Let's first understand what a reimage is ->
A reimage is the process of installing a new operating system on a machine. This process includes wiping, or clearing, the hard drive entirely, and installing a fresh operating system. When the reimage is complete, it is almost like getting a brand new machine!
Now, both Qualys and Tenable stamp a machine with a tracking UUID the first time they touch it (the first authenticated scan, or the agent's first start if you use agents). That UUID, not the IP address, is what the scanner uses to recognise the asset again, so a machine that changes IP address or has several network interfaces is still tracked as one record instead of several duplicates.
But when you reimage a machine, the identification attributes change, and the same vulnerability ends up reported twice. How? Suppose a developer is using a particular version of a library, and that version is affected by a vulnerability. After a few days the developer leaves the organization, and the machine is sent for a reimage. Another developer then gets the same machine. The wipe removed the old UUID with everything else, so when the Tenable agent is installed again it creates a new one. If the new developer installs and uses the same vulnerable library, a second entry is created.
Even though the machine kept the same MAC address and hostname, the scanner keys the record on its UUID, so for that one finding (hostname + port + vulnerability) there are now two entries under two UUIDs: Tenable treated one physical machine as two different assets. The fix for this is:
Export the whole registry key before you rebuild the machine, then import it back before you re-scan, or, if you use agents, before you install the Qualys/Tenable agent (once the agent starts it has already minted a fresh UUID). Qualys stores its UUID in the registry under HKLM\Software\Qualys, Tenable under HKLM\Software\Tenable.
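The backup-and-restore step above as a script, added here as an example and not part of the original post. It runs in two modes: Backup exports both keys with reg.exe before the wipe, Restore imports them on the rebuilt machine and refuses to run if an agent service is already present. The share path \\fileserver\reimage-backup and the service names 'Tenable Nessus Agent' and 'QualysAgent' are assumptions for illustration; the key paths are the ones named above.

```powershell
# Added example (not the post's or the vendors' code): preserve the scanner
# agent UUID registry keys across a Windows reimage. Run as Administrator.
# Assumed for illustration: the share \\fileserver\reimage-backup and the
# service names checked in Restore mode.
param(
    [Parameter(Mandatory)][ValidateSet('Backup','Restore')][string]$Mode,
    [string]$BackupRoot = '\\fileserver\reimage-backup'
)

# Keys the post names as the UUID locations for each scanner
$keys = @{
    'Tenable' = 'HKLM\Software\Tenable'
    'Qualys'  = 'HKLM\Software\Qualys'
}
# One folder per machine so backups from different hosts never collide
$hostDir = Join-Path $BackupRoot $env:COMPUTERNAME

if ($Mode -eq 'Backup') {
    New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
    foreach ($name in $keys.Keys) {
        # reg.exe uses HKLM\..., the PowerShell provider uses HKLM:\...
        $psPath = $keys[$name] -replace '^HKLM\\', 'HKLM:\'
        if (Test-Path $psPath) {
            $out = Join-Path $hostDir "$name.reg"
            # /y overwrites an older export for the same host without prompting
            reg.exe export $keys[$name] $out /y | Out-Null
            Write-Host "Saved $($keys[$name]) -> $out"
        } else {
            Write-Warning "$($keys[$name]) not present; nothing to save for $name"
        }
    }
}
else {
    # Restore must happen before the agent is installed: once the agent
    # starts it has already created a new UUID and the scanner sees a
    # second asset. Abort if either service already exists (names assumed).
    foreach ($svc in 'Tenable Nessus Agent', 'QualysAgent') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            throw "Service '$svc' is already installed; restore the key before installing the agent."
        }
    }
    foreach ($name in $keys.Keys) {
        $in = Join-Path $hostDir "$name.reg"
        if (Test-Path $in) {
            # reg.exe import replays the exported key, subkeys and values
            reg.exe import $in | Out-Null
            Write-Host "Restored $($keys[$name]) from $in"
        } else {
            Write-Warning "No saved key for $name at $in; the agent will get a new UUID"
        }
    }
}
```

Run `.\Keep-ScannerUuid.ps1 -Mode Backup` as the last step before handing the machine to the reimage process, and `.\Keep-ScannerUuid.ps1 -Mode Restore` on the rebuilt machine before the agent package is installed. Only the key the post names is carried over; if a key was never present on the old build, the script warns rather than silently creating an empty one.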
Please refer below URLs for more details:
https://community.tenable.com/s/article/How-Does-Tenable-io-Identify-an-Asset-as-Unique
https://hub.wpi.edu/article/183/prepare-a-computer-for-reimage
Reimaging is only one cause of duplicate assets; there are other cases as well.
Happy Learning !!