7 Replies Latest reply on May 23, 2012 3:22 AM by JHo

    Mobile clients scan

    JHo Level 1

      Hello, I would like to ask for advice about how to scan mobile clients. I have quite a large number of laptop users, and I need to scan their computers for vulnerabilities, let's say once a month. The problem is that some of them are not regularly present at the office, so my problem is how to schedule the scans for the moment when they are connected.

       

      Thank you for your time.

       

      Jiri

        • Mobile clients scan
          Damian OHara Level 2

          Hi Jiri,

           

          I was considering this same question last week.

           

          I couldn't think of a way to do it through the WebUI without just blind scanning the client list twice a day - say 10:00 and 14:00.

           

          Using the API you could select an appropriate number of scanner appliances to run continual subnet discoveries and feed back the results to an "online" list.

          That list could be checked against a "not seen in 3 days (or whatever period)" list, and all those that match are put into another API call to a different scanner appliance to VA-scan them.

           

          Damian

          1 of 1 people found this helpful
            • Mobile clients scan
              JHo Level 1

              Hi Damian,

               

              you are definitely right, the API and a "not seen in one week" list will be the way to do it. So far I have come up with two solutions based on a trigger mechanism: the first one will be done through the DHCP server and the second through the domain controller.

               

              When I am done with testing, I will be back here with a script or "how to" post.

               

              Have nice day

               

              Jiri

            • Mobile clients scan
              Stephen Davis Lurker

              Having this same issue. Anyone else have an experience that they can share?

                • Mobile clients scan
                  jkent Level 4

                  I saw a fairly interesting Splunk use case where the Splunk service looks at the VPN logs for new connections, asks the Qualys data whether a new device has been scanned in X days and then, if it hasn't, kicks off a scan down the tunnel.

                • Re: Mobile clients scan
                  JHo Level 1

                  Hello everyone,

                  I wrote a little shell script which does exactly what I was asking for in my original post.

                  Just make sure you have an account with the API extension enabled, fill in the username, password, appliance name and option profile, and you are good to go.

                   

                  Have nice day.

                   

                  J.

                  #!/bin/bash
                  ##
                  # This is just a working proof-of-concept script for scanning mobile hosts.
                  # Simple script for scanning mobile users; it is initiated by the DHCP server.
                  # Works for Qualys EU; for the US site please change qualysapi.qualys.eu to qualysapi.qualys.com in the URL.
                  # Run the script with the parameters IP and MAC.
                  # Example:  qualys_test.sh 10.10.50.20 00:XX:XX:XX:XX:XX
                  # The script keeps a record of the next scan due date per host in a "local cache" hosts.dat, stored in the same directory as the script.
                  # It scans each mobile client once in 30 days; adjust this by changing the "+30 days" value in DATUM30.
                  ###
                  # Exactly two arguments are required: the IP the DHCP server just leased and the client's MAC.
                  if [ "$#" -ne 2 ]; then
                      echo "usage: $0 IP MAC" >&2
                      exit 2
                  fi
                  HOSTIP=$1
                  # Normalise the MAC to lower case so the same laptop is never recorded twice.
                  HOSTMAC=$(printf '%s' "$2" | tr 'A-F' 'a-f')
                  # hosts.dat lives next to the script, not in whatever directory the DHCP hook happens to run from.
                  HOSTSDAT="$(dirname "$0")/hosts.dat"
                  touch "$HOSTSDAT"
                  #####################
                  # QUALYS API
                  #####################
                  # QualysGuard user name
                  QUNAME=YourQualysGuardUsername
                  # QualysGuard password
                  QPASSWD=YourQualysGuardPASSWORD
                  ################
                  # Parameters
                  ################
                  # Option Profile
                  QOP=YOUR_OPTION_PROFILE
                  # Qualys Scanner Appliance
                  QSA=YOUR_APPLIANCE_NAME
                  # API command, wrapped in a function so that it only runs when called below.
                  # (A plain "runTEST= curl ... &" assignment launches curl immediately, with an empty
                  # environment prefix, and leaves $runTEST empty.)  The credentials are passed to curl
                  # with -u rather than embedded in the URL, so they do not end up in proxy or web-server logs.
                  runTEST() {
                      curl -s -u "$QUNAME:$QPASSWD" \
                          "https://qualysapi.qualys.eu/msp/scan.php?scan_title=API&ip=$HOSTIP&option=$QOP&iscanner_name=$QSA&save_report=yes" \
                          > /dev/null 2>&1 &
                  }
                  #############
                  # Seconds since the epoch at midnight today and at midnight 30 days from now (GNU date).
                  ADATUM=$(date --date "$(date +%F)" +%s)
                  DATUM30=$(date --date "$(date +%F) +30 days" +%s)
                  # Next scan due date recorded for this MAC, if any. Exact match on the first field,
                  # so a partial MAC can never match another host's line.
                  DATUMPT=$(awk -v mac="$HOSTMAC" '$1 == mac { print $2; exit }' "$HOSTSDAT")
                  if [ -z "$DATUMPT" ]; then
                      #echo "New host, adding record into hosts.dat and initiating the scan"
                      echo "$HOSTMAC $DATUM30" >> "$HOSTSDAT"
                      runTEST
                  elif [ "$DATUMPT" -gt "$ADATUM" ]; then
                      #echo "Scan is not required for this host"
                      exit 1
                  else
                      echo "Scan is required for this host"
                      # Push this host's due date out by another 30 days, then scan it.
                      awk -v mac="$HOSTMAC" -v due="$DATUM30" 'BEGIN { OFS = FS = " " } $1 == mac { $2 = due } { print }' \
                          "$HOSTSDAT" > "$HOSTSDAT.tmp" && mv "$HOSTSDAT.tmp" "$HOSTSDAT"
                      runTEST
                  fi

                    • Re: Mobile clients scan
                      Brian Asplin Lurker

                      Hi All,

                       

                      I have discussed this same challenge with our Qualys SE over the past year.  We were trying to determine how best to satisfy the SANS Critical Security Control 04 called "Continuous Vulnerability Assessment and Remediation" for both mobile and non-mobile clients.  The solution here is very similar to what we discussed.  However, let me add a few thoughts to this issue.

                       

                      One of our concerns was a means to provide a "safeguard" for Internet bandwidth.  For example, if there are 50 to 100 mobile clients on-line at the same time, we certainly do not want to start scans on all of them.  Would it be possible to modify the above script in such a way as to "queue" client scan status information by date/time of connection and "limit" the number of concurrent scans allowed to a maximum value, to better manage the impact on bandwidth?

                       

                      Also, as scans complete and new ones may be allowed to begin, it would make sense to confirm clients in the queue are still on-line via some PING or other means.  Knowing Qualys performance or service could be impacted by so many API calls, it would also make sense to "batch" the maximum allowed clients to scans into a single API call; again possibly through a recurring scheduled process - checking status of current/past scans, status of clients in queue, updating status and/or starting new scans every 15 minutes.

                       

                      I drafted the attached diagram last year as an "idea" for this overall approach.  I welcome your thoughts on this challenge, or on how it could be perfected further and implemented in a secure manner.

                       

                      -Brian

                       

                      CSC04-AutoScan-P1.jpg

                      CSC04-AutoScan-P2.jpg

                        • Re: Mobile clients scan
                          JHo Level 1

                          Hi Brian

                           

                           

                          well, I see your point, but there are two major flaws in your idea of a "waiting list" for host scans and reducing concurrent scans.

                           

                          Queues (waiting lists)

                          First of all, since the hosts are mobile there is a good chance that they will be present at the site only for a limited time period, which is why I kick off the scan right away. There is another reason: while the host is in the "waiting list" it may disconnect, and the IP may be assigned to a different host which may not require scanning. (This is the reason why the script requires both the IP and the MAC address.)

                           

                          Concurent scans

                          The second issue is that every Qualys API user has a limited number of API commands which may be executed per day (if I remember well, the number is 300/day). If you periodically checked the count of currently running scans (it's not a problem, the API can do that) you would run out of the allowed API commands very fast. If you use any trigger mechanism other than a periodic check, you risk that the host will be disconnected before you have a chance to run a scan.

                           

                          I will take a look into API manual and if I will find some way to address your ideas I will adjust the original script.

                           

                          Regards

                           

                          Jiri
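As an added example (not code from any post in this thread), the Python sketch below ties the ideas above together in one dispatcher: jkent's VPN-log trigger, Damian's "not seen in N days" list, Brian's queue with a concurrency cap, liveness check and a single batched API call per pass, and Jiri's two objections (a queued IP that DHCP has meanwhile leased to a different MAC is dropped, and a daily API-call budget is enforced). The VPN log format, the DHCP lease map, the ping and the scan-launch call are all assumptions injected by the caller; in production the launch would be one scan.php request whose ip parameter is assumed to accept the comma-separated batch, and the `finished` list would come from polling the scan list API.

```python
# Added example: queue-based, rate-limited scan dispatcher for mobile clients.
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed VPN log format (an assumption; real concentrators log differently):
#   <ISO-8601 time> CONNECT user=<name> ip=<assigned ip> mac=<client mac>
VPN_CONNECT = re.compile(r"^(?P<ts>\S+) CONNECT user=\S+ ip=(?P<ip>\S+) mac=(?P<mac>\S+)$")
Event = Tuple[datetime, str, str]  # (connected_at, ip, mac)


def parse_vpn_log(lines: List[str]) -> List[Event]:
    """Connect lines -> (time, ip, mac); MACs lower-cased so letter case never splits a host."""
    events = []
    for line in lines:
        m = VPN_CONNECT.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower()))
    return events


@dataclass
class ScanDispatcher:
    rescan_after: timedelta = timedelta(days=30)
    max_concurrent: int = 5         # scans in flight at once (bandwidth safeguard)
    api_budget_per_day: int = 300   # per-user daily API allowance quoted in the thread
    last_scan: Dict[str, datetime] = field(default_factory=dict)  # mac -> last scan
    queue: List[Event] = field(default_factory=list)              # waiting, oldest first
    running: Dict[str, str] = field(default_factory=dict)         # mac -> ip being scanned
    api_calls_today: int = 0
    budget_day: date = date.min

    def on_connect(self, ts: datetime, ip: str, mac: str) -> bool:
        """Queue a host whose last scan is older than rescan_after. Keyed by MAC:
        the IP is only a DHCP lease and may belong to another machine later."""
        last = self.last_scan.get(mac)
        if last is not None and ts - last < self.rescan_after:
            return False
        if mac in self.running or any(q[2] == mac for q in self.queue):
            return False
        self.queue.append((ts, ip, mac))
        self.queue.sort()
        return True

    def tick(self, now: datetime, finished: List[str], leases: Dict[str, str],
             is_alive: Callable[[str], bool], launch_scan: Callable[[List[str]], bool]) -> List[str]:
        """One pass of the recurring (e.g. 15-minute) job. `finished` lists MACs whose
        scans completed since the last tick (the caller polls Qualys for that), `leases`
        is ip -> mac as DHCP sees it right now, `is_alive` is e.g. a ping, and
        `launch_scan` is ONE API call covering the whole batch. Returns the IPs launched."""
        if self.budget_day != now.date():      # new day: fresh API allowance
            self.budget_day, self.api_calls_today = now.date(), 0
        for mac in finished:
            if self.running.pop(mac, None) is not None:
                self.last_scan[mac] = now
        slots = self.max_concurrent - len(self.running)
        batch, remaining = [], []
        for entry in self.queue:
            _, ip, mac = entry
            if leases.get(ip) != mac:          # lease moved to another machine: drop
                continue
            if len(batch) >= slots:
                remaining.append(entry)        # no free slot yet, keep waiting
            elif is_alive(ip):
                batch.append(entry)            # unreachable hosts are dropped; next connect re-queues
        if not batch or self.api_calls_today >= self.api_budget_per_day:
            self.queue = batch + remaining     # nothing ready, or out of budget: keep waiting
            return []
        self.api_calls_today += 1
        ips = [ip for _, ip, _ in batch]
        if not launch_scan(ips):
            self.queue = batch + remaining     # call failed: retry next tick
            return []
        for _, ip, mac in batch:
            self.running[mac] = ip
        self.queue = remaining
        return ips


# Constructed sample log, not captured from a real device.
SAMPLE_LOG = [
    "2012-05-21T09:00:00 CONNECT user=alice ip=10.10.50.20 mac=00:11:22:33:44:55",
    "2012-05-21T09:01:00 CONNECT user=bob ip=10.10.50.21 mac=00:11:22:33:44:66",
    "2012-05-21T09:02:00 CONNECT user=carol ip=10.10.50.22 mac=00:11:22:33:44:77",
    "2012-05-21T09:03:00 CONNECT user=dave ip=10.10.50.23 mac=00:11:22:33:44:88",
    "2012-05-21T09:04:00 CONNECT user=frank ip=10.10.50.25 mac=00:11:22:33:44:99",
    "2012-05-21T09:05:00 DISCONNECT user=erin ip=10.10.50.24",
]


def demo():
    """Two ticks over the sample log; returns what was queued and launched."""
    d = ScanDispatcher(max_concurrent=2)
    d.last_scan["00:11:22:33:44:77"] = datetime(2012, 5, 1)  # carol: scanned 20 days ago, not due
    queued = [d.on_connect(*ev) for ev in parse_vpn_log(SAMPLE_LOG)]
    # DHCP's current view: dave's address has since been leased to another MAC.
    leases = {"10.10.50.20": "00:11:22:33:44:55", "10.10.50.21": "00:11:22:33:44:66",
              "10.10.50.23": "aa:bb:cc:dd:ee:ff", "10.10.50.25": "00:11:22:33:44:99"}
    calls: List[List[str]] = []
    launch = lambda ips: calls.append(list(ips)) or True   # stand-in for the scan.php call
    first = d.tick(datetime(2012, 5, 21, 9, 15), [], leases, lambda ip: True, launch)
    second = d.tick(datetime(2012, 5, 21, 9, 30), ["00:11:22:33:44:55"], leases, lambda ip: True, launch)
    return queued, first, second, calls, d
```

With `max_concurrent=2` the first pass launches alice and bob in one call, drops dave because his lease now belongs to another MAC, and keeps frank waiting; once alice's scan is reported finished the second pass launches frank. Each pass costs one API call however many hosts it covers, which is what keeps Jiri's per-day limit from being eaten by the periodic check.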