Merge branch 'main' into 15919-vulnerabilities-page
This commit is contained in:
parent
f5f0797083
commit
9e83339f3d
20
.github/ISSUE_TEMPLATE/story.md
20
.github/ISSUE_TEMPLATE/story.md
@ -19,11 +19,21 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
|
||||
| I want to _________________________________________
|
||||
| so that I can _________________________________________.
|
||||
|
||||
## Context
|
||||
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
|
||||
- Product designer: _________________________ <!-- Who is the product designer to contact if folks have questions about the UI, CLI, or API changes? -->
|
||||
|
||||
<!--
|
||||
What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change? (Optional.)
|
||||
1.
|
||||
2.
|
||||
-->
|
||||
|
||||
## Changes
|
||||
|
||||
### Product
|
||||
- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
|
||||
- [ ] CLI usage changes: TODO <!-- Specify what changes to the CLI usage are required. Remove this checkbox if there are no changes to the CLI. -->
|
||||
- [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
|
||||
- [ ] REST API changes: TODO <!-- Specify what changes to the API are required. Remove this checkbox if there are no changes necessary. The product manager may move this item to the engineering list below if they decide that engineering will design the API changes. -->
|
||||
- [ ] Permissions changes: TODO <!-- Specify what changes to the permissions are required. Remove this checkbox if there are no changes necessary. -->
|
||||
- [ ] Outdated documentation changes: TODO <!-- Specify required documentation changes (public-facing fleetdm.com/docs or contributors) & redirects to add to /website/config/routes.js. -->
|
||||
@ -35,14 +45,6 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
|
||||
|
||||
> ℹ️ Please read this issue carefully and understand it. Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
|
||||
|
||||
## Context
|
||||
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
|
||||
<!--
|
||||
What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change? (Optional.)
|
||||
1.
|
||||
2.
|
||||
-->
|
||||
|
||||
## QA
|
||||
|
||||
### Risk assessment
|
||||
|
5
.github/workflows/codeql-analysis.yml
5
.github/workflows/codeql-analysis.yml
@ -48,6 +48,11 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
||||
with:
|
||||
go-version: ${{ vars.GO_VERSION }}
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38
|
||||
|
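Review bot: The new "Set up Go" step takes its toolchain from `go-version: ${{ vars.GO_VERSION }}`, so the CodeQL build now depends on a repository variable that is not defined in this file; if it is unset (for example in a fork, where Actions variables are not inherited) setup-go receives an empty version and, as far as I can tell, the scan builds with whatever Go the runner image ships rather than the version the project targets. For a security scanner that is a silent drift, since a toolchain mismatch can make the Go autobuild fail or analyze code compiled differently from a release. Consider pinning to the module instead, `go-version-file: go.mod`, or add a comment next to the step recording where `GO_VERSION` is expected to be set and that the scan is only meaningful when it matches the toolchain used for releases. The enclosing `steps:` list starts and ends outside the hunk.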
6
.github/workflows/goreleaser-orbit.yaml
6
.github/workflows/goreleaser-orbit.yaml
@ -66,7 +66,7 @@ jobs:
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
|
||||
with:
|
||||
name: orbit-macos
|
||||
path: dist
|
||||
path: dist/orbit-macos_darwin_all/orbit
|
||||
|
||||
goreleaser-linux:
|
||||
runs-on: ubuntu-20.04
|
||||
@ -94,7 +94,7 @@ jobs:
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
|
||||
with:
|
||||
name: orbit-linux
|
||||
path: dist
|
||||
path: dist/orbit_linux_amd64_v1/orbit
|
||||
|
||||
goreleaser-windows:
|
||||
runs-on: windows-2022
|
||||
@ -122,4 +122,4 @@ jobs:
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
|
||||
with:
|
||||
name: orbit-windows
|
||||
path: dist
|
||||
path: dist/orbit_windows_amd64_v1/orbit.exe
|
||||
|
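Review bot: The new `path:` values hard-code goreleaser's per-build output directories (`dist/orbit-macos_darwin_all/orbit`, `dist/orbit_linux_amd64_v1/orbit`, `dist/orbit_windows_amd64_v1/orbit.exe`), and nothing in the step fails if those paths stop matching; upload-artifact's default `if-no-files-found: warn` lets the job go green while publishing an empty `orbit-macos`/`orbit-linux`/`orbit-windows` artifact. Add `if-no-files-found: error` under each of the three `with:` blocks so a renamed output directory (the `_v1` suffix in particular is derived from goreleaser's build configuration) breaks the release job instead of silently shipping nothing. Narrowing from the whole `dist` directory to the bare binary also means any checksum or signature files goreleaser wrote alongside it are no longer part of the artifact, which is presumably intended but worth confirming with whoever consumes these artifacts downstream. Each affected step's `- name:` line is outside its hunk.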
58
CHANGELOG.md
58
CHANGELOG.md
@ -1,3 +1,61 @@
|
||||
## Fleet 4.45.0 (Feb 20, 2024)
|
||||
|
||||
### Changes
|
||||
|
||||
* **Endpoint operations**:
|
||||
- Added two new API endpoints for running provided live query SQL on a single host.
|
||||
- Added `fleetctl gitops` command for GitOps workflow synchronization.
|
||||
- Added capabilities to the `gitops` role to support reading queries/policies and writing scripts.
|
||||
- Updated policy names to be unique per team.
|
||||
- Updated fleetd-chrome to use the latest wa-sqlite v0.9.11.
|
||||
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag.
|
||||
- Added count of upcoming activities to host vitals UI.
|
||||
- Updated UI to include upcoming activity counts in host vitals.
|
||||
- Updated 405 response for `POST` requests on the root path to highlight misconfigured osquery instances.
|
||||
|
||||
* **Device management (MDM)**:
|
||||
- Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
|
||||
- Changed several MDM-related endpoints to be platform-agnostic.
|
||||
- Added script capabilities to UI for Linux hosts.
|
||||
- Added UI for locking and unlocking hosts managed by Fleet MDM.
|
||||
- Added `fleetctl mdm lock` and `fleetctl mdm unlock` commands.
|
||||
- Added validation to reject script enqueue requests for hosts without fleetd.
|
||||
- Added the `host_mdm_actions` DB table for MDM lock and wipe functionality.
|
||||
- Updated backend MDM migration flow and added logging.
|
||||
- Updated UI text for disk encryption to reflect cross-platform functionality.
|
||||
- Renamed and updated fields in MDM configuration profiles for clarity.
|
||||
- Improved validation of Windows profiles to prevent delivery errors.
|
||||
- Improved Windows MDM profile error tooltip messages.
|
||||
- Fixed MDM unlock flow and updated lock/unlock functionality for Windows and Linux.
|
||||
- Fixed a bug that would cause OS Settings verification to fail with MySQL's `only_full_group_by` mode enabled.
|
||||
|
||||
* **Vulnerability management**:
|
||||
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response.
|
||||
- Fixed an issue where software from a Parallels VM would incorrectly appear as the host's software.
|
||||
- Implemented permission checks for software and software titles.
|
||||
- Fixed software title aggregation when triggering vulnerability scans.
|
||||
|
||||
### Bug fixes and improvements
|
||||
- Updated text and style across the app for consistency and clarity.
|
||||
- Improved UI for the view disk encryption key, host details activity card, and "Add hosts" modal.
|
||||
- Addressed a bug where updating the search field caused unwanted loss of focus.
|
||||
- Corrected alignment bugs on empty table states for software details.
|
||||
- Updated URL query parameters to reset when switching tabs.
|
||||
- Fixed device page showing invalid date for the last restarted.
|
||||
- Fixed visual display issues with chevron right icons on Chrome.
|
||||
- Fixed Windows vulnerabilities without exploit/severity from crashing the software page.
|
||||
- Fixed issues with checkboxes in hidden modals and long enroll secrets overlapping action buttons.
|
||||
- Fixed a bug with built-in platform labels.
|
||||
- Fixed enroll secret error messaging showing secret in cleartext.
|
||||
- Fixed various UI bugs including disk encryption key input icons, alignment issues, and dropdown menus.
|
||||
- Fixed dropdown behavior in administrative settings and software title/version tables.
|
||||
- Fixed various UI and style bugs, including issues with long OS names causing table render issues.
|
||||
- Fixed a bug where checkboxes within a hidden modal were not correctly hidden.
|
||||
- Fixed vulnerable software dropdown from switching back to all teams.
|
||||
- Fixed wall_time to report in milliseconds for consistency with other query performance stats.
|
||||
- Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
|
||||
- Fixed how errors are reported to APM to avoid duplicates and improve stack trace accuracy.
|
||||
|
||||
## Fleet 4.44.1 (Feb 13, 2024)
|
||||
|
||||
### Bug fixes
|
||||
|
@ -1,4 +1,4 @@
|
||||
FROM --platform=linux/amd64 golang:1.21.6-bullseye@sha256:fa52abd182d334cfcdffdcc934e21fcfbc71c3cde568e606193ae7db045b1b8d
|
||||
FROM --platform=linux/amd64 golang:1.21.7-bullseye@sha256:447afe790df28e0bc19d782a9f776a105ce3b8417cdd21f33affc4ed6d38f9d5
|
||||
LABEL maintainer="Fleet Developers"
|
||||
|
||||
RUN apt-get update && apt-get install -y \
|
||||
|
@ -48,8 +48,6 @@ You already have a lot of raw data to sift through in your data lake, especially
|
||||
|
||||
Fleet 4.26.0 reduces the number of calls you have to make to pull software data with the REST API. Each time a host has software added, updated, or deleted, a `host_software_updated_at` timestamp gets updated for that host. The `host_software_updated_at` timestamp is exposed through the API. This lets you send the latest software data to your data lake, so you can avoid drowning in outdated information.
|
||||
|
||||
<call-to-action preset="mdm-beta"></call-to-action>
|
||||
|
||||
## Fleet MDM
|
||||
**MDM features are not ready for production and are currently in development. These features are disabled by default.**
|
||||
|
||||
|
@ -21,8 +21,6 @@ In the UI an account administrator will see the following information:
|
||||
|
||||
If you pair this new login activity with the audit improvements from [release 4.26](https://fleetdm.com/releases/fleet-4.26.0) you can now set up an alert if multiple failed login attempts occur.
|
||||
|
||||
<call-to-action preset="premium-upgrade"></call-to-action>
|
||||
|
||||
## Better search filters on the ‘Select Targets’ screen in Fleet
|
||||
|
||||
**Available in Fleet Free and Fleet Premium**
|
||||
|
@ -32,8 +32,6 @@ Premium and Ultimate Fleet plans have the ability to import the CIS benchmarks i
|
||||
|
||||
For more information on adding CIS Benchmarks, check out the [documentation here](https://fleetdm.com/docs/using-fleet/cis-benchmarks#how-to-add-cis-benchmarks).
|
||||
|
||||
<call-to-action preset="premium-upgrade"></call-to-action>
|
||||
|
||||
## Reduced false negatives from MS Office products related to vulnerabilities reported in the NVD
|
||||
|
||||
A false negative occurs when a policy reports there is not a vulnerability, but there actually is a vulnerability. Even if a policy reports zero vulnerabilities, that does not imply there are no vulnerabilities present. Both of these types of errors can cause problems when trying to identify vulnerabilities that need attention.
|
||||
@ -69,8 +67,6 @@ For more information on enabling this functionality, check out the [documentati
|
||||
* Enabled installation and auto-updates of Nudge via Orbit.
|
||||
* Added support for providing macos\_settings.custom\_settings profiles for team (with Fleet Premium) and no-team levels via fleetctl apply.
|
||||
|
||||
<call-to-action preset="mdm-beta"></call-to-action>
|
||||
|
||||
#### List of other features
|
||||
|
||||
* Added --policies-team flag to fleetctl apply to easily import a group of policies into a team.
|
||||
|
@ -27,8 +27,6 @@ Users created via JIT provisioning can be assigned Fleet roles using SAML custom
|
||||
|
||||
Learn more about [JIT user role setting](https://fleetdm.com/docs/deploying/configuration#just-in-time-jit-user-provisioning).
|
||||
|
||||
<call-to-action preset="premium-upgrade"></call-to-action>
|
||||
|
||||
## CIS benchmarks manual intervention
|
||||
|
||||
_Available in Fleet Premium and Fleet Ultimate_
|
||||
@ -65,8 +63,6 @@ Fleet updated translation rules to provide better 🟢 Results and avoid false p
|
||||
* Added MDM profiles status filter to hosts endpoints.
|
||||
* Added indicators of aggregate host count for each possible status of MDM-enforced mac settings (hidden until 4.30.0).
|
||||
|
||||
<call-to-action preset="mdm-beta"></call-to-action>
|
||||
|
||||
#### List of other features
|
||||
|
||||
* As part of JIT provisioning, read user roles from SAML custom attributes.
|
||||
|
120
articles/fleet-4.45.0.md
Normal file
120
articles/fleet-4.45.0.md
Normal file
@ -0,0 +1,120 @@
|
||||
# Fleet 4.45.0 | Remote lock, Linux script library, osquery storage location.
|
||||
|
||||
![Fleet 4.45.0](../website/assets/images/articles/fleet-4.45.0-1600x900@2x.png)
|
||||
|
||||
Fleet 4.45.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.45.0) or continue reading to get the highlights.
|
||||
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
|
||||
|
||||
## Highlights
|
||||
|
||||
* Remote lock for macOS, Windows, and Linux
|
||||
* Linux script library
|
||||
* Customizable osquery data storage location
|
||||
|
||||
|
||||
### Remote lock for macOS, Windows, and Linux
|
||||
|
||||
Fleet expands its device management capabilities with remote lock functionalities for macOS, Windows, and Linux systems. This development allows administrators to enhance security protocols and respond swiftly to potential security breaches by either locking a device remotely. This feature is particularly crucial in scenarios involving lost or stolen devices or when a device is suspected to be compromised. By integrating these remote actions, Fleet empowers IT and security teams with robust tools to protect organizational data and maintain device security. This update aligns with Fleet's values of ownership and results, as it offers users more control over their device fleet while ensuring effective response measures are in place for critical security incidents.
|
||||
|
||||
|
||||
### Linux script library
|
||||
|
||||
A script library specifically designed for Linux hosts has been added. This complements Fleet's existing script execution functionalities and script libraries for macOS and Windows. The script library for Linux allows administrators to store, manage, and execute scripts efficiently using the Fleet UI or API, facilitating streamlined operations and maintenance tasks on Linux-based systems. This addition underscores Fleet's commitment to adaptability and inclusiveness, ensuring users can leverage the platform's full potential regardless of their operating system environment. By providing a dedicated script library for Linux, Fleet reinforces its dedication to delivering versatile and user-centric solutions that cater to the diverse needs of IT and security professionals.
|
||||
|
||||
|
||||
### Customizable osquery data storage location
|
||||
|
||||
Fleet introduces a new `--osquery-db` flag to the `fleetctl` package command, catering to a unique requirement for virtual machine (VM) environments. This feature allows users to specify or update the osquery database directory for `fleetd` at the time of packaging or through an environment variable. By enabling the customization of the osquery data storage location, users can direct `fleetd` to utilize directories with more available space, optimizing resource use in VM setups. This enhancement demonstrates Fleet's commitment to ownership by giving users greater control over their Fleet configuration and results and facilitating more efficient data management in resource-constrained environments.
|
||||
|
||||
|
||||
|
||||
## Changes
|
||||
|
||||
* **Endpoint operations**:
|
||||
- Added two new API endpoints for running provided live query SQL on a single host.
|
||||
- Added `fleetctl gitops` command for GitOps workflow synchronization.
|
||||
- Added capabilities to the `gitops` role to support reading queries/policies and writing scripts.
|
||||
- Updated policy names to be unique per team.
|
||||
- Updated fleetd-chrome to use the latest wa-sqlite v0.9.11.
|
||||
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag.
|
||||
- Added count of upcoming activities to host vitals UI.
|
||||
- Updated UI to include upcoming activity counts in host vitals.
|
||||
- Updated 405 response for `POST` requests on the root path to highlight misconfigured osquery instances.
|
||||
|
||||
* **Device management (MDM)**:
|
||||
- Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
|
||||
- Changed several MDM-related endpoints to be platform-agnostic.
|
||||
- Added script capabilities to UI for Linux hosts.
|
||||
- Added UI for locking and unlocking hosts managed by Fleet MDM.
|
||||
- Added `fleetctl mdm lock` and `fleetctl mdm unlock` commands.
|
||||
- Added validation to reject script enqueue requests for hosts without fleetd.
|
||||
- Added the `host_mdm_actions` DB table for MDM lock and wipe functionality.
|
||||
- Updated backend MDM migration flow and added logging.
|
||||
- Updated UI text for disk encryption to reflect cross-platform functionality.
|
||||
- Renamed and updated fields in MDM configuration profiles for clarity.
|
||||
- Improved validation of Windows profiles to prevent delivery errors.
|
||||
- Improved Windows MDM profile error tooltip messages.
|
||||
- Fixed MDM unlock flow and updated lock/unlock functionality for Windows and Linux.
|
||||
- Fixed a bug that would cause OS Settings verification to fail with MySQL's `only_full_group_by` mode enabled.
|
||||
|
||||
* **Vulnerability management**:
|
||||
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response.
|
||||
- Fixed an issue where software from a Parallels VM would incorrectly appear as the host's software.
|
||||
- Implemented permission checks for software and software titles.
|
||||
- Fixed software title aggregation when triggering vulnerability scans.
|
||||
|
||||
### Bug fixes and improvements
|
||||
- Updated text and style across the app for consistency and clarity.
|
||||
- Improved UI for the view disk encryption key, host details activity card, and "Add hosts" modal.
|
||||
- Addressed a bug where updating the search field caused unwanted loss of focus.
|
||||
- Corrected alignment bugs on empty table states for software details.
|
||||
- Updated URL query parameters to reset when switching tabs.
|
||||
- Fixed device page showing invalid date for the last restarted.
|
||||
- Fixed visual display issues with chevron right icons on Chrome.
|
||||
- Fixed Windows vulnerabilities without exploit/severity from crashing the software page.
|
||||
- Fixed issues with checkboxes in hidden modals and long enroll secrets overlapping action buttons.
|
||||
- Fixed a bug with built-in platform labels.
|
||||
- Fixed enroll secret error messaging showing secret in cleartext.
|
||||
- Fixed various UI bugs including disk encryption key input icons, alignment issues, and dropdown menus.
|
||||
- Fixed dropdown behavior in administrative settings and software title/version tables.
|
||||
- Fixed various UI and style bugs, including issues with long OS names causing table render issues.
|
||||
- Fixed a bug where checkboxes within a hidden modal were not correctly hidden.
|
||||
- Fixed vulnerable software dropdown from switching back to all teams.
|
||||
- Fixed wall_time to report in milliseconds for consistency with other query performance stats.
|
||||
- Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
|
||||
- Fixed how errors are reported to APM to avoid duplicates and improve stack trace accuracy.
|
||||
|
||||
## Fleet 4.44.1 (Feb 13, 2024)
|
||||
|
||||
### Bug fixes
|
||||
|
||||
* Fixed a bug where long enrollment secrets would overlap with the action buttons on top of them.
|
||||
* Fixed a bug that caused OS Settings to never be verified if the MySQL config of Fleet's database had 'only_full_group_by' mode enabled (enabled by default).
|
||||
* Ensured policy names are now unique per team, allowing different teams to have policies with the same name.
|
||||
* Fixed the visual display of chevron right icons on Chrome.
|
||||
* Renamed the 'mdm_windows_configuration_profiles' and 'mdm_apple_configuration_profiles' 'updated_at' field to 'uploaded_at' and removed the automatic setting of the value, setting it explicitly instead.
|
||||
* Fixed a small alignment bug in the setup flow.
|
||||
* Improved the validation of Windows profiles to prevent errors when delivering the profiles to the hosts. If you need to embed a nested XML structure (for example, for Wi-Fi profiles), you can either:
|
||||
- Escape the XML.
|
||||
- Use a wrapping `<![CDATA[ ... ]]>` element.
|
||||
* Fixed an issue where an inaccurate message was returned after running an asynchronous (queued) script.
|
||||
* Fixed URL query parameters to reset when switching tabs.
|
||||
* Fixed the vulnerable software dropdown from switching back to all teams.
|
||||
* Added fleetctl gitops command:
|
||||
- Synchronize Fleet configuration with the provided file. This command is intended to be used in a GitOps workflow.
|
||||
* Updated the response for 'GET /api/v1/fleet/hosts/:id/activities/upcoming' to include the count of all upcoming activities for the host.
|
||||
* Fixed an issue where software from a Parallels VM on a MacOS host would show up in Fleet as if it were the host's software.
|
||||
* Removed unnecessary nested database transactions in batch-setting of MDM profiles.
|
||||
* Added count of upcoming activities to host vitals UI.
|
||||
|
||||
|
||||
## Ready to upgrade?
|
||||
|
||||
Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.45.0.
|
||||
|
||||
<meta name="category" value="releases">
|
||||
<meta name="authorFullName" value="JD Strong">
|
||||
<meta name="authorGitHubUsername" value="spokanemac">
|
||||
<meta name="publishedOn" value="2024-02-21">
|
||||
<meta name="articleTitle" value="Fleet 4.45.0 | Remote lock, Linux script library, osquery storage location.">
|
||||
<meta name="articleImageUrl" value="../website/assets/images/articles/fleet-4.45.0-1600x900@2x.png">
|
@ -74,8 +74,6 @@ The final email with the above definition looks like this:
|
||||
|
||||
The Fleet API is very flexible, but with the addition of Tines, the options for data transformation are endless. In the above example, we easily connected to the Fleet API and transformed the data response with a single Tines Transform function, and allowed the end user to receive a customized report of vulnerable software on an individual host.
|
||||
|
||||
<call-to-action preset="premium-upgrade"></call-to-action>
|
||||
|
||||
<meta name="category" value="guides">
|
||||
<meta name="authorFullName" value="Dave Herder">
|
||||
<meta name="authorGitHubUsername" value="dherder">
|
||||
|
@ -1 +0,0 @@
|
||||
* Added tracking of Windows and Linux' scripts to lock or unlock the host, report the proper current and pending states.
|
@ -1,2 +0,0 @@
|
||||
Added fleetctl gitops command:
|
||||
- Synchronize Fleet configuration with provided file. This command is intended to be used in a GitOps workflow.
|
@ -1 +0,0 @@
|
||||
gitops role can now read queries/policies and write (but not execute) scripts
|
@ -1 +0,0 @@
|
||||
Policy names are now unique per team -- different teams can have policies with the same name.
|
@ -1 +0,0 @@
|
||||
- Updated backend MDM migration flow and added logging to aid in debugging migration errors.
|
@ -1 +0,0 @@
|
||||
* Fixed how errors are sent to APM (Elastic) to avoid duplicates, cover more errors in background tasks (cron and worker jobs) and fix the reported stack trace.
|
@ -1 +0,0 @@
|
||||
- Fixed UI issues where dropdown menus were not displaying correctly in the administrative settings page.
|
@ -1,9 +0,0 @@
|
||||
- Changed the following endpoints to be platform-agnostic. The old routes still work but are deprecated.
|
||||
- POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula
|
||||
- GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata
|
||||
- DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token
|
||||
- GET /mdm/apple/setup/eula/:token was replaced by GET /mdm/setup/eula/:token
|
||||
- POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap
|
||||
- GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata
|
||||
- DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id
|
||||
- GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary
|
@ -1 +0,0 @@
|
||||
- Added script capabilities to UI for Linux hosts.
|
1
changes/15332-scep-renew
Normal file
1
changes/15332-scep-renew
Normal file
@ -0,0 +1 @@
|
||||
* Automatically renew macOS identity certificates for devices 30 days prior to their expiration.
|
@ -1 +0,0 @@
|
||||
wall_time is now reported in milliseconds (as opposed to seconds), consistent with other query performance stats.
|
@ -1,2 +0,0 @@
|
||||
- Fixes issue where software from a Parallels VM on a MacOS host would show up in Fleet as if it
|
||||
were the host's software.
|
@ -1 +0,0 @@
|
||||
- Change verbiage around team members to users
|
1
changes/15923-page-descriptions-part-2
Normal file
1
changes/15923-page-descriptions-part-2
Normal file
@ -0,0 +1 @@
|
||||
- Update page descriptions
|
1
changes/15968-rename-team
Normal file
1
changes/15968-rename-team
Normal file
@ -0,0 +1 @@
|
||||
- UI Edit team more properly labeled as rename team
|
@ -1 +0,0 @@
|
||||
* Add `--osquery-db` flag to `fleetctl package` command to configure a custom directory for osquery's database (`fleetctl package --osquery-db=/path/to/osquery.db`).
|
1
changes/16025-empty-policy-state
Normal file
1
changes/16025-empty-policy-state
Normal file
@ -0,0 +1 @@
|
||||
- Update UI's empty policy states
|
1
changes/16029-account-page
Normal file
1
changes/16029-account-page
Normal file
@ -0,0 +1 @@
|
||||
- User settings/profile page officially renamed to account page
|
@ -1 +0,0 @@
|
||||
* Renamed the `mdm_windows_configuration_profiles` and `mdm_apple_configuration_profiles` `updated_at` field to `uploaded_at` and removed the automatic setting of the value, set explicity instead.
|
@ -1 +0,0 @@
|
||||
* Fix visual display of chevron right icons on Chrome
|
@ -1 +0,0 @@
|
||||
- Fix a bug where long enroll enroll secrets would overlap with the action buttons on top of them.
|
@ -1,5 +0,0 @@
|
||||
* Return 405 when receiving `POST` requests on the root path.
|
||||
WARNING:
|
||||
We found that misconfigured (empty `logger_tls_endpoint`) osquery instances were sending log results (`POST` requests) to the root path and Fleet was incorrectly returning HTTP 200 responses on such root path.
|
||||
This version will now return HTTP 405 (Method Not Allowed) when receiving `POST` requests on the root path so that this misconfiguration can be detected by administrators.
|
||||
If you deploy this version of Fleet and there's log traffic on the root path it could cause increased network usage on your infrastructure because osquery will retry sending the logs and these will accumulate (up to a limit configured by logger flags). Thus, before upgrading, make sure there's no osquery traffic (`POST` requests) to Fleet's root path.
|
@ -1 +0,0 @@
|
||||
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response
|
@ -1 +0,0 @@
|
||||
* Removed unnecessary nested database transactions in batch-setting of MDM profiles.
|
@ -1,5 +0,0 @@
|
||||
* Improved the validation of Windows profiles to prevent errors when the
|
||||
profiles are delivered to the hosts. If you need to embed a nested XML
|
||||
structure (for example for Wi-Fi profiles) you can either:
|
||||
- Escape the XML
|
||||
- Use a wrapping `<![CDATA[ ... ]]>` element
|
@ -1,2 +0,0 @@
|
||||
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag unless scripts are
|
||||
disabled in the server settings.
|
@ -1 +0,0 @@
|
||||
- Updates the copy in `fleetctl`'s output to reference `fleetd`.
|
@ -1,2 +0,0 @@
|
||||
- Adds the `fleetctl mdm` commands `lock` and `unlock`
|
||||
- Adds missing functionality for lock/unlock flows for Windows and Linux
|
@ -1 +0,0 @@
|
||||
- Adds the `host_mdm_actions` DB table to support MDM lock and wipe functionality.
|
@ -1 +0,0 @@
|
||||
Updated fleetd-chrome to use the latest wa-sqlite v0.9.11
|
1
changes/16394-fleetd-chrome-runtime-error-fix
Normal file
1
changes/16394-fleetd-chrome-runtime-error-fix
Normal file
@ -0,0 +1 @@
|
||||
In fleetd-chrome, fixed RuntimeError seen by some hosts.
|
@ -1,4 +0,0 @@
|
||||
* Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
|
||||
* Added a new column named "PAYLOAD" to the output of `fleetctl get mdm-command-results` with the request payload.
|
||||
* Replaced CmdID values in favor of the LocURI for messages for failed profiles.
|
||||
* Added a new comment over CmdID elements generated by Fleet in Windows profiles and commands to make evident that Fleet is in control of those values.
|
@ -1,2 +0,0 @@
|
||||
- Updated `GET /api/v1/fleet/hosts/:id/activities/upcoming` response to include the count of all
|
||||
upcoming activities for the host.
|
@ -1 +0,0 @@
|
||||
- Added count of upcoming activities to host vitals UI.
|
@ -1 +0,0 @@
|
||||
- Fixes issue where an inaccurate message was returned after running an async (queued) script.
|
@ -1 +0,0 @@
|
||||
fleetctl can now transfer hosts to No team like: fleetctl hosts transfer --team '' --hosts yourHost
|
4
changes/16480-fix-capturing-errors-in-sentry
Normal file
4
changes/16480-fix-capturing-errors-in-sentry
Normal file
@ -0,0 +1,4 @@
|
||||
* Fixed issues with how errors were captured in Sentry:
|
||||
- The stack trace is now more precise.
|
||||
- More error paths will now get captured in Sentry.
|
||||
- **NOTE: Many more entries could be generated in Sentry compared to earlier Fleet versions.** Sentry capacity should be planned accordingly.
|
1
changes/16506-page-descriptions
Normal file
1
changes/16506-page-descriptions
Normal file
@ -0,0 +1 @@
|
||||
- Update page description styling
|
@ -1 +0,0 @@
|
||||
Improved error message when creating a new user (via API or fleetctl) with a team that does not exist.
|
@ -1 +0,0 @@
|
||||
* Fix a small alignment bug in the setup flow
|
@ -1 +0,0 @@
|
||||
When attempting to set an enroll secret which already exists in DB, error message no longer contains the secret in cleartext.
|
2
changes/16648-windows-mdm-cmd-type
Normal file
2
changes/16648-windows-mdm-cmd-type
Normal file
@ -0,0 +1,2 @@
|
||||
- Fixes issue where the "Type" column was empty for Windows MDM profile commands when running
|
||||
`fleetctl get mdm-commands` and `fleetctl get mdm-command-results`.
|
@ -1 +0,0 @@
|
||||
- Updated UI text for disk encryption activities to reflect cross-platform functionality.
|
@ -1 +0,0 @@
|
||||
- Fixed built in platform labels bug
|
@ -1,2 +0,0 @@
|
||||
- Fix URL query params to reset when switching tabs
|
||||
- Fix vulnerable software dropdown from switching back to all teams
|
@ -1 +0,0 @@
|
||||
- Fix device page showing invalid date for last restarted
|
@ -1,2 +0,0 @@
|
||||
- Added validation to reject requests to enqueue scripts for hosts that do not have fleetd installed
|
||||
(i.e. plain osquery hosts).
|
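--- a/changes/16701-move-show-query-button
+++ b/changes/16701-move-show-query-button
@@ -0,0 +1 @@
+- Move show query button so it shows in report page even with no results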
@ -1 +0,0 @@
|
||||
- Fix title case to sentence case and a few other headers
|
@ -1,2 +0,0 @@
|
||||
- Fix a bug where updating the search field for the Software titles page caused an unwanted loss of
|
||||
focus from the search field on rerender.
|
@ -1 +0,0 @@
|
||||
- Fix windows vulnerabilities without exploit/severity from crashing the page when rendered
|
@ -1 +0,0 @@
|
||||
* Add two new API endpoints to run a live query SQL on one host: `POST /api/latest/fleet/hosts/identifier/{identifier}/query` and `POST /api/_version_/fleet/hosts/{id}/query`.
|
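--- a/changes/16820-loading-state-auto-enroll-ui
+++ b/changes/16820-loading-state-auto-enroll-ui
@@ -0,0 +1 @@
+- Fixed UI styling of loading state for automatic enrollment settings page.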
@ -1 +0,0 @@
|
||||
* Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
|
@ -1,2 +0,0 @@
|
||||
- Fix a style bug where the controls on the software title and versions table would wrap and bump into
|
||||
each other.
|
@ -1 +0,0 @@
|
||||
- Fix a bug where checkboxes within a hidden modal would not be hidden with the rest of the modal content.
|
@ -1 +0,0 @@
|
||||
- Fix a bug where long OS names caused the table to render outside its bounds with smaller viewports
|
@ -1,2 +0,0 @@
|
||||
* Fix alignment bugs on the Software > OS > details and Software > Versions > details empty table
|
||||
states.
|
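--- a/changes/17029-update-policy-count
+++ b/changes/17029-update-policy-count
@@ -0,0 +1 @@
+- Deleting a policy updates the policy count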
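--- a/changes/17048-updating-policy-name
+++ b/changes/17048-updating-policy-name
@@ -0,0 +1,2 @@
+Fixed bug where updating policy name can result with multiple policies with the same name in a team.
+- This bug was introduced in fleet v4.44.1. Any duplicate policy names in the same team will be renamed by adding a number to the end of the policy name.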
@ -1 +0,0 @@
|
||||
- add UI for locking and unlocking hosts managed by fleet mdm.
|
@ -1 +0,0 @@
|
||||
- Implemented permission checks for endpoints and UI routes related to software and software titles, restricting visibility to team-specific hosts.
|
@ -1 +0,0 @@
|
||||
- improve windows mdm profile error tooltip messages.
|
@ -1 +0,0 @@
|
||||
- fix UI bug for the view disk encryption key input icons
|
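--- a/changes/issue-16794-update-go-to-1.21.7
+++ b/changes/issue-16794-update-go-to-1.21.7
@@ -0,0 +1 @@
+- upgrade golang version to 1.21.7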
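--- a/changes/issue-16854-fix-software-version-and-os-loading
+++ b/changes/issue-16854-fix-software-version-and-os-loading
@@ -0,0 +1 @@
+- fix UI loading state for software versions and os for the inital request.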
@ -1 +0,0 @@
|
||||
- Adds authorization tests for the MDM lock and unlock features.
|
@ -1,2 +0,0 @@
|
||||
- Updates the MDM unlock flow to allow the PIN to unlock MacOS machines to be viewed as many times
|
||||
as needed.
|
@ -1 +0,0 @@
|
||||
- Updates the permissions docs to include permissions for lock/unlock/wipe actions on a host.
|
@ -1 +0,0 @@
|
||||
* Fixed a bug that would cause OS Settings to never get verified if the MySQL config of Fleet's database has `only_full_group_by` mode enabled (enabled by default).
|
@ -8,7 +8,7 @@ version: v6.0.2
|
||||
home: https://github.com/fleetdm/fleet
|
||||
sources:
|
||||
- https://github.com/fleetdm/fleet.git
|
||||
appVersion: v4.44.1
|
||||
appVersion: v4.45.0
|
||||
dependencies:
|
||||
- name: mysql
|
||||
condition: mysql.enabled
|
||||
|
@ -2,7 +2,7 @@
|
||||
# All settings related to how Fleet is deployed in Kubernetes
|
||||
hostName: fleet.localhost
|
||||
replicas: 3 # The number of Fleet instances to deploy
|
||||
imageTag: v4.44.1 # Version of Fleet to deploy
|
||||
imageTag: v4.45.0 # Version of Fleet to deploy
|
||||
podAnnotations: {} # Additional annotations to add to the Fleet pod
|
||||
serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
|
||||
resources:
|
||||
|
@ -32,7 +32,6 @@ import (
|
||||
"github.com/fleetdm/fleet/v4/server/vulnerabilities/utils"
|
||||
"github.com/fleetdm/fleet/v4/server/webhooks"
|
||||
"github.com/fleetdm/fleet/v4/server/worker"
|
||||
"github.com/getsentry/sentry-go"
|
||||
kitlog "github.com/go-kit/log"
|
||||
"github.com/go-kit/log/level"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
@ -41,7 +40,6 @@ import (
|
||||
|
||||
func errHandler(ctx context.Context, logger kitlog.Logger, msg string, err error) {
|
||||
level.Error(logger).Log("msg", msg, "err", err)
|
||||
sentry.CaptureException(err)
|
||||
ctxerr.Handle(ctx, err)
|
||||
}
|
||||
|
||||
@ -710,6 +708,7 @@ func newCleanupsAndAggregationSchedule(
|
||||
logger kitlog.Logger,
|
||||
enrollHostLimiter fleet.EnrollHostLimiter,
|
||||
config *config.FleetConfig,
|
||||
commander *apple_mdm.MDMAppleCommander,
|
||||
) (*schedule.Schedule, error) {
|
||||
const (
|
||||
name = string(fleet.CronCleanupsThenAggregation)
|
||||
@ -810,6 +809,12 @@ func newCleanupsAndAggregationSchedule(
|
||||
return verifyDiskEncryptionKeys(ctx, logger, ds, config)
|
||||
},
|
||||
),
|
||||
schedule.WithJob(
|
||||
"renew_scep_certificates",
|
||||
func(ctx context.Context) error {
|
||||
return service.RenewSCEPCertificates(ctx, logger, ds, config, commander)
|
||||
},
|
||||
),
|
||||
schedule.WithJob("query_results_cleanup", func(ctx context.Context) error {
|
||||
config, err := ds.AppConfig(ctx)
|
||||
if err != nil {
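Review bot: The new `renew_scep_certificates` job hands `commander` straight to `service.RenewSCEPCertificates` with no nil check, and the caller in the serve.go hunk further down constructs the commander only when `appCfg.MDM.EnabledAndConfigured` is true, so on deployments without Apple MDM this job runs every cycle with a nil commander. Whether `RenewSCEPCertificates` tolerates nil is not visible from this hunk; if it does, say so at the job site with `// commander is nil when Apple MDM is not configured; RenewSCEPCertificates handles that`, otherwise short-circuit with `if commander == nil { return nil }` before the call. The body of newCleanupsAndAggregationSchedule continues outside the hunk.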
|
||||
|
@ -46,6 +46,7 @@ import (
|
||||
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push"
|
||||
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push/buford"
|
||||
nanomdm_pushsvc "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push/service"
|
||||
scep_depot "github.com/fleetdm/fleet/v4/server/mdm/scep/depot"
|
||||
"github.com/fleetdm/fleet/v4/server/pubsub"
|
||||
"github.com/fleetdm/fleet/v4/server/service"
|
||||
"github.com/fleetdm/fleet/v4/server/service/async"
|
||||
@ -57,7 +58,6 @@ import (
|
||||
"github.com/go-kit/kit/log/level"
|
||||
kitprometheus "github.com/go-kit/kit/metrics/prometheus"
|
||||
"github.com/go-kit/log"
|
||||
scep_depot "github.com/micromdm/scep/v2/depot"
|
||||
"github.com/ngrok/sqlmw"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||
@ -681,7 +681,11 @@ the way that the Fleet server works.
|
||||
}()
|
||||
|
||||
if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
|
||||
return newCleanupsAndAggregationSchedule(ctx, instanceID, ds, logger, redisWrapperDS, &config)
|
||||
var commander *apple_mdm.MDMAppleCommander
|
||||
if appCfg.MDM.EnabledAndConfigured {
|
||||
commander = apple_mdm.NewMDMAppleCommander(mdmStorage, mdmPushService)
|
||||
}
|
||||
return newCleanupsAndAggregationSchedule(ctx, instanceID, ds, logger, redisWrapperDS, &config, commander)
|
||||
}); err != nil {
|
||||
initFatal(err, "failed to register cleanups_then_aggregations schedule")
|
||||
}
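Review bot: `commander` is decided once from `appCfg.MDM.EnabledAndConfigured` inside the schedule-factory closure, so if Apple MDM is turned on or off after the server starts, the SCEP renewal job keeps the startup decision until a restart (assuming the factory runs once, which this hunk does not show). If that is acceptable, record it next to the declaration: `// Fixed at startup: toggling MDM at runtime takes effect on the next restart.`. Otherwise read the app config inside the job each run, as the `query_results_cleanup` job in cron.go already does via `ds.AppConfig(ctx)`.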
|
||||
|
@ -1510,10 +1510,14 @@ func getMDMCommandResultsCommand() *cli.Command {
|
||||
}
|
||||
formattedPayload = r.Payload
|
||||
}
|
||||
reqType := r.RequestType
|
||||
if len(reqType) == 0 {
|
||||
reqType = "InstallProfile"
|
||||
}
|
||||
data = append(data, []string{
|
||||
r.CommandUUID,
|
||||
r.UpdatedAt.Format(time.RFC3339),
|
||||
r.RequestType,
|
||||
reqType,
|
||||
r.Status,
|
||||
r.Hostname,
|
||||
string(formattedPayload),
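Review bot: The `reqType` fallback to `"InstallProfile"` here is duplicated verbatim in the `getMDMCommandsCommand` hunk below, and the two tables will drift the first time one of them is touched; a small helper such as `func displayRequestType(rt string) string` used by both would keep them aligned. The literal also encodes an undocumented rule — per the test fixture comment, commands Fleet generates for Windows profiles carry no request type — so a comment at the helper, `// Windows profile commands generated by Fleet have no request type; show them as InstallProfile.`, would stop a future reader from "fixing" an apparently empty field. Both enclosing functions start outside their hunks.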
|
||||
@ -1561,10 +1565,14 @@ func getMDMCommandsCommand() *cli.Command {
|
||||
// print the results as a table
|
||||
data := [][]string{}
|
||||
for _, r := range results {
|
||||
reqType := r.RequestType
|
||||
if len(reqType) == 0 {
|
||||
reqType = "InstallProfile"
|
||||
}
|
||||
data = append(data, []string{
|
||||
r.CommandUUID,
|
||||
r.UpdatedAt.Format(time.RFC3339),
|
||||
r.RequestType,
|
||||
reqType,
|
||||
r.Status,
|
||||
r.Hostname,
|
||||
})
|
||||
|
@ -2365,7 +2365,6 @@ func TestGetMDMCommandResults(t *testing.T) {
|
||||
CommandUUID: commandUUID,
|
||||
Status: "200",
|
||||
UpdatedAt: time.Date(2023, 4, 4, 15, 29, 0, 0, time.UTC),
|
||||
RequestType: "test",
|
||||
Payload: []byte(winPayloadXML),
|
||||
Result: []byte(winResultXML),
|
||||
},
|
||||
@ -2374,7 +2373,6 @@ func TestGetMDMCommandResults(t *testing.T) {
|
||||
CommandUUID: commandUUID,
|
||||
Status: "500",
|
||||
UpdatedAt: time.Date(2023, 4, 4, 15, 29, 0, 0, time.UTC),
|
||||
RequestType: "test",
|
||||
Payload: []byte(winPayloadXML),
|
||||
Result: []byte(winResultXML),
|
||||
},
|
||||
@ -2518,10 +2516,10 @@ func TestGetMDMCommandResults(t *testing.T) {
|
||||
})
|
||||
|
||||
t.Run("windows command results", func(t *testing.T) {
|
||||
expectedOutput := strings.TrimSpace(`+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
expectedOutput := strings.TrimSpace(`+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| ID | TIME | TYPE | STATUS | HOSTNAME | PAYLOAD | RESULTS |
|
||||
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| valid-cmd | 2023-04-04T15:29:00Z | test | 200 | host1 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
|
||||
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| valid-cmd | 2023-04-04T15:29:00Z | InstallProfile | 200 | host1 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
|
||||
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
|
||||
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
|
||||
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
|
||||
@ -2560,8 +2558,8 @@ func TestGetMDMCommandResults(t *testing.T) {
|
||||
| | | | | | | </SyncBody> |
|
||||
| | | | | | | </SyncML> |
|
||||
| | | | | | | |
|
||||
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| valid-cmd | 2023-04-04T15:29:00Z | test | 500 | host2 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
|
||||
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| valid-cmd | 2023-04-04T15:29:00Z | InstallProfile | 500 | host2 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
|
||||
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
|
||||
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
|
||||
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
|
||||
@ -2600,7 +2598,7 @@ func TestGetMDMCommandResults(t *testing.T) {
|
||||
| | | | | | | </SyncBody> |
|
||||
| | | | | | | </SyncML> |
|
||||
| | | | | | | |
|
||||
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
`)
|
||||
|
||||
platform = "windows"
|
||||
@ -2644,6 +2642,14 @@ func TestGetMDMCommands(t *testing.T) {
|
||||
Status: "200",
|
||||
Hostname: "host2",
|
||||
},
|
||||
// This represents a command generated by fleet as part of a Windows profile
|
||||
{
|
||||
HostUUID: "h2",
|
||||
CommandUUID: "u3",
|
||||
UpdatedAt: time.Date(2023, 4, 11, 9, 5, 0, 0, time.UTC),
|
||||
Status: "200",
|
||||
Hostname: "host2",
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
@ -2669,6 +2675,8 @@ func TestGetMDMCommands(t *testing.T) {
|
||||
+----+----------------------+---------------------------------------+--------------+----------+
|
||||
| u2 | 2023-04-11T09:05:00Z | ./Device/Vendor/MSFT/Reboot/RebootNow | 200 | host2 |
|
||||
+----+----------------------+---------------------------------------+--------------+----------+
|
||||
| u3 | 2023-04-11T09:05:00Z | InstallProfile | 200 | host2 |
|
||||
+----+----------------------+---------------------------------------+--------------+----------+
|
||||
`))
|
||||
}
|
||||
|
||||
|
@ -629,6 +629,7 @@ func (a *agent) runOrbitLoop() {
|
||||
HardwareSerial: a.SerialNumber,
|
||||
Hostname: a.CachedString("hostname"),
|
||||
},
|
||||
nil,
|
||||
)
|
||||
if err != nil {
|
||||
log.Println("creating orbit client: ", err)
|
||||
|
@ -1,4 +1,4 @@
|
||||
apiVersion: apps/v1beta2
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: fleet-webserver
|
||||
@ -20,10 +20,10 @@ spec:
|
||||
secretName: fleet-tls
|
||||
containers:
|
||||
- name: fleet-webserver
|
||||
image: fleetdm/fleet:4.0.1
|
||||
image: fleetdm/fleet:v4.43.3
|
||||
command: ["fleet", "serve"]
|
||||
ports:
|
||||
- containerPort: 443
|
||||
- containerPort: 8443
|
||||
volumeMounts:
|
||||
- name: fleet-tls
|
||||
mountPath: "/secrets/fleet-tls"
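Review bot: The example pins `image: fleetdm/fleet:v4.43.3` while the Helm chart hunks earlier in this same commit move `appVersion` and `imageTag` to `v4.45.0`, so the two documented deployment paths now advertise different releases; if the k8s example is meant to track the current release, use `image: fleetdm/fleet:v4.45.0` here and in the `prepare db` job hunk below. The move from 443 to 8443 is applied consistently across `containerPort`, `FLEET_SERVER_ADDRESS` and the service `targetPort`; since the listener no longer needs a privileged port, the pod could also be given a non-root `securityContext`, which is the usual motivation for this change.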
|
||||
@ -37,14 +37,14 @@ spec:
|
||||
name: fleet-database-mysql
|
||||
key: mysql-password
|
||||
- name: FLEET_REDIS_ADDRESS
|
||||
value: fleet-cache-redis:6379
|
||||
value: fleet-cache-redis-master:6379
|
||||
- name: FLEET_REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: fleet-cache-redis
|
||||
key: redis-password
|
||||
- name: FLEET_SERVER_ADDRESS
|
||||
value: "0.0.0.0:443"
|
||||
value: "0.0.0.0:8443"
|
||||
- name: FLEET_SERVER_CERT
|
||||
value: "/secrets/fleet-tls/tls.crt"
|
||||
- name: FLEET_SERVER_KEY
|
||||
|
@ -9,7 +9,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: fleet
|
||||
image: fleetdm/fleet:4.0.1
|
||||
image: fleetdm/fleet:v4.43.3
|
||||
command: ["fleet", "prepare", "db"]
|
||||
env:
|
||||
- name: FLEET_MYSQL_ADDRESS
|
||||
|
@ -9,7 +9,7 @@ spec:
|
||||
ports:
|
||||
- name: proxy-tls
|
||||
port: 443
|
||||
targetPort: 443
|
||||
targetPort: 8443
|
||||
protocol: TCP
|
||||
- name: proxy-http
|
||||
port: 80
|
||||
|
@ -1825,6 +1825,8 @@ None.
|
||||
- [Get host's scripts](#get-hosts-scripts)
|
||||
- [Get hosts report in CSV](#get-hosts-report-in-csv)
|
||||
- [Get host's disk encryption key](#get-hosts-disk-encryption-key)
|
||||
- [Lock host](#lock-host)
|
||||
- [Unlock host](#unlock-host)
|
||||
- [Get host's past activity](#get-hosts-past-activity)
|
||||
- [Get host's upcoming activity](#get-hosts-upcoming-activity)
|
||||
- [Live query one host (ad-hoc)](#live-query-one-host-ad-hoc)
|
||||
@ -2019,7 +2021,9 @@ If `after` is being used with `created_at` or `updated_at`, the table must be sp
|
||||
"encryption_key_available": false,
|
||||
"enrollment_status": null,
|
||||
"name": "",
|
||||
"server_url": null
|
||||
"server_url": null,
|
||||
"device_status": "unlocked",
|
||||
"pending_action": ""
|
||||
},
|
||||
"software": [
|
||||
{
|
||||
@ -2451,6 +2455,8 @@ Returns the information of the specified host.
|
||||
"enrollment_status": null,
|
||||
"name": "",
|
||||
"server_url": null,
|
||||
"device_status": "unlocked",
|
||||
"pending_action": "",
|
||||
"macos_settings": {
|
||||
"disk_encryption": null,
|
||||
"action_required": null
|
||||
@ -2660,6 +2666,8 @@ Returns the information of the host specified using the `uuid`, `hardware_serial
|
||||
"enrollment_status": null,
|
||||
"name": "",
|
||||
"server_url": null,
|
||||
"device_status": "unlocked",
|
||||
"pending_action": "lock",
|
||||
"macos_settings": {
|
||||
"disk_encryption": null,
|
||||
"action_required": null
|
||||
@ -3758,6 +3766,67 @@ Retrieves a list of the configuration profiles assigned to a host.
|
||||
}
|
||||
```
|
||||
|
||||
### Lock host
|
||||
|
||||
_Available in Fleet Premium_
|
||||
|
||||
Sends a command to lock the specified macOS, Linux, or Windows host. The host is locked once it comes online.
|
||||
|
||||
To lock a macOS host, the host must have MDM turned on. To lock a Windows or Linux host, the host must have [scripts enabled](https://fleetdm.com/docs/using-fleet/scripts).
|
||||
|
||||
|
||||
`POST /api/v1/fleet/hosts/:id/lock`
|
||||
|
||||
#### Parameters
|
||||
|
||||
| Name | Type | In | Description |
|
||||
| ---------- | ----------------- | ---- | ----------------------------------------------------------------------------- |
|
||||
| id | integer | path | **Required**. ID of the host to be locked. |
|
||||
|
||||
#### Example
|
||||
|
||||
`POST /api/v1/fleet/hosts/123/lock`
|
||||
|
||||
##### Default response
|
||||
|
||||
`Status: 204`
|
||||
|
||||
### Unlock host
|
||||
|
||||
_Available in Fleet Premium_
|
||||
|
||||
Sends a command to unlock the specified Windows or Linux host, or retrieves the unlock PIN for a macOS host.
|
||||
|
||||
To unlock a Windows or Linux host, the host must have [scripts enabled](https://fleetdm.com/docs/using-fleet/scripts).
|
||||
|
||||
`POST /api/v1/fleet/hosts/:id/unlock`
|
||||
|
||||
#### Parameters
|
||||
|
||||
| Name | Type | In | Description |
|
||||
| ---------- | ----------------- | ---- | ----------------------------------------------------------------------------- |
|
||||
| id | integer | path | **Required**. ID of the host to be unlocked. |
|
||||
|
||||
#### Example
|
||||
|
||||
`POST /api/v1/fleet/hosts/:id/unlock`
|
||||
|
||||
##### Default response (Windows or Linux hosts)
|
||||
|
||||
`Status: 204`
|
||||
|
||||
##### Default response (macOS hosts)
|
||||
|
||||
`Status: 200`
|
||||
|
||||
```json
|
||||
{
|
||||
"host_id": 8,
|
||||
"unlock_pin": "123456"
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Get host's past activity
|
||||
|
||||
`GET /api/v1/fleet/hosts/:id/activites/past`
|
||||
@ -4874,7 +4943,8 @@ This endpoint returns the results for a specific custom MDM command.
|
||||
"updated_at": "2023-04-04:00:00Z",
|
||||
"request_type": "ProfileList",
|
||||
"hostname": "mycomputer",
|
||||
"result": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI-CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KICAgIDxrZXk-Q29tbWFuZDwva2V5PgogICAgPGRpY3Q-CiAgICAgICAgPGtleT5NYW5hZ2VkT25seTwva2V5PgogICAgICAgIDxmYWxzZS8-CiAgICAgICAgPGtleT5SZXF1ZXN0VHlwZTwva2V5PgogICAgICAgIDxzdHJpbmc-UHJvZmlsZUxpc3Q8L3N0cmluZz4KICAgIDwvZGljdD4KICAgIDxrZXk-Q29tbWFuZFVVSUQ8L2tleT4KICAgIDxzdHJpbmc-MDAwMV9Qcm9maWxlTGlzdDwvc3RyaW5nPgo8L2RpY3Q-CjwvcGxpc3Q-"
|
||||
"payload": "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",
|
||||
"result": "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"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -1,7 +1,5 @@
|
||||
# Scripts
|
||||
|
||||
_Available in Fleet Premium_
|
||||
|
||||
In Fleet you can execute a custom script to remediate an issue on your macOS, Windows, and Linux hosts.
|
||||
|
||||
Shell scripts are supported on macOS and Linux. All scripts will run in the host's (root) default shell (`/bin/sh`). Other interpreters are not supported yet.
|
||||
@ -34,9 +32,7 @@ Fleet UI:
|
||||
|
||||
3. On your target host's host details page, select the **Scripts** tab and select **Actions** to run the script.
|
||||
|
||||
> Currently, you can only run scripts on macOS and Windows hosts in the Fleet UI. To run a script on a Linux host, use the Fleet API or fleetctl CLI.
|
||||
|
||||
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script)
|
||||
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script]
|
||||
|
||||
fleetctl CLI:
|
||||
|
||||
|
4
ee/fleetd-chrome/package-lock.json
generated
4
ee/fleetd-chrome/package-lock.json
generated
@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "fleetd-for-chrome",
|
||||
"version": "1.1.3",
|
||||
"version": "1.2.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "fleetd-for-chrome",
|
||||
"version": "1.1.3",
|
||||
"version": "1.2.0",
|
||||
"dependencies": {
|
||||
"dotenv": "^16.0.3",
|
||||
"wa-sqlite": "github:rhashimoto/wa-sqlite#v0.9.11"
|
||||
|
@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "fleetd-for-chrome",
|
||||
"description": "Extension for Fleetd on ChromeOS",
|
||||
"version": "1.1.3",
|
||||
"version": "1.2.0",
|
||||
"dependencies": {
|
||||
"dotenv": "^16.0.3",
|
||||
"wa-sqlite": "github:rhashimoto/wa-sqlite#v0.9.11"
|
||||
|
@ -14,7 +14,6 @@ const CONCAT_CHROME_WARNINGS = (warnings: ChromeWarning[]): string => {
|
||||
class cursorState {
|
||||
rowIndex: number;
|
||||
rows: Record<string, string>[];
|
||||
error: any;
|
||||
}
|
||||
|
||||
interface ChromeWarning {
|
||||
@ -121,10 +120,10 @@ export default abstract class Table implements SQLiteModule {
|
||||
}
|
||||
cursorState.rows = tableDataReturned.data;
|
||||
} catch (err) {
|
||||
// Throwing here doesn't seem to work as expected in testing (the error doesn't seem to be
|
||||
// thrown in a way that it can be caught appropriately), so instead we save the error and
|
||||
// throw in xEof.
|
||||
cursorState.error = err;
|
||||
// We cannot throw inside SQLITE function because it may cause the wasm stack to run out of memory.
|
||||
// See: https://github.com/rhashimoto/wa-sqlite/issues/156#issuecomment-1942477704
|
||||
console.warn("Error generating table data: %s", err);
|
||||
return SQLite.SQLITE_ERROR;
|
||||
}
|
||||
return SQLite.SQLITE_OK;
|
||||
});
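Review bot: The catch now writes `err` to the console and returns `SQLITE_ERROR`, so the reason a virtual table failed no longer reaches whoever issued the query (previously it was rethrown from `xEof`, as the hunk below shows). If wa-sqlite gives no way to attach a message to the error code, the console line should at least identify the failing table — it currently prints only the error, and with several tables backing one query that is hard to attribute; include the table's name in the `console.warn` if the class exposes one (not visible in this hunk). The enclosing `xFilter` callback starts outside the hunk.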
|
||||
@ -133,6 +132,9 @@ export default abstract class Table implements SQLiteModule {
|
||||
xNext(pCursor: number): number {
|
||||
// Advance the row index for the cursor.
|
||||
const cursorState = this.cursorStates.get(pCursor);
|
||||
if (!cursorState || !cursorState.rows) {
|
||||
return SQLite.SQLITE_ERROR;
|
||||
}
|
||||
cursorState.rowIndex += 1;
|
||||
return SQLite.SQLITE_OK;
|
||||
}
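Review bot: `xNext` answers a cursor with no `rows` with `SQLITE_ERROR`, while the `xEof` hunk just below answers the same state with `1` (EOF), so the two methods disagree about what a failed `xFilter` means. In the virtual-table protocol SQLite typically asks `xEof` before stepping, which would make the `xNext` branch unreachable in practice, but that reads as an accident rather than a design. Either make both return EOF-consistent values or state the intent with `// Defensive: xEof already reports EOF for a cursor whose xFilter failed.`.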
|
||||
@ -140,10 +142,8 @@ export default abstract class Table implements SQLiteModule {
|
||||
xEof(pCursor: number): number {
|
||||
// Check whether we've returned all rows (cursor index is beyond number of rows).
|
||||
const cursorState = this.cursorStates.get(pCursor);
|
||||
// Throw any error saved in the cursor state (because throwing in xFilter doesn't seem to work
|
||||
// correctly with async code).
|
||||
if (cursorState.error) {
|
||||
throw cursorState.error;
|
||||
if (!cursorState || !cursorState.rows) {
|
||||
return 1;
|
||||
}
|
||||
return Number(cursorState.rowIndex >= cursorState.rows.length);
|
||||
}
|
||||
|
@ -5,6 +5,18 @@ export default class TableNetworkInterfaces extends Table {
|
||||
columns = ["mac", "ipv4", "ipv6"];
|
||||
|
||||
async generate() {
|
||||
if (!chrome.enterprise) {
|
||||
return {
|
||||
data: [],
|
||||
warnings: [
|
||||
{
|
||||
column: "mac",
|
||||
error_message: "chrome.enterprise API is not available for network details",
|
||||
},
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
// @ts-expect-error @types/chrome doesn't yet have the getNetworkDetails Promise API.
|
||||
const networkDetails = (await chrome.enterprise.networkingAttributes.getNetworkDetails()) as chrome.enterprise.networkingAttributes.NetworkDetails;
|
||||
const ipv4 = networkDetails.ipv4;
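Review bot: The guard checks only `chrome.enterprise`, but the call two lines later dereferences `chrome.enterprise.networkingAttributes`; if that sub-namespace can be absent while `chrome.enterprise` exists (the hunk does not show what the runtime guarantees), the same TypeError this guard is meant to avoid still surfaces, and the only sign is the console warning from `xFilter`. Widening the check to `if (!chrome.enterprise?.networkingAttributes) {` covers both cases at no cost, and the `error_message` could then name the API that is missing. The warning is attached to `column: "mac"` although all three columns are empty; a short comment saying that is the convention would help. `generate()` continues past the hunk.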
|
||||
|
@ -1,6 +1,6 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
|
||||
<app appid='bfleegjcoffelppfmadimianphbcdjkb'>
|
||||
<updatecheck codebase='https://chrome-beta.fleetdm.com/fleetd.crx' version='1.1.3' />
|
||||
<updatecheck codebase='https://chrome-beta.fleetdm.com/fleetd.crx' version='1.2.0' />
|
||||
</app>
|
||||
</gupdate>
|
@ -1,6 +1,6 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
|
||||
<app appid='fleeedmmihkfkeemmipgmhhjemlljidg'>
|
||||
<updatecheck codebase='https://chrome.fleetdm.com/fleetd.crx' version='1.1.3' />
|
||||
<updatecheck codebase='https://chrome.fleetdm.com/fleetd.crx' version='1.2.0' />
|
||||
</app>
|
||||
</gupdate>
|
@ -25,7 +25,7 @@ const EmailTokenRedirect = ({
|
||||
if (currentUser && token) {
|
||||
try {
|
||||
await usersAPI.confirmEmailChange(currentUser, token);
|
||||
router.push(PATHS.USER_SETTINGS);
|
||||
router.push(PATHS.ACCOUNT);
|
||||
renderFlash("success", "Email updated successfully!");
|
||||
} catch (error) {
|
||||
console.log(error);
|
||||
|