empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 00:45:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into 15919-vulnerabilities-page

Browse Source
This commit is contained in:
Victor Lyuboslavsky 2024-02-22 16:24:11 -06:00
parent f5f0797083
commit 9e83339f3d
No known key found for this signature in database
566 changed files with 9368 additions and 34550 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.github/ISSUE_TEMPLATE/story.md vendored
View File

@ -19,11 +19,21 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
| I want to _________________________________________
| so that I can _________________________________________.
## Context
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
- Product designer: _________________________ <!-- Who is the product designer to contact if folks have questions about the UI, CLI, or API changes? -->
<!--
What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change? (Optional.)
1.
2.
-->
## Changes
### Product
- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
- [ ] CLI usage changes: TODO <!-- Specify what changes to the CLI usage are required. Remove this checkbox if there are no changes to the CLI. -->
- [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
- [ ] REST API changes: TODO <!-- Specify what changes to the API are required. Remove this checkbox if there are no changes necessary. The product manager may move this item to the engineering list below if they decide that engineering will design the API changes. -->
- [ ] Permissions changes: TODO <!-- Specify what changes to the permissions are required. Remove this checkbox if there are no changes necessary. -->
- [ ] Outdated documentation changes: TODO <!-- Specify required documentation changes (public-facing fleetdm.com/docs or contributors) & redirects to add to /website/config/routes.js. -->
@ -35,14 +45,6 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
>  Please read this issue carefully and understand it. Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
## Context
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
<!--
What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change? (Optional.)
1.
2.
-->
## QA
### Risk assessment

5
.github/workflows/codeql-analysis.yml vendored
View File

@ -48,6 +48,11 @@ jobs:
- name: Checkout repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38

6
.github/workflows/goreleaser-orbit.yaml vendored
View File

@ -66,7 +66,7 @@ jobs:
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-macos
path: dist
path: dist/orbit-macos_darwin_all/orbit
goreleaser-linux:
runs-on: ubuntu-20.04
@ -94,7 +94,7 @@ jobs:
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-linux
path: dist
path: dist/orbit_linux_amd64_v1/orbit
goreleaser-windows:
runs-on: windows-2022
@ -122,4 +122,4 @@ jobs:
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-windows
path: dist
path: dist/orbit_windows_amd64_v1/orbit.exe

58
CHANGELOG.md
View File

@ -1,3 +1,61 @@
## Fleet 4.45.0 (Feb 20, 2024)
### Changes
* **Endpoint operations**:
- Added two new API endpoints for running provided live query SQL on a single host.
- Added `fleetctl gitops` command for GitOps workflow synchronization.
- Added capabilities to the `gitops` role to support reading queries/policies and writing scripts.
- Updated policy names to be unique per team.
- Updated fleetd-chrome to use the latest wa-sqlite v0.9.11.
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag.
- Added count of upcoming activities to host vitals UI.
- Updated UI to include upcoming activity counts in host vitals.
- Updated 405 response for `POST` requests on the root path to highlight misconfigured osquery instances.
* **Device management (MDM)**:
- Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
- Changed several MDM-related endpoints to be platform-agnostic.
- Added script capabilities to UI for Linux hosts.
- Added UI for locking and unlocking hosts managed by Fleet MDM.
- Added `fleetctl mdm lock` and `fleetctl mdm unlock` commands.
- Added validation to reject script enqueue requests for hosts without fleetd.
- Added the `host_mdm_actions` DB table for MDM lock and wipe functionality.
- Updated backend MDM migration flow and added logging.
- Updated UI text for disk encryption to reflect cross-platform functionality.
- Renamed and updated fields in MDM configuration profiles for clarity.
- Improved validation of Windows profiles to prevent delivery errors.
- Improved Windows MDM profile error tooltip messages.
- Fixed MDM unlock flow and updated lock/unlock functionality for Windows and Linux.
- Fixed a bug that would cause OS Settings verification to fail with MySQL's `only_full_group_by` mode enabled.
* **Vulnerability management**:
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response.
- Fixed an issue where software from a Parallels VM would incorrectly appear as the host's software.
- Implemented permission checks for software and software titles.
- Fixed software title aggregation when triggering vulnerability scans.
### Bug fixes and improvements
- Updated text and style across the app for consistency and clarity.
- Improved UI for the view disk encryption key, host details activity card, and "Add hosts" modal.
- Addressed a bug where updating the search field caused unwanted loss of focus.
- Corrected alignment bugs on empty table states for software details.
- Updated URL query parameters to reset when switching tabs.
- Fixed device page showing invalid date for the last restarted.
- Fixed visual display issues with chevron right icons on Chrome.
- Fixed Windows vulnerabilities without exploit/severity from crashing the software page.
- Fixed issues with checkboxes in hidden modals and long enroll secrets overlapping action buttons.
- Fixed a bug with built-in platform labels.
- Fixed enroll secret error messaging showing secret in cleartext.
- Fixed various UI bugs including disk encryption key input icons, alignment issues, and dropdown menus.
- Fixed dropdown behavior in administrative settings and software title/version tables.
- Fixed various UI and style bugs, including issues with long OS names causing table render issues.
- Fixed a bug where checkboxes within a hidden modal were not correctly hidden.
- Fixed vulnerable software dropdown from switching back to all teams.
- Fixed wall_time to report in milliseconds for consistency with other query performance stats.
- Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
- Fixed how errors are reported to APM to avoid duplicates and improve stack trace accuracy.
## Fleet 4.44.1 (Feb 13, 2024)
### Bug fixes

