
Esteban

08/13/2021, 3:15 PM
Does the Software Inventory functionality only list the host's software? Where can I see the related CVEs? Do I need to set the databases_path variable? I'm using environment variables; how can I set it that way?

Tomas Touceda

08/13/2021, 3:50 PM
you need to set the databases path, please follow the documentation to enable vulnerability checks: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md

Esteban

08/13/2021, 3:53 PM
I'm not setting my configuration via a conf file, I'm using environment variables. Can I do it that way? (I'm using Docker)

Tomas Touceda

08/13/2021, 3:56 PM
not for vulnerabilities, only for software inventory

Esteban

08/13/2021, 3:59 PM
Ok, do you know where the config file is in the docker image? I don't have the config file mapped so I can't set that variable

Tomas Touceda

08/13/2021, 4:00 PM
you would apply it through fleetctl with
fleetctl apply -f yourconfig.yml
the config itself for the server lives in mysql

Esteban

08/13/2021, 4:01 PM
Ok, applying
docs/1-Using-Fleet/configuration-files/multi-file-configuration/organization-settings.yml
should be enough?
Mapping the path of the db to my host, obviously

Tomas Touceda

08/13/2021, 4:03 PM
if you just want to set these two things, the config you need is this:
---
apiVersion: v1
kind: config
spec:
  host_settings:
    enable_software_inventory: true
  vulnerability_settings:
    databases_path: /tmp/vulndbs
as mentioned in the docs. The other is a more complete example

Esteban

08/13/2021, 4:07 PM
I don't see the info being updated on the web
It doesn't seem to download any file to the folder specified

Tomas Touceda

08/13/2021, 4:20 PM
did you restart fleet? if so, please share the logs. It checks every hour, it takes an hour to do the first check

Esteban

08/13/2021, 4:27 PM
Yep, I've restarted it. Is the check time related to FLEET_OSQUERY_LABEL_UPDATE_INTERVAL or FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL? Because I've changed that time

Tomas Touceda

08/13/2021, 4:28 PM
no, the check time is fixed at 1hr

Esteban

08/13/2021, 4:29 PM
Ok, I will check again after 1 hour and return if I see any issue. Thanks
Quick question, how should I see the CVE info? Along with the software inventory table?

Tomas Touceda

08/13/2021, 4:35 PM
correct, you'll see it above the software and with a mark next to each app that's detected

Esteban

08/13/2021, 5:49 PM
Hello again, I've seen that a bunch of files were downloaded to the folder but the software inventory table remains the same

Tomas Touceda

08/13/2021, 5:50 PM
what does "the same" mean? empty?

Esteban

08/13/2021, 5:51 PM
Sorry, I meant no extra info, just the software name and version; still not seeing anything CVE related.

Tomas Touceda

08/13/2021, 5:52 PM
the cve data is stored in software_cve, the cpe data is stored in software_cve. You would see any CVE data when you list hosts either through fleetctl or through the web

Esteban

08/13/2021, 5:55 PM
Both tables are empty. I don't see any CVE data when I'm listing the hosts or viewing the Host info

Tomas Touceda

08/13/2021, 6:09 PM
could you share the logs for fleet?

Esteban

08/13/2021, 6:13 PM
What kind of logs? (result.log or status.log) There are many logs from my private hosts and queries (packs)

Tomas Touceda

08/13/2021, 6:22 PM
the logs of the fleet server itself

Esteban

08/13/2021, 6:27 PM
Sorry, is there a clean way to do it? I have my Docker container but it's flooding with logs since it logs almost everything. Any kind of log or message in particular?

Tomas Touceda

08/13/2021, 6:29 PM
anything that contains
component=crons cron=vulnerabilities

Esteban

08/13/2021, 6:45 PM
Ok, I'll look into it. Thanks
Hello, checking again after a few days and no hosts are being tagged with vulnerabilities. I'm not seeing any logs related to that.

Tomas Touceda

08/18/2021, 1:39 PM
hi Esteban, could you share your fleet server logs?

Esteban

08/18/2021, 2:09 PM
I was filtering by the keyword "vuln" and found no logs. I can't share all my logs since there's private information.

Tomas Touceda

08/18/2021, 2:17 PM
you should have seen at least 1 log that matches that, no matter whether you configured right or wrong, or it failed in unexpected ways

Esteban

08/18/2021, 2:25 PM
Mmm... Is there a log file for that? My container is flooding the terminal with logs so it's kind of difficult to track specific logs. I've got result.log and status.log log files.

Tomas Touceda

08/18/2021, 2:29 PM
fleet serve logs to stderr, result and status logs are for osquery
can you restart fleet? you should see some logs at the very beginning of the process running, that will tell us if it's properly configured or not
otherwise you could pipe the logs to a file