# Penetration testing of Fleet (April 2022)
![Penetration testing of Fleet](../website/assets/images/articles/security-testing-at-fleet-fleet-pentest-cover-1600x900@2x.jpg)
We recently had Lares perform penetration testing on our internal instance of Fleet. Lares performed this latest test on Fleet 4.12. The test uncovered some authorization issues, which are described in this [advisory](https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr) and were resolved in 4.13.
When we published the [Orbit audit](https://github.com/fleetdm/fleet/blob/26daf00e5a8ce509371f33065ebf06eecf50c557/docs/files/2021-04-26-orbit-auto-updater-assessment.pdf), we said we’d post other audit and pentest reports. As promised, we are now publishing the full report. We resolved the most critical issues in 4.13, and we continue to track and prioritize the others.
Small redacted sections are present in the PDF as we are hiding some internal email addresses to save ourselves from receiving more spam.
You can find the full report here: [2022-04-29-fleet-penetration-test.pdf](https://github.com/fleetdm/fleet/raw/main/docs/files/2022-04-29-fleet-penetration-test.pdf).
You can see all publicly available security audits and penetration testing reports in the Fleet [documentation](https://fleetdm.com/docs/using-fleet/security-audits), including what we intend to do about the remaining issues.
#### The GitHub issues that relate to this test are:
- [Security advisory fixed in Fleet 4.13](https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr)
- [Add manual and automated test cases for authorization #5457](https://github.com/fleetdm/fleet/issues/5457)
- [Evaluate current CSV escaping and feasibility of adding if missing #5460](https://github.com/fleetdm/fleet/issues/5460)
- [Increase length of login throttling delay from 4 to 10 seconds #5464](https://github.com/fleetdm/fleet/issues/5464)
- [Set session duration to total session length #5476](https://github.com/fleetdm/fleet/issues/5476)
- [Increase default minimum password length to 12 #5477](https://github.com/fleetdm/fleet/issues/5477)
- [Add basic auth to /metrics endpoint #2322](https://github.com/fleetdm/fleet/issues/2322)
- [Ensure only team admins can list other users #5657](https://github.com/fleetdm/fleet/issues/5657)

You can also view them on the [remediation board](https://github.com/fleetdm/fleet/issues/5657).
If you have questions about this test or Fleet security, please join us on [Slack](https://osquery.fleetdm.com/c/fleet)!