2
Dockerfile-desktop-linux
View File

@ -1,4 +1,4 @@
FROM --platform=linux/amd64 golang:1.21.6-bullseye@sha256:fa52abd182d334cfcdffdcc934e21fcfbc71c3cde568e606193ae7db045b1b8d
FROM --platform=linux/amd64 golang:1.21.7-bullseye@sha256:447afe790df28e0bc19d782a9f776a105ce3b8417cdd21f33affc4ed6d38f9d5
LABEL maintainer="Fleet Developers"
RUN apt-get update && apt-get install -y \

2
articles/fleet-4.26.0.md
View File

@ -48,8 +48,6 @@ You already have a lot of raw data to sift through in your data lake, especially
Fleet 4.26.0 reduces the number of calls you have to make to pull software data with the REST API. Each time a host has software added, updated, or deleted, a `host_software_updated_at` timestamp gets updated for that host. The `host_software_updated_at` timestamp is exposed through the API. This lets you send the latest software data to your data lake, so you can avoid drowning in outdated information.
<call-to-action preset="mdm-beta"></call-to-action>
## Fleet MDM
**MDM features are not ready for production and are currently in development. These features are disabled by default.**

2
articles/fleet-4.27.0.md
View File

@ -21,8 +21,6 @@ In the UI an account administrator will see the following information:
If you pair this new login activity with the audit improvements from [release 4.26](https://fleetdm.com/releases/fleet-4.26.0) you can now set up an alert if multiple failed login attempts occur.
<call-to-action preset="premium-upgrade"></call-to-action>
## Better search filters on the Select Targets screen in Fleet
**Available in Fleet Free and Fleet Premium**

4
articles/fleet-4.28.0.md
View File

@ -32,8 +32,6 @@ Premium and Ultimate Fleet plans have the ability to import the CIS benchmarks i
For more information on adding CIS Benchmarks, check out the [documentation here](https://fleetdm.com/docs/using-fleet/cis-benchmarks#how-to-add-cis-benchmarks).
<call-to-action preset="premium-upgrade"></call-to-action>
## Reduced false negatives from MS Office products related to vulnerabilities reported in the NVD
A false negative occurs when a policy reports there is not a vulnerability, but there actually is a vulnerability. Even if a policy reports zero vulnerabilities, that does not imply there are no vulnerabilities present. Both of these types of errors can cause problems when trying to identify vulnerabilities that need attention.
@ -69,8 +67,6 @@ For more information on enabling this functionality, check out the [documentati
* Enabled installation and auto-updates of Nudge via Orbit.
* Added support for providing macos\_settings.custom\_settings profiles for team (with Fleet Premium) and no-team levels via fleetctl apply.
<call-to-action preset="mdm-beta"></call-to-action>
#### List of other features
* Added --policies-team flag to fleetctl apply to easily import a group of policies into a team.

