mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
bf11f2df66
* Articles housekeeping
Style tweaks:
- reduced categories-and-search margin-top
- changed color of category on cards
- removed time stamps from cards
Image updates:
- created missing images, and replaced existing with a cleaner, more vibrant style to the following categories.
- security
- guides
- engineering
- podcasts
- Normalized release thumbnails. The current graphics are over-designed, inconsistent, and too busy/hard to process.
* lint fix
* remove ")" from image caption
* remove old article images
* update cover image filenames for consistency
* add deleted image, update filenames to match naming conventions
* fix typo in filename
Co-authored-by: Eric <eashaw@sailsjs.com>
44 lines
2.9 KiB
Markdown
44 lines
2.9 KiB
Markdown
# Penetration testing of Fleet (April 2022)
|
||
|
||
|
||
|
||
We have recently had Lares perform penetration testing on our internal instance of Fleet. Lares performed the last test on 4.12. This test unveiled some authorization issues identified in this [advisory](https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr) and resolved in 4.13.
|
||
|
||
As promised when we published the [Orbit audit](https://github.com/fleetdm/fleet/blob/26daf00e5a8ce509371f33065ebf06eecf50c557/docs/files/2021-04-26-orbit-auto-updater-assessment.pdf) and said we’d post other audit and pentest reports, we are now publishing the full report. We resolved the most critical issues in 4.13, and we continue to track and prioritize the others.
|
||
|
||
Small redacted sections are present in the PDF as we are hiding some internal email addresses to
|
||
save ourselves from receiving more spam.
|
||
|
||
You can find the full report here: [2022-04-29-fleet-penetration-test.pdf](https://github.com/fleetdm/fleet/raw/main/docs/files/2022-04-29-fleet-penetration-test.pdf).
|
||
|
||
You can see all publicly available security audits and penetration testing reports in the Fleet [documentation](https://fleetdm.com/docs/using-fleet/security-audits), including what we intend to do about the remaining issues.
|
||
|
||
#### The GitHub issues that relate to this test are:
|
||
[Security advisory fixed in Fleet 4.13](https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr)
|
||
|
||
[Add manual and automated test cases for authorization #5457](https://github.com/fleetdm/fleet/issues/5457)
|
||
|
||
[Evaluate current CSV escaping and feasibility of adding if missing #5460](https://github.com/fleetdm/fleet/issues/5460)
|
||
|
||
[Increase length of login throttling delay from 4 to 10 seconds #5464](https://github.com/fleetdm/fleet/issues/5464)
|
||
|
||
[Set session duration to total session length #5476](https://github.com/fleetdm/fleet/issues/5476)
|
||
|
||
[Increase default minimum password length to 12 #5477](https://github.com/fleetdm/fleet/issues/5477)
|
||
|
||
[Add basic auth to /metrics endpoint #2322](https://github.com/fleetdm/fleet/issues/2322)
|
||
|
||
[Ensure only team admins can list other users #5657](https://github.com/fleetdm/fleet/issues/5657)
|
||
|
||
You can also view them on the [remediation board](https://github.com/fleetdm/fleet/issues/5657).
|
||
|
||
|
||
If you have questions about this test or Fleet security, please join us on [Slack](https://osquery.fleetdm.com/c/fleet)!
|
||
|
||
<meta name="category" value="security">
|
||
<meta name="authorGitHubUsername" value="GuillaumeRoss">
|
||
<meta name="authorFullName" value="Guillaume Ross">
|
||
<meta name="publishedOn" value="2022-05-10">
|
||
<meta name="articleTitle" value="Penetration testing of Fleet (April 2022)">
|
||
<meta name="articleImageUrl" value="../website/assets/images/articles/security-testing-at-fleet-fleet-pentest-cover-1600x900@2x.jpg">
|