# fleet

Leonoor S

11/30/2021, 10:25 AM
Hey guys, is there a guide for enabling vulnerability processing? I tried using https://fleetdm.com/docs/using-fleet/vulnerability-processing but it's not clear to me.

Tomas Touceda

11/30/2021, 12:18 PM
hi there! could you tell me a bit more about what you tried and what's not clear? that's the only documentation we have so far

Leonoor S

11/30/2021, 1:22 PM
I am running fleet serve with my added config file: /tmp/fleet.yml. But if I look at fleetctl get config, the "database_path" is not shown. In the /tmp/fleet.yml file I've got this:
vulnerabilities:
  databases_path: /home/ubuntu/vulnfeeds
Do I need to update something?

Tomas Touceda

11/30/2021, 1:33 PM
if you're using 4.6.1, could you tell me the output of
fleetctl get config --include-server-config
? Also, how are you running fleet serve exactly?

Leonoor S

11/30/2021, 1:35 PM
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
      options:
        disable_distributed: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_plugin: tls
        logger_tls_endpoint: /api/v1/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
    overrides: {}
  host_expiry_settings:
    host_expiry_enabled: false
    host_expiry_window: 0
  host_settings:
    enable_host_users: true
    enable_software_inventory: true
  license:
    expiration: "0001-01-01T00:00:00Z"
    tier: free
  logging:
    debug: false
    json: true
    result:
      config:
        enable_log_compression: false
        enable_log_rotation: false
        result_log_file: /tmp/osquery_result
        status_log_file: /tmp/osquery_status
      plugin: filesystem
    status:
      config:
        enable_log_compression: false
        enable_log_rotation: false
        result_log_file: /tmp/osquery_result
        status_log_file: /tmp/osquery_status
      plugin: filesystem
  org_info:
    org_logo_url: XXXXXXX
    org_name: XXXXXXX
  server_settings:
    deferred_save_host: false
    enable_analytics: true
    live_query_disabled: false
    server_url: XXXXXXXXX
  smtp_settings:
    authentication_method: authmethod_plain
    authentication_type: authtype_username_password
    configured: false
    domain: ""
    enable_smtp: false
    enable_ssl_tls: false
    enable_start_tls: true
    password: ""
    port: 587
    sender_address: ""
    server: ""
    user_name: ""
    verify_ssl_certs: false
  sso_settings:
    enable_sso: false
    enable_sso_idp_login: false
    entity_id: ""
    idp_image_url: ""
    idp_name: ""
    issuer_uri: ""
    metadata: ""
    metadata_url: ""
  update_interval:
    osquery_detail: 3600000000000
    osquery_policy: 3600000000000
  vulnerabilities:
    cpe_database_url: ""
    current_instance_checks: auto
    cve_feed_prefix_url: ""
    databases_path: /home/ubuntu/vulnfeeds
    disable_data_sync: false
    periodicity: 3600000000000
  vulnerability_settings:
    databases_path: ""
  webhook_settings:
    host_status_webhook:
      days_count: 0
      destination_url: ""
      enable_host_status_webhook: false
      host_percentage: 0
    interval: 24h0m0s
I see there are two databases_path paths. What is the difference?

Tomas Touceda

11/30/2021, 1:38 PM
one is legacy and the other is not. Could you share the logs of fleet serve when it starts?
the config looks good

Leonoor S

11/30/2021, 1:40 PM
Using config file:  /tmp/fleet.yml
{"component":"redis","level":"info","mode":"standalone","ts":"2021-11-30T13:39:19.152168268Z"}
{"component":"crons","cron":"vulnerabilities","databases-path":"/home/ubuntu/vulnfeeds","level":"info","ts":"2021-11-30T13:39:19.167740856Z"}
{"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2021-11-30T13:39:19.167895617Z"}
{"address":"0.0.0.0:8080","msg":"listening","transport":"https","ts":"2021-11-30T13:39:19.198993334Z"}

Tomas Touceda

11/30/2021, 1:52 PM
that looks good, do you have any other logs that match
"cron":"vulnerabilities"
?

Leonoor S

11/30/2021, 1:53 PM
No, not that I see. Should it be working then?
Or do I have to add a list of CVEs it should look for?

Tomas Touceda

11/30/2021, 2:01 PM
it all points at it working so far, you can check the databases path to see when fleet downloads the feeds. What version are you running?

Leonoor S

11/30/2021, 2:04 PM
I am running 4.6.1. I guess this is what's supposed to happen!

Tomas Touceda

11/30/2021, 2:07 PM
yes, it all looks reasonable so far

Leonoor S

11/30/2021, 2:08 PM
So now the vulnerabilities found in software will be shown in the UI?

Tomas Touceda

11/30/2021, 2:11 PM
correct, in the home page, or in the host page. You can also use
fleetctl get software --yaml
to get a full list of software and vulnerabilities found

Leonoor S

11/30/2021, 2:11 PM
Cool, thanks!