Copyright 2016 by Qualys, Inc. All Rights Reserved.
Qualys 8.8 Release Notes
This new release of the Qualys Cloud Suite of Security and Compliance Applications includes
improvements to Vulnerability Management and Policy Compliance.
Qualys Cloud Platform
Improvements to Asset Search
Choose Kerberos, NTLM protocols for Authentication
Select SMB Version for Windows Authentication
Better Explanation for Authentication Not Attempted
New Replace Scanner Options
Increased Storage Option
New Locale Tab in User Profile
Create IPv6 Asset Groups without a Scanner Appliance
Qualys Vulnerability Management (VM)
New Scan Option – Close Vulnerabilities on Dead Hosts
Display CVSS v3 scores in reports
New Operand in Dynamic Search List for CVSS
KnowledgeBase Download shows more QID attributes in XML and CSV
Vulnerability Notification shows more QID attributes in CSV file
Qualys Policy Compliance (PC/SCAP)
New Support for Oracle WebLogic Server Authentication
New Support for Checkpoint Firewall Authentication
IBM HTTP Server 8 Support
IBM WebSphere Application Server 8 Support
Improvement to Exception Assignments
Support Agent IPs in Compliance Policy
User Defined Controls: New Reporting Option for “Item not found” Error
New Windows UDC: Group Membership Check
New Technologies Supported for WMI Query Check UDC
Qualys API Enhancements
See the Qualys API Release Notes 8.8 for details. You can download the release notes and our user guides
from your account. Just go to Help > Resources.
Qualys Release Notes 2
Qualys Cloud Platform
Improvements to Asset Search
You can now generate and download the Asset Search Report from the Reports tab. Go to Reports > New
> Asset Search Report to generate the report.
Select a report format: CSV, XML, HTML, PDF and MHT, provide search attributes, and then click Run
to generate the report. The Asset Search Report in specified format is saved to your reports list where you
can share it and download it, just like other reports.
Asset Search Report: Action on all Hosts
Want to launch a vulnerability scan or remove a tag on all the hosts in your asset search report? You can
do it in a jiffy. Select an action and click Apply.
The action menu includes options like Edit All, Purge All, and Add All to Asset Groups.
Asset Search Report: Services search enhanced
You can now enter the name of the services to be searched on the hosts. You can enter up to ten comma
separated values. Either type the name of the services or select from the existing list of services.
Choose Kerberos, NTLM protocols for Authentication
You can now choose the authentication protocols you want to use for authentication to Windows and MS
SQL Server target hosts. Your options are Kerberos, NTLMv2 and NTLMv1. You’ll choose
authentication protocols when defining login credentials for your authentication records.
Windows Domain Level Authentication
All three authentication protocols are supported. Kerberos and NTLMv2 are enabled by default in new
records. If NTLM was enabled in a record prior to this release, then NTLMv1 is enabled.
Windows Local Host Level Authentication
NTLMv2 and NTLMv1 protocols are supported. NTLMv2 is enabled by default in new records. If NTLM
was enabled in a record prior to this release, then NTLMv1 is enabled.
MS SQL Server Authentication (PC only)
All three authentication protocols are supported. Kerberos and NTLMv2 are enabled by default in new
records. MS SQL records created prior to this release will have all three protocols enabled.
Select SMB Version for Windows Authentication
You can now select a minimum SMB protocol version, such as version 1, 2.0.2, 2.1, etc., and we’ll require
that each Windows target has that version or later. If the target has an older version of the SMB protocol,
authentication will fail and the host will not be scanned.
How do I set up a minimum SMB version?
Go to Scans > Authentication > Windows Records and navigate to the Login Credentials section. Select
the minimum SMB version for your Windows host authentication. Authentication will fail for target hosts
that have an SMB version that is older than the minimum version selected. For example, if you set a
minimum of 2.0.2 and you scan a Windows host with version 1.0, authentication will fail and the host will
not be scanned.
Tip - You can set a minimum SMB version without also requiring SMB signing.
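The two settings above decide, before any check runs, whether a Windows target will be authenticated at all. The following Python is an added example (not Qualys code) that models that decision for a record against a target inventory: the SMB version comparison handles dialect strings of different lengths ("1", "2.0.2", "2.1"), the protocol rules per login type follow the notes, and a host below the minimum SMB version is reported as not scanned. The record and target structures, the per-host inventory and the assumption that the strongest mutually enabled protocol is used are all constructed for illustration.

```python
# Added example (not Qualys code): pre-check, before scanning, which Windows
# targets a Windows authentication record could reach under the two settings
# described above: enabled protocols and minimum SMB version. The record and
# target structures, the per-host inventory and the protocol-preference order
# are constructed for illustration.
from dataclasses import dataclass

ALL_PROTOCOLS = {"kerberos", "ntlmv2", "ntlmv1"}
# Supported protocols per login type, as stated in the notes.
ALLOWED_BY_LOGIN_TYPE = {"domain": ALL_PROTOCOLS, "local": {"ntlmv2", "ntlmv1"}}
# Assumption: the strongest protocol enabled on both sides is the one used.
PROTOCOL_PREFERENCE = ("kerberos", "ntlmv2", "ntlmv1")


def parse_smb_version(text):
    """Turn an SMB dialect string ("1", "2.0.2", "2.1", "3.0") into a comparable
    tuple. Missing trailing components count as zero, so "2.1" == "2.1.0" and
    "1" sorts below "2.0.2"."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class WindowsRecord:
    login_type: str            # "domain" or "local"
    protocols: frozenset       # enabled subset of ALL_PROTOCOLS
    min_smb: str = "1"         # minimum SMB version; "1" accepts every target


@dataclass(frozen=True)
class WindowsTarget:
    ip: str
    smb_version: str
    protocols: frozenset       # what the host's authentication stack accepts


def record_problems(record):
    """Return a list of configuration problems (empty when the record is valid)."""
    problems = []
    if record.login_type not in ALLOWED_BY_LOGIN_TYPE:
        return [f"unknown login type {record.login_type!r}"]
    unsupported = set(record.protocols) - ALLOWED_BY_LOGIN_TYPE[record.login_type]
    if unsupported:
        problems.append(f"{sorted(unsupported)} not supported for {record.login_type} records")
    if not record.protocols:
        problems.append("at least one protocol must be enabled")
    return problems


def evaluate_target(record, target):
    """Return (outcome, detail). Outcome is "auth" with the protocol that would be
    used, "smb_too_old" when the host is below the minimum SMB version (the host
    is then not scanned), or "no_common_protocol"."""
    if parse_smb_version(target.smb_version) < parse_smb_version(record.min_smb):
        return "smb_too_old", f"{target.smb_version} < minimum {record.min_smb}"
    for proto in PROTOCOL_PREFERENCE:
        if proto in record.protocols and proto in target.protocols:
            return "auth", proto
    return "no_common_protocol", f"record offers {sorted(record.protocols)}"


def preflight(record, targets):
    """Map each target IP to its expected outcome; refuses an invalid record."""
    problems = record_problems(record)
    if problems:
        raise ValueError("; ".join(problems))
    return {t.ip: evaluate_target(record, t) for t in targets}


# Constructed inventory (IPs and capabilities are made up for the example).
SAMPLE_TARGETS = [
    WindowsTarget("10.10.20.11", "3.0", frozenset(ALL_PROTOCOLS)),
    WindowsTarget("10.10.20.12", "1.0", frozenset(ALL_PROTOCOLS)),     # below minimum
    WindowsTarget("10.10.20.13", "2.1", frozenset({"ntlmv1"})),        # legacy-only host
]
SAMPLE_RECORD = WindowsRecord("domain", frozenset({"kerberos", "ntlmv2"}), "2.0.2")

if __name__ == "__main__":
    for ip, (outcome, detail) in preflight(SAMPLE_RECORD, SAMPLE_TARGETS).items():
        print(f"{ip}: {outcome} ({detail})")
```

With the sample record (Kerberos and NTLMv2 only, minimum SMB 2.0.2) the 3.0 host authenticates, the 1.0 host is rejected before any protocol is tried, and the NTLMv1-only host fails for lack of a common protocol; running such a preflight against your inventory shows which hosts a stricter record will silently drop from authenticated scanning.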
Better Explanation for Authentication Not Attempted
When you see the Not Attempted authentication status you’ll also see an explanation in the Cause
column. There are multiple reasons you can get this status and the explanation provided will depend on
the reason.
Authentication status appears in the authentication records list. Go to Scans > Authentication and click
the Details link. In this example, the host 10.10.10.215 has a status of N/A (Not Attempted) because this
is a Windows host in a Unix record.
You can also run an Authentication Report to see authentication status for your hosts. In this example, the
host 10.10.30.159 has a status of Not Attempted. This is a Unix host and there are Unix records in the
account but this host doesn’t match any of those records.
Tip – If you’re in VM, authentication information is based on vulnerability scan data. If you’re in PC,
authentication information is based on compliance scan data. Let’s say you scanned a host in PC but
you didn’t scan it in VM. You’ll see a Pass/Fail status in PC and Not Attempted in VM.
New Replace Scanner Options
New options in the Replace Scanner Appliance workflow give you more control over which
configurations are updated.
Go to Scans > Appliances > New > Replace Scanner Appliance. Select the appliance you want to replace
and the one you want to use. Then go to the Replace Scanner Options section to choose these options:
Do not copy Configurations from Old Scanner to New Scanner – Select this option if you do not want
us to transfer appliance settings from the old appliance to the new one. Settings include the polling
interval, heartbeat checks, scanning options, VLANs and static routes.
Do not remove New Scanner from Business Objects – Select this option if you do not want us to
remove the new appliance from asset groups and schedules it was already associated with.
Increased Storage Option
You can now keep scan and map results for up to 13 months when using the auto delete feature.
Go to Scans > Setup > Storage to tell us how long to store your results, or clear this setting if you do not want results automatically deleted.
New Locale Tab in User Profile
We moved the Language and Time Zone settings to a new Locale tab in your user profile. Just choose
User Profile below your user name or edit any user from the users list to see it for yourself.
Create IPv6 Asset Groups without a Scanner Appliance
IPv6 Scanning must be enabled for your subscription. Contact your Account Manager or Support to get it.
This makes it easier for you to create asset groups with IPv6 hosts. You’ll select a scanner appliance for
scanning your IPv6 hosts later, at scan time. Keep in mind the appliance must be enabled for IPv6
scanning. To create IPv6 asset groups: Go to Assets > Host Assets and choose Filters > IPv6 to IPv4
Mappings. Mark the check box next to each host you want to add to the asset group and select “Add to a
new Asset Group” from the Actions menu. You can also create asset groups from an Asset Search report.
Qualys Vulnerability Management (VM)
New Scan Option – Close Vulnerabilities on Dead Hosts
This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.
Choose this option to quickly close vulnerabilities for hosts that are not found alive after a set number of
scans. You configure this option in your scan option profile. When enabled, we’ll mark existing tickets
associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed.
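The rule above hinges on "not found alive after a set number of scans", so the interesting case is a host that disappears and then reappears. The following Python is an added example (not Qualys code) that applies that rule to a constructed scan history: it counts only the trailing run of scans in which a host was not alive, resets the run when the host reappears, and closes findings and tickets for hosts at or over the threshold without touching the rest. Host IPs, QIDs and ticket ids are made up.

```python
# Added example (not Qualys code): the closing rule described above applied to a
# constructed per-host scan history. A host whose most recent scans all reported
# it not alive, at least `threshold` in a row, has its open vulnerabilities set
# to Fixed and its tickets to Closed/Fixed; a host seen alive inside that window
# keeps its findings open. Host IPs, QIDs and ticket ids are made up.
from collections import defaultdict

# Constructed history in scan order: (scan id, host, host found alive?)
SCAN_HISTORY = [
    ("scan-1", "10.0.0.5", True),
    ("scan-2", "10.0.0.5", False),
    ("scan-3", "10.0.0.5", False),
    ("scan-4", "10.0.0.5", False),   # three dead scans in a row
    ("scan-1", "10.0.0.6", False),
    ("scan-2", "10.0.0.6", False),
    ("scan-3", "10.0.0.6", True),    # came back: the dead streak resets
    ("scan-4", "10.0.0.6", False),
    ("scan-1", "10.0.0.7", False),   # only one scan so far
]

# Constructed open findings and tickets keyed by host.
OPEN_FINDINGS = {
    "10.0.0.5": {"QID-90001": "Active", "QID-90002": "Re-Opened"},
    "10.0.0.6": {"QID-90001": "Active"},
    "10.0.0.7": {"QID-90003": "Active"},
}
TICKETS = {"T-1": ("10.0.0.5", "Open"), "T-2": ("10.0.0.6", "Open")}


def consecutive_dead_scans(history):
    """Per host, the length of the trailing run of scans that did not find it
    alive. Only scans that actually targeted the host appear in `history`, so a
    host left out of a scan's scope is not counted as dead by that scan."""
    streak = defaultdict(int)
    for _scan_id, host, alive in history:
        streak[host] = 0 if alive else streak[host] + 1
    return dict(streak)


def close_dead_hosts(history, findings, tickets, threshold):
    """Return (findings, tickets, closed_hosts) with dead hosts closed out.
    Inputs are not mutated, so a run can be previewed before it is applied."""
    dead = {h for h, n in consecutive_dead_scans(history).items() if n >= threshold}
    new_findings = {
        host: {qid: ("Fixed" if host in dead else status) for qid, status in per_host.items()}
        for host, per_host in findings.items()
    }
    new_tickets = {
        ticket: (host, "Closed/Fixed" if host in dead else status)
        for ticket, (host, status) in tickets.items()
    }
    return new_findings, new_tickets, sorted(dead)


if __name__ == "__main__":
    _, _, closed = close_dead_hosts(SCAN_HISTORY, OPEN_FINDINGS, TICKETS, threshold=3)
    print("closed as dead:", closed)
```

With a threshold of 3 only 10.0.0.5 is closed; 10.0.0.6 was alive in scan-3, so its findings stay open even though it has been missed twice overall. The threshold you pick trades how quickly stale findings leave your reports against the risk of marking Fixed a host that was merely unreachable during a few scan windows.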
Display CVSS v3 scores in reports
We now display the CVSS v3 scores for vulnerabilities assigned to CVEs by NIST, in vulnerability
reports and KnowledgeBase QIDs. Two new fields are added to display the CVSS v3 scores: CVSS3
Base Score and CVSS3 Temporal Score. You can view these fields in all formats of the reports.
Here are some sample reports where you can see the CVSS v3 scores:
Scan Report
Patch Report
KnowledgeBase
You can also specify CVSS v3 scores as criteria in your dynamic search lists. Go to KnowledgeBase >
Search Lists and specify the CVSS3 Base Score and CVSS3 Temporal Scores that you want to search on.
New Operand in Dynamic Search List for CVSS
You can now search for a score less than the specified CVSS and CVSS3 (Base and Temporal) scores. Go
to KnowledgeBase > Search Lists > Dynamic List. Choose the “less than” option and specify the desired
value. The search results will list all vulnerabilities that have scores less than the specified value.
Tip - You’ll see these same options when searching for QIDs in the KnowledgeBase.
KnowledgeBase Download shows more QID attributes in XML and CSV
We’ve added these attributes to XML and CSV formats if applicable to the QID – Remote
Discovery (i.e. can be exploited through remote discovery), Patch Available, and Exploit Available.
These attributes are represented by icons next to the vulnerability title in the KnowledgeBase.
Choose New > Download to download a KnowledgeBase report to CSV or XML format. You’ll see the
additional attributes under Sub Category.
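The CVSS v3 fields, the new "less than" operand, and the Remote Discovery / Patch Available / Exploit Available attributes all land in the same KnowledgeBase export, so the following Python is an added example (not Qualys code) that filters such an export offline. The column names and rows are constructed to mirror the fields named in these notes, not copied from a real download; check them against your own CSV before reusing. The point worth noticing is the blank score: a QID that NIST has not scored must not match a "less than" filter as if it were 0.0.

```python
# Added example (not Qualys code): filter a KnowledgeBase CSV export on CVSS v3
# scores and on the Remote Discovery / Patch Available / Exploit Available
# attributes. The column names and rows are constructed to mirror the fields
# named in the notes; verify them against an actual download before reuse.
import csv
import io

# Constructed sample export; QIDs, titles and scores are made up.
SAMPLE_CSV = """QID,Title,CVSS Base,CVSS3 Base Score,CVSS3 Temporal Score,Remote Discovery,Patch Available,Exploit Available
90001,Example RCE in service A,10.0,9.8,9.1,Yes,Yes,Yes
90002,Example info leak in service B,5.0,5.3,4.8,Yes,Yes,
90003,Example local privilege escalation,7.2,,,,Yes,
90004,Example weak cipher configuration,4.3,3.7,3.3,Yes,,
"""


def parse_score(text):
    """A blank cell means no CVSS v3 score has been assigned. Return None rather
    than 0.0 so that a 'less than' filter does not silently match unscored QIDs."""
    text = text.strip()
    return float(text) if text else None


def load_knowledgebase(csv_text):
    """Parse the export into plain dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "qid": int(row["QID"]),
            "title": row["Title"],
            "cvss3_base": parse_score(row["CVSS3 Base Score"]),
            "cvss3_temporal": parse_score(row["CVSS3 Temporal Score"]),
            "remote_discovery": row["Remote Discovery"].strip() == "Yes",
            "patch_available": row["Patch Available"].strip() == "Yes",
            "exploit_available": row["Exploit Available"].strip() == "Yes",
        })
    return rows


def score_less_than(rows, field, value):
    """The new 'less than' operand: strictly below `value`; unscored QIDs excluded."""
    return [r["qid"] for r in rows if r[field] is not None and r[field] < value]


def score_at_least(rows, field, value):
    """The complementary filter, e.g. for a 'critical and above' search list."""
    return [r["qid"] for r in rows if r[field] is not None and r[field] >= value]


def unscored(rows, field):
    """QIDs with no value in `field`; these need their own triage rule because
    neither score filter will ever return them."""
    return [r["qid"] for r in rows if r[field] is None]


def with_attributes(rows, **flags):
    """Filter on the boolean attributes, e.g.
    with_attributes(rows, remote_discovery=True, exploit_available=True)."""
    return [r["qid"] for r in rows if all(r[key] == value for key, value in flags.items())]


if __name__ == "__main__":
    kb = load_knowledgebase(SAMPLE_CSV)
    print("CVSS3 base < 7.0:", score_less_than(kb, "cvss3_base", 7.0))
    print("no CVSS3 base score:", unscored(kb, "cvss3_base"))
    print("remote + exploit available:", with_attributes(kb, remote_discovery=True, exploit_available=True))
```

Because `parse_score` returns `None` for blanks, QID 90003 shows up only through `unscored`, never in a score filter; when you build a dynamic search list on CVSS3 scores, run the equivalent check on your export so the unscored QIDs are not lost from both the "critical" list and the "low" list.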
Vulnerability Notification shows more QID attributes in CSV file
The Vulnerability Notification email is sent from the Qualys Cloud Platform when we’ve added and/or
updated vulnerabilities in the Qualys KnowledgeBase. We’ve added the attributes Remediation Link and
Product Affected to the attached CSV file.
Vulnerability Notification email (no changes):
CSV file: This shows the QID Remediation Link and Product Affected when available.
Qualys Policy Compliance (PC)
New Support for Oracle WebLogic Server Authentication
We now support compliance scans for Oracle WebLogic servers running on Unix hosts. Simply create a new Oracle WebLogic Server authentication record with details about your installation and the server domain. Unix authentication is required so you’ll also need a Unix record for the host running the server.
Which technologies are supported?
- Oracle WebLogic Server 11g
- Oracle WebLogic Server 12c
How do I get started?
- Go to Scans > Authentication.
- Check that you have a Unix record already defined for each host running an Oracle WebLogic Server.
- Create an Oracle WebLogic Server record for the same host. Go to New > Application Records > Oracle WebLogic Server (as shown on the right).
Your Oracle WebLogic Server Record
You’ll need to tell us where the server is installed. Then specify a single domain or use the Auto Discover
option (the default setting) and we’ll find all the domains for you.
New Support for Checkpoint Firewall Authentication
We now support compliance scans for Checkpoint Firewall devices. Simply create a new Checkpoint Firewall authentication record. Checkpoint Firewall is a sub-type of Unix authentication, similar to Cisco IOS. An IP address in the Checkpoint Firewall record cannot also exist in a Unix or Cisco IOS record.
How do I get started?
Go to Scans > Authentication, and choose New > Checkpoint Firewall (as shown on the right). This authentication type is supported for compliance scans only.
Your Checkpoint Firewall Record
You’ll notice that the settings in this record are the same as Cisco IOS records with the exception of Expert Password. This is the password required for executing the “expert” command on the target hosts.
IBM HTTP Server 8 Support
We’ve extended our support for Apache Web Server authentication to include IBM HTTP Server 8.x. These technologies are already supported: IBM HTTP Server 7.x, Apache HTTP Server 2.2 and 2.4, and VMware vFabric Web Server 5.x.
You’ll need an Apache Web Server record to authenticate to your server, and scan it for compliance.
How do I get started?
- Go to Scans > Authentication.
- Check that you have a Unix record already defined for the host running the web server.
- Create an Apache Web Server record for the same host. Go to New > Application Records > Apache Web Server (as shown on the right). This authentication type is supported for compliance scans only.
IBM WebSphere Application Server 8 Support
We’ve extended our support for IBM WebSphere Application Server to include Version 8. We already supported WebSphere Application Server 7.x.
You’ll need an IBM WebSphere App Server record to authenticate to your application server, and scan it for compliance.
How do I get started?
- Go to Scans > Authentication.
- Check that you have a Unix record already defined for the host running the application server.
- Create an IBM WebSphere App Server record for the same host. Go to New > Application Records > IBM WebSphere App Server. This authentication type is supported for compliance scans only.
Improvement to Exception Assignments
When assigning exceptions in bulk (either during batch request or bulk edit) we’ll now restrict the list of
possible assignees to only those users who have access to all of the selected exceptions, meaning they
have access to the hosts those exceptions apply to. This is to prevent an exception from being assigned to
a user who can’t take action on it.
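The assignee restriction above is a least-privilege check: a user is offered only when their host scope covers every host of every selected exception. The following Python is an added example (not Qualys code) of that check over a constructed set of users, scopes and exceptions, with a companion function that reports which hosts disqualified each excluded user, which is the question an administrator asks when an expected name is missing from the list.

```python
# Added example (not Qualys code): the assignee restriction described above, run
# over a constructed set of users, host scopes and exceptions. A user is offered
# as an assignee only when every host covered by every selected exception lies
# within that user's scope, so nobody is handed an exception they cannot act on.

# Constructed data: user -> hosts that user can see.
USER_SCOPES = {
    "manager": {"10.1.0.1", "10.1.0.2", "10.2.0.1"},
    "unit_a":  {"10.1.0.1", "10.1.0.2"},
    "unit_b":  {"10.2.0.1"},
}
# Constructed exceptions: exception id -> hosts it applies to.
EXCEPTIONS = {
    "EX-1": {"10.1.0.1"},
    "EX-2": {"10.1.0.2"},
    "EX-3": {"10.2.0.1"},
}


def hosts_covered(selected, exceptions=EXCEPTIONS):
    """Union of all hosts touched by the selected exceptions."""
    covered = set()
    for exception_id in selected:
        covered |= exceptions[exception_id]
    return covered


def eligible_assignees(selected, exceptions=EXCEPTIONS, scopes=USER_SCOPES):
    """Users whose scope contains every host of every selected exception.
    An empty selection yields no assignees rather than everyone."""
    if not selected:
        return []
    needed = hosts_covered(selected, exceptions)
    return sorted(user for user, hosts in scopes.items() if needed <= hosts)


def rejected_assignees(selected, exceptions=EXCEPTIONS, scopes=USER_SCOPES):
    """For review: each excluded user with the hosts they cannot see."""
    needed = hosts_covered(selected, exceptions)
    return {user: sorted(needed - hosts)
            for user, hosts in scopes.items() if not needed <= hosts}


if __name__ == "__main__":
    print("EX-1 + EX-3 can go to:", eligible_assignees(["EX-1", "EX-3"]))
    print("excluded because of:", rejected_assignees(["EX-1", "EX-3"]))
```

Selecting EX-1 and EX-3 together leaves only the manager eligible, because the two business-unit users each lack one of the hosts involved; splitting the batch by host scope is the way to get the exceptions to the people who own those hosts.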
Support Agent IPs in Compliance Policy
Now you can report on agent host compliance by adding agent host IPs to your policies. Managers and
Auditors have permission to add agent IPs to policies, view and report on agent IPs.
It’s easy to do. Open your policy in the Policy Editor, edit the assets for the policy and select the new
option “Include all hosts with PC agents”. All hosts in your PC Agent license will be included.
Note – This option only appears in accounts with PC Agent.
Reporting on Agent Hosts
Easily identify agent hosts in your reports and data lists by looking for the tracking method AGENT.
You’ll also notice that we’ve added the policy evaluation date to your policy reports, interactive reports,
and to the policies list.
Policy Summary
Control View
Policy Report
You must choose the option “All Assets in policy” to include agent hosts in your policy report.
Interactive Reports
Exceptions List
Tip – Be sure you’re showing the Tracking column to see this in your list.
Policies List - Policy Last Evaluated Date
We evaluate the policy when there are new scan results available, updates to the policy, or updates to the
hosts in the policy.
User Defined Controls: New Reporting Option for “Item not found” Error
This new option allows you to pass or fail the control in cases where it returns error code 2 “item not
found” (e.g. scan did not find file, registry, or related data, as appropriate for the control type). When
selected, we’ll add a checkbox to the control in the policy where you’ll set the status you prefer Passed
(default) or Failed.
Enable in Control Settings
Select the new option (highlighted below) in your control settings to return the status Passed or Failed
instead of Error when error code 2 “item not found” is returned. Here’s an example of a Windows
Registry Permission control.
Tip – The Ignore errors setting is not applied to controls that return the “item not found” error. Those controls will be evaluated according to your policy and status will be set to Passed or Failed.
Edit Control in Policy Editor
Choose the status you’d like to return in the policy’s control settings.
In this example, we’ll get the status Passed if the registry key is not found. Clear the option to get a status of Failed instead.
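The interaction between the new option, the per-policy Passed/Failed choice and the existing Ignore errors setting is easy to get wrong in a large policy, so the following Python is an added example (not Qualys code) that models how a single control result resolves to a status under these rules. The setting names, the second error code and the sample results are constructed; the rule being modelled is the one stated above: error code 2 becomes Passed or Failed when the option is enabled, and Ignore errors is not applied to that error code.

```python
# Added example (not Qualys code): how one control result resolves to a posture
# status under the "item not found" option described above. The setting names,
# the other error code and the sample results are constructed; the rule being
# modelled is the one in the notes: error code 2 becomes Passed or Failed when
# the option is enabled, and the Ignore errors setting is not applied to that
# error code.
from dataclasses import dataclass
from typing import Optional

ITEM_NOT_FOUND = 2            # error code named in the notes
STATUS_PASSED, STATUS_FAILED, STATUS_ERROR = "Passed", "Failed", "Error"
STATUS_IGNORED = "Ignored"    # constructed label for an error suppressed by Ignore errors


@dataclass(frozen=True)
class ControlSettings:
    expected: str                          # expected value for the control
    handle_item_not_found: bool = False    # control-level option (constructed name)
    not_found_status: str = STATUS_PASSED  # per-policy choice: Passed (default) or Failed
    ignore_errors: bool = False            # the existing Ignore errors setting


@dataclass(frozen=True)
class ControlResult:
    actual: Optional[str] = None           # value the scan found, when it found one
    error_code: Optional[int] = None       # set when the check did not produce a value


def evaluate(settings, result):
    """Status a report would show for one control instance on one host."""
    if result.error_code is None:
        return STATUS_PASSED if result.actual == settings.expected else STATUS_FAILED
    if result.error_code == ITEM_NOT_FOUND:
        if settings.handle_item_not_found:
            return settings.not_found_status
        return STATUS_ERROR                # Ignore errors does not apply to this code
    return STATUS_IGNORED if settings.ignore_errors else STATUS_ERROR


def summarize(settings, results):
    """Count statuses across hosts, e.g. to see how many Errors an option removes."""
    counts = {}
    for result in results:
        status = evaluate(settings, result)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed results for a Windows Registry Permission control across four hosts.
SAMPLE_RESULTS = [
    ControlResult(actual="Administrators:Full"),      # matches expected
    ControlResult(actual="Everyone:Full"),            # does not match
    ControlResult(error_code=ITEM_NOT_FOUND),         # registry key absent
    ControlResult(error_code=13),                     # constructed: some other scan error
]

if __name__ == "__main__":
    base = ControlSettings(expected="Administrators:Full")
    with_option = ControlSettings(expected="Administrators:Full", handle_item_not_found=True)
    print("without option:", summarize(base, SAMPLE_RESULTS))
    print("with option:   ", summarize(with_option, SAMPLE_RESULTS))
```

Deciding the default matters for the security meaning of the report: a missing registry key usually means the hardening setting was never applied, so for a control that expects a restrictive value, choosing Failed for "item not found" is the conservative reading, while Passed suits controls where absence of the item is itself the compliant state.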
New Windows UDC: Group Membership Check
Set up a Group Membership Check UDC to list the members of a local group. It’s easy to do. Go to
Policies > Controls > New > Control, and select Group Membership Check on the Windows tab. Tell us
the group name and the maximum number of results you want returned.
After saving your control, add it to a policy in order to report the list of members for the group.
In your reports, the Actual value lists all the group members including users, aliases and groups. The
Extended Evidence shows group statistics and indicates whether the limit set in the control was reached.
New Technologies Supported for WMI Query Check UDC
These technologies are now supported: Windows 2003 Active Directory and Windows 2008 Active
Directory.
Want to create a WMI Query Check for these technologies? Go to Policies > Controls > New > Control,
and select WMI Query Check. Tell us the namespace to be evaluated and the WMI query you want to use.
Scroll down to the Control Technologies section to provide a rationale statement and expected value for
each technology you’re interested in.