Does anyone have a dump of all QID's that are OS-level vulnerabilities?
There are two problems with this question.
Let's address the easy part first. The CPE used in the KB is not generated by Qualys; we are simply providing the CPE information from MITRE. This information is missing on many CVEs, and of course we have no way to validate the accuracy of what is being provided. There are a lot of CVEs that simply have no CPE information, and are unlikely to ever have it. So, if you use CPE to filter your reports or in other ways, make sure you have a "catch all" group that includes those items with no CPE value.
Now, the more difficult part of this is that the definitions of "OS" and "application" are somewhat arbitrary and will vary from organization to organization. For example, is .NET Framework OS or application? What about Apache, Tomcat, or PHP? I would consider them applications, but if they are installed from your RHEL image, and you are applying Red Hat patches and updates, possibly your platform/OS team manages these. It's a guarantee that if we found some way to make that somewhat arbitrary decision about OS vs. app (and what about the endless list of "other" categories), our decision would not match every one of our customers' decision criteria.
I dump the Qualys KnowledgeBase every day with the API calls.
I would need to check the API for an OS-specific flag, but I don't believe this exists. I would need to check, but I think the QID numbers change to over 100,000 for the WAS detections.
Let me know if you want a dump I can post or post the snippets of the API Commands to download.
Specifically looking for the VM module, not WAS. I am trying to build a Search List for a Template to report on OS-level vulnerabilities. I could not figure out a way to do it other than manually inputting the QIDs. So the QIDs are what I'd ideally like to get. Thanks David!
If you really need to do this here is the option.
Create a Search List and when you do try the search by just highlighting the following:
That should give you what you want and if you make it dynamic then it will be updated as new signatures are updated.
Please let me know if that works for you, David
Doesn't the Cloud Agent (CA-*) option give a Dynamic Search List for *all* VM QIDs (both OS and applications) supported by the QAgent on that OS? In fact I thought the only QIDs the CA-* options would not list were the delta between network scan and Cloud Agent scan (i.e. any remote detection or port scan related QIDs)?
We've only been using this option with the GUI, which doesn't support dumping a list of QIDs (for detailed comparison). The GUI does not provide any "NOT" option, so we have not been able to analyze the delta between CA & Network Scan to verify this (hence the question).
If you're interested I could probably generate the list one time using some Venn logic.
To return only those vulnerabilities within the Knowledge Base that are associated with Operating System, please do the following:
Debra, would you need to turn that feature on? I think I saw it under Policy Compliance but I don't recall the CPE of the OS being on by default.
If you are not seeing the CPE option in the Vulnerability Management search list criteria, you may have to enable CPE reporting by navigating to Vulnerability Management > Reporting > Setup > OS CPE. Please reference image below for step-by-step navigation.
We require this functionality also.
As far as we can tell, there is no way to automatically assign remediation work via Dynamic Search List based upon "OS" QIDs vs. "Application" QIDs. Additionally there is no way to assign remediation work based upon a QID instance's TCP port value (e.g. OS RDP/3389 vs. application HTTP/443, etc.).
To compare the list that you provided (CPE="Operating System") with ours, I added filters by Vendor=Microsoft and Severity [2,3,4,5]. Using Dynamic Search list "Test" feature, I see only 366 vulns for all MS OSes?? Perhaps I'm doing something wrong, or perhaps this is somehow subscription specific, but this seems very low.
When we initially researched this, we tried to use the vendor/product fields; however, many patches have product=none. (There is no way to choose "none" in the GUI; you need instead to use the "NOT" field, meaning two Search Lists instead of one.) In the end, for Windows, we have vendor=microsoft; product=all (all includes none), which of course will pull all MS products, including MS applications (non-OS). We use "Category" values ("windows", "Internet Explorer", "Security Policy") to attempt filtering out the other MS applications, but both Microsoft and some other vendor applications are still present. Currently I see 1458 for a comparable search to yours (this is high, due to applications showing in the list also). Below are the first 20 QIDs I see in our list but not in yours (I manually filtered out application-related QIDs based on title value; I'm uncertain I removed all, as I didn't look closely at the details).
90019 Detected LanMan/NTLMv1 Authentication method
90034 Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
90047 Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS15-063)
90052 Microsoft Active Directory Federation Services Privilege Escalation Vulnerability (MS15-062)
90057 Microsoft Windows Terminal Server Service (RDP Protocol) Denial of Service Vulnerability (MS01-040)
90058 Microsoft Windows Malformed Links
90060 Microsoft Windows 2000 RDP Denial of Service Vulnerability (MS01-006)
90067 Microsoft Windows NetBIOS Name Service Reply Information Leakage Weakness (MS03-034)
90072 Microsoft ListBox/ComboBox Control User32.dll Function Buffer Overrun Vulnerability (MS03-045)
90073 Microsoft Windows Help And Support Center URI Handler Buffer Overflow Vulnerability (MS03-044)
90075 Unchecked Buffer in Microsoft Content Management Server Could Enable Server Compromise (MS02-041)
90078 Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability (MS03-049)
90079 Microsoft Unchecked Buffer in Data Access Components MDAC (MS03-033)
90082 Microsoft Windows DHCP Server Configured To Evade Rogue Detection
90083 Microsoft Windows Encrypted RDP Packet Information Leakage Vulnerability (MS02-051)
90089 Microsoft MDAC Function Broadcast Response Buffer Overrun Vulnerability (MS04-003)
90103 Microsoft Windows ASN.1 Library Integer Handling Vulnerability (MS04-007)
90104 Microsoft WINS Buffer Overflow Vulnerability (MS04-006)
90108 Multiple Microsoft Windows Vulnerabilities (MS04-011)
90123 Microsoft ISA Server 2000 Service Pack 2 is Missing
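The two mechanical parts of this thread, the "catch all" group for QIDs with no CPE value and the list-minus-list delta the GUI's missing "NOT" prevents, as an added example script (not Qualys code and not from any poster). It works offline on a constructed dump in the shape of a KB XML export; the flat QID, TITLE, VENDOR and CPE element names and the placeholder QID 999001 are assumptions and should be checked against a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a KB XML export. The flat QID, TITLE, VENDOR
# and CPE element names are assumptions; check them against a real export.
# QIDs 90019, 90047 and 90123 come from the thread; 999001 is a placeholder.
SAMPLE_KB = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
<VULN><QID>90047</QID><VENDOR>Microsoft</VENDOR><CPE>Operating System</CPE>
<TITLE>Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS15-063)</TITLE></VULN>
<VULN><QID>90123</QID><VENDOR>Microsoft</VENDOR><CPE>Application</CPE>
<TITLE>Microsoft ISA Server 2000 Service Pack 2 is Missing</TITLE></VULN>
<VULN><QID>90019</QID><VENDOR>Microsoft</VENDOR>
<TITLE>Detected LanMan/NTLMv1 Authentication method</TITLE></VULN>
<VULN><QID>999001</QID><VENDOR>Red Hat</VENDOR><CPE></CPE>
<TITLE>Red Hat Update for kernel (placeholder)</TITLE></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

def parse_kb(xml_text):
    """One dict per VULN; 'cpe' is None when the KB entry has no CPE element."""
    return [{"qid": int(v.findtext("QID")), "title": v.findtext("TITLE", ""),
             "vendor": v.findtext("VENDOR", ""), "cpe": v.findtext("CPE")}
            for v in ET.fromstring(xml_text).iter("VULN")]

def bucket_by_cpe(rows):
    """Split QIDs into os / application / no_cpe. A missing or empty CPE lands
    in no_cpe, the catch-all group the thread says every CPE filter needs."""
    buckets = {"os": set(), "application": set(), "no_cpe": set()}
    for r in rows:
        cpe = (r["cpe"] or "").strip()
        key = "no_cpe" if not cpe else "os" if cpe == "Operating System" else "application"
        buckets[key].add(r["qid"])
    return buckets

def os_report_candidates(buckets):
    """CPE=Operating System plus the no-CPE catch-all, which needs manual review."""
    return sorted(buckets["os"] | buckets["no_cpe"])

def vendor_qids(rows, vendor):
    """Equivalent of a Search List with vendor=<vendor>, product=all."""
    return {r["qid"] for r in rows if r["vendor"].lower() == vendor.lower()}

def delta(list_a, list_b):
    """QIDs in list_a but not in list_b: the NOT operator the GUI does not offer."""
    return sorted(list_a - list_b)

if __name__ == "__main__":
    rows = parse_kb(SAMPLE_KB)
    b = bucket_by_cpe(rows)
    print("OS candidates:", os_report_candidates(b))
    print("Microsoft minus CPE=OS:", delta(vendor_qids(rows, "Microsoft"), b["os"]))
```

Point `parse_kb` at a saved KB export instead of `SAMPLE_KB` to get the real buckets; the no_cpe set is where Red Hat updates and similar OS QIDs without CPE data turn up.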
I have read your post above and have asked a couple of my colleagues to review this post (in its entirety) as well. I will keep you posted on what I learn.
I appreciate your taking the time to contribute to this post and sharing your findings. Helping us to help you is critical. Keep up the great work!
I've been trying the option to work with the CPE, but I can see quite a few QIDs which are clearly OS related, like a Red Hat Update, in the category none. So as long as loads of them are filled with no CPE value, it isn't really sufficient.
I agree and I have raised this issue internally for review.
Agree completely. Additionally, due to inconsistencies in vulnerability definitions in the Qualys KnowledgeBase (i.e. Product, Category), building custom lists of products to implement "OS" vs. "Application" seems impossible.
It seems unlikely that any Qualys customer can be doing automatic remediation assignment based on product or product type. Is there a recommended 3rd party product which better supports Dynamic Search Lists (and Search List containers to AND/OR multiple lists into one config)?
The closest I have seen any company come to something like this is to split a vulnerability by stack, trying to separate things from the OS vs. application.
Unfortunately there is just no clear common distinction that any of us can use at this point.
For example, if you download a basic Linux operating system like Ubuntu you will see a ton of software installed. Games clearly fall in the application category, but what about the CUPS service for printing, or Network Time Protocol? They are tightly coupled with the operating system, but I would consider them as sort of a middle layer between the operating system and an "application". However, that is still no standard. Part of a standard hardening process could incorporate this assessment. If I can remove a service, software, feature, whatever from a device and it still boots up and runs, then maybe you have the core OS. But you may need to add something like Bluetooth and wireless drivers. Well, those I would put in that middle ground. They are not required for the OS to function at a base level; however, without some of those services you really will not get much done.
I wish you the best of luck with your efforts.
However, you can download the KnowledgeBase and look for things like CPE if you have turned it on, and it may be "good enough"; 100% is very difficult, so you may need to try for 80% or 90%.
If you want a KB dump I can give the command.