Qualys Tool Box - Tools for running various functions in Qualys.
Project description
Test Release - QualysTBX - Qualys Toolbox Project
Note: This is a test release and should not be used in production.
QualysTBX is a comprehensive toolbox project designed to provide various utilities for interacting with Qualys services. The initial offering within this project is the Policy Merge tool, which allows users to selectively merge Control IDs (CIDs) from one policy into another, ensuring streamlined and consistent policy updates. As the project evolves, additional tools will be developed and integrated to meet emerging needs and enhance functionality.
Qualys Tools Included in QualysTBX
1. Policy Merge
Description: The Policy Merge tool in QualysTBX allows you to seamlessly merge specific Control IDs (CIDs) from an existing policy into a new policy. This tool is essential for maintaining up-to-date and consistent security policies, especially when integrating changes from legacy policies into current ones. It supports efficient policy management by allowing selective merging of controls, ensuring that only relevant and necessary updates are incorporated.
Prerequisites Python Module Linux/Mac or Windows
- Install Python Latest Version, greater than 3.9
First time install or upgrade of QualysTBX
| Step Number | Code to Run (Linux/Mac) | Code to Run (Windows) | Description |
|---|---|---|---|
| 1 | cd [your data storage directory] |
cd [your data storage directory] |
Change to your data storage directory where you want to store your environment and logs. |
| 2 | python -m venv qtbx_venv |
python -m venv qtbx_venv |
Create a Python virtual environment named qtbx_venv for the qualystbx tool. |
| 3 | source ./qtbx_venv/bin/activate |
.\qtbx_venv\Scripts\activate |
Activate the Python virtual environment. This step needs to be done each time you want to run qualystbx. |
| 4 | python -m pip install --upgrade psutil qualystbx lxml requests xmltodict |
python -m pip install --upgrade psutil qualystbx lxml requests xmltodict |
Install the necessary packages: qualystbx, lxml, requests, and xmltodict. |
Linux/Mac Example (bash script)
#!/bin/bash
cd /path/to/your/data/storage # Change to your data storage directory
python -m venv qtbx_venv # Create a Python virtual environment
source ./qtbx_venv/bin/activate # Activate the Python virtual environment
python -m pip install --upgrade psutil qualystbx lxml requests xmltodict # Install the necessary packages
Windows Example (batch script)
cd \path\to\your\data\storage
python -m venv qtbx_venv
.\qtbx_venv\Scripts\activate
python -m pip install --upgrade psutil qualystbx lxml requests xmltodict # Install the necessary packages
Operations You Can Perform with QualysTBX
Prerequisites
Before running qualystbx, the following environment variables need to be set:
- PYTHONUNBUFFERED: Set to
1 - q_username: Your Qualys API username
- q_password: Your Qualys API password
- q_api_fqdn_server: The Qualys API FQDN server (e.g.,
qualysapi.qualys.com)
Setting Environment Variables
Linux/Mac
To set the environment variables on Linux/Mac, use the following commands:
export PYTHONUNBUFFERED=1
export q_username=[qualys api user]
export q_password=[qualys api password]
export q_api_fqdn_server=[qualys api fqdn server]
cd /path/to/your/storage
source ./qtbx_venv/bin/activate
Windows
To set the environment variables on Windows, use the following commands:
set PYTHONUNBUFFERED=1
set q_username=[qualys api user]
set q_password=[qualys api password]
set q_api_fqdn_server=[qualys api fqdn server]
cd \path\to\your\data\storage
.\qtbx_venv\Scripts\activate
Policy Merge
Description: Execute the policy_merge command in qualystbx with the specified new policy ID, old policy ID, and comma-separated CID list. Optionally, add --log_to_console to log to the console. If not specified, logs will be saved to [your data storage directory]/qtbx_venv/qualystbx/qtbx_home/policy_merge/log/policy_merge.log.
