A Ruby extension for interfacing with Qualys v2 API.
I had the need to pull stats and details from Qualys automatically to collect and alert on metrics. Let's face it, in 2015, email alerts just don't cut it anymore.
Add this line to your application's Gemfile:
gem 'qualys', git: 'https://github.com/Cyberwatch/ruby-qualys.git'
And then execute:
$ bundle
Below you can find details on the configuration and usage of the Qualys API Client.
Before using the API you must configure it. You can configure it with a block as shown below, by passing in a Hash, or by loading a YAML file.
Qualys.configure do |config|
  config.username = @email
  config.password = @password
  config.api_base_uri = 'https://qualysapi.qualys.eu/api/2.0/fo/'
  config.proxy_uri = 'http://user:password@localhost:3128'
end
Or configure it from a YAML document:
Qualys::Config.load!('config/qualys.yaml')
Login before making other API calls:
Qualys::Auth.login
You can get a list of all scans within your Qualys account with the following method:
scans = Qualys::Scans.all
#-> [#<Qualys::Scan:0x007fad4c4645c8 @ref="scan/refid", @title="Scan Title", @type="Scheduled", @date="2015-04-15T12:02:12Z", @duration="01:51:38", @status="Finished", @target="ip ranges", @user="managing_user">...
You can get more details from each scan like:
scans = Qualys::Scans.all
puts scans.first.details
#-> {"ip"=>"x.x.x.x", "dns"=>"mikemackintosh.com", "netbios"=>nil, "qid"=>86000, "result"=>"Server Version\tServer Banner\nnginx\tnginx", "protocol"=>"tcp", "port"=>"80", "ssl"=>"no", "fqdn"=>""},
# {"ip"=>"x.x.x.x", "dns"=>"mikemackintosh.com", "netbios"=>nil, "qid"=>86189, "result"=>"Number of web servers behind load balancer:\n2 - based on IP Identification values", "protocol"=>"tcp", "port"=>"80", "ssl"=>"no", "fqdn"=>""},
# {"ip"=>"x.x.x.x", "dns"=>"mikemackintosh.com", "netbios"=>nil, "qid"=>86001, "result"=>"Server Version\tServer Banner\nnginx\tnginx", "protocol"=>"tcp", "port"=>"443", "ssl"=>"no", "fqdn"=>""}
If your URL differs from the default, set it using:
Qualys::Api.base_uri = OTHER_PRODUCTION_ENDPOINT
You can load the vulnerabilities detected by Qualys for the hosts scanned by a specific scan. If you don't specify a scan_ref, it prints all vulnerabilities detected by Qualys so far for the logged-in user.
Here is an example printing some information on the vulnerabilities for the second scan of the logged-in user:
scan_ref = Qualys::Scans.all[1].ref
Qualys::Report.create(scan_ref).hosts.each { |host|
  p "ip:#{ host.ip }"
  p "vulns : (#{ host.vulnerabilities.count })"
  host.vulnerabilities.each { |vuln|
    p vuln.to_s
  }
}
Output:
"ip:12.34.156.89"
"vulns : (16)"
"qid_38173, SSL Certificate - Signature Verification Failed Vulnerability, severity : 2, cves: no cve"
"qid_38685, SSL Certificate - Invalid Maximum Validity Date Detected, severity : 2, cves: no cve"
"qid_38169, SSL Certificate - Self-Signed Certificate, severity : 2, cves: no cve"
"qid_38170, SSL Certificate - Subject Common Name Does Not Match Server FQDN, severity : 2, cves: no cve"
"qid_38628, SSL/TLS Server supports TLSv1.0, severity : 3, cves: no cve"
"qid_38601, SSL/TLS use of weak RC4 cipher, severity : 3, cves: CVE-2013-2566, CVE-2015-2808"
"qid_38140, SSL Server Supports Weak Encryption Vulnerability, severity : 3, cves: no cve"
"qid_38142, SSL Server Allows Anonymous Authentication Vulnerability, severity : 4, cves: no cve"
"qid_38657, Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), severity : 3, cves: CVE-2016-2183"
"qid_38606, SSL Server Has SSLv3 Enabled Vulnerability, severity : 3, cves: no cve"
"qid_82003, ICMP Timestamp Request, severity : 1, cves: CVE-1999-0524"
"qid_38603, SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE), severity : 3, cves: CVE-2014-3566"
"qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
"qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
"qid_38628, SSL/TLS Server supports TLSv1.0, severity : 3, cves: no cve"
"qid_38657, Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), severity : 3, cves: CVE-2016-2183"
"ip:10.34.156.89"
"vulns : (3)"
"qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
"qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
"qid_38628, SSL/TLS Server supports TLSv1.0, severity : 3, cves: no cve"
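The README's stated goal is to collect and alert on these findings rather than read them by hand. The following is an added example (not part of the ruby-qualys gem) that parses the one-line vulnerability strings printed above into structured records, deduplicates repeated QIDs per host and computes a per-severity summary that can feed an alerting threshold; the sample output is constructed from the lines shown above.

```ruby
# Added example, not gem code: turn the printed "qid_NNN, title, severity : N,
# cves: ..." lines from the README into per-host alert summaries.

VULN_RE = /\Aqid_(?<qid>\d+), (?<title>.+), severity : (?<sev>\d), cves: (?<cves>.*)\z/

# Parse one printed vulnerability line into a Hash, or nil if it does not
# match the format shown in the README output.
def parse_vuln(line)
  m = VULN_RE.match(line.strip.delete_prefix('"').delete_suffix('"'))
  return nil unless m
  cves = m[:cves] == 'no cve' ? [] : m[:cves].split(',').map(&:strip)
  { qid: m[:qid].to_i, title: m[:title], severity: m[:sev].to_i, cves: cves }
end

# Group the output by host ("ip:..." lines start a new host), drop repeated
# QIDs (the README output lists qid_11827 twice per host) and count findings
# per severity level.
def summarize(output_lines)
  hosts = {}
  current = nil
  output_lines.each do |raw|
    line = raw.strip.delete_prefix('"').delete_suffix('"')
    if line.start_with?('ip:')
      current = line.sub('ip:', '')
      hosts[current] = { vulns: {}, by_severity: Hash.new(0) }
    elsif current && (v = parse_vuln(line))
      next if hosts[current][:vulns].key?(v[:qid]) # duplicate QID, skip
      hosts[current][:vulns][v[:qid]] = v
      hosts[current][:by_severity][v[:severity]] += 1
    end
  end
  hosts
end

# Hosts that should raise an alert: any finding at or above min_severity.
def hosts_to_alert(summary, min_severity: 4)
  summary.select { |_ip, h| h[:vulns].values.any? { |v| v[:severity] >= min_severity } }.keys
end

# Constructed sample, copied from the README output above.
SAMPLE_OUTPUT = <<~OUT.lines
  "ip:12.34.156.89"
  "vulns : (4)"
  "qid_38601, SSL/TLS use of weak RC4 cipher, severity : 3, cves: CVE-2013-2566, CVE-2015-2808"
  "qid_38142, SSL Server Allows Anonymous Authentication Vulnerability, severity : 4, cves: no cve"
  "qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
  "qid_11827, HTTP Security Header Not Detected, severity : 2, cves: no cve"
  "ip:10.34.156.89"
  "vulns : (1)"
  "qid_38628, SSL/TLS Server supports TLSv1.0, severity : 3, cves: no cve"
OUT
```

In a real pipeline the same `summarize` call would be fed the `vuln.to_s` strings collected from `Qualys::Report.create(scan_ref).hosts` instead of the constructed sample.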
The API was built using the following documentation: