Deploying Qualys Cloud Agent from Google Cloud Console

Document created by Sadanand Nerurkar on Apr 16, 2020. Last modified by Sadanand Nerurkar on May 10, 2020.
Version 5

Introduction

Customers can now install Qualys Cloud Agents (Windows and Linux) on GCP VM instances through the integration of the Qualys Cloud Agent solution in GCP Marketplace. This integration is Bring Your Own License (BYOL): only Qualys customers can use it, because configuring it requires a Cloud Agent Customer ID and Activation ID.

 

Using this solution, customers can configure Google Cloud to deploy the Qualys Cloud Agent on specified compute instances on Google Cloud Platform. Using the Cloud Agent, customers can activate multiple applications on the Qualys Cloud Platform (e.g. Vulnerability Management, Policy Compliance, File Integrity Monitoring) as supported for each operating system. Additionally, customers can integrate these Qualys security findings (e.g. vulnerabilities) directly into GCP by using an additional integration that pushes these findings to Google Security Command Center.

 

Pre-requisites

  1. The user should have an active Qualys subscription. If you do not have an active Qualys subscription, contact Support or sign up on the Qualys website.
  2. Ensure that the 'Cloud Agent' module is available and enabled in your subscription. The appropriate Customer ID and Activation ID are required to configure the installation.
    1. Other required application modules such as 'Vulnerability Management', 'File Integrity Monitoring', etc. should also be available and enabled.
  3. Enable the OS Configuration Management API and the Compute API, and install the OS Configuration agent in your VMs. To know more, see the documentation for Deploying Security Software Agents from Google Cloud Marketplace and Enabling an API. The OS Config and Compute APIs can also be enabled using gcloud commands through the Google Cloud SDK shell.
  4. Next, ensure that the OS Config agent is enabled in the project metadata. This can be done using gcloud commands, e.g. "gcloud compute project-info add-metadata --metadata=enable-osconfig=true" or "gcloud compute project-info add-metadata --metadata=enable-osconfig=true,enable-os-inventory=true,enable-guest-attributes=true,os-package-enabled=true,enable-os-config-debug=true,os-debug-enabled=true". It can also be done in the Google Cloud console under Compute metadata. Setting these metadata values enables OS inventory management, OS patch management and OS configuration management, which is a prerequisite for this solution because the integration works on the OS configuration management feature from Google.
  5. Ensure the user has the following IAM permissions. If the user does not have these permissions, create a custom role that includes them. To know more, see 'Creating Custom Roles' in the Related Links section.

    osconfig.guestPolicies.create

    osconfig.guestPolicies.delete

    osconfig.guestPolicies.get

    osconfig.guestPolicies.list

    storage.buckets.create

    storage.buckets.get

    storage.objects.create

    storage.objects.delete

  6. Ensure that all VM instances included in the deployment process have outbound connectivity to reach the Qualys Cloud Platform. Check out the GCP support page to learn more.
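
A preflight sketch for prerequisites 3 to 5, added here as an example and not part of the original Qualys document: it prints the gcloud commands instead of running them, and reports which of the eight permissions above a role is still missing. The project ID, role ID and role title are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Qualys document). Nothing here calls gcloud;
# prereq_commands only prints the commands so they can be reviewed first.

# The eight permissions listed in prerequisite 5.
REQUIRED_PERMS="osconfig.guestPolicies.create osconfig.guestPolicies.delete
osconfig.guestPolicies.get osconfig.guestPolicies.list
storage.buckets.create storage.buckets.get
storage.objects.create storage.objects.delete"

# Print every required permission that is absent from the granted list ($1).
# $1 may be separated by newlines, spaces, commas or semicolons, for example
# the output of:
#   gcloud iam roles describe ROLE_ID --project=PROJECT_ID \
#     --format='value(includedPermissions)'
missing_perms() {
  granted=" $(printf '%s' "$1" | tr ',;\n\t' '    ') "
  for perm in $REQUIRED_PERMS; do
    case "$granted" in
      *" $perm "*) ;;                 # already granted
      *) printf '%s\n' "$perm" ;;     # required but not granted
    esac
  done
}

# Print the gcloud commands for prerequisites 3-5.
# $1 = project ID, $2 = custom role ID (both supplied by the caller).
prereq_commands() {
  project=$1
  role=$2
  perms=$(printf '%s' "$REQUIRED_PERMS" | tr -s ' \n' ',,')
  # Prerequisite 3: enable the OS Config and Compute APIs.
  echo "gcloud services enable osconfig.googleapis.com compute.googleapis.com --project=$project"
  # Prerequisite 4: enable the OS Config agent through project metadata.
  echo "gcloud compute project-info add-metadata --project=$project --metadata=enable-osconfig=true"
  # Prerequisite 5: custom role holding only the listed permissions.
  # The title is a constructed value.
  echo "gcloud iam roles create $role --project=$project --title='Qualys agent deployer' --permissions=$perms"
}

# Constructed sample run: review the printed commands before executing them.
prereq_commands "demo-project" "qualysAgentDeployer"
# Constructed sample: a role that only has read access to guest policies.
missing_perms "osconfig.guestPolicies.get;osconfig.guestPolicies.list"
```

Granting the custom role instead of a broad predefined role keeps the deploying user limited to guest policies and the installer bucket.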

 

This document briefly explains how to deploy the Qualys Cloud Agent on Google VM instances within a project, using the Qualys Cloud Agent solution available on GCP Marketplace.

 

How to get started

To get started, users can subscribe to and configure the Qualys Cloud Agent solution available on GCP Marketplace to quickly deploy and install agents on multiple Google VM instances with no software to maintain.

The configuration workflow follows a two-step process:

  1. Retrieve Qualys Customer Id, Activation Id, and Platform information from Qualys subscription.
  2. Configure Qualys Cloud Agent Solution in GCP Console.

 

 

1] Retrieving Customer ID and Activation Id from Qualys Subscription

The Qualys Customer Id, Activation Id, and Platform information are required fields for configuring the Qualys Cloud Agent solution available on the Google Cloud console.

Follow these steps to retrieve the Qualys Customer Id and Activation Id:

Log in to your Qualys subscription. Navigate to the "Cloud Agent" application module from the menu, then select "Activation Keys".

 

Click "New Key" and generate a new activation key. Specify a name that identifies it uniquely (example: GCP Cloud Agent) and select Vulnerability Management and/or other Cloud Agent supported modules depending on your licenses.

As a best practice, we recommend creating a tag for the GCP key so that the tag is dynamically associated with the assets identified via the key.

 

The user will get the acknowledgment "New activation key generated successfully" along with the actual 'Activation Key'.

Currently, this integrated deployment only supports Windows and Linux agents. Click 'Install Instructions' within Windows or Linux to retrieve Customer Id and Activation Id.

 

2] Configure Qualys Cloud Agent solution on GCP console.

The integration leverages telemetry from the Qualys Cloud Agent and security findings from other Qualys apps including Vulnerability Management, Policy Compliance, FIM, IOC, Patch Management and Asset Inventory. To configure the Qualys Cloud Agent solution available in the GCP Marketplace, follow the process below. Before proceeding, ensure you have completed points 3, 4 and 5 of the Pre-requisites and enabled what they require.

 

  1. Go to GCP Marketplace and search for 'Qualys'.

     

     

  2. Click 'Qualys Cloud Agent'. It will navigate to another sign-up page.

  3. Click 'VISIT QUALYS, INC. SITE TO SIGN UP'.

  4. If you have already enabled the Cloud OS Config API, you will be redirected to the main configuration page.

  5. If the OS Config API is not enabled, you will be redirected to the Cloud OS Config API library page on the GCP console. To enable the OS Config API, click 'ENABLE'. Also make sure that you then follow point 4 of the Pre-requisites.

  6. Next, you will be redirected to the main Qualys Cloud Agent configuration page.
  7. Specify an appropriate name as the Guest Policy ID, e.g. 'qualys-demo'. The Guest Policy ID is used to uniquely identify a specific policy.

    NOTE: Guest Policy Id should contain only lowercase letters, numbers and dashes.

  8. It will automatically create Guest policies.
  9. Enter the Customer ID & Activation ID retrieved from the Qualys portal.
  10. Select the desired Qualys Platform, to which the data should be reported, from the dropdown list. Click "What's your Qualys Platform?" to verify your Qualys platform.

  11. Select the VM Assignment. With an assignment selected, the guest policy is updated and ensures that the agent is installed on any new or existing VM instances that match the assignment. If no assignments are added, the policy applies to all instances. Here you can add a label for VM instances or a VM instance name prefix. To add a VM label, click 'ADD A VM LABEL'; to add a VM instance name prefix, click 'ADD A VM INSTANCE NAME PREFIX'. Once the assignment is configured, the guest policy ensures that the Qualys Cloud Agent is installed on all VM instances with the specified labels or name prefix.

  12. Select the region for the Cloud Storage bucket in the 'Storage Bucket Details' section and click 'DEPLOY'. This deploys the Qualys Cloud Agent on the VM instances that match the VM assignment. A Cloud Storage bucket is automatically created in the user's project. This bucket is created to reduce the load on the original source of installers: the storage bucket created as part of this configuration is synced with the original source, and the installers are automatically copied into it from the original source so that they are available to all the VM instances within the project. Only one storage bucket is created in the specified region (the regional parameter is a legal requirement to satisfy regulations on data localization), and the user can reuse it to launch subsequent deployments.

 

 

FAQs

1. Which organizations can leverage this new natively integrated solution?

   -   Only organizations that already have an existing Qualys subscription using a Bring Your Own (Qualys) License can use this integration.

2. Can other Qualys modules be activated for assets?

   -   Yes, customers can activate multiple applications on the Qualys Cloud Platform, including Vulnerability Management, Policy Compliance, File Integrity Monitoring, Indication Of Compromise, Patch Management and Asset Inventory. However, only Vulnerability Management security findings will be available in Security Command Center in Google Cloud, and only if the Qualys integration with Google Cloud Security Command Center is configured.

3. What are the Operating Systems supported by this integration?

   -   The Qualys integration supports Windows and Linux. For the list of supported Windows and Linux operating systems, see the Cloud Agent Platform Availability Matrix for Windows and Linux, and the Operating Systems supported by Google Cloud OS Config.

4. How are agent installer upgrades handled?

   -   Qualys updates agent installers in the original source, from which they become available to the customer-specific storage buckets created during the Qualys Cloud Agent solution configuration. Even though customer-specific buckets are synced with the original source, Qualys needs to inform Google of any upgrades/updates in the original source, so that Google triggers a manual sync to update customer storage buckets with the updated Qualys installers.

5. Does this integration and deployment model support proxy or Cloud Agent Gateway Service?

   -   Proxy configuration and the Cloud Agent Gateway Service are not included as part of this deployment model/integration. However, proxy configuration can be set after the agent has been installed.

6. Does this deployment model support a Qualys PCP?

   -   No, this deployment model only supports utilization of the Qualys Cloud Shared Platform.

 

Related Links
