I've looked around the forum for this but not found any info targeted at my issue. The info I have found has still left me with questions. Hopefully this is an easy one.
I have taken on an environment where almost all information was lost.
Passwords were sent in a txt file but with no clarity on which assets they were for. I'm sure this is nothing new....
So, how did I sort them out? Well, let's use a Cisco device as our example here.
1. Run standard scan without authentication on all assets in a given subnet
2. Tag OS where the OS contained the word Cisco, IOS or NX (This is just a starter)
3. All assets identified as Cisco now have a parent tag of Cisco, with a child tag a bit more specific, based on the OS detection from initial discovery.
4. I created a Cisco authentication record in TACACS. Level 15 privs.
5. I put ALL IPs related to a Cisco device into the authentication record.
6. I then ran a scan testing only for authentication.
7. Once complete, I had a list of Pass, Failed and NA. All Failed and NA were removed from the authentication record.
8. Using the remaining IPs in the (now proven) Cisco record, I created an Asset Group (AG-Cisco Success)
9. I then ran a standard scan for further information regarding the assets for which authentication worked.
10. Once complete, I created more tags from the identified models, IOS Versions etc....
In short, my steps above proved the account worked and the assets were happy to be scanned; enough for me to get model and config details at least. Everyone was happy.
4 or 5 weeks later I rescanned our Cisco assets. Now I find some of those assets are either failing authentication or reporting as NA - Record type not for this asset.
This has happened not just on my Cisco devices but on my SNMP Authentication records and even some Windows devices. I'm now trying to work out which direction to go in. Qualys Support? Internal Support? Unfortunately, we are in the middle of a Digital Transformation project and yes, things are a-changing, but these assets don't appear to have changed, merely stopped accepting authentication. Furthermore, I did another scan and some of them responded??
Any thoughts or pointers would be much appreciated.
Note: I'm the only person who accesses Qualys in our environment, so there is little chance someone else changed anything.