fleet/docs/01-Using-Fleet/13-Vulnerability-Processing.md
Martavis Parker 4f3f6187d6
Top-level seed data doc and re-numbering (#2109)
* created separate doc for seeding data

* re-numbered doc names
2021-09-20 11:48:24 -07:00


Vulnerability Processing

What to expect

Vulnerability processing is currently in beta.

At the moment, Fleet only checks for vulnerabilities against the National Vulnerability Database (NVD). It works by first translating each piece of software reported by a host into a CPE (Common Platform Enumeration) name.

With this CPE, Fleet searches the full list of CVEs (Common Vulnerabilities and Exposures) from NVD for entries whose match criteria cover that CPE. Any matches are exposed through the API endpoint that describes a host and through the web frontend in the host details section.
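The two steps above (software name to CPE, then CPE against the CVE match criteria) in miniature, as an added example that is not Fleet's own code. The `SoftwareToCPE` helper is a plain string builder standing in for Fleet's dictionary-backed translation, the CVE records and their `CVE-EXAMPLE-*` IDs are constructed placeholders rather than NVD data, and the match entries mirror the shape of NVD's `versionStartIncluding` / `versionEndExcluding` bounds:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CPE holds the fields of a CPE 2.3 formatted-string name compared here:
// part (a = application, o = OS, h = hardware), vendor, product and version.
type CPE struct {
	Part, Vendor, Product, Version string
}

// SoftwareToCPE is a stand-in for Fleet's dictionary-backed translation (assumption):
// it builds a CPE 2.3 name from the vendor, product and version reported by a host.
func SoftwareToCPE(vendor, product, version string) string {
	norm := func(s string) string {
		return strings.ReplaceAll(strings.ToLower(strings.TrimSpace(s)), " ", "_")
	}
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", norm(vendor), norm(product), norm(version))
}

// ParseCPE parses "cpe:2.3:<part>:<vendor>:<product>:<version>:..." into a CPE.
func ParseCPE(s string) (CPE, error) {
	f := strings.Split(s, ":")
	if len(f) < 6 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return CPE{Part: f[2], Vendor: f[3], Product: f[4], Version: f[5]}, nil
}

// CPEMatch is one affected-product entry of a CVE: a CPE pattern whose version
// may be "*" (any version), plus optional bounds in the style of NVD's
// versionStartIncluding / versionEndExcluding fields.
type CPEMatch struct {
	Criteria              string
	VersionStartIncluding string
	VersionEndExcluding   string
}

// CVE is a vulnerability record with the CPE patterns it applies to.
type CVE struct {
	ID      string
	Matches []CPEMatch
}

// component returns the i-th dotted version component, or "0" when absent,
// so that "91" and "91.0" compare equal.
func component(parts []string, i int) string {
	if i < len(parts) {
		return parts[i]
	}
	return "0"
}

// CompareVersions orders dotted versions numerically per component and falls
// back to string order for non-numeric components such as "3a".
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := component(as, i), component(bs, i)
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		switch {
		case xerr == nil && yerr == nil && xi != yi:
			if xi < yi {
				return -1
			}
			return 1
		case (xerr != nil || yerr != nil) && x != y:
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Matches reports whether a host CPE falls within this match entry.
func (m CPEMatch) Matches(host CPE) bool {
	pat, err := ParseCPE(m.Criteria)
	if err != nil || pat.Part != host.Part || pat.Vendor != host.Vendor || pat.Product != host.Product {
		return false
	}
	if pat.Version != "*" {
		return pat.Version == host.Version // exact-version entry
	}
	if m.VersionStartIncluding != "" && CompareVersions(host.Version, m.VersionStartIncluding) < 0 {
		return false
	}
	if m.VersionEndExcluding != "" && CompareVersions(host.Version, m.VersionEndExcluding) >= 0 {
		return false
	}
	return true
}

// FindCVEs returns the IDs of every CVE with at least one entry matching hostCPE.
func FindCVEs(hostCPE string, cves []CVE) []string {
	host, err := ParseCPE(hostCPE)
	if err != nil {
		return nil
	}
	var ids []string
	for _, c := range cves {
		for _, m := range c.Matches {
			if m.Matches(host) {
				ids = append(ids, c.ID)
				break
			}
		}
	}
	return ids
}

// SampleCVEs is constructed data with placeholder IDs, not real NVD records.
var SampleCVEs = []CVE{
	{ID: "CVE-EXAMPLE-0001", Matches: []CPEMatch{{Criteria: "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", VersionEndExcluding: "92.0"}}},
	{ID: "CVE-EXAMPLE-0002", Matches: []CPEMatch{{Criteria: "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", VersionEndExcluding: "91.0"}}},
	{ID: "CVE-EXAMPLE-0003", Matches: []CPEMatch{{Criteria: "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"}}},
	{ID: "CVE-EXAMPLE-0004", Matches: []CPEMatch{{Criteria: "cpe:2.3:a:mozilla:firefox:91.0:*:*:*:*:*:*:*"}}},
}

func main() {
	host := SoftwareToCPE("Mozilla", "Firefox", "91.0")
	fmt.Println(host, "->", FindCVEs(host, SampleCVEs)) // CVE-EXAMPLE-0001 and -0004 only
}
```

The version bounds are where most false positives and misses come from in practice: an "end excluding" bound of 91.0 must not flag 91.0 itself, and "91" and "91.0" must be treated as the same release, which is why the comparison pads missing components rather than comparing strings.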

These checks are performed in one Fleet instance. If your Fleet deployment uses multiple instances, only one will be doing this work.

In order to do all this, Fleet downloads the following files:

  1. A preprocessed CPE database generated by FleetDM to speed up the translation process: https://github.com/fleetdm/nvd/releases
  2. The historical data for all CVEs, including the CPE match criteria for each one, from https://nvd.nist.gov/vuln/data-feeds

The database in item 1 is generated from the official CPE dictionary at https://nvd.nist.gov/products/cpe. It is regenerated at most once a day, and only when there is new data.

The matching occurs server-side to make the processing as fast as possible, but the whole process is both CPU and memory intensive. For example, when running a development instance of Fleet on an Apple MacBook Pro with 16 cores, matching 200k CPEs against the CVE database takes around 10 seconds and consumes about 3 GB of RAM. CPU and memory usage spike in a burst once every hour on the instance that does the processing.

Setup

Vulnerability checking is disabled by default. To enable it, first enable the software inventory feature by setting the following environment variable:

FLEET_BETA_SOFTWARE_INVENTORY=1

Or through the app config:

---
apiVersion: v1
kind: config
spec:
  host_settings:
    enable_software_inventory: true

Fleet also needs a path where it will download the different data feeds. This can be done through the Fleet server config YAML:

echo '
... rest of your config here
vulnerabilities:
  databases_path: /some/path
' > /tmp/fleet.yml
fleet serve --config /tmp/fleet.yml

Or through environment variables:

FLEET_VULNERABILITIES_DATABASES_PATH=/some/path

The specified path needs to exist, and Fleet needs to be able to read from and write to it. This is the only mandatory configuration needed for vulnerability processing to work. Additional options, like the vulnerability check frequency, can be found in the configuration documentation.

You'll need to restart the Fleet instances after changing these settings.