fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add ability to view critical vulnerabilities that contribute to issues count for a host #21438

Open ddribeiro opened 3 months ago

ddribeiro commented 3 months ago

User stories

JoStableford commented 3 months ago

Related to a Slack conversation

noahtalerman commented 3 months ago

Design capacity: S

That said, I don't think this is workflow blocking b/c we're about to ship the following story:

harrisonravazzolo commented 2 months ago

Hey @noahtalerman - Something very similar came up in a call today with prospect-brashear where on the hosts page, Fleet surfaces the critical issues, but from the tooltip there is not a way to drill down and requires a bit of clicking around to get the info the sec team wants straight away.

BG

It's mentioned on this Gong snippet.

Do you think this belongs as part of this issue or should I spin up a separate issue?

noahtalerman commented 2 months ago

Hey @harrisonravazzolo!

Thanks for tracking this. I watched the Gong. I think the request is the same so I moved your Gong snippet up to the top of the issue description.

For future requests, if you're not sure the request is the same, I think lean towards spinning up a new ticket.

I think it's faster for whoever is filing it (instead of finding an existing issue). And, then whoever is responsible for reviewing requests and watching the Gongs (product) can explicitly call out that they think these requests are the same. And if folks disagree we can have a conversation about that at that time.

noahtalerman commented 1 month ago

Moved the original issue description here for safekeeping:

Problem

In Fleet, the host details page includes an Issues field that displays a count of failing policies + critical vulnerabilities for that host. When a user hovers over the field, a tooltip appears that says Critical vulnerabilities (count)/Failing policies (count).

The problem is Fleet does not provide a way for the admin to see which vulnerabilities are deemed critical, which makes it difficult to act on them.

Additionally, Fleet does not display any guidance about what makes a vulnerability critical in the UI. A Fleet user would need to check the source code to learn that a critical vulnerability is one with a CVSS score of 8.9 or higher.

What have you tried?

In Dogfood, I saw a host with 4 issues. I clicked the software tab and used the drop down menu to filter by software with vulnerabilities. There were 15 items in the list. I was not able to determine which were contributing to the count of 4 critical vulnerabilities.

Potential solutions

In addition to the existing filter to show vulnerable software, there could be an additional filter to only show software with critical vulnerabilities. The count of software with critical vulnerabilities should match the number displayed in the Issues field for that host.

The tooltip that appears when a user hovers over the issues count could be changed to display something like “A critical vulnerability has a CVSS score of 8.9 or higher”.

What is the expected workflow as a result of your proposal?

When viewing their hosts in Fleet, an admin would be able to see which hosts might have critical vulnerabilities or a failing policy according to the number displayed in the `Issues` column. When they hover over the number, they would see how many of those issues are caused by a critical vulnerability and how many are caused by a failing policy. An admin would be able to click into a host details page and see which vulnerabilities are considered critical and contributing to the issues count, just like they’re able to do for a failing policy today.

noahtalerman commented 1 month ago

Hey @pintomi1989 @Patagonia121 can you please add Gong snippets for bali, flavia, and figali? Thanks!