This guide will instruct you how to install a Qualys Cloud Agent on Linux to run internal scans through Autobahn Fit
Table of contents
- Installation requirements
- Request the Agent installer
- Download the Agent installer
- Installation steps for Agents
- Installation steps in Golden Images
- Relocation with Linux RPM Installer
- Troubleshooting
1. Installation requirements
To install a Cloud Agent on Linux, you must have root privileges, non-root with Sudo root delegation, or non-root with sufficient privileges. Proxy configuration is supported.
The following are minimum system requirements:
- Minimum of 512 MB of RAM for scan-based features such as Inventory, Vulnerability Management (VM), and Policy Compliance (PC).
- Minimum 100 MB of available disk space.
2. Request the Agent installer
Before starting, obtain the Cloud Agent installer file from your Customer Success Manager. Once obtained, proceed with the installation on your system.
If you encounter any difficulties during the process, feel free to contact us for further assistance.
3. Download the Agent installer
After the Customer Success Manager shares the Agent installer, you need to download the file.
1 - Once the Agent installer is downloaded to your local system, in the UI you will see the associated Activation key ID and Customer ID.
2 - Copy and paste the Activation key ID and Customer ID to a safe place, you will need it later to complete the installation.
4. Installation steps for Agents
1 - Copy the Qualys Cloud Agent installer onto the target host.
2 - Install the Qualys Cloud Agent using the following commands for x64. Depending on the package(x64 or ARM64), following commands vary.
Linux (.rpm)
> sudo rpm -ivh qualys-cloud-agent.x86_64.rpm
> sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh
ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/
Linux (.deb)
> sudo dpkg --install qualys-cloud-agent.x86_64.deb
> sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh
ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/
5. Installation steps in Golden images
These steps are similar to installing on Linux (.rpm) hosts, with an extra step to restart the Qualys Cloud Agent service and AMI instance.
1 - Start the Golden Image instance.
2 - Copy the Qualys Cloud Agent RPM onto the instance.
3 - Install the Qualys Cloud Agent RPM using the following command:
> sudo rpm -ivh qualys-cloud-agent.x86_64.rpm
4 - Run the Qualys Cloud Agent installation command:
> sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh
ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/
5 - Stop Qualys Cloud Agent service:
> sudo service qualys-cloud-agent stop
6 - Stop the instance and create an image out of the instance. This completes the bake-in process. When the instance is started it will activate the Cloud Agent which will provision itself and continue functioning as expected.
6. Relocation with Linux RPM Installer
Linux RPM installer now supports up to three relocation paths during the installation process if there is a need to install the Cloud Agents in locations different from the default locations.
Any/all of the following agent categories can be relocated:
- Binaries/Libraries/Data- Default location:
/usr/local/qualys relocated to /qualys.
- Configuration - Default location:
/etc/qualys relocated to /qualys.
- Log Files - Default location:
/var/log/qualys relocated to /qualys.
The relocation uses standard RPM relocation capabilities that specifies the default location (listed above) and the new location. Example installation argument:
rpm --relocate /usr/local=/opt/ --relocate /etc=/etc/opt/config
--relocate/var/log=/var/opt -ivh qualys-cloud-agent- x86_64.rpm
Same permissions as that of the default directories are set on the relocated directories. Symbolic links are used in each of the default locations to reference the new locations and are required to be present in the default locations
Relocation is only available for new agent installations. You cannot relocate an existing installation.
For relocating an existing installation, uninstall the existing installation completely and execute a new installation. Note: this creates a new agent UUID for the installation.
7. Troubleshooting
Please refer to this page to see the Qualys Cloud Agent troubleshooting.
7.1 Installation on RHEL 5.4
Cloud Agents installed on RHEL 5.4 may throw SSL communication errors while trying to communicate with the Qualys platform. This happens when the certificate files are not present on the host asset.
To fix this issue, you need to manually create the certificate files, and place them in the appropriate location on the host asset.
1 - Create the two cert files: cert1.crt and cert2.crt.
2 - Paste the contents in a text editor, then save the file with the extension “.crt”.
3 - Use the following commands to append the contents of cer1.crt and cert2.crt at the end of /etc/pki/tls/certs/ca-bundle.crt
cat cert1.crt >> /etc/pki/tls/certs/ca-bundle.crt
cat cert2.crt >> /etc/pki/tls/certs/ca-bundle.crt
4 - Now restart the QAgent Service
cert1.crt
subject= /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----
cert2.crt
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
7.2 Installation on SUSE Linux Enterprise
Cloud Agents installed on SUSE Linux Enterprise 11 may throw a file not found error for the certificate ca-bundle.crt when trying to communicate with the Qualys platform. This happens when the certificate files are not present on the host asset.
To fix this issue, you must:
1 - Manually install the certificate files in the appropriate location on the host. You can either use the certificate files from your existing RHEL or CentOS assets or download the certificate files from the following location:
https://curl.haxx.se/docs/caextract.html
2 - Download the file cacert.pem and rename it to ca-bundle.pem.
3 - Copy the certificate files (ca-bundle.pem) at the following default location on SUSE Linux Enterprise 11:
/etc/ssl/
If you want to use a non-default location, ensure that the directory path is added in the /etc/qualys/cloud-agent/qagent.config file in the following manner:
{
"os": "Suse",
"cafile": "<CustomizedPath>"
}4 - Now restart the QAgent Service.