Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-20 23:48:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 109
fleet/docs/1-Using-Fleet/13-Vulnerability-Processing.md
Tomas Touceda ae2bd137b1
Issue 1632 software inventory config (#1636) 
* Add config option for software inventory

* Add documentation for the new config
2021-08-11 15:57:53 -03:00

64 lines
No EOL
2.5 KiB
Markdown
Raw Blame History

# Vulnerability Processing
- [What to expect](#what-to-expect)
- [Setup](#setup)
## What to expect
Fleet checks for vulnerabilities against the National Vulnerability Database only at the moment. The way it works is by
first translating the software from each host into a CPE (Common Platform Enumeration) representation of the name.
With this CPE, we search the full list of CVEs (Common Vulnerabilities and Exposures) from NVD to detect the CVEs that
match the defined CPE. If any matches are found, they are exposed through the API for describing a host and through the
frontend in the host details section.
These checks are performed in one Fleet instance. If your Fleet deployment uses multiple instances, only one will be doing
this work.
In order to do all this, Fleet downloads the following files:
1. A preprocessed CPE database generated by FleetDM to speed up the translation process: https://github.com/fleetdm/nvd/releases
2. The historical data for all CVEs and how to match to a CPE: from https://nvd.nist.gov/vuln/data-feeds
The database generated in 1 is processed from the original official CPE dictionary https://nvd.nist.gov/products/cpe. It's
updated once a day at most, depending on whether there's new data.
The whole process is both CPU intensive and Memory intensive. The goal is to make the processing as fast as possible. As
an example, matching 200k CPEs against the CVE database will take around 10 seconds on an Apple Macbook Pro with 16 cores
and it will take around 3Gbs of RAM while it's doing so. The CPU and memory usages are in burst once every hour in the
instance that does the processing.
Vulnerability processing is currently in Beta.
## Setup
Vulnerability checking is disabled by default. In order to enable it, you need to enable the software inventory feature
by setting the following environment variable:
```
FLEET_BETA_SOFTWARE_INVENTORY=1
```
Or through the app config (see below).
Fleet also needs a path where it will download the different data feeds. This is done through the usual configuration:
```
---
apiVersion: v1
kind: config
spec:
host_settings:
enable_software_inventory: true
vulnerability_settings:
databases_path: /tmp/vulndbs
```
Or if you want a more complete example, you can check out the following:
```
fleetctl apply -f docs/1-Using-Fleet/configuration-files/multi-file-configuration/organization-settings.yml
```
The path specified needs to exist and fleet needs to be able to read and write to and from it.
After applying the settings, you'll need to restart fleet for it to start.
Reference in a new issue View git blame Copy permalink