Tips for TuxCare’s KernelCare Enterprise integration with Qualys

Qualys provides visibility into the IT infrastructure, with comprehensive reporting on the state of systems and vulnerabilities that may be present in them.

TuxCare’s KernelCare Enterprise provides Live Patching for the Linux Kernel and important shared libraries like OpenSSL and glibc (functionality provided with LibraryCare Add-on).

It is possible to integrate KernelCare specific information into Qualys reports having the best of both worlds and accurately reflect the patched state of running kernels. This article shows you how to achieve this.

There is already an integration between Qualys and KernelCare, which lets “Information gathering” operations return the correct information. When KernelCare is deployed onto a system, Qualys will provide the following output for an “Information gathering” operation:

And this is as expected. When digging into the details, you can see the effective version of the currently running kernel:

And

This is the result of “/usr/bin/kcare-uname -r”. This command provides the correct output version for a system running a kernel that has received live patches, as opposed to “uname -r”, which will only show the installed kernel version.

So, for “Information gathering” operations, Qualys is KernelCare-aware and provides the correct output.

However, when scanning for kernel-related package versions, “Outdated packages” will still report the older kernel version, and this will artificially inflate the number of vulnerabilities present:

To correct this, there is an option under “Report Template” in Qualys to specifically ignore older versions:

This filter will correctly ignore older kernel versions in the report. In our test example, the change made this:

Go to this:

This isn’t just a trick to ignore some issues – it’s a way to ensure the Qualys’ report reflects accurate vulnerabilities when systems are protected with TuxCare’s KernelCare Enterprise.