inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Packetfence does not handle policy violation from fleetdm #8347

Closed Toxa closed 1 month ago

Toxa commented 1 month ago

Describe the bug

Packetfence does not handle policy violation from fleetdm. In the logs I see that fleetdm sends a POST request containing policy violation data, but packetfence does not process this data in any way. I don't see any traffic from packetfence to FleetDM Host. The fleetdm logs are also empty (fleetdm & nginx).

To Reproduce

Steps to reproduce the behavior:

  1. In the packetfence configuration, under fleetdm, I have provided the fleetdm server address, login (mail address), password and API token. All data entered here is verified with curl requests from packetfence host.

  2. In packetfence local user fleetdm is created for authentication with access level FleetDM Event Handler

  3. In fleetdm, under policy automation, the packetfence url is specified (port 9999 and login/password from the previous step)

  4. In security event 3500001, in Event trigger, regexp .*. is specified

  5. In fleetdm, the policy is moved from pass to fail status. To trigger the webhook call, on the fleetdm server I execute

    fleetctl trigger --name cleanups_then_aggregation & fleetctl trigger --name automations
  6. In tcpdump on fleetdm and packetfence hosts I see https POST request to packetfence host

  7. In packetfence logs I see successful authentication and POST request

  8. I don't see any requests from packetfence to fleetdm API (tcpdump & logs).

  9. I don't see Security Events triggered in packetfence (WebUI & logs). Behavior is independent of whether node with mac address of host with failed policy exists.

Screenshots

Log from packetfence:

Oct 14 18:20:32 packetfence pfperl-api-docker-wrapper[1586]: pfperl-api(13) INFO: [mac:[undef]]. Found a realm source local for user fleetdm in realm null. (pf::authentication::adminAuthentication)
Oct 14 18:20:32 packetfence pfperl-api-docker-wrapper[1586]: pfperl-api(13) INFO: [mac:[undef]] Authentication successful for fleetdm in source local (SQL) (pf::authentication::authenticate)
Oct 14 18:20:32 packetfence pfperl-api-docker-wrapper[1586]: pfperl-api(13) INFO: [mac:[undef]] Using sources local for matching (pf::authentication::match2)
Oct 14 18:20:32 packetfence api-frontend-docker-wrapper[2175]: t=2024-10-14T18:20:32+0300 lvl=info msg="API login for user fleetdm" pid=7 request-uuid=da4f08ab-8a3f-11ef-841a-024264400007
Oct 14 18:20:32 packetfence api-frontend-docker-wrapper[2175]: api-frontend-access 100.64.0.1 - - - - [14/Oct/2024:15:20:32 +0000] "POST /api/v1/fleetdm-events/policy HTTP/2.0" 202 78 "-" "Go-http-client/2.0"
Oct 14 18:20:32 packetfence pfqueue-backend[4153]: pfqueue(3273) INFO: [mac:unknown] Running task fleetdm (main::process_data)

Expected behavior

Security Events triggered. Displaying this in logs and reports. Performing an action (sending an email). Or an error message in the logs.

Versions

Clean install packetfence: packetfence 14.0.0+20240910143601+1448220744+0012+maintenance~14~0+bookworm1
Debian GNU/Linux 12 (bookworm)
Fleetdm: fleet version 4.57.2

satkunas commented 1 month ago

More information is needed.

  1. More logs would help determine if the payload from fleetdm was well-formed.
  2. The relevant contents of conf/security_events.conf to ensure the Security Event is configured properly for a policy violation webhook.
  3. Ensure that fleetdm is accessible by PacketFence. After the webhook PF will reach out to fleetdm for more information before triggering the violation.

Toxa commented 1 month ago

I apologize. It's a configuration error. You have nudged me in the right direction to look for it. The conf/security_events.conf config specified cve instead of policy:

trigger=fleetdm_cve::.*.

After correcting it to

trigger=fleetdm_policy::.*.

everything works as expected.
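The root cause in this thread is a trigger whose type (`fleetdm_cve`) does not match the kind of FleetDM webhook that PacketFence actually received (`/api/v1/fleetdm-events/policy`), so the event is queued (the `Running task fleetdm` log line) but never matches a security event. The following script is an added example for this thread, not PacketFence or FleetDM code: it reads the webhook kind out of an api-frontend access-log line like the one quoted above, parses the `trigger=` keys of a security_events.conf-style INI file, and reports every FleetDM trigger whose type can never be fed by that webhook, plus any trigger regex that does not compile. The INI layout (one section per event id, a `trigger=` key, comma-separated `type::value` entries) is assumed from the snippets in the thread; the sample config and log line are constructed, with event 3500001 reproducing the misconfiguration described by Toxa.

```python
"""Check FleetDM trigger types in a security_events.conf-style file against
the webhook kind PacketFence actually received.

Added example for the issue thread above; not PacketFence or FleetDM code.
Assumptions: an INI section per security event id, a `trigger=` key holding
comma-separated `type::value` entries, and FleetDM trigger types of the form
`fleetdm_<kind>` where <kind> is the last path segment of the webhook URL.
"""
import configparser
import re

# Constructed access-log line modelled on the api-frontend entry in the thread.
ACCESS_LOG_LINE = (
    'api-frontend-access 100.64.0.1 - - - - [14/Oct/2024:15:20:32 +0000] '
    '"POST /api/v1/fleetdm-events/policy HTTP/2.0" 202 78 "-" "Go-http-client/2.0"'
)

# Constructed sample config. 3500001 reproduces the misconfiguration from the
# thread (cve trigger although only policy webhooks arrive); 3500002 is the
# corrected form; 3500003 shows a trigger value that is not a valid regex.
SAMPLE_CONF = """
[3500001]
desc=FleetDM policy failure (trigger type wrong, as in the thread)
enabled=Y
trigger=fleetdm_cve::.*.

[3500002]
desc=FleetDM policy failure (trigger type correct)
enabled=Y
trigger=fleetdm_policy::.*.

[3500003]
desc=FleetDM policy failure with a broken regex
enabled=Y
trigger=fleetdm_policy::[unclosed
"""

_FLEETDM_EVENTS_PATH = re.compile(r"/api/v1/fleetdm-events/(?P<kind>[a-z]+)")


def event_kind_from_access_log(line):
    """Return the webhook kind ('policy', ...) found in an access-log line, or None."""
    match = _FLEETDM_EVENTS_PATH.search(line)
    return match.group("kind") if match else None


def parse_triggers(conf_text):
    """Return {event_id: [(trigger_type, trigger_value), ...]} for every section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    triggers_by_event = {}
    for section in parser.sections():
        raw = parser.get(section, "trigger", fallback="")
        entries = []
        for item in filter(None, (part.strip() for part in raw.split(","))):
            trigger_type, sep, value = item.partition("::")
            entries.append((trigger_type, value if sep else ""))
        triggers_by_event[section] = entries
    return triggers_by_event


def check_fleetdm_triggers(conf_text, delivered_kind):
    """Return (event_id, problem) pairs for FleetDM triggers that cannot fire.

    A fleetdm_* trigger whose type differs from fleetdm_<delivered_kind> is
    reported because the webhook PacketFence receives will never match it.
    Trigger values are compiled with Python's re as an approximation of the
    Perl regex PacketFence evaluates; gross syntax errors show up either way.
    """
    expected_type = f"fleetdm_{delivered_kind}"
    findings = []
    for event_id, entries in parse_triggers(conf_text).items():
        for trigger_type, value in entries:
            if not trigger_type.startswith("fleetdm_"):
                continue
            try:
                re.compile(value)
            except re.error as exc:
                findings.append((event_id, f"trigger regex {value!r} does not compile: {exc}"))
            if trigger_type != expected_type:
                findings.append((
                    event_id,
                    f"trigger type {trigger_type} never matches a {delivered_kind} "
                    f"webhook; expected {expected_type}",
                ))
    return findings


if __name__ == "__main__":
    kind = event_kind_from_access_log(ACCESS_LOG_LINE)
    print(f"webhook kind seen in access log: {kind}")
    for event_id, problem in check_fleetdm_triggers(SAMPLE_CONF, kind):
        print(f"security event {event_id}: {problem}")
```

Run against the sample, it reports event 3500001 for the cve/policy mismatch and 3500003 for the unparseable regex, while the corrected 3500002 passes; pointing `SAMPLE_CONF` at the real conf/security_events.conf contents and `ACCESS_LOG_LINE` at a line from the api-frontend log gives the same check for a live installation.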