4
articles/fleet-4.29.0.md
View File

@ -27,8 +27,6 @@ Users created via JIT provisioning can be assigned Fleet roles using SAML custom
Learn more about [JIT user role setting](https://fleetdm.com/docs/deploying/configuration#just-in-time-jit-user-provisioning).
<call-to-action preset="premium-upgrade"></call-to-action>
## CIS benchmarks manual intervention
_Available in Fleet Premium and Fleet Ultimate_
@ -65,8 +63,6 @@ Fleet updated translation rules to provide better 🟢 Results and avoid false p
* Added MDM profiles status filter to hosts endpoints.
* Added indicators of aggregate host count for each possible status of MDM-enforced mac settings (hidden until 4.30.0).
<call-to-action preset="mdm-beta"></call-to-action>
#### List of other features
* As part of JIT provisioning, read user roles from SAML custom attributes.

120
articles/fleet-4.45.0.md Normal file
View File

@ -0,0 +1,120 @@
# Fleet 4.45.0 | Remote lock, Linux script library, osquery storage location.
![Fleet 4.45.0](../website/assets/images/articles/fleet-4.45.0-1600x900@2x.png)
Fleet 4.45.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.45.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
## Highlights
* Remote lock for macOS, Windows, and Linux
* Linux script library
* Customizable osquery data storage location
### Remote lock for macOS, Windows, and Linux
Fleet expands its device management capabilities with remote lock functionalities for macOS, Windows, and Linux systems. This development allows administrators to enhance security protocols and respond swiftly to potential security breaches by either locking a device remotely. This feature is particularly crucial in scenarios involving lost or stolen devices or when a device is suspected to be compromised. By integrating these remote actions, Fleet empowers IT and security teams with robust tools to protect organizational data and maintain device security. This update aligns with Fleet's values of ownership and results, as it offers users more control over their device fleet while ensuring effective response measures are in place for critical security incidents.
### Linux script library
A script library specifically designed for Linux hosts has been added. This complements Fleet's existing script execution functionalities and script libraries for macOS and Windows. The script library for Linux allows administrators to store, manage, and execute scripts efficiently using the Fleet UI or API, facilitating streamlined operations and maintenance tasks on Linux-based systems. This addition underscores Fleet's commitment to adaptability and inclusiveness, ensuring users can leverage the platform's full potential regardless of their operating system environment. By providing a dedicated script library for Linux, Fleet reinforces its dedication to delivering versatile and user-centric solutions that cater to the diverse needs of IT and security professionals.
### Customizable osquery data storage location
Fleet introduces a new `--osquery-db` flag to the `fleetctl` package command, catering to a unique requirement for virtual machine (VM) environments. This feature allows users to specify or update the osquery database directory for `fleetd` at the time of packaging or through an environment variable. By enabling the customization of the osquery data storage location, users can direct `fleetd` to utilize directories with more available space, optimizing resource use in VM setups. This enhancement demonstrates Fleet's commitment to ownership by giving users greater control over their Fleet configuration and results and facilitating more efficient data management in resource-constrained environments.
## Changes
* **Endpoint operations**:
- Added two new API endpoints for running provided live query SQL on a single host.
- Added `fleetctl gitops` command for GitOps workflow synchronization.
- Added capabilities to the `gitops` role to support reading queries/policies and writing scripts.
- Updated policy names to be unique per team.
- Updated fleetd-chrome to use the latest wa-sqlite v0.9.11.
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag.
- Added count of upcoming activities to host vitals UI.
- Updated UI to include upcoming activity counts in host vitals.
- Updated 405 response for `POST` requests on the root path to highlight misconfigured osquery instances.
* **Device management (MDM)**:
- Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
- Changed several MDM-related endpoints to be platform-agnostic.
- Added script capabilities to UI for Linux hosts.
- Added UI for locking and unlocking hosts managed by Fleet MDM.
- Added `fleetctl mdm lock` and `fleetctl mdm unlock` commands.
- Added validation to reject script enqueue requests for hosts without fleetd.
- Added the `host_mdm_actions` DB table for MDM lock and wipe functionality.
- Updated backend MDM migration flow and added logging.
- Updated UI text for disk encryption to reflect cross-platform functionality.
- Renamed and updated fields in MDM configuration profiles for clarity.
- Improved validation of Windows profiles to prevent delivery errors.
- Improved Windows MDM profile error tooltip messages.
