Rebuild machines without making duplicates in Qualys or Tenable

My friend does vulnerability management for a company that likes to rebuild machines instead of patching them. I don’t judge; that’s how I wanted to patch machines when I was a sysadmin but I didn’t have fast enough storage. But if you do this, you’re liable to end up with duplicate machines in your reports. One unpatched, and the other one (hopefully) patched. Here’s how to rebuild machines without making duplicates in Qualys or Tenable.

The problem with UUIDs

Rebuild machines without making duplicates in Qualys or Tenable
To avoid duplicate entries when rebuilding, save the Qualys or Tenable UUID and then restore it after rebuilding.

Both Qualys and Tenable stamp a machine with a tracking UUID the first time they scan it. This way, if a machine changes IP addresses, or has multiple network interfaces, they can track the machine without creating duplicates. This is great, until you rebuild a machine and don’t stamp it with the existing UUID. Then you create the problem the UUID was designed to solve. But the problem is easy enough to fix.

Rebuild Windows machines without making duplicates in Qualys or Tenable

Qualys stores its UUID in the Registry, in HKLM\Software\Qualys. Just save the whole key before you rebuild the machine, then restore the key before you re-scan it, or before you install the Qualys agent if you use agents.

Tenable stores its UUID in HKLM\Software\Tenable. Do the same thing. Save the whole key before you rebuild the machine, then restore the key before you re-scan it, or before you install the Tenable agent if you use agents.

If you ever forget and end up with duplicates, purge or delete them from within Qualys or Tenable. Both of them have facilities to do this.

Rebuild Linux machines without making duplicates in Qualys or Tenable

On Linux, Qualys stores its UUID in a file. It’s configurable, but by default it lives in /etc/qualys/hostid. Just save the file before you rebuild the machine, then restore the file before you re-scan it, or before you install the Qualys agent if you use agents.

Tenable stores its UUID in either /etc/machine_id or /etc/tenable_tag. Do the same thing. Save the file before you rebuild the machine, then restore the file before you re-scan it, or before you install the Tenable agent if you use agents.

If you forget to do this and end up with duplicates, purge or delete them from within Qualys or Tenable. Both of them have facilities to do this.

%d bloggers like this: