Note: This is a test release and should not be used in production.
QualysTBX is a comprehensive toolbox project designed to provide various utilities for interacting with Qualys services. The initial offering within this project is the Policy Merge tool, which allows users to selectively merge Control IDs (CIDs) from one policy into another, ensuring streamlined and consistent policy updates. As the project evolves, additional tools will be developed and integrated to meet emerging needs and enhance functionality.
Description: The Policy Merge tool in QualysTBX allows you to seamlessly merge specific Control IDs (CIDs) from an existing policy into a new policy. This tool is essential for maintaining up-to-date and consistent security policies, especially when integrating changes from legacy policies into current ones. It supports efficient policy management by allowing selective merging of controls, ensuring that only relevant and necessary updates are incorporated.
- Install Python Latest Version, greater than 3.9
| Step Number | Code to Run (Linux/Mac) | Code to Run (Windows) | Description |
|---|---|---|---|
| 1 | cd [your data storage directory] | cd [your data storage directory] | Change to your data storage directory where you want to store your environment and logs. |
| 2 | python -m venv qtbx_venv | python -m venv qtbx_venv | Create a Python virtual environment named qtbx_venv for the qualystbx tool. |
| 3 | source ./qtbx_venv/bin/activate | .\qtbx_venv\Scripts\activate | Activate the Python virtual environment. This step needs to be done each time you want to run qualystbx. |
| 4 | python -m pip install --upgrade psutil qualystbx lxml requests xmltodict | python -m pip install --upgrade psutil qualystbx lxml requests xmltodict | Install the necessary packages: qualystbx, lxml, requests, and xmltodict. |
Linux/Mac Example (bash script)
#!/bin/bash
cd /path/to/your/data/storage # Change to your data storage directory
python -m venv qtbx_venv # Create a Python virtual environment
source ./qtbx_venv/bin/activate # Activate the Python virtual environment
python -m pip install --upgrade psutil qualystbx lxml requests xmltodict # Install the necessary packages
Windows Example (batch script)
cd \path\to\your\data\storage
python -m venv qtbx_venv
.\qtbx_venv\Scripts\activate
python -m pip install --upgrade psutil qualystbx lxml requests xmltodict # Install the necessary packages
Before running qualystbx, the following environment variables need to be set:
1qualysapi.qualys.com)To set the environment variables on Linux/Mac, use the following commands:
export PYTHONUNBUFFERED=1
export q_username=[qualys api user]
export q_password=[qualys api password]
export q_api_fqdn_server=[qualys api fqdn server]
cd /path/to/your/storage
source ./qtbx_venv/bin/activate
To set the environment variables on Windows, use the following commands:
set PYTHONUNBUFFERED=1
set q_username=[qualys api user]
set q_password=[qualys api password]
set q_api_fqdn_server=[qualys api fqdn server]
cd \path\to\your\data\storage
.\qtbx_venv\Scripts\activate
Description: Execute the policy_merge command in qualystbx with the specified new policy ID, old policy ID, and comma-separated CID list. Optionally, add --log_to_console to log to the console. If not specified, logs will be saved to [your data storage directory]/qtbx_venv/qualystbx/qtbx_home/policy_merge/log/policy_merge.log.
Command:
qualystbx --execute policy_merge --new_policy_id=[new policy id] --old_policy_id=[old policy id] --cid_list=[comma separated cid list] [--log_to_console]
[your data storage directory]/qtbx_venv/qualystbx/qtbx_home/policy_merge/log/policy_merge.log[your data storage directory]\qtbx_venv\qualystbx\qtbx_home\policy_merge\log\policy_merge.logLinux/Mac:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333 --log_to_console
or without logging to console:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333
Windows:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333 --log_to_console
or without logging to console:
qualystbx --execute policy_merge --new_policy_id=12345 --old_policy_id=67890 --cid_list=111,222,333
After executing the policy_merge command, several files are created and updated within the qtbx_venv/qualystbx/qtbx_home/policy_merge/data directory. These files contain the results and details of the merge operation. Here’s a detailed explanation of each result file:
| Directory/File Path | Description |
|---|---|
qtbx_venv [qtbx_venv] | This is the virtual directory for the QualysTBX environment and tools. |
qtbx_venv/qualystbx/qtbx_home [home_dir] | The home directory for QualysTBX where configuration, credentials, logs, binaries, and data related to the tool are stored. |
[home_dir]/policy_merge [policy_merge] | This directory specifically contains all the files and subdirectories related to the policy_merge operation within QualysTBX. |
[policy_merge]/log | This directory stores log files generated during the policy_merge operation. |
[policy_merge]/log/policy_merge.log | The main log file where the policy_merge operation logs its activities, errors, and status updates. If the --log_to_console option is not used, logs are saved here. |
[policy_merge]/config | This directory contains configuration files for the policy_merge operation. These configurations might include settings or parameters that control how the merge process is executed. |
