2171544ad1
This PR closes https://github.com/fleetdm/fleet/issues/21108 @noahtalerman, I double-checked all redirects, and they are working. Clicking through the URLs in [this spreadsheet](https://docs.google.com/spreadsheets/d/1djVynIMuJK4pT5ziJW12CluVqcaoxxnCLaBO3VXfAt4/edit?usp=sharing) is a pretty quick way to go through them all. Note that "Audit logs" and "Understanding host vitals" redirect to the contributor docs on GitHub, so they will throw a 404 until this is merged. Some new guides benefitted from a name change, so they make more sense as stand-alone guides, and also so that we don't have to mess around with more redirects later. Those name changes followed [this convention](https://fleetdm.com/handbook/company/communications#headings-and-titles), which was recently documented in the handbook. Have fun! --------- Co-authored-by: Eric <eashaw@sailsjs.com> Co-authored-by: Noah Talerman <noahtal@umich.edu>
4.7 KiB
Vulnerability processing
Vulnerability processing in Fleet detects vulnerabilities (CVEs) for the software installed on your hosts.
To see what software is covered, check out the Coverage section.
Learn more about how it works for different platforms.
Coverage
Fleet detects vulnerabilities for these software types:
| Type | macOS | Windows | Linux |
|---|---|---|---|
| Apps | ✅ | ✅ | ❌ |
| Browser plugins | Chrome extensions, Firefox extensions | Chrome extensions, Firefox extensions | ❌ |
| Packages | Python, Homebrew | Python, Atom, Chocolatey | Packages defined in the OVAL definitions, except for vulnerabilities involving configuration files. Supported distributions:
|
| IDE extensions | VS Code extensions | VS Code extensions | VS Code extensions |
As of right now, only app names with all ASCII characters are supported. Apps with names featuring non-ASCII characters, such as Cyrillic, will not generate matches.
For Ubuntu Linux, kernel vulnerabilities with known variants (ie. -generic) are detected using OVAL. Custom kernels (unknown variants) are detected using NVD.
Sources
Fleet combines multiple sources to get accurate and up-to-date CVE information:
- National Vulnerability Database CVE feeds
- VulnCheck CVE feeds
- Mac Office release notes for Office for Mac
- Microsoft MSRC Security Bulletins for Windows OS vulnerabilities
- OVAL definitions for Linux software
Advanced configuration
Fleet runs vulnerability downloading and processing via internal scheduled cron job. This internal mechanism is very useful for frictionless deployments and is well suited for most use cases. However, in larger deployments, where there can be dozens of Fleet server replicas sitting behind a load balancer, it is desirable to manage vulnerability processing externally.
The reasons for this are as follows:
- lower resource requirements across the entire Fleet server deployment (as vulnerability processing requires considerably more resources than just running Fleet server alone)
- more control over scheduling constraints (only process during windows of low utilization, etc.)
It is possible to limit vulnerability processing to a single dedicated host, by setting
disable_schedule to true but still run one Fleet server as false, but the drawback here is still having to dedicate resources
for this single host 24/7. The Fleet binary has a command which handles the same vulnerability processing, but will exit (successfully with 0) on completion. Using this sub-command we can delegate vulnerability processing
to external systems such as:
To opt into this functionality, be sure to configure your Fleet server deployment with
FLEET_VULNERABILITIES_DISABLE_SCHEDULE=true
which will disable the internal scheduling mechanism for vulnerability processing.
And then externally run with the same environment variables/configuration files passed to the server command.
fleet vuln_processing