fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

In Fleet 5.0.0, turn on vulnerability processing for all Fleet users #2949

Closed noahtalerman closed 2 years ago

noahtalerman commented 3 years ago

Goal

Enable vulnerability detection to allow all users to easily discover and triage vulnerable software installed on their hosts.

How?

chiiph commented 3 years ago

Did a minor update on the description.

lucasmrod commented 2 years ago

> Turn on vulnerability detection for all existing Fleet users while being loud about the resources needed (CPU, RAM, internet access) for Fleet server.

By loud you mean: Warning message on the logs? Release notes? Docs? (probably loud means all? :)

/cc @noahtalerman

lucasmrod commented 2 years ago

We have to keep in mind the confusion around:

https://github.com/fleetdm/fleet/blob/e956b0ba042db3e8dd624f95a8494f2313ceee4c/cmd/fleet/serve.go#L663-L672

Which brings me to:

> Add one configuration option that turns on/off both software inventory and vuln detection features

Where should this new config live? Same way as in databases_path where it lives in the two places (config and app) and one takes precedence?

PS: Maybe consider simplifying all the ifs logic in cronVulnerabilities.

chiiph commented 2 years ago

@lucasmrod Note that in 5.0.0 we'll be able to just rethink the configs altogether as it's not meant to be a backwards compatible release. So we can remove things that are duplicate/confusing, and move things around as we please.

We will have to think about the upgrade process, though, but we can write a conversion script or just document it if it's not super complicated.

noahtalerman commented 2 years ago

> By loud you mean: Warning message on the logs? Release notes? Docs? (probably loud means all? :)

@lucasmrod yes, by "loud" I mean some or all of these things you've listed. I don't think we've figured out exactly how to accomplish this.

noahtalerman commented 2 years ago

@mikermcneil heads up, I deprioritized this issue. I don't think we want to turn on vulnerable software for folks that still have this off.

Vulnerable software is on by default for new Fleet instances.

mikermcneil commented 2 years ago

👍

Vulnerable software is on by default for new Fleet instances.