Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Ryan
10/20/2021, 9:18 AMInteresting discovery regarding the automated vulnerability scanning - we have some Oracle Enterprise Linux hosts (don’t ask), and several vulnerabilities have been detected, we set up yum-cron and they got patched, however the vulnerability count hasn’t changed for the hosts in Fleet. Interestingly Fleet shows them as RedHat Enterprise Linux, which is what Oracle Linux is based on, and in fact the hosts themselves report that in
/etc/redhat-release$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="<https://linux.oracle.com/>"
BUG_REPORT_URL="<https://bugzilla.oracle.com/>"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)The code for this table suggests to me they don’t expect
/etc/redhat-release/etc/os-releaser
Riccardo
10/20/2021, 1:56 PMLooks like it’s an open issue: https://github.com/osquery/osquery/issues/7268
r
Ryan
10/20/2021, 1:59 PMah yeah 😄
glad I’m not the only one then heheh
t
Tomas Touceda
10/20/2021, 2:07 PMvulnerabilities are detected based on the best CPE guess from a software name, version, and source
if you upgrade to a non vulnerable version and osquery doesn't report the old version anymore, then it will disappear from the host vulnerable software. However, what we have seen is that upgrading sometimes results in having both versions, and osquery picks that up
that said, there's always the possibility of a bug in fleet, and if you feel like that's the case, we can debug further to see what might be happening
:ty: 2
m
Mystery Incorporated
10/20/2021, 3:10 PM@Ryan are they python packages you're seeing vulnerable by chance?
r
Ryan
10/20/2021, 4:06 PMno, lots of packages actually, like
curlkernelm
Mystery Incorporated
10/21/2021, 1:47 AMOk gotcha, my experience is unrelated then, I updated python packages and found the original package still remained
👍 1