Qualys Sensor User Guide

The Qualys Sensor User Guide provides instructions for deploying and operating the Qualys Sensor within the Keyfactor AgileSec Platform. This guide covers supported authentication methods, execution methods, configuration options, and troubleshooting.

Refer to Sensors Architecture and Overview for additional details on sensor architecture, data flows, incremental scanning, and auto-resolution.

Overview

The Qualys Sensor integrates the Qualys Cloud Platform with Keyfactor's AgileSec Platform. This sensor retrieves vulnerability scan reports from Qualys and extracts cryptographic protocol findings, bringing protocol and cipher visibility into the AgileSec ecosystem.

Key Features

Automated Report Retrieval: Fetches completed scan reports from the Qualys API.
Title-Based Filtering: Only processes reports whose title includes a configurable keyword (default: "agilesec").
Protocol Analysis: Extracts TLS/SSL protocol versions, cipher suites, and key exchange algorithms from vulnerability findings.
Template Initialization: Supports a one-time template mode to set up search lists and report templates in Qualys.

What Gets Scanned

The sensor retrieves and parses Qualys scan reports to discover:

TLS/SSL Protocol Versions: Identifies which protocol versions are in use on scanned hosts
Cipher Suites: Extracts cipher suite information from protocol scan results
Key Exchange Algorithms: Identifies key exchange algorithms observed during scans
Host Information: Captures IP addresses, DNS names, operating systems, and tracking metadata

Prerequisites

Qualys Requirements

Requirement	Details
Protocol	HTTPS required for API access.
Access	Network connectivity from the sensor machine to the Qualys API. See Qualys Platform Identification for your base URL.
API Access	Qualys user credentials with API access.
Reports	At least one completed scan report in XML format with a title containing the configured keyword.

Remote Execution Requirements

If running the unified sensor remotely using CLI:

Component	Requirement
Operating System	Linux (x86_64, x86_64): Ubuntu 18.04+, RHEL 9+, CentOS 8+, Debian 10+ Windows (x64): Windows Server 2016+, Windows 10+ macOS (Intel, Apple Silicon): macOS 10.15+
RAM	3 GB minimum, 4 GB recommended for large repositories
Disk Space	Minimum 2x Size of your repository.
Permissions	Read/Write access to working directory

Supported Authentication Methods

The Qualys sensor uses Basic Authentication (username and password):

Use the same credentials you would use to log into the Qualys Cloud Platform
The user must have API access enabled in Qualys

Required Access Rights

The Qualys user account must have the following permissions:

Permission	Purpose	Required
API Access	Required to call Qualys REST API endpoints	✅ Yes
Report Access	Required to list and download scan reports	✅ Yes
Search List Mgmt	Required only for template initialization	❌ No

Running the Sensor

The Qualys sensor can be executed using the following methods:

Platform Scan Execution: Configure and execute scans directly though the Keyfactor AgileSec web UI with on-demand or scheduled execution options.
Using API: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.
Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:
1. Scanning air-gapped or internal instances the platform cannot directly reach
2. Customers wanting to manage their own scheduling and execution environment.

Refer to Sensors Architecture and Overview: Running the Sensor for additional execution and flow details.

Platform Scan Execution

Running the sensor through the user interface is the simplest and fastest way to get started. The platform enables running on-demand or scheduled scans in a dedicated environment.

Platform Scan Configuration

Step 1: Navigate to Sensors Setup Page

1.1 Open your browser and navigate to the Keyfactor AgileSec Platform Web URL

1.2 Log in with your credentials

1.3 Click on "Sensors" in the navigation bar.

Step 2: Select Qualys Sensor

2.1 Click the "Choose a Sensor" button.

2.2 Browse or search for "Qualys"

Click on the Qualys sensor card.

This will open the sensor configuration interface.

Step 3: Configure Sensor Parameters

3.1 Fill in the required configuration parameters:

Platform Scan Configuration Fields

Field Name	Display Name	Type	Required	Description
`url`	Qualys API URL	Single-line text	✅ Yes	The base URL for your Qualys platform. See Qualys Platform Identification
`username`	Username	Single-line text	✅ Yes	Qualys account username with API access
`password`	Password	Password field	✅ Yes	Qualys account password
`report_title`	Report Title	Single-line text	❌ No	Case-insensitive keyword to match report titles. Only reports containing this keyword are scanned. Default: `agilesec`

Scan Execution Using API

Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.

