Penetration testing of Fleet (April 2022)
We recently had Lares perform penetration testing on our internal instance of Fleet. Lares performed this latest test against Fleet 4.12. The test unveiled several authorization issues, which are identified in this advisory and resolved in Fleet 4.13.
As promised when we published the Orbit audit, where we said we would post other audit and pentest reports, we are now publishing the full report. We resolved the most critical issues in 4.13, and we continue to track and prioritize the others.
Small redacted sections are present in the PDF as we are hiding some internal email addresses to save ourselves from receiving more spam.
You can find the full report here: 2022-04-29-fleet-penetration-test.pdf.
You can see all publicly available security audits and penetration testing reports in the Fleet documentation, including what we intend to do about the remaining issues.
The GitHub issues that relate to this test are:
Security advisory fixed in Fleet 4.13
Add manual and automated test cases for authorization #5457
Evaluate current CSV escaping and feasibility of adding if missing #5460
Increase length of login throttling delay from 4 to 10 seconds #5464
Set session duration to total session length #5476
Increase default minimum password length to 12 #5477
Add basic auth to /metrics endpoint #2322
Ensure only team admins can list other users #5657
You can also view them on the remediation board.
If you have questions about this test or Fleet security, please join us on Slack!