- Fixed MDM unlock flow and updated lock/unlock functionality for Windows and Linux.
- Fixed a bug that would cause OS Settings verification to fail with MySQL's `only_full_group_by` mode enabled.
* **Vulnerability management**:
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response.
- Fixed an issue where software from a Parallels VM would incorrectly appear as the host's software.
- Implemented permission checks for software and software titles.
- Fixed software title aggregation when triggering vulnerability scans.
### Bug fixes and improvements
- Updated text and style across the app for consistency and clarity.
- Improved UI for the view disk encryption key, host details activity card, and "Add hosts" modal.
- Addressed a bug where updating the search field caused unwanted loss of focus.
- Corrected alignment bugs on empty table states for software details.
- Updated URL query parameters to reset when switching tabs.
- Fixed device page showing invalid date for the last restarted.
- Fixed visual display issues with chevron right icons on Chrome.
- Fixed Windows vulnerabilities without exploit/severity from crashing the software page.
- Fixed issues with checkboxes in hidden modals and long enroll secrets overlapping action buttons.
- Fixed a bug with built-in platform labels.
- Fixed enroll secret error messaging showing secret in cleartext.
- Fixed various UI bugs including disk encryption key input icons, alignment issues, and dropdown menus.
- Fixed dropdown behavior in administrative settings and software title/version tables.
- Fixed various UI and style bugs, including issues with long OS names causing table render issues.
- Fixed a bug where checkboxes within a hidden modal were not correctly hidden.
- Fixed vulnerable software dropdown from switching back to all teams.
- Fixed wall_time to report in milliseconds for consistency with other query performance stats.
- Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
- Fixed how errors are reported to APM to avoid duplicates and improve stack trace accuracy.
## Fleet 4.44.1 (Feb 13, 2024)
### Bug fixes
* Fixed a bug where long enrollment secrets would overlap with the action buttons on top of them.
* Fixed a bug that caused OS Settings to never be verified if the MySQL config of Fleet's database had 'only_full_group_by' mode enabled (enabled by default).
* Ensured policy names are now unique per team, allowing different teams to have policies with the same name.
* Fixed the visual display of chevron right icons on Chrome.
* Renamed the 'mdm_windows_configuration_profiles' and 'mdm_apple_configuration_profiles' 'updated_at' field to 'uploaded_at' and removed the automatic setting of the value, setting it explicitly instead.
* Fixed a small alignment bug in the setup flow.
* Improved the validation of Windows profiles to prevent errors when delivering the profiles to the hosts. If you need to embed a nested XML structure (for example, for Wi-Fi profiles), you can either:
- Escape the XML.
- Use a wrapping `<![CDATA[ ... ]]>` element.
* Fixed an issue where an inaccurate message was returned after running an asynchronous (queued) script.
* Fixed URL query parameters to reset when switching tabs.
* Fixed the vulnerable software dropdown from switching back to all teams.
* Added fleetctl gitops command:
- Synchronize Fleet configuration with the provided file. This command is intended to be used in a GitOps workflow.
* Updated the response for 'GET /api/v1/fleet/hosts/:id/activities/upcoming' to include the count of all upcoming activities for the host.
* Fixed an issue where software from a Parallels VM on a MacOS host would show up in Fleet as if it were the host's software.
* Removed unnecessary nested database transactions in batch-setting of MDM profiles.
* Added count of upcoming activities to host vitals UI.
## Ready to upgrade?
Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.45.0.
<meta name="category" value="releases">
<meta name="authorFullName" value="JD Strong">
<meta name="authorGitHubUsername" value="spokanemac">
<meta name="publishedOn" value="2024-02-21">
<meta name="articleTitle" value="Fleet 4.45.0 | Remote lock, Linux script library, osquery storage location.">
<meta name="articleImageUrl" value="../website/assets/images/articles/fleet-4.45.0-1600x900@2x.png">

2
articles/using-fleet-and-tines-together.md
View File

@ -74,8 +74,6 @@ The final email with the above definition looks like this:
The Fleet API is very flexible, but with the addition of Tines, the options for data transformation are endless. In the above example, we easily connected to the Fleet API and transformed the data response with a single Tines Transform function, and allowed the end user to receive a customized report of vulnerable software on an individual host.
<call-to-action preset="premium-upgrade"></call-to-action>
<meta name="category" value="guides">
<meta name="authorFullName" value="Dave Herder">
<meta name="authorGitHubUsername" value="dherder">

1
changes/10476-lock-unlock-api-changes
View File

@ -1 +0,0 @@
* Added tracking of Windows and Linux' scripts to lock or unlock the host, report the proper current and pending states.

