How InsightVM correlates non-persistent VDIs

Non-persistent virtual desktop infrastructures (VDI) are challenging to manage from an asset-tracking perspective because each session is short-lived and may be reset or replaced frequently. This makes it hard to maintain consistent tracking, managing, and reporting on these assets.

To address this, Rapid7 uses a correlation algorithm with a parameter called R7CorrelationIdentifier.

This parameter allows you to assign each VDI instance a unique identifier (UUID) of up to 200 characters. This identifier can be any unique value that meets your tracking needs, as long as it remains consistent each time a VDI session is recreated. This custom UUID can then be detected by Insight Agents and scan engines.

You can either generate a random UUID or create a self-defined UUID. On Unix systems, the uuidgen tool can generate a valid UUID. On Windows, the power shell utility New-Guid can be used. However, creating a custom, self-defined UUID gives you the opportunity to add more business context.

You can read more about How InsightVM correlates assets with Insight Agent UUIDs.

Avoid asset duplication by configuring scan credentials

When you are assessing assets with Scan Engines, ensure that you have configured scan credentials. When you scan a site with credentials, target assets in that site authenticate the Scan Engine as they would an authorized user. If you use an un-authenticated scan, the scan may not find the custom UUID you have set up on the asset and will be unable to correlate with the Insight Agent assessment that does find the custom UUID. This can lead to duplicate asset pages in the InsightVM Security Console after the scan has completed and the asset integrates into the console.

To use the latest VDI correlation algorithm, you must complete a set of prerequisite steps.

Prerequisites

To use the enhanced VDI correlation algorithm, ensure that:

How can I identify Insight Agent deployments that do not meet the minimum version requirement?

In the Insight Platform, go to Agent Management and search for assets that have older versions of the Insight Agent. In the query bar, enter this query and click Search: agent.semanticVersion <= 4.0.0

From the list that displays, note the assets that have Insight Agents with a Stale status that have been offline for more than 15 days. These assets may no longer be active hosts.

For more information about updating your version, read Insight Agent software updates.

How can I upgrade my VDI correlation algorithm?

To check which version of the algorithm you are currently using, log into the Security Console, navigate to Administration > Run, and execute this command:

get property com.rapid7.nexpose.nsc.asset.correlation.v2

If the result is true or empty, no action is needed, because this indicates that the latest version of the algorithm is in use.

If you get a result of false, update the algorithm to the latest version by executing this command:

set custom property com.rapid7.nexpose.nsc.asset.correlation.v2=true

VDI correlation options

After you have ensured that you are using the latest version of the correlation algorithm, you can decide how you want to manage non-persistent VDIs, based on your business needs.

Option 1: Correlation for non-persistent VDIs is disabled

This is the default correlation setting. If you prefer not to correlate VDIs to a single instance, no further action is required.

Each time a non-persistent VDI is assessed, it is treated as a new entity with no correlation to previous instances, provided the R7AgentID or other IDs, such as OS, are unique. This will result in a new asset being displayed in your product's asset listing each time a recreated VDI is assessed.

Option 2: Correlation is enabled at the golden image level

If you want to correlate all instances that are created from a base image, a unique identifier (UUID) can be embedded in the golden image.

For example, if you set the UUID in the golden image to VDI-template-1, this will ensure that all VDIs created from this image are treated as a single, correlated asset based on this identifier.

To use this option:

  1. Deploy the Custom UUID for your OS:
  • Windows - Use the Registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Rapid7 -> Correlation = <Unique Identifier>
  • Linux - Deploy using a .txt file at /etc/rapid7/Correlation/CorrelationUUID.txt
  1. Set the Custom UUID to uniquely identify the golden image.

Stale assets without the UUID require manual deletion

​​Installing the UUID on the golden image will correlate all non-persistent VDIs that come from that image to a single asset. Previous assets from the image without the UUID will become stale and will require manual deletion.

Option 3: Correlation is configured at startup

To enable flexible asset correlation, you must create a startup script that sets the UUID to a persistent identifier. This identifier should be a constant value that doesn’t change across VDI sessions, ensuring that all instances initialized with this value correlate to a single asset.

You can select any stable data point for correlation if it remains unchanged when new VDIs are created.

Example script

This example script shows how this could be achieved if the hostname was deemed a persistent value.

powershell
1
# Get the machine's hostname
2
$hostname = $env:COMPUTERNAME
3
# Define the registry path
4
$registryPath = "HKLM:\SOFTWARE\Rapid7"
5
# Define the registry key name and value
6
$keyName = "Correlation"
7
$keyValue = $hostname
8
# Check if the Rapid7 key exists; if not, create it
9
if (!(Test-Path $registryPath)) {
10
 	   New-Item -Path $registryPath -Force | Out-Null
11
}
12
# Set the Correlation key with the hostname value
13
New-ItemProperty -Path $registryPath -Name $keyName -Value $keyValue -PropertyType String -Force | Out-Null
14
Write-Output "Registry key 'Correlation' with hostname '$hostname' has been created under HKEY_LOCAL_MACHINE\SOFTWARE\Rapid7."

Asset history can't be updated if correlation is incorrect

​If you add a UUID by mistake and assets incorrectly correlate, the history of the asset can't be updated.