the expiration date, and every day after that until the expiration date.Qualys Release Notes6

Qualys Vulnerability Management (VM)SSL Labs Grade added to Certificates ListWe’re excited to announce that we’ve integrated SSL Labs with Qualys VM. When enabled, you’ll get aletter grade (A , A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. Grades areupdated automatically each time new vulnerability scan results are processed for your hosts.Important – The SSL Labs Grade feature must be enabled for your subscription. Please contact yourTechnical Account Manager or Support to get this feature.Go to VM Assets Certificates to see grades for your certificates. Not seeing a grade? Be sure to runnew vulnerability scans on your hosts in order for grades to be calculated.You’ll notice that if the same certificate is found multiple times on the same host (on different ports), theneach instance of the certificate will now be listed and the Port column will show the port number. Eachinstance of the certificate can have a different grade.How are grades calculated?We first look at the certificate to verify that it is valid and trusted. Then we inspect SSL configuration inthree categories: 1) Protocol Support, 2) Key Exchange and 3) Cipher Strength. Each category is given ascore and we combine these scores for an overall score of 0-100. (A zero in any category results in anoverall score of zero.) The overall numerical score is translated into a letter grade (A-F) using a look-uptable. Your A grade will be upgraded to A for exceptional configurations, and downgraded to A- whenthere are one or more warnings. Other grades you might see: T (certificate is not trusted), M (certificatename mismatch), and NA (not applicable, SSL server information not retrieved).Want to know more? Go to x.htmlQualys Release Notes7

Can I update the grade without a new scan?Yes. From your certificates list, choose Certificate Info from the Quick Actions menu and then go to theHosts tab. The grade is automatically calculated based on the most recent host scan data. Optionally, clickon the host’s IP address in your certificates list and go to the Certificates tab to get a grade for anycertificate on the host.Click on the grade to view the SSL Grade Summary page. Here you’ll see certificate information plus thescore and details for these three categories: 1) Protocol Support, 2) Key Exchange and 3) Cipher Strength.The Certificate score is either 0(not trusted) or 100 (trusted). Thisscore is not used when calculatingthe overall grade.Qualys Release Notes8

Algorithm added to Certificates ListFor each certificate you’ll see the algorithm (sha1WithRSA, md5WithRSA, etc) in the new Algorithmcolumn. Just go to VM Assets Certificates to see it.How do I show the new Algorithm column?This column is hidden initially. Simply select it in theTools menu (as shown on the right) to show it in the list.Will the algorithm appear in downloaded reports?Yes. When the column is shown in the UI, then it willalso appear when you download the Certificate’s report.Go to New Download and choose a report format(XML, CSV, etc).Qualys Release Notes9

Identify Vulnerabilities on Non-Running KernelsWith this release, users can create reports that show non-running kernels in the vulnerability details. Thisway you can identify vulnerabilities found on a kernel that is not the active running kernel.A new option “Display non-running kernels” has been added under “Non-Running Kernels” on the Filtertab of report templates for scan, patch, and scorecard reports.Here’s a sample report with vulnerabilities on non-running kernels for host – When you run this report in CSV format you’ll see a new column “Non-running Kernel” with avalue of Yes or No for each vulnerability to indicate whether it was found on a non-running kernel.Qualys Release Notes10

View QIDs Applicable to Report FiltersWith this release you can identify the vulnerabilities that apply to these report template filters: “ExcludeQIDs on non-running services” and “Exclude QIDs not exploitable due to configuration”. These filtersappear in templates for scan reports, patch reports and scorecard reports.In your report template, click the View QIDs link to see the list of the QIDs that may be filtered out wheneach filter option is selected.You can also find these QIDs in the KnowledgeBase and create a search list based on these options. Go toKnowledgeBase, click Search, and select the options “Not exploitable due to configuration” and “Nonrunning services” to find the QIDs applicable to the report filters.Qualys Release Notes11

In the KnowledgeBase, QIDs that apply to the filter “Not exploitable due to configuration” are flaggedwith . QIDs that apply to the filter “Non-running services” are flagged with .Select time frame for Scorecard ReportsWe have now enabled time frame selection for Scorecard reports. This means only the scan results duringthe period defined by you will be displayed in the Scorecard Report.In the Edit Scorecard Report, the new option “Only include scan results from the specified time frame” isadded so that only the scan results for the period of time you select from “Host Scan Date” are displayed.Using the Host Scan Date you have options like today, all dates before, all dates after, date range, in theprevious day, week, month, year, etc, to define the time frame.Qualys Release Notes12

Qualys Policy Compliance (PC)Make Policies Active or InactiveEvery policy in your account will now either be in an active or inactive state. The policies that are ininactive state will not be scanned or reported on. By default your polices are marked active.You may want to hide a new policy while you’re working on it and then publish it at a later time. Or let’ssay a policy has become out of date and you want to edit the policy before republishing it. In such casesyou mark the policy inactive and make the required changes. Only after you activate the policy, it will beavailable for scanning and reporting.You can easily mark an existing policy inactive. Go to your list of policies, identify the policy and selectDeactivate from the Quick Actions menu. (Use Actions menu to select multiple policies at one go.)meansactivemeansinactiveYou can also choose to Deactivate your policy using the Policy Editor.Qualys Release Notes13

What happens when I deactivate a policy?- No posture evaluation will take place for the policy- The policy will be hidden from your dashboard, reports and exceptions- Any policy report schedules for the policy will be deactivated- The policy will be removed from compliance scorecard reports- The policy will be removed from option profiles (with the Scan by Policy option enabled)What happens if I re-activate the policy?Posture evaluation will resume and the policy will be available again for scanning and reporting. You’llneed to manually re-activate report schedules and add the policy back to your scorecard reports andoption profiles. For policy report schedules, the policy will be selected for you.Hide TechnologiesYou can now hide the technologies that you do not use on a regular basis. By hiding these technologies,you no longer need to go through the whole list of all the available technologies to select the ones youwant. This is especially useful while searching controls by technologies. Only the controls related to thepreferred technologies are displayed and are available for search.Go to Policies Setup Technologies and create a list of preferred technologies that should be displayed.For example, let’s say you’re interested only in Windows. You add all the Windows technologies to yourpreferred list. All other technologies like Unix, Sybase, Solaris, etc will be hidden.Qualys Release Notes14

New Support for Tomcat Server AuthenticationWe now support compliance scans for tomcat servers running on Unix hosts. Simply create a new TomcatServer authentication record with details about your Tomcat installation and instance. Unix authenticationis required so you’ll also need a Unix record for the host running the server.Which technologies are supported?- Apache Tomcat 6.x and 7.x- VMware vFabric tc Server 2.9.x- Pivotal tc Server 3.xHow do I get started?- Go to Scans Authentication.- Check that you have a Unix record already definedfor each host running a tomcat server.- Create a tomcat server record for the same host. Goto New Application Records Tomcat Server (asshown on the right).Your Tomcat Server RecordYou’ll need to tell us where the tomcat server is installed. You may also need to tell us where the tomcatserver instance(s) are installed – if different than the installation directory. Have multiple instances? Usethe Auto Discover option and we’ll find the instances for you (applies to VMware vFabric and Pivotal).Qualys Release Notes15

New Technologies Supported for UDCsThese Windows technologies are now supported for user defined controls: Windows 8.1 and WindowsServer 2012 R2. These Unix technologies are now supported: Mac OS X 10.10, Mac OS X 10.9, Red HatEnterprise Linux 7.x, Oracle Enterprise Linux 7.x, CentOS 7.x and Ubuntu 12.x.Want to create controls for these technologies? Go to Policies Controls, and choose New Control.Then select