2
changes/13643-fleetctl-gitops
View File

@ -1,2 +0,0 @@
Added fleetctl gitops command:
- Synchronize Fleet configuration with provided file. This command is intended to be used in a GitOps workflow.

1
changes/13643-gitops-role
View File

@ -1 +0,0 @@
gitops role can now read queries/policies and write (but not execute) scripts

1
changes/13643-policy-name-uniqueness
View File

@ -1 +0,0 @@
Policy names are now unique per team -- different teams can have policies with the same name.

1
changes/14444-mdm-migration-debug
View File

@ -1 +0,0 @@
- Updated backend MDM migration flow and added logging to aid in debugging migration errors.

1
changes/14713-fix-apm-stacktrace-and-duplicates
View File

@ -1 +0,0 @@
* Fixed how errors are sent to APM (Elastic) to avoid duplicates, cover more errors in background tasks (cron and worker jobs) and fix the reported stack trace.

1
changes/14850-fix-ui-settings-action-dropdowns
View File

@ -1 +0,0 @@
- Fixed UI issues where dropdown menus were not displaying correctly in the administrative settings page.

9
changes/15082-make-endpoints-consistent
View File

@ -1,9 +0,0 @@
- Changed the following endpoints to be platform-agnostic. The old routes still work but are deprecated.
- POST /mdm/apple/setup/eula was replaced by POST /mdm/setup/eula
- GET /mdm/apple/setup/eula/metadata was replaced by GET /mdm/setup/eula/metadata
- DELETE /mdm/apple/setup/eula/:token was replaced by DELETE /mdm/setup/eula/:token
- GET /mdm/apple/setup/eula/:token was replaced by GET /mdm/setup/eula/:token
- POST /mdm/apple/bootstrap was replaced by POST /mdm/bootstrap
- GET /mdm/apple/bootstrap/:team_id/metadata was replaced by GET /mdm/bootstrap/:team_id/metadata
- DELETE /mdm/apple/bootstrap/:team_id was replaced by DELETE /mdm/bootstrap/:team_id
- GET /mdm/apple/bootstrap/summary was replaced by GET /mdm/bootstrap/summary

1
changes/15283-linux-scripts
View File

@ -1 +0,0 @@
- Added script capabilities to UI for Linux hosts.

1
changes/15332-scep-renew Normal file
View File

@ -0,0 +1 @@
* Automatically renew macOS identity certificates for devices 30 days prior to their expiration.

1
changes/15703-wall_time
View File

@ -1 +0,0 @@
wall_time is now reported in milliseconds (as opposed to seconds), consistent with other query performance stats.

2
changes/15855-vm-software
View File

@ -1,2 +0,0 @@
- Fixes issue where software from a Parallels VM on a MacOS host would show up in Fleet as if it
were the host's software.

1
changes/15893-team-users
View File

@ -1 +0,0 @@
- Change verbiage around team members to users

1
changes/15923-page-descriptions-part-2 Normal file
View File

@ -0,0 +1 @@
- Update page descriptions

1
changes/15968-rename-team Normal file
View File

@ -0,0 +1 @@
- UI Edit team more properly labeled as rename team

1
changes/16014-add-osquery-db-flag-to-fleetd
View File

@ -1 +0,0 @@
* Add `--osquery-db` flag to `fleetctl package` command to configure a custom directory for osquery's database (`fleetctl package --osquery-db=/path/to/osquery.db`).

1
changes/16025-empty-policy-state Normal file
View File

@ -0,0 +1 @@
- Update UI's empty policy states

1
changes/16029-account-page Normal file
View File

@ -0,0 +1 @@
- User settings/profile page officially renamed to account page

1
changes/16051-rename-update-timestamp-mdm-profiles
View File

@ -1 +0,0 @@
* Renamed the `mdm_windows_configuration_profiles` and `mdm_apple_configuration_profiles` `updated_at` field to `uploaded_at` and removed the automatic setting of the value, set explicity instead.

