Hoping someone on here has been down this track already and can assist me in relation to cloud agent within AWS.
So the story so far:
- Set up a connector to the VPC and got cloud engineers to sort out the IAM role etc., and also created a custom tag to capture all assets for this specific VPC.
- Set up a virtual scanner within the VPC to capture the list of QIDs not currently covered by the agent.
- Set up an authentication record with agentless tracking on for this scanner to work with the assets within this VPC.
- Cloud engineers rolled out Agent to assets (unix/linux) within the VPC that can use agent (this would be most of them outside of the scanner itself).
- Connector picking up assets, and a scheduled scan set up with a specific option profile to pick up the QIDs not covered.
Now in a normal world I am pretty sure we have captured everything we need to based on the Qualys documentation, but... I am seeing the following.
- Connector is reporting on instances that are no longer valid; some don't even exist anymore but are still showing up within the system as running?
- When I run reports on the tag it brings me back lots of vulnerabilities for assets that are no longer present or that don't exist anymore; I have got our cloud guys to verify this.
Am I going crazy, or is Qualys' agent not smart enough to recognize that an agent is no longer valid and should be marked as terminated?
Also, for our vulnerability reporting I see this as being a big issue, as we will now be reporting on stuff that should no longer be captured; it will greatly throw off our vulnerability counts and trending.
Just wondering if anyone out there is experiencing this and whether you have any suggestions on something I should be doing to capture this. It seems to me the agent, as a dynamic type of service, is not as dynamic as it should be, or perhaps I am missing a vital step.
Would appreciate any advice or help anyone can give me.
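One way to quantify the problem described above is to reconcile the asset list Qualys holds for the VPC tag against what AWS itself says is still alive. The script below is an added example, not code from the post or from Qualys; it assumes a Qualys host export in CSV form with an "EC2 Instance ID" column (column name is an assumption) and the JSON output of `aws ec2 describe-instances`, and it uses constructed sample data for both so it runs offline.

```python
"""Reconcile a Qualys host-asset export against live EC2 instances.

Reports which Qualys assets point at instance IDs that AWS no longer
lists as live, and how many findings those stale assets contribute.
"""
import csv
import io
import json

# Constructed sample: a Qualys host export for the VPC tag (column
# names are assumptions; adjust to match your real export).
QUALYS_EXPORT = """\
Asset ID,DNS,EC2 Instance ID,Vulnerability Count
101,ip-10-0-1-10,i-0aaa111,12
102,ip-10-0-1-11,i-0bbb222,3
103,ip-10-0-1-12,i-0ccc333,7
"""

# Constructed sample: trimmed `aws ec2 describe-instances` output.
# i-0bbb222 is terminated and i-0ccc333 is absent entirely.
EC2_DESCRIBE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "terminated"}},
]}]})


def live_instance_ids(describe_json):
    """Return the set of instance IDs AWS still reports as not terminated."""
    data = json.loads(describe_json)
    live = set()
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if state not in ("terminated", "shutting-down"):
                live.add(inst["InstanceId"])
    return live


def find_stale_assets(qualys_csv, describe_json):
    """Return (stale_rows, stale_vuln_total) for assets AWS no longer knows."""
    live = live_instance_ids(describe_json)
    stale = [row for row in csv.DictReader(io.StringIO(qualys_csv))
             if row.get("EC2 Instance ID", "").strip()
             and row["EC2 Instance ID"].strip() not in live]
    total = sum(int(row["Vulnerability Count"]) for row in stale)
    return stale, total


if __name__ == "__main__":
    rows, total = find_stale_assets(QUALYS_EXPORT, EC2_DESCRIBE)
    for row in rows:
        print(f"stale: asset {row['Asset ID']} ({row['EC2 Instance ID']})"
              f" - {row['Vulnerability Count']} findings")
    print(f"{total} findings attributable to stale assets")  # 10
```

The stale list is what you would purge (or exclude from the tag) before trending, and the total shows how much the stale assets are inflating the counts.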