Note: For complete API reference, see the API document.

API Access Token

Open your browser and navigate to the AgileSec Platform UI.
Log in with your Keyfactor credentials.
Click "Access Tokens" in the main navigation menu.
Click "Generate Token".
Set Token Type to API Token and provide the required details.
Click "Generate" and copy the generated token.

API Endpoint

CODE

POST https://<platform-url>/v3/scan/create

Request Format

Headers

CODE

Content-Type: application/json
isg-api-token: <your-api-token>

Request Body

The complete request body contains sensor configuration in the sensorConfig field, i.e:

JSON

  {
    "sensorName": "<sensor name>",
    "sensorType": "Qualys Network",
    "sensorConfig": {
       "url": "<qualys api url>",
       "username": "<qualys username>",
       "password": "<qualys password>",
       "report_title": "agilesec"
    },
    "callbackId": "<callback id>",
    "labels": [
        {
            "<label name>": "<label value>"
        }
    ],
    "priority": "<priority>"
  }

API Field Descriptions

See Platform Scan Configuration Fields

Remote Scan Execution

Remote Execution Flow allows you to run the sensor on a host using the Unified Sensor binary.

Remote Scan Execution Configuration

Step 1: Download Unified Sensor

1.1 Navigate to AgileSec Platform UI → Sensors → Remote Scan.

1.2 Download the sensor binary for your operating system.

Step 2: Generate Remote Sensor Token

2.1 In the Remote Scan UI, click "Generate Token".

2.2 Copy the generated token.

2.3 Store the token securely in an environment variable or set it in the sensor config:

BASH

  export SENSOR_TOKEN="your-generated-token"

Step 3: Create Configuration File

Create a YAML configuration file (e.g., qualys-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/qualys.yml.

Step 4: Run the Sensor

Execute the sensor with your configuration file:

Linux/macOS

BASH

# Set environment variables
export SENSOR_TOKEN="your-sensor-token"

# Run sensor
./unified_sensor_linux -c qualys-config.yml

Windows (PowerShell)

POWERSHELL

# Set environment variables
$env:SENSOR_TOKEN = "your-sensor-token"

# Run sensor
.\\unified_sensor_windows.exe -c .\\qualys-config.yml

Remote Scan Execution Configuration Examples

Basic Configuration

YAML

scan_config:
  plugins:
    - qualys
    - export
  config:
    qualys:
      name: qualys
      plugin_config:
        url: "<https://qualysguard.qg3.apps.qualys.com/>"
        username: "${env:QUALYS_USER}"
        password: "${env:QUALYS_PASS}"

With Custom Report Title Filter

YAML

scan_config:
  plugins:
    - qualys
    - export
  config:
    qualys:
      name: qualys
      plugin_config:
        url: "<https://qualysguard.qg3.apps.qualys.com/>"
        username: "${env:QUALYS_USER}"
        password: "${env:QUALYS_PASS}"
        report_title: "crypto-scan"

Template Mode

To initialize the connector and generate a report template in Qualys:

BASH

./isg_qualys --template templates/infosec-protocol-template.xml

This will:

Use the template to create a search list with the minimum required configuration.
Generate a report template named InfosecGlobal-Kex-Scan-Report.
Exit without initiating a scan.

Recommended: Run the connector once in this mode for every new deployment instance.

Known Limitations

Report Format

Description: Only XML-format reports are supported. Reports in other formats (PDF, CSV) are ignored.

Report Title Matching

Description: Reports are selected based on a case-insensitive title keyword match. If no reports match, no findings are produced.

Troubleshooting

Common Errors

CONFIG-404 — Unable to read/parse configuration file
- Cause: The configuration file path is incorrect or the file is malformed.
- Fix: Verify the config file path and validate JSON syntax.
CONFIG-422 — Required attribute not found
- Cause: A required configuration field is missing.
- Fix: Ensure url, username, and password are present in the configuration.
401 Unauthorized
- Cause: Invalid Qualys credentials.
- Fix: Verify the username and password are correct and have API access enabled.
No reports found
- Cause: No reports match the configured title keyword, or no reports are in XML format with "Finished" status.
- Fix: Verify reports exist in Qualys matching the title filter. Default keyword is agilesec.

Getting Support

Collect diagnostic information:

Sensor version
Configuration file (redact passwords)
Log output
Qualys platform details (URL, API version)

Contact Support:

Portal: https://support.keyfactor.com