Command:
qualystbx --execute policy_merge --new_policy_id=[new policy id] --old_policy_id=[old policy id] --cid_list=[comma separated cid list] [--log_to_console]
Explanation of Each Option
- new_policy_id: The ID of the new policy into which the CIDs will be merged.
- old_policy_id: The ID of the old policy from which the CIDs will be sourced.
- cid_list: A comma-separated list of CIDs to be merged from the old policy to the new policy.
- --log_to_console: (Optional) If this flag is included, logs will be printed to the console. If not, logs will be saved to the specified log file.
Path Differences Between Windows and Linux/Mac
- Linux/Mac Log Path:
[your data storage directory]/qtbx_venv/qualystbx/qtbx_home/policy_merge/log/policy_merge.log - Windows Log Path:
[your data storage directory]\qtbx_venv\qualystbx\qtbx_home\policy_merge\log\policy_merge.log
Example Command
-
Linux/Mac:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333 --log_to_console
or without logging to console:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333
-
Windows:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333 --log_to_console
or without logging to console:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333
Policy Merge Directories and Paths
After executing the policy_merge command, several files are created and updated within the qtbx_venv/qualystbx/qtbx_home/policy_merge/data directory. These files contain the results and details of the merge operation. Here’s a detailed explanation of each result file:
| Directory/File Path | Description |
|---|---|
qtbx_venv [qtbx_venv] |
This is the virtual directory for the QualysTBX environment and tools. |
qtbx_venv/qualystbx/qtbx_home [home_dir] |
The home directory for QualysTBX where configuration, credentials, logs, binaries, and data related to the tool are stored. |
[home_dir]/policy_merge [policy_merge] |
This directory specifically contains all the files and subdirectories related to the policy_merge operation within QualysTBX. |
[policy_merge]/log |
This directory stores log files generated during the policy_merge operation. |
[policy_merge]/log/policy_merge.log |
The main log file where the policy_merge operation logs its activities, errors, and status updates. If the --log_to_console option is not used, logs are saved here. |
[policy_merge]/config |
This directory contains configuration files for the policy_merge operation. These configurations might include settings or parameters that control how the merge process is executed. |
[policy_merge]/cred |
This directory stores credential files used by the policy_merge operation to authenticate with the Qualys API. These files are essential for secure access. |
[policy_merge]/bin |
This directory contains executable files or scripts required by the policy_merge operation. |
[policy_merge]/data |
This directory holds data files related to the policies being merged. These files include XML files representing different policies and their components. |
[policy_merge]/data/import_new_policy_results_file.xml |
This file contains the results of importing the new policy, which is used in the merge operation. |
[policy_merge]/data/old_policy_id.xml |
This file contains the details of the old policy, identified by its policy ID, from which CIDs will be sourced for merging. |
[policy_merge]/data/merged_policy_id_file.xml |
This will be loaded into Qualys with a new policy name, prefixed with. The file stores the results of the merge operation, including the newly created policy that combines elements from the old and new policies. |
[policy_merge]/data/new_policy_id.xml |
This file contains the details of the new policy, identified by its policy ID, into which CIDs will be merged. |
[policy_merge]/data/old_policy_id_cid_list_for_merge.xml |
This file lists the CIDs from the old policy that are selected for merging into the new policy. |
[policy_merge]/data/merged_policy_results_file.xml |
This file contains the final results of the policy merge operation, showing the outcome of combining the old and new policy loaded into Qualys. |
Naming Convention for Uploaded Merged Policy
The merged_policy_id_file.xml will be uploaded to Qualys with a naming convention that includes the date and time of the merge operation and the title of the new policy. The location in the Qualys UI is under Policy Compliance -> Policies -> Policies.
The format of the new merged policy is as follows:
MERGED_POLICY_YYYYMMDDThhmmssZ_[TITLE OF NEW POLICY NAME FROM new_policy_id.xml]
- YYYYMMDDThhmmssZ: Represents the date and time when the policy merge was executed.
