Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Ryan
08/26/2021, 4:54 PMI'm trying out the vulnerability scanner, seems like a great feature. Can I ask what's the intended workflow here? I can see a couple of vulnerabilities showing up on a host's page in the "Software" section, but can I query for that in a Query Pack or similar? Is there a way to show all the known vulnerabilities across all your hosts?
What's the intended way to use this feature? Thanks!
n
Noah Talerman
08/26/2021, 5:27 PMHey @Ryan. The current Vulnerability detection feature is intended to only surface vulnerable software on a per host basis in the Fleet UI (Host’s page) and Fleet API (
GET /api/v1/fleet/hosts/{id}👍 1
Please feel free to file a feature request with your ideal workflow here: https://github.com/fleetdm/fleet/issues/new?assignees=&labels=idea&template=feature-request.md&title=
👍 1
m
Mystery Incorporated
08/27/2021, 5:21 AM@Noah Talerman do you know if discovered vulnerabilities get wrote to result.log?
n
Noah Talerman
08/27/2021, 1:06 PMWhen you say “result.log” are you referring to the osquery result logs?
m
Mystery Incorporated
08/27/2021, 1:08 PM@Noah Talerman the one wrote by fleet, it writes status.log and results.log, but it does have osquery results in it yes, but I'd also assume as it's wrote by fleet it would have fleet results when things like vulnerability scans are ran.
n
Noah Talerman
08/27/2021, 1:16 PMGot it. Currently, discovered vulnerabilities are surfaced only in the Fleet UI (Host details page) and Fleet API (
GET /api/v1/fleet/hosts/{id}I’d also assume as it’s wrote by fleet it would have fleet results when things like vulnerability scans are ran.This makes sense. Please feel free to file a feature request that includes your use case for the above.
m
Mystery Incorporated
08/27/2021, 3:20 PMr
Ryan
08/31/2021, 9:46 AMHi @Noah Talerman I'm not sure, but the way I'd envisage using it would be to surface all the known CVEs somewhere, grouped by host, so you can see in one place what actions are needed? I'd also like to see that data exposed as a virtual table so we can use it in queries, and have it logged so it can show up in our reporting too.
@Noah Talerman We currently consume the fleet logs and send them to ELK where we can search them, and build dashboards for various things, for example we have one showing a breakdown of operating system versions everywhere. It would be good to be able to build a CVE dashboard that shows number of hosts with CVEs, ranked my criticality, grouped by host, and joining on other tables, like the operating system information.