Find hosts with the most issues

[noahtalerman]

Goal

User story
As a security leader,
I want to sort hosts by issues (# failing policis + # critical vulns - CVSS > 8.9)
so that I can ask for the owners of these hosts to focus on fixing the hosts w/ the most issues.

Context

• Product designer: @noahtalerman

Changes

Product

• UI changes: Figma wireframes
• REST API changes: API design PR
• Permissions changes: All roles can access the number of issues
• Outdated documentation changes: If documented, update the definition of issues in Fleet. UPDATE: No mention of these "issues" found (noahtalerman 2024-07-01)
• Changes to paid features or tiers: Failing policies count and Issues count is available in Fleet Free and Fleet Premium. Critical vulns count is only available in Fleet Premium

Engineering

• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: Yes
• Risk level: High
• Risk description: We added an additional DB write for every policy result processing from the host.

Load testing plan

For the below scenarios, monitor latency and DB performance.

1. Start with 100K hosts failing a policy. Modify the SQL of that policy.

2. Start with 100K hosts failing a policy. Modify the platforms of that policy (like uncheck "windows").

3. Start with 100K hosts failing a policy. Transfer them to a different team.

4. Start with 100K hosts failing a policy. Delete that policy.

Testing notes

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Add sort to the "Issues" column on the Hosts page. Update issues count = # failing critical policies + # of vulnerabilities w/ known exploits (CISA KEV)

[noahtalerman]

Hey @cjwalton this story covers the next iteration of Fleet's version of a host "risk score."

Our understanding is that y'all are looking for a way to prioritize hosts that need fixing/updating/patching.

The plan is to allow y'all to sort hosts by "issues" in Fleet: # critical policies failed + # vulns w/ known exploits (from CISA KEV)

Jason: EPSS takes CISA KEV into an account. Maybe let's start w/ EPSS > 70% and/or CVSS > 8

We want to start simple so that we move quickly for y'all while leaving the door open for future iterations.

I recorded a Loom video that walks through the improvement in more details here: https://www.loom.com/share/d594151980ec47298efafb159f0e91b1?sid=c4465470-cc23-47d9-9d86-b2542898774f

What do you think?

[noahtalerman]

Jason: EPSS takes CISA KEV into an account. Maybe let's start w/ EPSS > 70% and/or CVSS > 8

Hey @cjwalton, based on your feedback (above) we tweaked the "Issues" count to include critical vulns (CVEs w/ CVSS score > 8.9):

The plan is to start with this.

In future iterations we can add the ability to customize the "Issues" count. For example:

• Only include critical vulns (no failing policies)
• Include vulns w/ EPSS > 70%. With or w/o critical vulns. With or w/o failing policies

Does that work for you?

[sharon-fdm]

BE 5
FE 5

[RachelElysia]

@sharon-fdm

@jacobshandling mentioned the scope of this for FE is probably larger than anticipated.

TLDR: Looks like device user page and host details page use the same code, HostSummary card to render issues. Make that into reusable component for ManageHostsPage, and then add sort and empty state…. And basic tests for all?

To be thorough, this might be a 5.

[getvictor]

@xpkoala The regular QA was done by @RachelElysia

I added a few test scenarios for load testing in the description, and moved issue back to Awaiting QA.

[xpkoala]

Thanks @getvictor!

[xpkoala]

Found an issue when modifying a policy that affects 50k+ hosts with 100k+ hosts enrolled.

level=error ts=2024-06-24T15:33:47.706507287Z component=http user=tomas@fleetdm.com method=PATCH uri=/api/latest/fleet/policies/1 took=3.712123448s name="Q1 (1)" sql="SELECT * FROM osquery_info" err="saving policy: update failing policies in host issues: Error 1436 (HY000): Thread stack overrun: 242191 bytes used of a 262144 byte stack, and 20000 bytes needed. Use 'mysqld --thread_stack=#' to specify a bigger stack."

Reproduce:

• With a policy that affects a large number of hosts (50k in this scenario)
• Choose to edit the affected OS's for the policy (I removed 'mac' which would have set the # of hosts affected by the policy to 0)
• Error banner "Something went wrong"

A 422 http error is recorded in the web console.

[sharon-fdm]

Remaining work reset to 1 point.

[xpkoala]

Docker image being used to test this fix is 4530loadtestA

[marko-lisica]

Hey @pintomi1989 this story has shipped.

@noahtalerman There are TODOs in issue description to solve before moving to closed.

[noahtalerman]

There are TODOs in issue description to solve before moving to closed.

Docs are merged!

[fleet-release]

Sorting hosts by flaws,
A beacon in the cloud haze,
Security evolves.