# fleet

benbass

08/12/2021, 2:43 PM
I have a few questions about the vulnerability processing:
1. Will this work on a disconnected instance, with exception of the two pinholes to the links in the docs?
2. Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environmental variable)
   a. I have multiple instances and would like to have one dedicated to the processing and only have that one with the access to the two URLs if possible.
3. Is there a way to either host those two URLs internally and have Fleet reference them?
4. Can those DBs be manually ingested/placed by an admin instead of providing internet access?

Tomas Touceda

08/12/2021, 3:08 PM
Hi!
> Will this work on a disconnected instance, with exception of the two pinholes to the links in the docs?

When you say instance, do you mean Fleet server instance? If so, yes, once it downloads the different data sources, all the processing happens within the Fleet instance.

> Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environmental variable)

You enable them in all the instances through applying a config. We added a way to configure software inventory through config as well: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md And then only one instance does the work.

> I have multiple instances and would like to have one dedicated to the processing and only have that one with the access to the two URLs if possible.

The instance selected for the work is dynamic; at this time it's not possible to tag a specific instance for this. If you would like that functionality added, make sure to create a feature request: https://github.com/fleetdm/fleet/issues/new?assignees=&labels=idea&template=feature-request.md&title=

> Is there a way to either host those two URLs internally and have Fleet reference them?

Not currently, the data feeds are updated almost daily. So we need to keep them up to date.

> Can those DBs be manually ingested/placed by an admin instead of providing internet access?

That could work, yes, but not in the current iteration. Please file a feature request and we can take it from there.
👍 2

benbass

08/12/2021, 4:17 PM
Sounds good. I have a single Fleet instance with 3 servers - 2 behind a load balancer and one that is an admin/reserved node. The idea is to have the admin/reserve node potentially have the access to those two URLs only. Would this work with the current implementation?
I can go ahead and enable the vulnerability detection on all nodes, but only one would be able to reach out.

Tomas Touceda

08/12/2021, 4:19 PM
It's not going to always work, because the node that checks for vulnerabilities does so by obtaining a lock. If the instance obtaining the lock happens to be one of the two behind the LB, then it won't work.

benbass

08/12/2021, 4:20 PM
Fair enough. How often will it try, and is it a round robin type of thing?
Where if the node that tries fails, will another node try again later?

Tomas Touceda

08/12/2021, 4:31 PM
It gets or refreshes the lock once an hour. Basically, whichever instance wins is the one to make the vulnerability check at that point.

benbass

08/12/2021, 4:32 PM
Fair enough. So in that instance, it would work on average every 3 hours - in a perfect world.

Tomas Touceda

08/12/2021, 4:33 PM
Not sure I follow, why every 3 hours?

benbass

08/12/2021, 4:33 PM
2 are not internet facing, and one would be. So 1/3. 🙂

Tomas Touceda

08/12/2021, 4:33 PM
Oh, right.
I suppose, depends on the world and how your infra is set up. This is the first iteration. We anticipated a lot of different use cases such as yours that we are not covering, so feature requests are very important here.
👍 2

benbass

08/12/2021, 4:35 PM
As the primary pre-processed DB is updated daily, the law of averages would indicate that it would work at least one to two times a day at a minimum, pulling the data in.
Fair enough - I do plan on opening feature requests.

Tomas Touceda

08/12/2021, 4:42 PM
The preprocessed DB is updated once a day, but the CVE data feeds might be updated more often.

benbass

08/12/2021, 4:45 PM
That makes sense.