Document toolboxDocument toolbox

Software inventory and vulnerabilities

Owned by Former user (Deleted)
Last updated: May 10, 2023 by Juan Tomás Alonso Nieto (Deactivated)
3 min read

Overview

From Endpoint Agent 1.3 on, you can check what software is deployed in each endpoint in the EA Manager and what vulnerabilities might be affecting that software. EA Manager downloads the information from the NVD (National Vulnerabilities Database) and checks the information against the software installed on the endpoints.

The feature is built on top of the vulnerability processing feature available in FleetDM. You can view the software inventory for each endpoint and filter the information to view only the vulnerable software.

The information on vulnerabilities is available in the corresponding Devo domain under the tag box.devo_ea.inventories.sw_vulnerabilities. Each vulnerability is shown in Devo and includes the number of hosts affected by this vulnerability. If you want to see the specific hosts being affected then go to the EA Manager Web UI.

Deployment

The feature is disabled by default. Enable it by setting the variable deam_fleet_config_enable_sfw_inventory to true in the inventory file.

To collect data from the FleetDM API, you need to provide a valid address to connect. In most cases, the value is the same as the value provided by the inventory file in deam_fqdnname and is configured by default. In the event that you need a different address to consume the API, then you can configure a specific address in the parameter dea_invent_cfg_source_address in your inventory file.

As this feature can be resource hungry, enable it with care and keep an eye on the resource consumption of the EA Manager. Vulnerabilities are checked every hour by default.

Scrapper configuration

By default, the configuration file of the SW Inventory scrapper is located in /etc/devo-ea/invent.yaml. Configuration of the scrapper is done automatically at deployment time, so the average user should not need to change any of these configurations. Explanations below are provided as references.

Configurable parameters are:

interval: Interval for the scrapper to get the latest information from the EA Manager. By default, it is set to 1 hour. This value should be used along the --vulnerabilities_periodicity EA Manager flag, which also defaults to 1 hour.

min_num_of_hosts: Can be changed to determine what is the minimum number of hosts presenting a vulnerability to send the data to Devo. Default is 1.

msgtpl: This allows you to change the format of the message that is sent to Devo. You should not change this value unless you are an expert user or were recommended to do so by Devo as it impacts the data parsing on the platform side.

stop_timeout: Changes the period to gracefully kill the system when the service is stopped.

source: Information regarding the source of data for the scrapper. All these configurations should be one automatically at deployment time, so the average user doesn not need to tweak these configurations.

  • name: Only deam-fleet-sfw-inventory is supported now. Reserved for future use.

  • version: Only deam-fleet-1.2.0 is supported now. Reserved for future use.

  • options:

    • address: Address used to connect to the existing EA Manager instance.

    • email: E-mail address used to login into the existing EA Manager instance.

    • password: Password to log in to the existing EA Manager instance.

    • client_timeout: Timeout for API calls to the EA Manager instance.

    • tls_skip_verify: Skips TLS verification when consuming data from EA Manager API.

    • retries: Max number of retries when consuming EA Manager API.

    • retry_wait_time: Default wait seconds between retries.

    • max_retry_wait_time: Max wait seconds between retries.

    • server_cert_file_name: Path to the certificate used to login the EA Manager instance.

rules: Reserved for future use.

sink: Information regarding the destination of the data. In a normal configuration, the data is sent to Devo and the configuration is done automatically at deployment time.

  • name: Defines the output target of the inventory scrapper.

  • version: Only 1.0.0 is supported now. Reserved for future use.

  • options:

    • relay_entrypoint: Devo Relay address.

    • tag: Tag to mark the events sent to Devo.

    • send_events_timeout: Timeout in events send to Devo.

    • buffer_size: Buffer queue size to save events in case of error.

    • limit_batch_size_pending_events: Number of pending events to be resent in each iteration.

    • compression:

      • enabled: Enables compression when sending events to Devo.

      • min_size: Compress events when size is greater than this value.

    • tls:

      • files:

        • key: Path to key file of the target Devo domain.

        • crt: Path to certificate of the target Devo domain.

        • ca: Path to chain certificate of the target Devo domain.