Qualys Remediation Procedures
March 14, 2015Backround: Qualys provides online asset management and ticketing tools that can be used to track remediation efforts by various internal IT teams to keep IT assets patched and up to date. These procedures apply to all scanning activity, whether it be for SOX, PCI or weekly scans.
Qualys remediation efforts will not replace normal procedures for Remedy ticket tracking. Remedy is still to be used to assign resources to the remediation tasks. Qualys will act as a centralized asset management and vulnerability tracking database. It should be standard practice to reference Qualys tickets to Remedy tickets and vice-versa.
Assets have many separate owners. There are different IT functions assigned to most assets within Symantec. For instance, an individual IP address may be built by UnixOps, operated by an application team for web services, and have a database team as well as a custom application team attached to the asset. However, one vulnerability can affect the system, but the correct team must be identified and leveraged to remediate the problem.
Qualys Tickets
The primary way to track remediation in Qualys is by using its built in ticketing system. You can prioritize and fix vulnerabilities using recommended solutions, such as patches and workarounds, which are provided in scan reports. Remediation workflow allows users to manage vulnerabilities through remediation tickets. Each ticket corresponds to a vulnerability (QID) detected on a particular host and port.
Tickets are automatically created per the remediation policy whenever a scan is run. If a scan discovers a confirmed or potential vulnerability with a level of 4 or 5, a ticket is created for the asset owner.
You can view your open tickets by clicking on the remediation icon in the Navigation panel of QualysGuard.
It shows the date that remediation is due, the ticket status, the dns name and the vulnerability name and severity.
Ticket resolution – If a rescan occurs and the vulnerability is no longer detected, the ticket will be automatically closed. Otherwise, you must apply patches or firewall blocks or other remediation steps yourself. Once completed, be sure to add notes stating what actions were taken and change the ticket status to RESOLVE as shown below.
Try to include the remedy ticket number for reference as well.
If you are not responsible for patching the particular vulnerability assigned to you, you can route it to another QualysGuard user. If the user does not exist, contact your administrator to add the person’s account. See below to see an example of a ticket reassignment. Be sure to note in the comments section why you are changing the ownership of the vulnerability.