Qualys authenticated scanning

Let’s see how authenticated scanning works in Qualys. Nessus stores scanning credentials in the related Scan Policy (see “Tenable Nessus: registration, installation, scanning and reporting“), which is not always convenient. In Qualys you set up an authentication record and configure which hosts it will be used for.

Login Credentials

I downloaded the Qualys Virtual Scanner Appliance VirtualBox image and configured it as described in “Using Qualys Virtual Scanner Appliance“. The only difference: I configured the second network adapter as a VirtualBox “Host Only Adapter” so the appliance can scan virtual machines on my host. You can see how to configure a VirtualBox “Host Only Adapter” in my post here.

I also have a CentOS target virtual machine with IP 192.168.56.101.

First of all, let’s check what an unauthenticated scan of the host gives us. I created an unauthenticated scan the way I showed in “Qualys Vulnerability Management GUI and API”:

CentOS Scan

Scan results:

Qualys Scan Results

It’s fun to see “BlueCoat” and “AIX” in OS Detection for a CentOS box, but it shows how hard it is to detect the remote host’s OS correctly without authentication. And without correct OS detection you will probably have problems with vulnerability detection too, since many checks depend on the detected platform and package versions.

Now let’s add scanning account in “Vulnerability Management -> Scans -> Authentication” tab:

Qualys Authentication

Here you can see which authentication options Qualys supports. For SSH/Telnet scanning you need a Unix Record:

Authentication Options

Main authentication records Qualys supports:

  • Windows Record
  • Unix Record
  • Oracle Record
  • Oracle Listener Record
  • SNMP Record
  • MS SQL Record
  • Cisco IOS Record
  • IBM DB2 Record
  • VMware Record
  • MySQL Record
  • Sybase Record
  • Checkpoint Firewall
  • HTTP Record
  • Application Records

This gives an idea of how many types of systems Qualys can assess with credentials.

Title: “CentOS Auth”. Then add the user name, the password and the ports (SSH/Telnet) the scanner should authenticate on.

Login Credentials

For root delegation Qualys supports only

  • Sudo
  • PowerBroker
  • Pimsu

Why not “log in as an unprivileged user, then su to root”? Maybe such an authentication method is considered less secure. I chose to delegate with sudo, so I edited /etc/sudoers and gave the scanning account (vmuser) the same rights as root:
...
#Allow root to run any commands anywhere
root ALL=(ALL) ALL
#Scanning account used in the Qualys Unix record
vmuser ALL=(ALL) ALL
...
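Before saving the record it is worth checking that the sudo delegation really works the way a scanner will use it: over a non-interactive SSH session, as the scan user, for every command. The checker below is an added example and is not code from the original post or from Qualys. It reads sudoers text, finds the rules that apply to the scan account, tells you whether sudo will prompt for a password (which then has to be stored in the authentication record), and flags Defaults requiretty, a setting present in the stock CentOS 6 sudoers that makes sudo refuse sessions without a tty. The sudoers sample, the user name vmuser and the group wheel are constructed to mirror the edit above; sudoers aliases and #include directives are not expanded.

```python
"""Check that a scanning account has the sudo delegation a credentialed
scanner expects. Added example, not part of the original post or of Qualys.
Aliases (User_Alias, Cmnd_Alias, ...) and #include directives are not
expanded; the sample below is constructed to mirror the post's sudoers edit.
"""
import re

# Constructed sample: a CentOS-style /etc/sudoers after adding the scan user.
SAMPLE_SUDOERS = """\
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
Defaults    requiretty
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
vmuser  ALL=(ALL)       ALL

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
"""

_ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Cmd_Alias")
# who  hosts = (runas) [TAG: ...] commands
_USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_TAG = re.compile(
    r"^(?P<tag>(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW)):\s*")


def parse_sudoers(text):
    """Return (defaults, specs).

    defaults: (scope, option) pairs in file order; scope is "" for global
              Defaults and the user/group name for "Defaults:name" lines.
    specs:    dicts {who, runas, cmds, nopasswd}; tags are read from the
              start of the command list only (enough for "NOPASSWD: ALL").
    """
    defaults, specs = [], []
    text = re.sub(r"\\\n", " ", text)           # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # comments and #include directives
            continue
        line = re.sub(r"\s+#.*$", "", line)     # trailing comment
        head, opts = (line.split(None, 1) + [""])[:2]
        if head.startswith("Defaults"):
            scope = head[len("Defaults"):].lstrip(":")
            defaults.extend((scope, o.strip()) for o in opts.split(",") if o.strip())
            continue
        if head in _ALIASES:
            continue
        m = _USER_SPEC.match(line)
        if not m:
            continue
        cmds, nopasswd = m.group("cmds").strip(), False
        while True:                             # peel leading tags such as NOPASSWD:
            t = _TAG.match(cmds)
            if not t:
                break
            if t.group("tag") in ("NOPASSWD", "PASSWD"):
                nopasswd = t.group("tag") == "NOPASSWD"
            cmds = cmds[t.end():]
        specs.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                      "cmds": cmds, "nopasswd": nopasswd})
    return defaults, specs


def _runs_as_root(runas):
    """True if the runas list allows root (the default when no runas is given)."""
    users = runas.split(":")[0]                 # "(user:group)" -> user part only
    return any(u.strip() in ("root", "ALL") for u in users.split(","))


def check_scan_user(text, user, groups=()):
    """Assess the scan account's sudo rights. Returns a dict with:
      can_sudo_all   - a matching rule grants ALL commands as root
      needs_password - no matching rule carries NOPASSWD, so the password
                       must be available to the scanner
      requiretty     - requiretty is in effect for the user, so sudo fails
                       over a non-interactive SSH session unless overridden
      findings       - human-readable list of things to fix before scanning
    """
    defaults, specs = parse_sudoers(text)
    principals = {user, "ALL"} | {"%" + g for g in groups}
    rules = [s for s in specs if s["who"] in principals
             and s["cmds"] == "ALL" and _runs_as_root(s["runas"])]
    requiretty = False
    for scope, opt in defaults:                 # evaluated in file order
        if scope == "" or scope in principals - {"ALL"}:
            if opt == "requiretty":
                requiretty = True
            elif opt == "!requiretty":
                requiretty = False
    result = {"can_sudo_all": bool(rules),
              "needs_password": not any(r["nopasswd"] for r in rules),
              "requiretty": requiretty, "findings": []}
    if not rules:
        result["findings"].append(
            f"no sudoers rule grants {user} ALL commands as root; add e.g. '{user} ALL=(ALL) ALL'")
    if requiretty:
        result["findings"].append(
            "'Defaults requiretty' is in effect: sudo from a session without a tty fails with "
            f"'sorry, you must have a tty to run sudo'. Add 'Defaults:{user} !requiretty'")
    if rules and result["needs_password"]:
        result["findings"].append(
            f"sudo will prompt for {user}'s password; store it in the authentication record")
    return result


if __name__ == "__main__":
    for finding in check_scan_user(SAMPLE_SUDOERS, "vmuser")["findings"]:
        print("-", finding)
```

Run against the constructed sample the checker confirms that vmuser can sudo everything, but reports that requiretty is still on and that sudo will ask for the password. Feed it your real /etc/sudoers (and the scan user's groups) before the first authenticated scan; a failed root delegation silently degrades the scan to what the unprivileged account can see.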

Here you set the IPs (or ranges) or the Asset Group for which this authentication record will be used:

Qualys Credentials IPs

The new Unix authentication record appeared:

Qualys Unix Authentication

During the scan configuration I chose the standard Authenticated Scan profile:

Authenticated Scan Config

As you can see, compared with the previous unauthenticated scan the results are much more reliable and the OS was detected correctly:

Authenticated Scan Results