1
changes/16133-icons
View File

@ -1 +0,0 @@
* Fix visual display of chevron right icons on Chrome

1
changes/16155-enroll-secret-bug
View File

@ -1 +0,0 @@
- Fix a bug where long enroll enroll secrets would overlap with the action buttons on top of them.

5
changes/16182-fail-post-to-root
View File

@ -1,5 +0,0 @@
* Return 405 when receiving `POST` requests on the root path.
WARNING:
We found that misconfigured (empty `logger_tls_endpoint`) osquery instances were sending log results (`POST` requests) to the root path and Fleet was incorrectly returning HTTP 200 responses on such root path.
This version will now return HTTP 405 (Method Not Allowed) when receiving `POST` requests on the root path so that this misconfiguration can be detected by administrators.
If you deploy this version of Fleet and there's log traffic on the root path it could cause increased network usage on your infrastructure because osquery will retry sending the logs and these will accumulate (up to a limit configured by logger flags). Thus, before upgrading, make sure there's no osquery traffic (`POST` requests) to Fleet's root path.

1
changes/16232-resolved-in-version-windows
View File

@ -1 +0,0 @@
- Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response

1
changes/16273-remove-nested-transactions
View File

@ -1 +0,0 @@
* Removed unnecessary nested database transactions in batch-setting of MDM profiles.

5
changes/16316-windows-xml-validation
View File

@ -1,5 +0,0 @@
* Improved the validation of Windows profiles to prevent errors when the
profiles are delivered to the hosts. If you need to embed a nested XML
structure (for example for Wi-Fi profiles) you can either:
- Escape the XML
- Use a wrapping `<![CDATA[ ... ]]>` element

2
changes/16381-add-hosts-modal-enable-scripts
View File

@ -1,2 +0,0 @@
- Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag unless scripts are
disabled in the server settings.

1
changes/16382-fleetctl-copy
View File

@ -1 +0,0 @@
- Updates the copy in `fleetctl`'s output to reference `fleetd`.

2
changes/16383-lock-cli
View File

@ -1,2 +0,0 @@
- Adds the `fleetctl mdm` commands `lock` and `unlock`
- Adds missing functionality for lock/unlock flows for Windows and Linux

1
changes/16386-host-lock-schema
View File

@ -1 +0,0 @@
- Adds the `host_mdm_actions` DB table to support MDM lock and wipe functionality.

1
changes/16394-fleetd-chrome-runtime-error
View File

@ -1 +0,0 @@
Updated fleetd-chrome to use the latest wa-sqlite v0.9.11

1
changes/16394-fleetd-chrome-runtime-error-fix Normal file
View File

@ -0,0 +1 @@
In fleetd-chrome, fixed RuntimeError seen by some hosts.

4
changes/16416-cmd-debugging
View File

@ -1,4 +0,0 @@
* Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
* Added a new column named "PAYLOAD" to the output of `fleetctl get mdm-command-results` with the request payload.
* Replaced CmdID values in favor of the LocURI for messages for failed profiles.
* Added a new comment over CmdID elements generated by Fleet in Windows profiles and commands to make evident that Fleet is in control of those values.

2
changes/16426-add-upcoming-activity-count
View File

@ -1,2 +0,0 @@
- Updated `GET /api/v1/fleet/hosts/:id/activities/upcoming` response to include the count of all
upcoming activities for the host.

1
changes/16426-host-upcoming-activities-count-ui
View File

@ -1 +0,0 @@
- Added count of upcoming activities to host vitals UI.

1
changes/16431-scripts-result-message
View File

@ -1 +0,0 @@
- Fixes issue where an inaccurate message was returned after running an async (queued) script.

1
changes/16466-transfer-hosts-to-No-team
View File

@ -1 +0,0 @@
fleetctl can now transfer hosts to No team like: fleetctl hosts transfer --team '' --hosts yourHost

4
changes/16480-fix-capturing-errors-in-sentry Normal file
View File

@ -0,0 +1,4 @@
* Fixed issues with how errors were captured in Sentry:
- The stack trace is now more precise.
- More error paths will now get captured in Sentry.
- **NOTE: Many more entries could be generated in Sentry compared to earlier Fleet versions.** Sentry capacity should be planned accordingly.

