Reporting by Running and Non-Running Kernels - VM Detection API Options and Results Explained

Document created by DMFezzaReed (Employee) on Feb 16, 2018. Last modified by DMFezzaReed (Employee) on Feb 16, 2018.

Supporting Online Documentation:

 

Use Case:  It would be great if we could differentiate between Running and Non-running kernels in the output from an API call.

 

Excerpt from APIv2 User Guide:

Identify vulnerabilities related to running and nonrunning kernels in the output in the tag .

Good to Know - It’s possible that multiple kernels are detected on a single Linux host.

You’ll notice the scan results report the running kernel on each Linux host in Information Gathered QID 45097.

When unspecified, vulnerabilities are not filtered based on kernel activity. does not appear in the output for kernel related vulnerabilities.

 

I used the following cURL command to test the API option active_kernels_only={0|1|2|3}, which is described above.

 

curl -u "User:Password" -H "X-Requested-With: Curl" -X "POST" -d "action=list&max_days_since_last_vm_scan=45&show_results=1&show_igs=0&show_reopened_info=1&output_format=CSV&suppress_duplicated_data_from_csv=0&truncation_limit=0&status=New,Active,Re-Opened,Fixed&active_kernels_only=0" "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/"  > D:\Qualys\Downloads\API_Doc\API_Tests\activekernel_0.csv

 

I ran the command four times, changing the option each time from 0 > 1 > 2 > 3, and I have attached the results for you to review.

 

  • In each of the four reports, column AL holds a data element labelled "Affect Running Kernel".
    • If Affect Running Kernel is blank, the vulnerability reported in that row is not kernel related; it is some other kind of vulnerability.
    • If Affect Running Kernel contains a '0', the vulnerability reported in that row is kernel related and is on a NON-RUNNING kernel.
    • If Affect Running Kernel contains a '1', the vulnerability reported in that row is kernel related and is on a RUNNING kernel.

 

  • activekernel_0.csv contains all of the vulnerabilities: those not kernel related, those on a NON-RUNNING kernel and those on a RUNNING kernel.

When set to 0, vulnerabilities are not filtered based on kernel activity. appears in the output for kernel related vulnerabilities.

 

  • activekernel_1.csv contains all vulnerabilities that are not kernel related and kernel vulnerabilities on only the RUNNING kernel.

When set to 1, exclude vulnerabilities found on non-running Linux kernels. appears in the output for kernel related vulnerabilities.

 

  • activekernel_2.csv contains ONLY the vulnerabilities on a NON-RUNNING kernel.

When set to 2, only include vulnerabilities found on nonrunning Linux kernels. appears in the output with a value of 0 for all vulnerabilities.

 

  • activekernel_3.csv contains ONLY the vulnerabilities on a RUNNING kernel.

When set to 3, only include vulnerabilities found on running Linux kernels. appears in the output with a value of 1 for all vulnerabilities.
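
To check a downloaded CSV against the behaviour described above for each active_kernels_only value, the sketch below classifies every row by its "Affect Running Kernel" cell and reports any row class the chosen mode should have filtered out. It is an added example, not part of the original document or Qualys code. It assumes the CSV text starts at a single header row, and the "IP", "QID" and "Status" columns and all sample values are constructed for illustration.

```python
import csv
import io
from collections import Counter

COLUMN = "Affect Running Kernel"  # column label reported on this page (column AL)

# Row classes each active_kernels_only value should leave in the output,
# following the four result files described on this page.
ALLOWED = {
    0: {"non_kernel", "non_running", "running"},
    1: {"non_kernel", "running"},
    2: {"non_running"},
    3: {"running"},
}

def classify(value):
    """Map one 'Affect Running Kernel' cell to a row class."""
    value = (value or "").strip()
    if value == "":
        return "non_kernel"    # blank: not a kernel-related vulnerability
    if value == "0":
        return "non_running"   # kernel-related, on a non-running kernel
    if value == "1":
        return "running"       # kernel-related, on the running kernel
    raise ValueError(f"unexpected {COLUMN!r} value: {value!r}")

def summarize(csv_text):
    """Count rows per class in a detection CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if COLUMN not in (reader.fieldnames or []):
        raise KeyError(f"column {COLUMN!r} not found in header")
    return Counter(classify(row[COLUMN]) for row in reader)

def violations(csv_text, mode):
    """Row classes present in the CSV that the given mode should have excluded."""
    return sorted(set(summarize(csv_text)) - ALLOWED[mode])

# Constructed sample; column names other than COLUMN and all values are assumptions.
SAMPLE = """IP,QID,Status,Affect Running Kernel
10.0.0.5,900001,Active,
10.0.0.5,900002,Active,0
10.0.0.5,900003,New,1
10.0.0.6,900002,Fixed,1
"""

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for mode in sorted(ALLOWED):
        print(mode, violations(SAMPLE, mode))
```

An empty list from violations() means the file is consistent with the mode it was requested with; a non-empty list usually points to the wrong file or a mistyped parameter value.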

 

If you are unfamiliar with the process of testing API commands, I would recommend our Instructor Led - Advanced Vulnerability Management training as it is well worth the time invested.
