fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Vulnerabilities not shown #3869

Closed rubenrodr-versia closed 2 years ago

rubenrodr-versia commented 2 years ago

Fleet version

# fleet version --full
fleet - version 4.9.0
  branch:       HEAD
  revision:     3018ad0fb45f7f6422b3d12e6a9f4e17d1079420
  build date:   2022-01-22
  build user:   runner
  go version:   go1.17.2

Fleet tier: Fleet Free
User role: admin

Operating system

# lsb_release -a
LSB Version:    n/a
Distributor ID: SUSE
Description:    SUSE Linux Enterprise Server 12 SP2
Release:        12.2
Codename:       n/a

Web browser: Firefox 96.0.2 (64-bit)

🧑‍💻  Expected behavior

Enabled vulnerability management

# fleetctl get config|grep -i vuln
  vulnerability_settings:
    databases_path: /etc/kolide/vulnerabilities_databases

We can see connections from Fleet to GitHub/NIST to retrieve CVE data on the corporate firewall: [screenshot]

💥  Actual behavior

Vulnerabilities not shown: [screenshot]

More info

noahtalerman commented 2 years ago

Hey @rubenrodr-versia sorry that you're experiencing this issue. I have a couple questions to help identify what might be happening:

Is software data appearing in the Fleet UI? You can verify this by selecting the "All" tab next to "Vulnerable" in the third screenshot you included.

In the Fleet server logs, are there any logs for the vulnerabilities cron job? If so, can you please attach screenshots of these logs? Thank you.

rubenrodr-versia commented 2 years ago

Hi @noahtalerman

Thanks for helping. Fleet is showing the software inventory: [screenshot]

We can see it on the host detail page as well. Linux: [screenshot] Windows: [screenshot]

I cannot see any message related to vulnerabilities or cron in the Fleet log file:

filesystem:
  status_log_file: /var/log/kolide/kolide_status.json
  result_log_file: /var/log/kolide/kolide_result.json
  enable_log_rotation: true

Only queries related to cron on enrolled hosts:

# cat /var/log/kolide/kolide_status.json|egrep -i 'vuln|cron'
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 05:20:22 2022 UTC","unixTime":"1643174422","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.5.1"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 05:40:44 2022 UTC","unixTime":"1643175644","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 05:45:25 2022 UTC","unixTime":"1643175925","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 05:54:50 2022 UTC","unixTime":"1643176490","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:01:46 2022 UTC","unixTime":"1643176906","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:05:56 2022 UTC","unixTime":"1643177156","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:08:05 2022 UTC","unixTime":"1643177285","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:10:34 2022 UTC","unixTime":"1643177434","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:12:07 2022 UTC","unixTime":"1643177527","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:33:07 2022 UTC","unixTime":"1643178787","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 06:35:34 2022 UTC","unixTime":"1643178934","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 07:01:59 2022 UTC","unixTime":"1643180519","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 07:02:15 2022 UTC","unixTime":"1643180535","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}
{"hostIdentifier":"X","calendarTime":"Wed Jan 26 07:03:33 2022 UTC","unixTime":"1643180613","severity":"0","filename":"query.cpp","line":"122","message":"Scheduled query has been updated: pack_Linux_Linux_Tareas_cron","version":"4.7.0"}

This SQLite file was generated when the vulnerability feature was activated, but it has not been updated since that day:

# ls -lrth /etc/kolide/vulnerabilities_databases
total 229M
-rw-r--r-- 1 kolide kolide 229M dic 21 12:12 cpe.sqlite

Thanks. Best regards.

lucasmrod commented 2 years ago

Hi @rubenrodr-versia! Thanks for the detailed information.

A couple of things to check:

  1. The /var/log/kolide/kolide_*.json files are logs from the osquery agents (the status file is for status logs and the result file is for scheduled query results). Instead, grep for cron=vulnerabilities on fleet serve's stderr (or the file to which you are redirecting that output).
  2. If possible attach the output of fleetctl get config --include-server-config (make sure to redact any sensitive information).

rubenrodr-versia commented 2 years ago

Hi @lucasmrod

We had the systemd service with this option set:

StandardError=null

Have changed to:

StandardError=file:/var/log/kolide/fleet_stderr.log
StandardOutput=file:/var/log/kolide/fleet_stdout.log

and restarted the service. The log files are not generated, but I can see the logs using systemd:

# journalctl -u kolide.service
ene 26 15:37:48 systemd[1]: Stopping Kolide Server...
ene 26 15:37:48 systemd[1]: Stopped Kolide Server.
ene 26 15:37:48 systemd[1]: Started Kolide Server.
ene 26 15:37:48 fleet[13053]: Using config file:  /etc/kolide/kolide.yml
ene 26 15:37:48 fleet[13053]: {"component":"redis","level":"info","mode":"standalone","ts":"2022-01-26T14:37:48.866251397Z"}
ene 26 15:37:48 fleet[13053]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T14:37:48.887917698Z"}
ene 26 15:37:48 fleet[13053]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T14:37:48.887963538Z"}
ene 26 15:37:48 fleet[13053]: {"address":"127.0.0.1:8080","msg":"listening","transport":"https","ts":"2022-01-26T14:37:48.90397131Z"}

Here is the config (redacted):

# fleetctl get config --include-server-config
---
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        always:
        - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time
          LIMIT 1
        interval:
          "3600": SELECT total_seconds AS uptime FROM uptime
        load:
        - SELECT version FROM osquery_info
        - SELECT uuid AS host_uuid FROM system_info
      options:
        audit_allow_config: true
        audit_allow_process_events: false
        audit_allow_sockets: false
        audit_persist: true
        config_refresh: 30
        disable_audit: false
        disable_events: false
        distributed_interval: 30
        distributed_tls_max_attempts: 3
        enable_bpf_events: false
        events_expiry: 1
        events_max: 50000
        events_optimize: true
        logger_plugin: tls
        logger_tls_endpoint: /api/v1/osquery/log
        logger_tls_period: 10
    overrides:
      platforms:
        rhel:
          decorators:
            interval:
              "3600": SELECT total_seconds AS uptime FROM uptime
          exclude_paths:
            configuracion:
            - /etc/redis/%%
            - /etc/httpd/logs/%%
            - /etc/sudoers.augnew%
          file_paths:
            configuracion:
            - /etc/%%
          options:
            audit_allow_config: true
            audit_allow_process_events: false
            audit_allow_sockets: false
            audit_persist: true
            config_refresh: 30
            disable_audit: false
            disable_events: false
            distributed_interval: 30
            distributed_tls_max_attempts: 3
            enable_bpf_events: false
            events_expiry: 1
            events_max: 50000
            events_optimize: true
            logger_plugin: tls
            logger_tls_endpoint: /api/v1/osquery/log
            logger_tls_period: 10
        sles:
          decorators:
            interval:
              "3600": SELECT total_seconds AS uptime FROM uptime
          exclude_paths:
            configuracion:
            - /etc/redis/%%
            - /etc/httpd/logs/%%
            - /etc/sudoers.augnew%
          file_paths:
            configuracion:
            - /etc/%%
          options:
            audit_allow_config: true
            audit_allow_process_events: false
            audit_allow_sockets: false
            audit_persist: true
            config_refresh: 30
            disable_audit: false
            disable_events: false
            distributed_interval: 30
            distributed_tls_max_attempts: 3
            enable_bpf_events: false
            events_expiry: 1
            events_max: 50000
            events_optimize: true
            logger_plugin: tls
            logger_tls_endpoint: /api/v1/osquery/log
            logger_tls_period: 10
        windows:
          options:
            disable_events: false
            events_expiry: 3600
            events_max: 50000
            events_optimize: true
            windows_event_channels: System,Application,Setup,Security
  host_expiry_settings:
    host_expiry_enabled: false
    host_expiry_window: 0
  host_settings:
    enable_host_users: true
    enable_software_inventory: true
  license:
    expiration: "0001-01-01T00:00:00Z"
    tier: free
  logging:
    debug: false
    json: true
    result:
      config:
        enable_log_compression: false
        enable_log_rotation: true
        result_log_file: /var/log/kolide/kolide_result.json
        status_log_file: /var/log/kolide/kolide_status.json
      plugin: filesystem
    status:
      config:
        enable_log_compression: false
        enable_log_rotation: true
        result_log_file: /var/log/kolide/kolide_result.json
        status_log_file: /var/log/kolide/kolide_status.json
      plugin: filesystem
  org_info:
    org_logo_url: X 
    org_name: X
  server_settings:
    deferred_save_host: false
    enable_analytics: false
    live_query_disabled: false
    server_url: https://domain
  smtp_settings:
    authentication_method: "0"
    authentication_type: "1"
    configured: true
    domain: ""
    enable_smtp: false
    enable_ssl_tls: true
    enable_start_tls: true
    password: ""
    port: 25
    sender_address: kolide@domain
    server: X
    user_name: ""
    verify_ssl_certs: true
  sso_settings:
    enable_sso: true
    enable_sso_idp_login: false
    entity_id: https://fleet/login
    idp_image_url: ""
    idp_name: X
    issuer_uri: 
    metadata: ""
    metadata_url: 
  update_interval:
    osquery_detail: 3600000000000
    osquery_policy: 3600000000000
  vulnerabilities:
    cpe_database_url: ""
    current_instance_checks: auto
    cve_feed_prefix_url: ""
    databases_path: /etc/kolide/vulnerabilities_databases
    disable_data_sync: false
    periodicity: 3600000000000
  vulnerability_settings:
    databases_path: /etc/kolide/vulnerabilities_databases
  webhook_settings:
    failing_policies_webhook:
      destination_url: ""
      enable_failing_policies_webhook: false
      host_batch_size: 0
      policy_ids: null
    host_status_webhook:
      days_count: 0
      destination_url: ""
      enable_host_status_webhook: false
      host_percentage: 0
    interval: 24h0m0s

Please tell me if you need anything more.

Thanks. Best regards.

rubenrodr-versia commented 2 years ago

Hi,

Our systemd version:

# rpm -qa|grep -i systemd
systemd-sysvinit-228-117.12.x86_64

does not support the file option for output: [screenshot] [screenshot]

so we have configured it like this:

StandardError=syslog
StandardOutput=syslog

and restarted Fleet again. The syslog entries show the same as systemd:

2022-01-26T16:03:19.238239+01:00 fleet[13053]: {"terminated":"http: Server closed","ts":"2022-01-26T15:03:19.237916136Z"}
2022-01-26T16:03:19.316755+01:00 fleet[15989]: Using config file:  /etc/kolide/kolide.yml
2022-01-26T16:03:19.363256+01:00 fleet[15989]: {"component":"redis","level":"info","mode":"standalone","ts":"2022-01-26T15:03:19.363147426Z"}
2022-01-26T16:03:19.375955+01:00 fleet[15989]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T15:03:19.375880259Z"}
2022-01-26T16:03:19.376152+01:00 fleet[15989]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T15:03:19.375916688Z"}
2022-01-26T16:03:19.408520+01:00 fleet[15989]: {"address":"127.0.0.1:8080","msg":"listening","transport":"https","ts":"2022-01-26T15:03:19.408306308Z"}
2022-01-26T16:03:26.706688+01:00 fleet[15989]: {"terminated":"http: Server closed","ts":"2022-01-26T15:03:26.706475094Z"}
2022-01-26T16:03:26.812408+01:00 fleet[16045]: Using config file:  /etc/kolide/kolide.yml
2022-01-26T16:03:26.848292+01:00 fleet[16045]: {"component":"redis","level":"info","mode":"standalone","ts":"2022-01-26T15:03:26.848184836Z"}
2022-01-26T16:03:26.887302+01:00 fleet[16045]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T15:03:26.887212361Z"}
2022-01-26T16:03:26.887564+01:00 fleet[16045]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T15:03:26.887252934Z"}
2022-01-26T16:03:26.896360+01:00 fleet[16045]: {"address":"127.0.0.1:8080","msg":"listening","transport":"https","ts":"2022-01-26T15:03:26.896275579Z"}
2022-01-26T16:03:58.347220+01:00 fleet[16045]: {"err":"failed","level":"error","op":"directIngestSoftware","ts":"2022-01-26T15:03:58.347144565Z"}
2022-01-26T16:07:10.769511+01:00 fleet[16045]: {"err":"failed","level":"error","op":"directIngestSoftware","ts":"2022-01-26T15:07:10.769392956Z"}

Thanks. Best regards.

lucasmrod commented 2 years ago

The configuration seems to be correct.

According to the log line, the vulnerability scan should run after fleet serve has been running for about one hour.

If after 1h+ there's still no trace of the vulnerability process running, please try running fleet serve with the FLEET_LOGGING_DEBUG=1 env variable or the --logging_debug argument (this may provide more information on why it's not running).

chiiph commented 2 years ago

@rubenrodr-versia thank you for bearing with us as we try to make sense of your setup and what might be wrong.

Could you upload the output of the following command as well: fleetctl get software --yaml?

rubenrodr-versia commented 2 years ago

Hi,

We have started the service with --loging_debug and see this kind of error:

$ cat fleet_messages.log |egrep -i 'cron|vuln'
2022-01-26T15:30:34.470912+01:00  fleet[11331]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T14:30:34.470792766Z"}
2022-01-26T15:30:34.471139+01:00  fleet[11331]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T14:30:34.470868379Z"}
2022-01-26T15:35:02.641913+01:00  fleet[12055]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T14:35:02.64181302Z"}
2022-01-26T15:35:02.642396+01:00  fleet[12055]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T14:35:02.642349044Z"}
2022-01-26T15:37:48.888029+01:00  fleet[13053]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T14:37:48.887917698Z"}
2022-01-26T15:37:48.888222+01:00  fleet[13053]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T14:37:48.887963538Z"}
2022-01-26T16:03:19.375955+01:00  fleet[15989]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T15:03:19.375880259Z"}
2022-01-26T16:03:19.376152+01:00  fleet[15989]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T15:03:19.375916688Z"}
2022-01-26T16:03:26.887302+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-26T15:03:26.887212361Z"}
2022-01-26T16:03:26.887564+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-26T15:03:26.887252934Z"}
2022-01-26T17:03:40.409585+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:40.409469176Z"}
2022-01-26T17:03:40.589421+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:40.589301937Z"}
2022-01-26T17:03:48.298665+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: cross-env: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.298574578Z"}
2022-01-26T17:03:48.300804+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: increase-memory-limit: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.300737226Z"}
2022-01-26T17:03:48.351433+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: n: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.351330424Z"}
2022-01-26T17:03:48.352865+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: node-gyp: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.351649089Z"}
2022-01-26T17:03:48.353044+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: node-pre-gyp: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.351778918Z"}
2022-01-26T17:03:48.353180+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.352558077Z"}
2022-01-26T17:03:48.353302+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: oracledb: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.35277394Z"}
2022-01-26T17:03:48.353420+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: pm2: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:48.352870354Z"}
2022-01-26T17:03:49.843356+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"1 synchronisation error:\n\tGet \"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta\": x509: certificate has expired or is not yet valid: current time 2022-01-26T17:03:49+01:00 is after 2021-09-30T14:01:15Z","level":"error","msg":"analyzing vulnerable software: CPE-\u003eCVE","ts":"2022-01-26T16:03:49.843256925Z"}
2022-01-26T18:03:39.429055+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:39.428947311Z"}
2022-01-26T18:03:39.658394+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:39.658298014Z"}
2022-01-26T18:03:45.716392+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: cross-env: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.716284677Z"}
2022-01-26T18:03:45.717807+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: increase-memory-limit: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.717741001Z"}
2022-01-26T18:03:45.755009+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: n: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.754917516Z"}
2022-01-26T18:03:45.755336+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: node-gyp: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.755213327Z"}
2022-01-26T18:03:45.755464+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: node-pre-gyp: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.755338771Z"}
2022-01-26T18:03:45.756067+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.756016582Z"}
2022-01-26T18:03:45.756294+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: oracledb: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.756242571Z"}
2022-01-26T18:03:45.756417+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: pm2: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T17:03:45.756357631Z"}
2022-01-26T18:03:47.037733+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"1 synchronisation error:\n\tGet \"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta\": x509: certificate has expired or is not yet valid: current time 2022-01-26T18:03:47+01:00 is after 2021-09-30T14:01:15Z","level":"error","msg":"analyzing vulnerable software: CPE-\u003eCVE","ts":"2022-01-26T17:03:47.037641609Z"}

It seems the certificate has expired: 2022-01-26T17:03:49.843356+01:00 fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"1 synchronisation error:\n\tGet \"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta\": x509: certificate has expired or is not yet valid: current time 2022-01-26T17:03:49+01:00 is after 2021-09-30T14:01:15Z","level":"error","msg":"analyzing vulnerable software: CPE-\u003eCVE","ts":"2022-01-26T16:03:49.843256925Z"}

But if we try to curl the URL from the Fleet VM, the certificate is valid from start date 2022-01-01 01:06:34 GMT to expire date 2022-04-01 01:06:33 GMT:

# curl -i -v -k https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
* Hostname was NOT found in DNS cache
*   Trying 18.235.227.114...
* Connected to nvd.nist.gov (18.235.227.114) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=*.nist.gov
*        start date: 2022-01-01 01:06:34 GMT
*        expire date: 2022-04-01 01:06:33 GMT
*        issuer: C=US; O=Let's Encrypt; CN=R3
*        SSL certificate verify result: certificate has expired (10), continuing anyway.
* SSLv2, Unknown (23):
> GET /feeds/json/cve/1.1/nvdcve-1.1-2002.meta HTTP/1.1
> User-Agent: curl/7.37.0
> Host: nvd.nist.gov
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< content-type: text/plain
content-type: text/plain
< last-modified: Sat, 22 Jan 2022 08:15:07 GMT
last-modified: Sat, 22 Jan 2022 08:15:07 GMT
< accept-ranges: bytes
accept-ranges: bytes
< etag: "8077692a68fd81:0"
etag: "8077692a68fd81:0"
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-security-policy: frame-ancestors 'self'
content-security-policy: frame-ancestors 'self'
< date: Thu, 27 Jan 2022 11:46:22 GMT
date: Thu, 27 Jan 2022 11:46:22 GMT
< content-length: 165
content-length: 165
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000

<
lastModifiedDate:2022-01-22T03:00:58-05:00
size:20972695
zipSize:1453971
gzSize:1453835
sha256:E2D7B3A7239C5DDCF9713E6A892782BC3E9B07A6023D1D4F345BCC9644D99FBA
* Connection #0 to host nvd.nist.gov left intact

We are going to investigate the certificate issue with the network team.

Thanks. Best regards.
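An added example, not code from the issue or from Fleet, written in Go because fleet serve is a Go program and uses Go's own certificate verifier: it shows why the two outputs above do not contradict each other, by verifying a leaf whose own dates are fine against a trust store that only holds an expired root for its CA, and then against a renewed root. The CA name, the hostname nvd.example.test and the generated keys are constructed; the dates are taken from this comment's curl output and error line, and 2021-09-30T14:01:15Z is the expiry of Let's Encrypt's legacy DST Root CA X3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Timeline from the issue: Fleet's error quotes 2021-09-30T14:01:15Z (the expiry of
// Let's Encrypt's legacy DST Root CA X3), curl shows a leaf valid 2022-01-01..2022-04-01,
// and the failing run was on 2022-01-26.
var (
	now           = time.Date(2022, 1, 26, 16, 3, 49, 0, time.UTC)
	oldRootExpiry = time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC)
	leafNotBefore = time.Date(2022, 1, 1, 1, 6, 34, 0, time.UTC)
	leafNotAfter  = time.Date(2022, 4, 1, 1, 6, 33, 0, time.UTC)
)

// PKI is a constructed test hierarchy: one CA key published as two self-signed roots
// (an expired one and a renewed one) plus a leaf that is valid on its own terms.
type PKI struct {
	ExpiredRoot, RenewedRoot, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI generates the hierarchy. Both roots share subject, key and SubjectKeyId,
// so the leaf chains to whichever of them a trust store contains.
func BuildPKI() PKI {
	caKey, leafKey := mustKey(), mustKey()
	root := func(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: "Example Test Root CA"}, // constructed
			SubjectKeyId:          []byte{1, 2, 3, 4},
			NotBefore:             notBefore,
			NotAfter:              notAfter,
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
		return mustCert(tmpl, tmpl, &caKey.PublicKey, caKey)
	}
	expired := root(1, oldRootExpiry.AddDate(-20, 0, 0), oldRootExpiry)
	renewed := root(2, oldRootExpiry.AddDate(-6, 0, 0), oldRootExpiry.AddDate(14, 0, 0))
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "*.example.test"}, // constructed, stands in for *.nist.gov
		DNSNames:     []string{"nvd.example.test"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, renewed, &leafKey.PublicKey, caKey)
	return PKI{ExpiredRoot: expired, RenewedRoot: renewed, Leaf: leaf}
}

// VerifyWithRoot validates the leaf as a Go TLS client (fleet serve included) does,
// trusting only the given root and evaluating at the fixed "now" above. The error Go
// returns quotes the NotAfter of the certificate that failed: the root here, not the
// leaf whose dates curl -v prints.
func VerifyWithRoot(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "nvd.example.test", CurrentTime: now})
	return err
}

func main() {
	p := BuildPKI()
	fmt.Printf("leaf valid %s .. %s (the dates curl -v shows)\n",
		p.Leaf.NotBefore.Format(time.RFC3339), p.Leaf.NotAfter.Format(time.RFC3339))
	// A nil error (<nil>) means the chain verified.
	fmt.Println("store with expired root only:", VerifyWithRoot(p.Leaf, p.ExpiredRoot))
	fmt.Println("store with renewed root:     ", VerifyWithRoot(p.Leaf, p.RenewedRoot))
}
```

When only the expired root is trusted, the date Go quotes is the root's 2021-09-30 expiry even though the leaf runs to 2022-04-01, so the certificate to look at is the one in the client's trust store, not the one the server presents.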

lucasmrod commented 2 years ago

Thanks for the extra logs!

Please let us know if, after resolving the expired certificate issue, you still get no vulnerabilities reported.

We'll be opening a separate issue for the following parsing errors:

2022-01-26T17:03:40.409585+01:00  fleet[16045]: {"component":"crons","cron":"vulnerabilities","err":"getting cpes for: npm: fts5: syntax error near \".\"","level":"error","software-\u003ecpe":"error translating to CPE, skipping...","ts":"2022-01-26T16:03:40.409469176Z"}

We have started the service with --loging_debug and see this kind of error:

--logging_debug (just in case you have the typo on the fleet serve invocation too).

rubenrodr-versia commented 2 years ago

Hi,

Maybe a typo, so we have added the parameter again:

ExecStart=/bin/fleet serve --config /etc/kolide/kolide.yml --logging_debug

and restarted the service.

2022-01-28T08:52:48.926921+01:00 fleet[21120]: {"terminated":"http: Server closed","ts":"2022-01-28T07:52:48.926850849Z"}
2022-01-28T08:52:48.995267+01:00 fleet[15280]: Using config file:  /etc/kolide/kolide.yml
2022-01-28T08:52:49.046119+01:00 fleet[15280]: {"component":"redis","level":"info","mode":"standalone","ts":"2022-01-28T07:52:49.046026109Z"}
2022-01-28T08:52:49.069524+01:00 fleet[15280]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-28T07:52:49.069439639Z"}
2022-01-28T08:52:49.069749+01:00 fleet[15280]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-28T07:52:49.069491384Z"}
2022-01-28T08:52:49.097550+01:00 fleet[15280]: {"address":"127.0.0.1:8080","msg":"listening","transport":"https","ts":"2022-01-28T07:52:49.097247159Z"}
2022-01-28T08:52:56.404795+01:00 fleet[15280]: {"terminated":"http: Server closed","ts":"2022-01-28T07:52:56.404556213Z"}
2022-01-28T08:52:56.496879+01:00 fleet[17643]: Using config file:  /etc/kolide/kolide.yml
2022-01-28T08:52:56.551168+01:00 fleet[17643]: {"component":"redis","level":"info","mode":"standalone","ts":"2022-01-28T07:52:56.551027014Z"}
2022-01-28T08:52:56.590503+01:00 fleet[17643]: {"component":"crons","cron":"async_task","level":"debug","task":"async disabled, not starting collectors","ts":"2022-01-28T07:52:56.58830003Z"}
2022-01-28T08:52:56.590712+01:00 fleet[17643]: {"component":"crons","cron":"cleanups","level":"debug","ts":"2022-01-28T07:52:56.589215848Z","waiting":"on ticker"}
2022-01-28T08:52:56.591742+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","databases-path":"/etc/kolide/vulnerabilities_databases","level":"info","ts":"2022-01-28T07:52:56.591666741Z"}
2022-01-28T08:52:56.592170+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","level":"info","periodicity":"1h0m0s","ts":"2022-01-28T07:52:56.592110104Z"}
2022-01-28T08:52:56.592469+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","current instance checks":"auto","level":"debug","trying to create databases-path":"/etc/kolide/vulnerabilities_databases","ts":"2022-01-28T07:52:56.592405425Z"}
2022-01-28T08:52:56.592785+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","level":"debug","ts":"2022-01-28T07:52:56.592732788Z","waiting":"on ticker"}
2022-01-28T08:52:56.596608+01:00 fleet[17643]: {"component":"crons","cron":"webhooks","interval":"24h0m0s","level":"debug","ts":"2022-01-28T07:52:56.596524711Z"}
2022-01-28T08:52:56.596794+01:00 fleet[17643]: {"component":"crons","cron":"webhooks","level":"debug","ts":"2022-01-28T07:52:56.596561783Z","waiting":"on ticker"}
2022-01-28T08:52:56.622679+01:00 fleet[17643]: {"address":"127.0.0.1:8080","msg":"listening","transport":"https","ts":"2022-01-28T07:52:56.622054863Z"}
2022-01-28T08:53:06.599514+01:00 fleet[17643]: {"component":"crons","cron":"cleanups","level":"debug","ts":"2022-01-28T07:53:06.599418517Z","waiting":"done"}
2022-01-28T08:53:06.613933+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","level":"debug","ts":"2022-01-28T07:53:06.61356573Z","waiting":"done"}
2022-01-28T08:53:06.616628+01:00 fleet[17643]: {"component":"crons","cron":"cleanups","leader":"Not the leader. Skipping...","level":"debug","ts":"2022-01-28T07:53:06.616572253Z"}
2022-01-28T08:53:06.616686+01:00 fleet[17643]: {"component":"crons","cron":"cleanups","level":"debug","ts":"2022-01-28T07:53:06.616605441Z","waiting":"on ticker"}
2022-01-28T08:53:06.622347+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","leader":"Not the leader. Skipping...","level":"debug","ts":"2022-01-28T07:53:06.622277768Z"}
2022-01-28T08:53:06.622416+01:00 fleet[17643]: {"component":"crons","cron":"vulnerabilities","level":"debug","ts":"2022-01-28T07:53:06.622303647Z","waiting":"on ticker"}

Will add more info if we detect new errors.

Thanks. Best regards.

noahtalerman commented 2 years ago

@rubenrodr-versia thank you for the follow up! Can you please confirm that vulnerabilities do appear after resolving the expired certificate?

If so, we can close this issue. The conversation around parsing errors can continue in the following issue: #3901

rubenrodr-versia commented 2 years ago

It seems to be an issue related to the curl/OpenSSL version. We are planning an OS upgrade to check whether it resolves the certificate problem and will update this issue.

Thanks. Best regards.

rubenrodr-versia commented 2 years ago

We have upgraded from SLES12 SP2 to SLES12 SP5 and now the connection to nvd.nist.gov works fine, and the vulnerable software feature is working as expected: [screenshot]

It would be nice to see the CVSS score on vulnerable software and be able to order it by score.

Thanks. Best regards.