Get Started
Privileges - what are my options?
Here is an example of an agent user entry in the sudoers file (where “agentuser” is the
username for the account that you use to install the Linux Agent):
%agentuser ALL=(ALL) NOPASSWD: ALL
You can also use secure sudo. When you set UseSudo=1, the agent tries to find the custom
path in the secure_path parameter located in the /etc/sudoers file. This can be used to
restrict the path from which commands are picked up during data collection. If this
parameter is not set, the agent refers to the PATH variable to locate the command by
running sudo sh.
3. Use an account with root privileges
Typically, you may start with a comprehensive assessment for vulnerabilities and
misconfigurations, including privileged access for administrators and root. This agent
configuration provides the Cloud Agent for Linux with all the required privileges (for
example, to access the RPM database) to conduct a complete assessment on the host
system and allows for high-fidelity assessments with reduced management overhead.
However, after the Qualys Cloud Agent is installed, it can be configured to run as a specific
user and group context using our Agent configuration tool. When you create a
non-privileged user with full sudo, the user account is exclusive to the Qualys Cloud Agent
and you can disable SSH/remote login for that user, if needed.
The Qualys Cloud Agent does not require SSH (Secure Shell). You can also assign a user
with specific permissions and categories of commands that the user can run. If the path is
not provided in the command, the system provides the path and only a privileged user can
set the PATH variables.
Considerations to select an option best suited to your environment and needs
The Qualys Cloud Agent uses multiple methods to collect metadata to provide asset
inventory, vulnerability management, and Policy Compliance (PC) use cases. Some of
these methods include running commands to collect a list of installed applications and
versions, running processes, network interfaces, and so on.
Root access is required for some detections, including most detections that are part of PC
(reading global config files related to system-wide security settings and gathering
information from more than one user account). Only an exceptionally low number of
QIDs in the VM module require root; other QIDs run fine without root. However, those
that do need elevated privileges are likely to result in false negatives if the user does
not have the necessary privileges.
Qualys also provides a scan tool that identifies the commands that need root access in
your environment. To obtain this scan tool, contact the Qualys support team. You can
decide whether to elevate/grant the required permissions to run the commands or risk
losing visibility into the information. You can grant permissions only for the specific
commands/binaries that are failing.
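To review which of these options a host is actually using, the following added example (not Qualys code) parses sudoers text and reports whether the agent account has the blanket NOPASSWD: ALL grant shown earlier or a scoped command list, and whether secure_path is set. The sample sudoers content and the command paths in it are constructed placeholders, not the list of commands the agent needs.

```python
import re

# Constructed sudoers samples (not from a real host). "agentuser" is the account
# name used on the page; the command paths are illustrative placeholders only.
SAMPLE_BROAD = """\
Defaults env_reset
%agentuser ALL=(ALL) NOPASSWD: ALL
"""
SAMPLE_SCOPED = """\
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Cmnd_Alias AGENT_CMDS = /usr/bin/rpm, \\
                        /usr/sbin/dmidecode
agentuser ALL=(root) NOPASSWD: AGENT_CMDS
"""

def audit_sudoers(text, account="agentuser"):
    """Summarise what sudo grants `account` (as a user or a %group)."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    result = {"secure_path": None, "blanket": False, "commands": []}
    aliases = {}
    spec_re = re.compile(
        r"^%?" + re.escape(account) + r"\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # comments and #include directives are out of scope here
        m = re.search(r'^Defaults\b.*\bsecure_path\s*=\s*("[^"]*"|[^,\s]+)', line)
        if m:
            result["secure_path"] = m.group(1).strip('"')
            continue
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = spec_re.match(line)
        if m:
            # Drop tags such as NOPASSWD: / NOEXEC: before splitting the list.
            cmds = re.sub(r"\b[A-Z_]+:\s*", "", m.group(1)).split(",")
            for cmd in (c.strip() for c in cmds):
                result["commands"].extend(aliases.get(cmd, [cmd]))
    result["blanket"] = "ALL" in result["commands"]
    return result

if __name__ == "__main__":
    for name, sample in (("broad", SAMPLE_BROAD), ("scoped", SAMPLE_SCOPED)):
        print(name, audit_sudoers(sample))
```

On a real host, pass the contents of /etc/sudoers and any included drop-in files; a result with blanket set to True or secure_path set to None marks an account worth tightening.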