How to use Qualys

Overview

The QualysGuard vulnerability scanners (often known as "Qualys") let faculty and staff who maintain servers and websites at Indiana University discover vulnerabilities in those systems. Qualys offers a standard system vulnerability scan that identifies the host operating system, running services, and open ports. Qualys web application scanning is another useful option that tests web applications for a variety of vulnerabilities, such as cross-site scripting and SQL injection.

Basic steps for performing vulnerability scans and creating reports are listed below.

Request Qualys access

To use Qualys, send mail to scanner-admin@iu.edu and include the following information:

  • A unique name for your group; ADS groups or HR codes (such as IU-UISO) are the preferred format
  • The email addresses and full names of users who will need to be involved in vulnerability management
  • If you're doing website scanning, a list of URLs to scan
  • If you're doing system scanning, a list of IPs or CIDR blocks broken out into these sections:
    • Servers in the IU Data Centers
    • Servers outside the IU Data Centers

Also, be sure to join the Vulnerability Management team in Microsoft Teams.

Scan engines

Server and web scans originate from a fixed set of IU IP addresses; the list of scanner addresses is shown only to users who log into the Knowledge Base.

Web application vulnerability scanning

Web application vulnerability scans are set up by the UISO. For assistance, email scanner-admin@iu.edu.

Web application vulnerability scans can be run against production or development servers. Scanning a production server has the disadvantage that the load the scan adds may be too great during regular hours, so the scan may have to run at a less convenient off-peak time. Conversely, scanning a development server may produce unreliable results if the development server is not an exact copy of the production server; however, it can catch problems before they reach the production environment.

Important:
Before proceeding with web application scans, review Risks of web application vulnerability scanning.

Create reports

Each department is responsible for creating its own reports for Qualys system vulnerability scans in order to receive results. Steps for creating a report are below.

  1. From the Qualys dashboard, navigate to VMDR > Reports tab > Schedules > New > Scan report > Template based. This will open a new window.
  2. Create a descriptive title for your report with your department code (for example, "IU-UISO Vulnerability report").
  3. Select a report template. The Default Vulnerability Report is the most generally useful. Feel free to explore other templates.
  4. Select the report format. Portable Document Format (PDF) is the default format, and Comma-Separated Value (CSV) is a compact alternative.
  5. No changes are needed for the "Report Source" section.
  6. Scroll down and select the Scheduling checkbox.
  7. For "Start", select a date and time.
  8. For "Occurs", change Daily to Weekly. The weekly scan runs on Mondays, so schedule the report for a Wednesday or a Thursday to ensure it includes that week's scan results.
  9. Select the Schedule button. It should close the window and display your new report schedule.

Qualys web application vulnerability scan reports are created during the setup process and do not require these steps.

View and interpret reports

After you have been granted access to Qualys, you can view system vulnerability scan reports and web application vulnerability scan reports via the Qualys dashboard.

  • To view system vulnerability scan reports, from the Qualys dashboard, navigate to VMDR > Scans tab > Scans.
  • To view web application vulnerability scan reports, from the Qualys dashboard, navigate to Web application scanning > Scans.

You will also receive an email with a link to the scan report once it has finished.

If you have run a web app scan and have received a scan report containing vulnerability issues, contact your department's local UITS support person for help interpreting the results.

If you are a local UITS support person, you should contact Tier 2, who can guide you to various resources, documents, and training sessions.

View dashboards

After you log into the QualysGuard vulnerability scanners, you can access the risk score dashboard. The UISO created the risk score dashboard to help units quickly determine risk posture based on CVSS, Severity, and Qualys Detection score.

You must use the new Qualys UI to access the risk score dashboard. To confirm you are using the new UI, make sure you see the Qualys VM dashboard. If you are not using the new UI, a banner at the top of the screen offers an option to switch to it.

To view the risk score dashboard, in the upper left, under Vulnerability Management, select the rectangles icon, and then choose the risk score dashboard from the drop-down menu. You can select other dashboards from the drop-down menu as well.

Learn more

This is document biis in the Knowledge Base.
Last modified on 2024-04-15 16:13:06.