Agent Deployment - Linux, AWS Bottlerocket, BSD, Unix, MacOS

This is recommended as it gives the cloud agent enough privileges to gather the necessary information for the host system's evaluation.

Typically, you may start with a comprehensive assessment for vulnerabilities and misconfigurations, including privilege access for administrators and root. The agent configuration provides the Cloud Agent for Linux/ BSD/Unix/MacOSwith all the required privileges (for example to access the RPM database) to conduct a complete assessment on the host system and allows for high fidelity assessments with reduced management overheads.

However, after the Qualys Cloud Agent is installed, it can be configured to run as a specific user and group context using our Agent configuration tool. When you create a nonprivileged user with full sudo, the user account is exclusive to the Qualys Cloud Agent and you can disable SSH/ remote login for that user, if needed.

The Qualys Cloud Agent does not require SSH (Secure Shell). You can also assign a user with specific permissions and categories of commands that the user can run. If the path is not provided in the command, the system provides the path and only a privileged user can set the PATH variables.

Requirements:

The non-root user needs to have sudo privileges directly OR through a group membership. Be sure NOPASSWD option is configured.

Here is an example of agentuser entry in sudoers file (where "agentuser" is the user name for the account you'll use to install the Agent):   

%agentuser  ALL=(ALL)        NOPASSWD: ALL

You can also use secure Sudo. When you set UseSudo=1, the agent tries to find the custom path in the secure_path parameter located in the /etc/sudoers file. This can be used to restrict the path from where commands are picked up during data collection. If this parameter is not set, the agent refers to the PATH variable to locate the command by running sudo sh.

1) execute installation package for automatic update

2) commands required for data collection (see Sudo command list at the Community)

Here are the steps to enable the Linux agent to use a proxy for communication with our cloud platform:

1) if /etc/sysconfig/qualys-cloud-agent file doesn't exist create it

2) add one of the following lines to the file:

https_proxy=https://[<username>:<password>@]<host>[:<port>]

or:

qualys_https_proxy=https://[<username>:<password>@]<host>[:<port>]

where <username> and <password> are specified if the https proxy uses authentication. If special characters are embedded in the username or password (e.g. @, :, $) they need to be url-encoded. where <host> is the proxy server's IPv4 address or FQDN. where <port> is the proxy's port number.

If the proxy is specified with the https_proxy environment variable, it will be used for all commands performed by the Cloud Agent. If the proxy is specified with the qualys_https_proxy environment variable, it will only be used by the Cloud Agent to communicate with our cloud platform.

3) change the permissions using these commands (not applicable for BSD/Unix):

Linux (.rpm)
chown root /etc/sysconfig/qualys-cloud-agent
chmod 600 /etc/sysconfig/qualys-cloud-agent

Linux (.deb)
chown root /etc/default/qualys-cloud-agent
chmod 600 /etc/default/qualys-cloud-agent

4) restart qualys-cloud-agent service using the following command:

Linux/BSD:

service qualys-cloud-agent restart

Unix:

/opt/qualys/cloud-agent/bin/qcagent.sh restart