[policy_merge]/cred | This directory stores credential files used by the policy_merge operation to authenticate with the Qualys API. These files are essential for secure access. |
[policy_merge]/bin | This directory contains executable files or scripts required by the policy_merge operation. |
[policy_merge]/data | This directory holds data files related to the policies being merged. These files include XML files representing different policies and their components. |
[policy_merge]/data/import_new_policy_results_file.xml | This file contains the results of importing the new policy, which is used in the merge operation. |
[policy_merge]/data/old_policy_id.xml | This file contains the details of the old policy, identified by its policy ID, from which CIDs will be sourced for merging. |
[policy_merge]/data/merged_policy_id_file.xml | This will be loaded into Qualys with a new policy name, prefixed with. The file stores the results of the merge operation, including the newly created policy that combines elements from the old and new policies. |
[policy_merge]/data/new_policy_id.xml | This file contains the details of the new policy, identified by its policy ID, into which CIDs will be merged. |
[policy_merge]/data/old_policy_id_cid_list_for_merge.xml | This file lists the CIDs from the old policy that are selected for merging into the new policy. |
[policy_merge]/data/merged_policy_results_file.xml | This file contains the final results of the policy merge operation, showing the outcome of combining the old and new policy loaded into Qualys. |
The merged_policy_id_file.xml will be uploaded to Qualys with a naming convention that includes the date and time of the merge operation and the title of the new policy. The location in the Qualys UI is under Policy Compliance -> Policies -> Policies.
The format of the new merged policy is as follows:
MERGED_POLICY_YYYYMMDDThhmmssZ_[TITLE OF NEW POLICY NAME FROM new_policy_id.xml]
new_policy_id.xml file.This naming convention helps in easily identifying and managing merged policies within Qualys.
If the merge operation was executed on March 25, 2024, at 14:30:45 UTC, and the title of the new policy from new_policy_id.xml is "Security Policy v2", the uploaded file name would be:
MERGED_POLICY_20240325T143045Z_Security_Policy_v2.xml
Policy Merge is a Policy Comliance Function that merges an old policies CID list into a new Policy. This is useful when customers want to easily merge in their customizations made to existing policies
Capability | Target | Description
---------- | ------ | -----------
Policy Merge | May 2024 | Automate Policy Merge of specific CID's between old and new policy.
Other Tools | TBD | Other Qualys Tools
| Path | Description |
|---|---|
| [user storage dir] | Your python virtaul environment entered at runtime. |
| [user storage dir]/qualystbx/qtbx_home/ | Directory of Tools Data |
| qtbx_home/[tool] | Tool Home Directory. Ex. qtbx_home/policy_merge |
| [tool]/bin | TBD |
| [tool]/cred | TBD |
| [tool]/config | TBD |
| [tool]/log | Logs - Directory of all run logs |
| [tool]/data | Application Data - Directory containing results of tool execution. |
Logging fields are pipe delimited with some formatting for raw readability. You can easily import this data into excel, a database for analysis or link this data to a monitoring system.
| Format | Description |
|---|---|
| YYYY-MM-DD hh:mm:ss,ms | UTC Date and Time. UTC is used to match internal date and time within Qualys data. |
| Logging Level | INFO, ERROR, WARNING, etc. Logging levels can be used for troubleshooting or remote monitoring for ERROR/WARNING log entries. |
| Module Name: YYYYMMDDHHMMSS | Top Level qetl Application Module Name that is executing, along with date to uniquely identify all log entries associated with that job. |
| User Name | Operating System User executing this application. |
| Function Name | qetl Application Function Executing. |
| Message | qetl Application Messages describing actions, providing data. |
Follow your corporate procedures for securing your application. A key recommendation is to use a password vault or remote invocation method that passes the credentials at run time so the password isn't stored on the system.
QualysTBX provides options to inject credentials at runtime in memory.
Qualys recommends customers move to a password vault of their choosing to operate this applications credentials. By creating functions to obtain credentials from your corporations password vault, you can improve the security of your application by separating the password from the machine, injecting the credentials at runtime.
One way customers can do this is through a work load management solution, where the external work load management system ( Ex. Autosys ) schedules jobs injecting the required credentials into application at runtime. This eliminates the need to store credentials locally on your system.
If you are unfamiliar with password vaults, here is one example from Hashicorp.
Copyright 2021 David Gregory and Qualys Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Version | Date of Change | Description of Changes
------- | -------------- | ----------------------
0.1.0 | 2024-05-17 10:00 ET | Test release, do not use.
0.50.0 | 2024-05-17 10:00 ET | Test release, do not use.
FAQs
Qualys Tool Box - Tools for running various functions in Qualys.
We found that qualystbx demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.