- [TITLE OF NEW POLICY NAME FROM new_policy_id.xml]: The title of the new policy as specified in the
new_policy_id.xmlfile.
This naming convention helps in easily identifying and managing merged policies within Qualys.
Example
If the merge operation was executed on March 25, 2024, at 14:30:45 UTC, and the title of the new policy from new_policy_id.xml is "Security Policy v2", the uploaded file name would be:
MERGED_POLICY_20240325T143045Z_Security_Policy_v2.xml
QualysTBX Activity Diagram
Policy Merge Tool
Policy Merge is a Policy Comliance Function that merges an old policies CID list into a new Policy. This is useful when customers want to easily merge in their customizations made to existing policies
Policy Merge Activity Diagram
Roadmap
Capability | Target | Description
---------- | ------ | -----------
Policy Merge | May 2024 | Automate Policy Merge of specific CID's between old and new policy.
Other Tools | TBD | Other Qualys Tools
Application Directories
| Path | Description |
|---|---|
| [user storage dir] | Your python virtaul environment entered at runtime. |
| [user storage dir]/qualystbx/qtbx_home/ | Directory of Tools Data |
| qtbx_home/[tool] | Tool Home Directory. Ex. qtbx_home/policy_merge |
| [tool]/bin | TBD |
| [tool]/cred | TBD |
| [tool]/config | TBD |
| [tool]/log | Logs - Directory of all run logs |
| [tool]/data | Application Data - Directory containing results of tool execution. |
Logging
Logging fields are pipe delimited with some formatting for raw readability. You can easily import this data into excel, a database for analysis or link this data to a monitoring system.
| Format | Description |
|---|---|
| YYYY-MM-DD hh:mm:ss,ms | UTC Date and Time. UTC is used to match internal date and time within Qualys data. |
| Logging Level | INFO, ERROR, WARNING, etc. Logging levels can be used for troubleshooting or remote monitoring for ERROR/WARNING log entries. |
| Module Name: YYYYMMDDHHMMSS | Top Level qetl Application Module Name that is executing, along with date to uniquely identify all log entries associated with that job. |
| User Name | Operating System User executing this application. |
| Function Name | qetl Application Function Executing. |
| Message | qetl Application Messages describing actions, providing data. |
Application Monitoring
- To monitor the application for issues, the logging format includes a logging level.
- Monitoring for ERROR will help identify issues and tend to the overall health of the applicaiton operation.
Securing Your Application in the Data Center
Follow your corporate procedures for securing your application. A key recommendation is to use a password vault or remote invocation method that passes the credentials at run time so the password isn't stored on the system.
Password Vault
QualysTBX provides options to inject credentials at runtime in memory.
Qualys recommends customers move to a password vault of their choosing to operate this applications credentials. By creating functions to obtain credentials from your corporations password vault, you can improve the security of your application by separating the password from the machine, injecting the credentials at runtime.
One way customers can do this is through a work load management solution, where the external work load management system ( Ex. Autosys ) schedules jobs injecting the required credentials into application at runtime. This eliminates the need to store credentials locally on your system.
If you are unfamiliar with password vaults, here is one example from Hashicorp.
License
Copyright 2021 David Gregory and Qualys Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
ChangeLog
Version | Date of Change | Description of Changes
------- | -------------- | ----------------------
0.1.0 | 2024-05-17 10:00 ET | Test release, do not use.
0.50.0 | 2024-05-17 10:00 ET | Test release, do not use.
Release Notes Log
- 0.1.0 thru 0.50.0 initial test releases, do not use.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for qualystbx-0.47.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1d60eeafe4cd1d37a77d4de4c98ae4b91d66eac3aac5e5367cc16b687c620be4 |
|
| MD5 | 8fb5f2571ba801d9287b0fc5ae7aa3c6 |
|
| BLAKE2b-256 | f94579e631ab2f80eaa3272bef353508f545492fa634064d9bb44942611fc30c |
