
How to ensure Unit Managers/Scanners/Readers can see Cloud Agent assets

Question asked by Edward Luck on Apr 2, 2019

Currently if your subscription is based primarily around the use of Cloud Agents, with some use of IP-tracked assets, your users within a Business Unit will not be able to see those Cloud Agent assets in the VM module.  They cannot see the Host Asset entries, and they cannot find the assets in an asset search, even if the asset tag you are searching for is in the user's scope.

 

Until Qualys change the permissions model, you will need to ensure that the IP addresses of all your Cloud Agents are added to your subscription, and then to an Asset Group that is within the Business Unit.   Speak to Qualys if you are concerned about this essentially doubling your license costs. (Cloud Agent VM license and IP-address VM license needed just to see the one Cloud Agent asset).  The process below avoids having to add masses of IP addresses to your subscription by only adding the individual IP addresses of active cloud agents.  Naturally, this process is of no use for any host whose IP address is constantly changing, such as a workstation/laptop.  It only helps with static IP addresses.

 

This can be performed by repeating the following process on a daily or weekly basis (API examples are shown but this can be done in the GUI).

Download the list of all current Cloud Agent IP addresses:

curl -u "<username>:<password>" -H "X-Requested-With: curl" "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/host/?action=list&truncation_limit=10000&details=Basic&use_tags=1&tag_set_by=id&tag_set_include=<Tag ID of Cloud Agents>"

 

Take the list output and keep only the IP address XML.  Strip out the XML tags and convert the list of IP addresses into a comma-delimited list and place in a CSV file.

 

Download the list of all current IP addresses in the subscription

curl -u "<username>:<password>" -H "X-Requested-With: curl" "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=list"

This command returns an XML formatted list of IP addresses and any contiguous IP address ranges.   

For example: 

<IP>192.168.82.178</IP> 

 <IP_RANGE>192.168.82.185-192.168.82.186</IP_RANGE> 

When using this data to compare the list of all Cloud Agent IPs against IP addresses already in the subscription, logic will need to be written that checks whether each Cloud Agent IP directly matches an IP address as above or falls within an IP address range as above.

 

Compare the list of Cloud Agent IP addresses with subscription IP addresses

Using a scripting language of your choice, any IP addresses from the cloud agent IP list which are not in the subscription IP list should be output to a list of new IP addresses to add. 

curl -u "<username>:<password>" -H "X-Requested-With: curl" -H "Content-Type:text/csv" --data-binary @new_ips_list.csv "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=add&enable_vm=1&enable_pc=1&tracking_method=IP" 

 

Add the New IP addresses to your Asset Group

You must add the list of new IP addresses to an asset group created by a Manager account that was added to the Business Unit.  This opens up the boundary of the Business Unit to include these Cloud Agent IP addresses.

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "id=<Asset Group ID>&add_ips=<CSV list of IPs>" "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/group/?action=edit"
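
The comparison step described above (each Cloud Agent IP checked against both single `<IP>` entries and `<IP_RANGE>` entries in the subscription list), as an added example that is not part of the original post or Qualys's own code. It assumes IPv4 only; the sample XML is constructed, and the wrapper element names and the function names are assumptions, with only `<IP>`, `<IP_RANGE>` and `new_ips_list.csv` taken from the post.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample responses; wrapper element names are assumptions.
AGENT_HOSTS_XML = """<HOST_LIST>
  <HOST><IP>192.168.82.178</IP></HOST>
  <HOST><IP>192.168.82.186</IP></HOST>
  <HOST><IP>192.168.82.190</IP></HOST>
  <HOST><IP>10.20.30.40</IP></HOST>
</HOST_LIST>"""
SUBSCRIPTION_XML = """<IP_SET>
  <IP>192.168.82.178</IP>
  <IP_RANGE>192.168.82.185-192.168.82.186</IP_RANGE>
</IP_SET>"""


def _v4(text):
    """Parse one dotted-quad string to an int (raises ValueError if malformed)."""
    return int(ipaddress.IPv4Address(text.strip()))


def subscription_ranges(xml_text):
    """Return (first, last) pairs covering every <IP> and <IP_RANGE> entry."""
    root = ET.fromstring(xml_text)
    ranges = [(_v4(e.text), _v4(e.text)) for e in root.iter("IP") if e.text]
    for e in root.iter("IP_RANGE"):
        first, last = e.text.split("-")
        ranges.append((_v4(first), _v4(last)))
    return ranges


def new_ips(agent_xml, subscription_xml):
    """Agent IPs that match no single IP and fall inside no range."""
    ranges = subscription_ranges(subscription_xml)
    agents = {_v4(e.text) for e in ET.fromstring(agent_xml).iter("IP") if e.text}
    missing = sorted(ip for ip in agents
                     if not any(lo <= ip <= hi for lo, hi in ranges))
    return [str(ipaddress.IPv4Address(ip)) for ip in missing]


def write_csv(ips, path="new_ips_list.csv"):
    """Write the comma-delimited list used by the ip/?action=add call."""
    with open(path, "w") as fh:
        fh.write(",".join(ips))


if __name__ == "__main__":
    print(",".join(new_ips(AGENT_HOSTS_XML, SUBSCRIPTION_XML)))
```

Reviewing the output list before it is posted to the add call keeps unexpected addresses from consuming IP-tracked licenses.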

 
