Does anyone have a dump of all QIDs that are OS-level vulnerabilities?
I dump the Qualys Knowledge Base every day with the API calls.
I would need to check the API for an OS-specific flag, but I don't believe this exists. I would need to check, but I think the QID numbers change to over 100,000 for the WAS detections.
Let me know if you want a dump; I can post it, or post the snippets of the API commands to download it.
Specifically looking for the VM module, not WAS. I am trying to build a Search List for a Template to report on OS-level vulnerabilities. I could not figure out a way to do it other than manually inputting the QIDs. So the QIDs are what I'd ideally like to get. Thanks David!
If you really need to do this, here is the option.
Create a Search List and, when you do, try the search by just highlighting the following:
That should give you what you want and if you make it dynamic then it will be updated as new signatures are updated.
Please let me know if that works for you, David
Doesn't the Cloud Agent (CA-*) option give a Dynamic Search List for *all* VM QIDs (both OS and applications) supported by the QAgent on that OS? In fact, I thought the only QIDs the CA-* options would not list were the delta between a network scan and a Cloud Agent scan (i.e. any remote detection or port scan related QIDs)?
We've only been using this option with the GUI, which doesn't support dumping a list of QIDs (for detailed comparison). The GUI does not provide any "NOT" option, so we have not been able to analyze the delta between CA & Network Scan to verify this (hence the question).
If you're interested, I could probably generate the list one time using some Venn logic.
To return only those vulnerabilities within the Knowledge Base that are associated with Operating System, please do the following:
Debra, would you need to turn that feature on? I think I saw it under Policy Compliance but I don't recall the CPE of the OS being on by default.
If you are not seeing the CPE option in the Vulnerability Management search list criteria, you may have to enable CPE reporting by navigating to Vulnerability Management > Reporting > Setup > OS CPE. Please reference the image below for step-by-step navigation.
We require this functionality also.
As far as we can tell, there is no way to automatically assign remediation work via Dynamic Search List based upon "OS" QIDs vs. "Application" QIDs. Additionally, there is no way to assign remediation work based upon a QID instance's TCP port value (e.g. OS RDP/3389 vs. application HTTP/443, etc.).
To compare the list that you provided (CPE="Operating System") with ours, I added filters by Vendor=Microsoft and Severity [2,3,4,5]. Using Dynamic Search list "Test" feature, I see only 366 vulns for all MS OSes?? Perhaps I'm doing something wrong, or perhaps this is somehow subscription specific, but this seems very low.
When we initially researched this, we tried to use the vendor/product fields; however, many patches have product=none. (There is no way to choose "none" in the GUI; you need instead to use the "NOT" field, meaning two Search Lists instead of one.) In the end, for Windows, we have vendor=microsoft; product=all (all includes none), which of course will pull all MS products, including MS applications (non-OS). We use "Category" values ("Windows", "Internet Explorer", "Security Policy") to attempt filtering out the other MS applications, but both Microsoft and some other vendor applications are still present. Currently I see 1458 for a comparable search to yours (this is high, due to applications showing in the list also). Below are the first 20 QIDs I see in our list but not in yours (I manually filtered out application-related QIDs based on title value; I'm uncertain I removed all, as I didn't look closely at the details).
90019 Detected LanMan/NTLMv1 Authentication method
90034 Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
90047 Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS15-063)
90052 Microsoft Active Directory Federation Services Privilege Escalation Vulnerability (MS15-062)
90057 Microsoft Windows Terminal Server Service (RDP Protocol) Denial of Service Vulnerability (MS01-040)
90058 Microsoft Windows Malformed Links
90060 Microsoft Windows 2000 RDP Denial of Service Vulnerability (MS01-006)
90067 Microsoft Windows NetBIOS Name Service Reply Information Leakage Weakness (MS03-034)
90072 Microsoft ListBox/ComboBox Control User32.dll Function Buffer Overrun Vulnerability (MS03-045)
90073 Microsoft Windows Help And Support Center URI Handler Buffer Overflow Vulnerability (MS03-044)
90075 Unchecked Buffer in Microsoft Content Management Server Could Enable Server Compromise (MS02-041)
90078 Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability (MS03-049)
90079 Microsoft Unchecked Buffer in Data Access Components MDAC (MS03-033)
90082 Microsoft Windows DHCP Server Configured To Evade Rogue Detection
90083 Microsoft Windows Encrypted RDP Packet Information Leakage Vulnerability (MS02-051)
90089 Microsoft MDAC Function Broadcast Response Buffer Overrun Vulnerability (MS04-003)
90103 Microsoft Windows ASN.1 Library Integer Handling Vulnerability (MS04-007)
90104 Microsoft WINS Buffer Overflow Vulnerability (MS04-006)
90108 Multiple Microsoft Windows Vulnerabilities (MS04-011)
90123 Microsoft ISA Server 2000 Service Pack 2 is Missing
I have read your post above and have asked a couple of my colleagues to review this post (in its entirety) as well. I will keep you posted on what I learn.
I appreciate your taking the time to contribute to this post and sharing your findings. Helping us to help you is critical. Keep up the great work!
I've been trying the option to work with the CPE, but I can see quite a few QIDs which are clearly OS related, like a Red Hat update, in the category none. So as long as loads of them have no CPE value, it isn't really sufficient.
I agree and I have raised this issue internally for review.
There are two problems with this question.
Let's address the easy part first. The CPE used in the KB is not generated by Qualys; we are simply providing the CPE information from MITRE. This information is missing on many CVEs, and of course we have no way to validate the accuracy of what is being provided. There are a lot of CVEs that simply have no CPE information, and are unlikely to ever have them. So, if you use CPE to filter your reports or in other ways, make sure you have a "catch all" group that includes those items with no CPE value.
Now, the more difficult part of this is that the definitions of "OS" and "application" are somewhat arbitrary and will vary from organization to organization. For example, is .NET Framework OS or application? What about Apache, Tomcat, or PHP? I would consider them applications, but if they are installed from your RHEL image, and you are applying Red Hat patches and updates, possibly your platform/OS team manages these. It's a guarantee that if we found some way to make that somewhat arbitrary decision about OS vs. app (and what about the endless list of "other" categories), our decision would not match every one of our customers' decision criteria.
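One way to put the two points of this thread together in code: the vendor/category filtering the earlier post describes, and the "catch all" group for entries with no CPE that the reply above recommends. This is an added example written for this thread, not Qualys code or a Qualys API client. It parses a small constructed dump in the shape of a KnowledgeBase export and classifies each QID first by the CPE part (`cpe:/o:` is an operating system, `cpe:/a:` an application in the CPE 2.2 URI scheme), then by an organisation-defined policy, and puts everything else in an "unclassified" bucket so it is never silently dropped. The XML element names (VULN, QID, CATEGORY, SOFTWARE_LIST, CPE), the severities, the category and vendor values in the policy, and QIDs 999001/999002 are assumptions or constructed placeholders; QIDs 90047 and 90075 with their titles come from the list earlier in the thread. The final helper does the "NOT" comparison between two search lists that the GUI lacks.

```python
"""Split a Qualys KnowledgeBase-style dump into OS, application and catch-all buckets.

Added example for this thread, not Qualys code. The XML layout is an
assumption modelled on a KnowledgeBase export; verify the element names
against your own API dump before relying on the parser.
"""
import xml.etree.ElementTree as ET

# Constructed sample dump. QIDs 90047 and 90075 and their titles are from the
# thread; severities, CPE strings and the 999xxx entries are made up here.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
<VULN><QID>90047</QID><SEVERITY_LEVEL>4</SEVERITY_LEVEL>
 <TITLE>Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS15-063)</TITLE>
 <CATEGORY>Windows</CATEGORY>
 <SOFTWARE_LIST><SOFTWARE><VENDOR>microsoft</VENDOR><PRODUCT>windows</PRODUCT></SOFTWARE></SOFTWARE_LIST>
 <CPE>cpe:/o:microsoft:windows_server_2008</CPE></VULN>
<VULN><QID>90075</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
 <TITLE>Unchecked Buffer in Microsoft Content Management Server Could Enable Server Compromise (MS02-041)</TITLE>
 <CATEGORY>Windows</CATEGORY>
 <SOFTWARE_LIST><SOFTWARE><VENDOR>microsoft</VENDOR><PRODUCT>none</PRODUCT></SOFTWARE></SOFTWARE_LIST>
 <CPE>cpe:/a:microsoft:content_management_server</CPE></VULN>
<VULN><QID>999001</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL>
 <TITLE>Red Hat Update for kernel (RHSA-PLACEHOLDER)</TITLE>
 <CATEGORY>RedHat</CATEGORY>
 <SOFTWARE_LIST><SOFTWARE><VENDOR>redhat</VENDOR><PRODUCT>none</PRODUCT></SOFTWARE></SOFTWARE_LIST></VULN>
<VULN><QID>999002</QID><SEVERITY_LEVEL>2</SEVERITY_LEVEL>
 <TITLE>Constructed entry with no CPE, vendor or useful category</TITLE>
 <CATEGORY>Local</CATEGORY></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

# Organisation-specific policy (assumed values). The thread's point is that
# "OS vs application" is a local decision, so it lives in data, not in code.
OS_CATEGORIES = {"Windows", "RedHat", "Security Policy"}
APP_CATEGORIES = {"Internet Explorer"}
OS_VENDORS = {"microsoft", "redhat"}


def parse_kb(xml_text):
    """Yield one dict per VULN element with just the fields the classifier needs."""
    root = ET.fromstring(xml_text)
    for vuln in root.iter("VULN"):
        yield {
            "qid": int(vuln.findtext("QID")),
            "title": vuln.findtext("TITLE", ""),
            "category": vuln.findtext("CATEGORY", ""),
            "severity": int(vuln.findtext("SEVERITY_LEVEL", "0")),
            # product=none is common in the KB, so vendor is the useful field
            "vendor": vuln.findtext("SOFTWARE_LIST/SOFTWARE/VENDOR", "").lower(),
            "product": vuln.findtext("SOFTWARE_LIST/SOFTWARE/PRODUCT", "").lower(),
            "cpe": vuln.findtext("CPE", ""),
        }


def classify(entry):
    """Return (bucket, reason); bucket is "os", "application" or "unclassified"."""
    cpe = entry["cpe"]
    # CPE 2.2 URI: "cpe:/o:" operating system, "cpe:/a:" application, "cpe:/h:" hardware
    if cpe.startswith("cpe:/"):
        part = cpe[5:6]
        if part == "o":
            return "os", "cpe"
        if part == "a":
            return "application", "cpe"
    # Fallback for the many entries with no CPE: the local policy above
    if entry["category"] in OS_CATEGORIES and entry["vendor"] in OS_VENDORS:
        return "os", "policy"
    if entry["category"] in APP_CATEGORIES:
        return "application", "policy"
    # The "catch all" group: report these rather than losing them
    return "unclassified", "no cpe/vendor match"


def bucket_qids(xml_text, min_severity=2):
    """Group QIDs at or above min_severity into the three buckets."""
    buckets = {"os": set(), "application": set(), "unclassified": set()}
    for entry in parse_kb(xml_text):
        if entry["severity"] < min_severity:
            continue
        bucket, _reason = classify(entry)
        buckets[bucket].add(entry["qid"])
    return buckets


def qids_only_in(first, second):
    """The "NOT" the GUI lacks: QIDs present in the first list but not the second."""
    return sorted(first - second)


if __name__ == "__main__":
    result = bucket_qids(SAMPLE_KB_XML)
    for name, qids in result.items():
        print(f"{name}: {sorted(qids)}")
    # Compare a broad "everything Microsoft/Red Hat" list against the OS-only list
    print("only in broad list:", qids_only_in(result["os"] | result["unclassified"], result["os"]))
```

Run the classifier over a real export and review the unclassified bucket by hand; that bucket, not the OS bucket, is where the Red Hat updates and other no-CPE entries mentioned in the thread will surface until the policy sets are extended to cover them.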
Agree completely. Additionally, due to inconsistencies in vulnerability definitions in the Qualys KnowledgeBase (i.e. Product, Category), building custom lists of products to implement "OS" vs. "Application" seems impossible.
It seems unlikely that any Qualys Customer can be doing automatic remediation assignment based on product or product type. Is there a recommended 3rd party product which better supports Dynamic Search Lists (and Search Lists containers to AND/OR multiple lists into one config)?