Meta pixel
Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Device management (MDM) Endpoint operations Vulnerability management Integrations
Docs REST API Guides Built-in queries Data tables SUPPORT Chat Hosting Release notes Get your license Contribute
Community
Chat News Podcasts Articles COMPANY Handbook Logos/artwork Why open source?
Pricing Start now

Fleet documentation

Welcome to the documentation for Fleet, the lightweight management platform for laptops and servers.

search

Can't find what you're looking for? Support

{{page.title}}

{{breadcrumbs[0] === 'docs' ? 'Documentation' : breadcrumbs[0]}}
right chevron {{getTitleFromUrl(breadcrumbs[1])}}
right chevron

{{thisPage.title}}

search

Vulnerability processing

Edit page
Data tables Built-in queries Releases Support
A very nice Fleet branded shirt

Request Fleet swag

It's free right arrow

On this page:

Vulnerability processing

Introduction

Vulnerability processing in Fleet detects vulnerabilities (CVEs) for the software installed on your hosts.

To see what software is covered, check out the Coverage section.

Learn more about how it works for different platforms.

Coverage

Fleet detects vulnerabilities for these software types:

Type macOS Windows Linux
Apps
Browser plugins Chrome extensions, Firefox extensions Chrome extensions, Firefox extensions
Packages Python, Homebrew Python, Atom, Chocolatey Packages defined in the OVAL definitions, except for vulnerabilities involving configuration files. Supported distributions:
  • Ubuntu
  • RHEL based distros (Red Hat, CentOS, Fedora, and Amazon Linux)
IDE extensions VS Code extensions VS Code extensions VS Code extensions

As of right now, only app names with all ASCII characters are supported. Apps with names featuring non-ASCII characters, such as Cyrillic, will not generate matches.

For Ubuntu Linux, kernel vulnerabilities with known variants (ie. -generic) are detected using OVAL. Custom kernels (unknown variants) are detected using NVD.

Advanced configuration

Fleet runs vulnerability downloading and processing via internal scheduled cron job. This internal mechanism is very useful for frictionless deployments and is well suited for most use cases. However, in larger deployments, where there can be dozens of Fleet server replicas sitting behind a load balancer, it is desirable to manage vulnerability processing externally.

The reasons for this are as follows:

  • lower resource requirements across the entire Fleet server deployment (as vulnerability processing requires considerably more resources than just running Fleet server alone)
  • more control over scheduling constraints (only process during windows of low utilization, etc.)

It is possible to limit vulnerability processing to a single dedicated host, by setting disable_schedule to true but still run one Fleet server as false, but the drawback here is still having to dedicate resources for this single host 24/7. The Fleet binary has a command which handles the same vulnerability processing, but will exit (successfully with 0) on completion. Using this sub-command we can delegate vulnerability processing to external systems such as:

To opt into this functionality, be sure to configure your Fleet server deployment with

FLEET_VULNERABILITIES_DISABLE_SCHEDULE=true

which will disable the internal scheduling mechanism for vulnerability processing.

And then externally run with the same environment variables/configuration files passed to the server command.

fleet vuln_processing

Try it out

See what Fleet can do

Start now

An arrow pointing upBack to top