# fleet
r
Interesting discovery regarding the automated vulnerability scanning - we have some Oracle Enterprise Linux hosts (don’t ask), and several vulnerabilities have been detected. We set up yum-cron and they got patched, however the vulnerability count hasn’t changed for the hosts in Fleet. Interestingly, Fleet shows them as Red Hat Enterprise Linux, which is what Oracle Linux is based on, and in fact the hosts themselves report that in `/etc/redhat-release`. How does the vulnerability scanner determine if a package is vulnerable or not? Is it based on the distro it thinks it is running?
```
$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9
```
```
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
```
The code for this table suggests to me they don’t expect `/etc/redhat-release` to be present when `/etc/os-release` is, but I don’t know C++ very well 🤔 🙂 https://github.com/osquery/osquery/blob/master/osquery/tables/system/linux/os_version.cpp
r
Looks like it’s an open issue: https://github.com/osquery/osquery/issues/7268
r
ah yeah 😄
glad I’m not the only one then heheh
t
Vulnerabilities are detected based on the best CPE guess from a software name, version, and source.
If you upgrade to a non-vulnerable version and osquery doesn't report the old version anymore, then it will disappear from the host's vulnerable software. However, what we have seen is that upgrading sometimes results in having both versions installed, and osquery picks that up.
That said, there's always the possibility of a bug in Fleet, and if you feel like that's the case, we can debug further to see what might be happening.
m
@Ryan are they Python packages you're seeing as vulnerable, by chance?
r
no, lots of packages actually, like `curl` and the `kernel`
m
Ok gotcha, my experience is unrelated then; I updated Python packages and found the original package still remained.