Gavin
10/18/2021, 3:37 PM label_membership
history.label_membership
history
Mystery Incorporated
10/18/2021, 3:50 PM select * from lable_membership;
ERROR 1146 (42S02): Table 'fleet.lable_membership' doesn't exist
Jocelyn Bothe
10/18/2021, 3:53 PMTomas Touceda
10/18/2021, 3:54 PMGavin
10/18/2021, 3:54 PMTomas Touceda
10/18/2021, 3:55 PMGavin
10/18/2021, 3:55 PMTomas Touceda
10/18/2021, 3:56 PMGavin
10/18/2021, 3:57 PMTomas Touceda
10/18/2021, 3:57 PMGavin
10/18/2021, 3:57 PMTomas Touceda
10/18/2021, 3:59 PMGavin
10/18/2021, 3:59 PMTomas Touceda
10/18/2021, 4:00 PMGavin
10/18/2021, 4:00 PMTomas Touceda
10/18/2021, 4:02 PMGavin
10/18/2021, 4:02 PMTomas Touceda
10/18/2021, 4:04 PMGavin
10/18/2021, 4:07 PMTomas Touceda
10/18/2021, 4:07 PMGavin
10/18/2021, 4:09 PMTomas Touceda
10/18/2021, 4:10 PMGavin
10/18/2021, 4:13 PMTomas Touceda
10/18/2021, 4:14 PMGavin
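-- 10/18/2021, 4:51 PM
-- CVEs affecting a single host: host inventory -> software -> CPE -> CVE.
-- The host id is a bind parameter (?) supplied by the caller, never
-- interpolated into the statement text.
SELECT DISTINCT
    s.id,
    scv.cve
FROM host_software hs
-- keeps only inventory rows whose host row still exists
INNER JOIN hosts h ON h.id = hs.host_id
-- join on the inventory row's software id; without this ON clause the
-- original was a cross join against every software row, so the result
-- contained CVEs for software the host does not actually have
INNER JOIN software s ON s.id = hs.software_id
INNER JOIN software_cpe scp ON scp.software_id = s.id
-- software_cve rows whose cpe_id is NULL can never match this join
INNER JOIN software_cve scv ON scv.cpe_id = scp.id
WHERE hs.host_id = ?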
Tomas Touceda
10/18/2021, 4:54 PMGavin
10/18/2021, 4:55 PM select count(*) from software
-> ;
+----------+
| count(*) |
+----------+
| 48578 |
+----------+
1 row in set (9.12 sec)
select count(*) from software_cpe
-> ;
+----------+
| count(*) |
+----------+
| 1070 |
+----------+
1 row in set (0.07 sec)
select count(*) from software_cve;
+----------+
| count(*) |
+----------+
| 122201 |
+----------+
1 row in set (5.38 sec)
SELECT table_name, TABLE_ROWS FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'fleet'
-> ;
+------------------------------------+------------+
| table_name | TABLE_ROWS |
+------------------------------------+------------+
| activities | 58 |
| app_config_json | 0 |
| app_configs | 1 |
| carve_blocks | 0 |
| carve_metadata | 0 |
| distributed_query_campaign_targets | 623 |
| distributed_query_campaigns | 571 |
| email_changes | 15 |
| enroll_secrets | 1 |
| host_additional | 1281 |
| host_software | 480577 |
| host_users | 37346 |
| hosts | 1363 |
| invite_teams | 0 |
| invites | 2 |
| label_membership | 2171 |
| labels | 7 |
| locks | 0 |
| migration_status_data | 11 |
| migration_status_tables | 98 |
| network_interfaces | 9598 |
| osquery_options | 3 |
| pack_targets | 12 |
| packs | 16 |
| password_reset_requests | 0 |
| policies | 0 |
| policy_membership | NULL |
| policy_membership_history | 0 |
| queries | 969 |
| scheduled_queries | 369 |
| scheduled_query_stats | 296851 |
| sessions | 51 |
| software | 48615 |
| software_cpe | 987 |
| software_cve | 122111 |
| statistics | 0 |
| teams | 0 |
| user_teams | 0 |
| users | 8 |
+------------------------------------+------------+
Tomas Touceda
10/18/2021, 5:02 PMGavin
10/18/2021, 5:06 PMTomas Touceda
10/18/2021, 5:08 PMGavin
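# 10/18/2021, 5:10 PM
# Fleet server container spec as pasted into the thread; indentation was
# lost in the paste and is restored here. Values are unchanged.
containers:
  - name: fleet-webserver
    image: fleetdm/fleet:v4.4.2
    command: [fleet, serve]
    ports:
      - containerPort: 8080
    volumeMounts:
      # TLS material is mounted read-only; FLEET_SERVER_CERT/KEY below point here
      - name: global-star-csec-tls
        mountPath: /secrets/fleet-tls
        readOnly: true
      # writable: the osquery status/result logs and the vulnerability
      # databases (see the env values below) are all written under /var/log/
      - name: log-storage
        mountPath: /var/log/
    env:
      - name: FLEET_BETA_SOFTWARE_INVENTORY
        value: '1'
      # same path as the log-storage mount, so the CPE/CVE databases share
      # the volume with the osquery log files
      - name: FLEET_VULNERABILITIES_DATABASES_PATH
        value: /var/log/
      # MySQL connection settings are read from the fleet-mysql Secret,
      # not written inline
      - name: FLEET_MYSQL_ADDRESS
        valueFrom:
          secretKeyRef:
            name: fleet-mysql
            key: address
      - name: FLEET_MYSQL_DATABASE
        valueFrom:
          secretKeyRef:
            name: fleet-mysql
            key: database
      - name: FLEET_MYSQL_USERNAME
        valueFrom:
          secretKeyRef:
            name: fleet-mysql
            key: username
      - name: FLEET_MYSQL_PASSWORD
        valueFrom:
          secretKeyRef:
            name: fleet-mysql
            key: password
      # inline address, unlike the MySQL and JWT settings above/below which
      # come from Secrets
      - name: FLEET_REDIS_ADDRESS
        value: 10.0.0.3:6379
      # session-signing key, read from its own Secret
      - name: FLEET_AUTH_JWT_KEY
        valueFrom:
          secretKeyRef:
            name: fleet-server-auth-key
            key: fleet-server-auth-key
      - name: FLEET_SERVER_ADDRESS
        value: 0.0.0.0:8080
      - name: FLEET_SERVER_CERT
        value: /secrets/fleet-tls/tls.crt
      - name: FLEET_SERVER_KEY
        value: /secrets/fleet-tls/tls.key
      - name: FLEET_LOGGING_JSON
        value: 'true'
      - name: FLEET_OSQUERY_STATUS_LOG_PLUGIN
        value: filesystem
      - name: FLEET_FILESYSTEM_STATUS_LOG_FILE
        value: /var/log/osqueryd.status.log
      - name: FLEET_FILESYSTEM_RESULT_LOG_FILE
        value: /var/log/osqueryd.results.log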
software_cve
I have cases where there are several thousand instances of the same CVE
select * from software_cve where cve='CVE-2021-37841';
+---------+--------+----------------+---------------------+---------------------+
| id | cpe_id | cve | created_at | updated_at |
+---------+--------+----------------+---------------------+---------------------+
| 334 | NULL | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 337 | 120 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 341 | 123 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 343 | 122 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 345 | 125 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 346 | 124 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 347 | 126 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 348 | NULL | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 4835 | NULL | CVE-2021-37841 | 2021-09-22 14:54:49 | 2021-09-22 14:54:49 |
| 4848 | NULL | CVE-2021-37841 | 2021-09-22 14:54:49 | 2021-09-22 14:54:49 |
| 9332 | NULL | CVE-2021-37841 | 2021-09-22 15:54:53 | 2021-09-22 15:54:53 |
| 9349 | NULL | CVE-2021-37841 | 2021-09-22 15:54:53 | 2021-09-22 15:54:53 |
| 13833 | NULL | CVE-2021-37841 | 2021-09-22 16:54:49 | 2021-09-22 16:54:49 |
| 13847 | NULL | CVE-2021-37841 | 2021-09-22 16:54:49 | 2021-09-22 16:54:49 |
select count(*) from software_cve where cve='CVE-2021-37841';
+----------+
| count(*) |
+----------+
| 1007 |
+----------+
| CVE-2021-32751 | 1005 |
| CVE-2021-32761 | 6 |
| CVE-2021-32777 | 1 |
| CVE-2021-32778 | 1 |
| CVE-2021-32779 | 1 |
| CVE-2021-32781 | 1 |
| CVE-2021-3282 | 1 |
| CVE-2021-32923 | 5 |
| CVE-2021-33194 | 4014 |
| CVE-2021-33195 | 4014 |
| CVE-2021-33196 | 4014 |
| CVE-2021-33197 | 4015 |
| CVE-2021-33198 | 4014 |
| CVE-2021-3331 | 2 |
| CVE-2021-33361 | 1 |
| CVE-2021-33362 | 1 |
Tomas Touceda
10/18/2021, 5:19 PM
| 337 | 120 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 341 | 123 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 343 | 122 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 345 | 125 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 346 | 124 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
| 347 | 126 | CVE-2021-37841 | 2021-09-22 13:55:06 | 2021-09-22 13:55:06 |
Gavin
10/18/2021, 5:25 PM
mysql> select * from software_cpe where id = 120;
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| id | software_id | created_at | updated_at | cpe |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| 120 | 45494907 | 2021-09-22 13:54:19 | 2021-09-22 13:54:19 | cpe:2.3:a:docker:desktop:3.1.0:*:*:*:*:windows:*:* |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
1 row in set (1.90 sec)
mysql> select * from software_cpe where id = 123;
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| id | software_id | created_at | updated_at | cpe |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| 123 | 45473432 | 2021-09-22 13:54:19 | 2021-09-22 13:54:19 | cpe:2.3:a:docker:desktop:3.3.3:*:*:*:*:windows:*:* |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
1 row in set (0.23 sec)
mysql> select * from software_cpe where id = 122;
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| id | software_id | created_at | updated_at | cpe |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| 122 | 45474569 | 2021-09-22 13:54:19 | 2021-09-22 13:54:19 | cpe:2.3:a:docker:desktop:3.3.1:*:*:*:*:windows:*:* |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
1 row in set (0.18 sec)
mysql> select * from software_cpe where id = 125;
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| id | software_id | created_at | updated_at | cpe |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| 125 | 45491834 | 2021-09-22 13:54:19 | 2021-09-22 13:54:19 | cpe:2.3:a:docker:desktop:3.5.1:*:*:*:*:windows:*:* |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
1 row in set (0.05 sec)
mysql> select * from software_cpe where id = 124;
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| id | software_id | created_at | updated_at | cpe |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
| 124 | 45494278 | 2021-09-22 13:54:19 | 2021-09-22 13:54:19 | cpe:2.3:a:docker:desktop:3.4.0:*:*:*:*:windows:*:* |
+-----+-------------+---------------------+---------------------+----------------------------------------------------+
1 row in set (0.04 sec)
Tomas Touceda
10/18/2021, 5:26 PMGavin
10/18/2021, 5:29 PMTomas Touceda
10/18/2021, 5:31 PM osquery.max_jitter_percent, it defaults to 10%, but you could push that to 50% and spread out the hosts checking in
Gavin
10/18/2021, 5:33 PMTomas Touceda
10/18/2021, 5:33 PMGavin
10/18/2021, 5:36 PMTomas Touceda
10/19/2021, 10:18 PMGavin
10/19/2021, 10:22 PMTomas Touceda
10/20/2021, 5:18 PMJocelyn Bothe
10/20/2021, 5:28 PMTomas Touceda
10/20/2021, 5:29 PM