fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add Homebrew to software inventory #20392

Open getvictor opened 1 month ago

getvictor commented 1 month ago

Goal

User story
As a Fleet admin,
I want to see the Homebrew version that my hosts are using
so that I can make sure it has no vulnerabilities.

Context

Propose creating a Fleet extension git_tags table that will return the HEAD tags of a specific git repo on the host. Usage:

SELECT * FROM git_tags WHERE path = '/opt/homebrew/Library/Homebrew';

The Fleet server can then use this table to get the Homebrew version, add Homebrew to the list of software, and perform vulnerability checks against it.

To get the Homebrew version on macOS, either do:

brew --version

or

git -C /opt/homebrew/Library/Homebrew tag --points-at HEAD

nonpunctual commented 1 month ago

We probably have to consider user context, i.e., Homebrew recommends not using sudo to install Homebrew, so when we try to run those commands against it as root from fleetd we might get nothing back?

I had to use sudo -u to get a Fleet script to call Homebrew.

Also, the other thing to consider might be if it was installed in a non-default location.

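The following is an added example, not code from Fleet or from this issue, sketching the `git_tags` lookup proposed above together with the two concerns raised in the previous comment (fleetd running as root against a user-owned checkout, and non-default install locations). Everything in it is an assumption for illustration: the `Runner` indirection, the `Row` type, the use of the `HOMEBREW_REPOSITORY` variable that `brew shellenv` exports, and the constructed tag `4.3.10` used in the test. It deliberately points `git -C` at the repository root (for example `/opt/homebrew`) rather than `Library/Homebrew`, because git's `safe.directory` setting matches the top-level directory of the checkout; that setting is what makes a root-run `git` succeed against a repository owned by an unprivileged user on git 2.35.2 and later, where the alternative is the `sudo -u <owner>` approach mentioned above.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Runner executes a command and returns its stdout. It is injected so the
// table logic can be exercised offline with constructed git output.
type Runner func(name string, args ...string) ([]byte, error)

// Row mirrors the columns the proposed git_tags table would expose.
type Row struct {
	Path string
	Tag  string
}

// candidateRepos lists Homebrew checkout roots to probe: the default prefixes
// for Apple silicon, Intel macOS and Linux, plus HOMEBREW_REPOSITORY (exported
// by `brew shellenv`) when set, which covers a non-default install location.
func candidateRepos() []string {
	repos := []string{
		"/opt/homebrew",
		"/usr/local/Homebrew",
		"/home/linuxbrew/.linuxbrew/Homebrew",
	}
	if r := os.Getenv("HOMEBREW_REPOSITORY"); r != "" {
		repos = append([]string{r}, repos...)
	}
	return repos
}

// gitArgs builds `git -C <repo> tag --points-at HEAD`. git 2.35.2 and later
// refuse to read a repository owned by another user ("dubious ownership"),
// which is exactly the situation when fleetd runs as root and Homebrew was
// installed, as recommended, by an unprivileged user. Marking the path safe
// for this one invocation avoids that without editing the host's git config.
// repo must be the checkout's top-level directory for safe.directory to match.
func gitArgs(repo string, trustOwner bool) []string {
	var args []string
	if trustOwner {
		args = append(args, "-c", "safe.directory="+repo)
	}
	return append(args, "-C", repo, "tag", "--points-at", "HEAD")
}

// parseTags turns one-tag-per-line git output into rows. No rows means HEAD
// is untagged, not that Homebrew is absent; a git failure is an error instead.
func parseTags(repo string, out []byte) []Row {
	var rows []Row
	sc := bufio.NewScanner(bytes.NewReader(out))
	for sc.Scan() {
		if tag := strings.TrimSpace(sc.Text()); tag != "" {
			rows = append(rows, Row{Path: repo, Tag: tag})
		}
	}
	return rows
}

// headTags runs git against one checkout and returns the tags at HEAD.
func headTags(run Runner, repo string, trustOwner bool) ([]Row, error) {
	out, err := run("git", gitArgs(repo, trustOwner)...)
	if err != nil {
		return nil, fmt.Errorf("git_tags %s: %w", repo, err)
	}
	return parseTags(repo, out), nil
}

// execRunner is the real Runner. It keeps git's stderr in the error so a
// "dubious ownership" refusal is reported rather than read as "no tags".
func execRunner(name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	out, err := cmd.Output()
	if err != nil {
		return nil, fmt.Errorf("%w: %s", err, strings.TrimSpace(stderr.String()))
	}
	return out, nil
}

func main() {
	// Root (how fleetd runs) is the case where the repo owner differs.
	trustOwner := os.Geteuid() == 0
	for _, repo := range candidateRepos() {
		if _, err := os.Stat(repo + "/.git"); err != nil {
			continue // no checkout at this prefix
		}
		rows, err := headTags(execRunner, repo, trustOwner)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		for _, r := range rows {
			fmt.Printf("%s\t%s\n", r.Path, r.Tag)
		}
	}
}
```

Run as root on a host where Homebrew was installed by a regular user, the program prints one line per tag at HEAD; without the `safe.directory` argument the same invocation fails with git's ownership error, which the `execRunner` surfaces instead of returning an empty result that could be mistaken for "no version".

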
JoStableford commented 1 week ago

Related to a Slack conversation