Install an Autobahn Security Cloud Agent on Linux
This guide will instruct you how to install a Qualys Cloud Agent on Linux to run internal scans through Autobahn Security
1. Installation requirements
To install a Cloud Agent on Linux, you must have root privileges, non-root with Sudo root delegation, or non-root with sufficient privileges. Proxy configuration is supported. The following are minimum system requirements: - Minimum of 512 MB of RAM for scan-based features such as Inventory, Vulnerability Management (VM), and Policy Compliance (PC). - Minimum 100 MB of available disk space.2. Request the Agent installer
Before starting, obtain the Cloud Agent installer file from your Customer Success Manager. Once obtained, proceed with the installation on your system.
If you encounter any difficulties during the process, feel free to contact us for further assistance.
3. Download the Agent installer
After the Customer Success Manager shares the Agent installer, you need to download the file.1 - Once the Agent installer is downloaded to your local system, in the UI you will see the associated Activation key ID and Customer ID.
2 - Copy and paste the Activation key ID and Customer ID to a safe place, you will need it later to complete the installation.4. Installation steps for Agents
1 - Copy the Qualys Cloud Agent installer onto the target host. 2 - Install the Qualys Cloud Agent using the following commands for x64. Depending on the package(x64 or ARM64), following commands vary. Linux (.rpm)> sudo rpm -ivh qualys-cloud-agent.x86_64.rpm > sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/Linux (.deb)
> sudo dpkg --install qualys-cloud-agent.x86_64.deb > sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/
5. Installation steps in Golden images
These steps are similar to installing on Linux (.rpm) hosts, with an extra step to restart the Qualys Cloud Agent service and AMI instance. 1 - Start the Golden Image instance. 2 - Copy the Qualys Cloud Agent RPM onto the instance. 3 - Install the Qualys Cloud Agent RPM using the following command:> sudo rpm -ivh qualys-cloud-agent.x86_64.rpm4 - Run the Qualys Cloud Agent installation command:
> sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx CustomerId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ServerUri=https://qagpublic.qg2.apps.qualys.eu/CloudAgent/5 - Stop Qualys Cloud Agent service:
> sudo service qualys-cloud-agent stop6 - Stop the instance and create an image out of the instance. This completes the bake-in process. When the instance is started it will activate the Cloud Agent which will provision itself and continue functioning as expected.
6. Relocation with Linux RPM Installer
Linux RPM installer now supports up to three relocation paths during the installation process if there is a need to install the Cloud Agents in locations different from the default locations. Any/all of the following agent categories can be relocated: - Binaries/Libraries/Data- Default location:/usr/local/qualys relocated to /qualys.- Configuration - Default location:
/etc/qualys relocated to /qualys.- Log Files - Default location:
/var/log/qualys relocated to /qualys.The relocation uses standard RPM relocation capabilities that specifies the default location (listed above) and the new location. Example installation argument:
rpm --relocate /usr/local=/opt/ --relocate /etc=/etc/opt/config --relocate/var/log=/var/opt -ivh qualys-cloud-agent- x86_64.rpmSame permissions as that of the default directories are set on the relocated directories. Symbolic links are used in each of the default locations to reference the new locations and are required to be present in the default locations
Relocation is only available for new agent installations. You cannot relocate an existing installation.
For relocating an existing installation, uninstall the existing installation completely and execute a new installation. Note: this creates a new agent UUID for the installation.
7. Installation on RHEL 5.4
Cloud Agents installed on RHEL 5.4 may throw SSL communication errors while trying to communicate with the Qualys platform. This happens when the certificate files are not present on the host asset. To fix this issue, you need to manually create the certificate files, and place them in the appropriate location on the host asset. 1 - Create the two cert files: cert1.crt and cert2.crt. 2 - Paste the contents in a text editor, then save the file with the extension “.crt”. 3 - Use the following commands to append the contents of cer1.crt and cert2.crt at the end of/etc/pki/tls/certs/ca-bundle.crt
cat cert1.crt >> /etc/pki/tls/certs/ca-bundle.crt
cat cert2.crt >> /etc/pki/tls/certs/ca-bundle.crt4 - Now restart the QAgent Service cert1.crt subject= /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE----- MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6 ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E A7sKPPcw7+uvTPyLNhBzPvOk -----END CERTIFICATE-----cert2.crt subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= -----END CERTIFICATE-----
8. Installation on SUSE Linux Enterprise
Cloud Agents installed on SUSE Linux Enterprise 11 may throw a file not found error for the certificate ca-bundle.crt when trying to communicate with the Qualys platform. This happens when the certificate files are not present on the host asset. To fix this issue, you must: 1 - Manually install the certificate files in the appropriate location on the host. You can either use the certificate files from your existing RHEL or CentOS assets or download the certificate files from the following location:https://curl.haxx.se/docs/caextract.html
2 - Download the file cacert.pem and rename it to ca-bundle.pem.
3 - Copy the certificate files (ca-bundle.pem) at the following default location on SUSE Linux Enterprise 11:
/etc/ssl/
If you want to use a non-default location, ensure that the directory path is added in the /etc/qualys/cloud-agent/qagent.config file in the following manner:
{
"os": "Suse",
"cafile": "<CustomizedPath>"
}9. Troubleshooting
Please refer to this page to see the Qualys Cloud Agent troubleshooting.
If you have already installed the Qualys Cloud Agent on your server and verified that it has an active internet connection, but our team notifies you that your server is undetectable, follow these steps to troubleshoot the issue:
1. Check Agent Logs for Installation Errors
The first step in diagnosing the issue is to review the error logs generated during the agent installation. The log file locations vary by operating system:
Windows Agent:
- Log files are located in:
C:Program DataQualysQualysAgent - For Windows XP and Windows Server 2003:
C:Documents and SettingsAll UsersApplication DataQualysQualysAgent
- Log files are located in:
/var/log/qualys/
- Log files are located in:
/var/opt/qualys/
2. Verify Network Connectivity
Ensure the server where the agent is installed can establish a connection to the following Qualys services endpoints:
Endpoint URLs:
Testing the connection:
- For Windows: Open Command Prompt and use
pingortelnetto test connectivity.
- For Linux/Unix/macOS: Use commands like
curlortelnetto verify the server can reach these URLs.
Example:
bash curl -I https://qagpublic.qg2.apps.qualys.eu
3. Additional Troubleshooting Tips
- Firewall/Proxy Configuration:
- Verify that your firewall or proxy settings allow outbound traffic to the above URLs on the required ports (typically HTTPS on port 443).
- Agent Service Status:
- Ensure that the Qualys agent service is running on the server:
- Windows: Check the status of the “Qualys Cloud Agent” service in the Services application (
services.msc). - Linux/Unix/macOS: Use commands such as
systemctl status qualys-cloud-agentorservice qualys-cloud-agent status.
- Windows: Check the status of the “Qualys Cloud Agent” service in the Services application (
- Reinstall the Agent (if needed):
- If the issue persists after reviewing the logs and verifying connectivity, consider uninstalling and reinstalling the agent. Ensure you are using the latest version of the Qualys Cloud Agent installer for your operating system.