1
changes/16506-page-descriptions Normal file
View File

@ -0,0 +1 @@
- Update page description styling

1
changes/16541-create-user-with-bad-team
View File

@ -1 +0,0 @@
Improved error message when creating a new user (via API or fleetctl) with a team that does not exist.

1
changes/16569-setup-flow-alignment
View File

@ -1 +0,0 @@
* Fix a small alignment bug in the setup flow

1
changes/16621-obfuscate-enroll-secret
View File

@ -1 +0,0 @@
When attempting to set an enroll secret which already exists in DB, error message no longer contains the secret in cleartext.

2
changes/16648-windows-mdm-cmd-type Normal file
View File

@ -0,0 +1,2 @@
- Fixes issue where the "Type" column was empty for Windows MDM profile commands when running
`fleetctl get mdm-commands` and `fleetctl get mdm-command-results`.

1
changes/16649-ui-activity-disk-encryption
View File

@ -1 +0,0 @@
- Updated UI text for disk encryption activities to reflect cross-platform functionality.

1
changes/16669-fix-hardcoded-label-bug
View File

@ -1 +0,0 @@
- Fixed built in platform labels bug

2
changes/16672-software-url-states-bug
View File

@ -1,2 +0,0 @@
- Fix URL query params to reset when switching tabs
- Fix vulnerable software dropdown from switching back to all teams

1
changes/16681-device-last-restarted-bug
View File

@ -1 +0,0 @@
- Fix device page showing invalid date for last restarted

2
changes/16700-scripts-disabled-osquery-only
View File

@ -1,2 +0,0 @@
- Added validation to reject requests to enqueue scripts for hosts that do not have fleetd installed
(i.e. plain osquery hosts).

1
changes/16701-move-show-query-button Normal file
View File

@ -0,0 +1 @@
- Move show query button so it shows in report page even with no results

1
changes/16724-capitalization-fixes
View File

@ -1 +0,0 @@
- Fix title case to sentence case and a few other headers

2
changes/16752-blur-on-software-search
View File

@ -1,2 +0,0 @@
- Fix a bug where updating the search field for the Software titles page caused an unwanted loss of
focus from the search field on rerender.

1
changes/16765-windows-software-vuln-crash
View File

@ -1 +0,0 @@
- Fix windows vulnerabilities without exploit/severity from crashing the page when rendered

1
changes/16805-new-live-query-on-host-endpoint
View File

@ -1 +0,0 @@
* Add two new API endpoints to run a live query SQL on one host: `POST /api/latest/fleet/hosts/identifier/{identifier}/query` and `POST /api/_version_/fleet/hosts/{id}/query`.

1
changes/16820-loading-state-auto-enroll-ui Normal file
View File

@ -0,0 +1 @@
- Fixed UI styling of loading state for automatic enrollment settings page.

1
changes/16856-fix-duplicate-activities-lock-unlock-scripts
View File

@ -1 +0,0 @@
* Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.

2
changes/16910-sw-table-breakpoint
View File

@ -1,2 +0,0 @@
- Fix a style bug where the controls on the software title and versions table would wrap and bump into
each other.

1
changes/16912-hide–modal-checkboxes
View File

@ -1 +0,0 @@
- Fix a bug where checkboxes within a hidden modal would not be hidden with the rest of the modal content.

1
changes/16941-sw-os-table-overflows
View File

@ -1 +0,0 @@
- Fix a bug where long OS names caused the table to render outside its bounds with smaller viewports

2
changes/16942-empty-swversion-swos-details-tables
View File

@ -1,2 +0,0 @@
* Fix alignment bugs on the Software > OS > details and Software > Versions > details empty table
states.

1
changes/17029-update-policy-count Normal file
View File

@ -0,0 +1 @@
- Deleting a policy updates the policy count

2
changes/17048-updating-policy-name Normal file
View File

@ -0,0 +1,2 @@
Fixed bug where updating policy name can result with multiple policies with the same name in a team.
- This bug was introduced in fleet v4.44.1. Any duplicate policy names in the same team will be renamed by adding a number to the end of the policy name.

1
changes/issue-10477-ui-for-locking-unlocking
View File

@ -1 +0,0 @@
- add UI for locking and unlocking hosts managed by fleet mdm.

1
changes/issue-16052-add-permission-checks-to-software-titles
View File

@ -1 +0,0 @@
- Implemented permission checks for endpoints and UI routes related to software and software titles, restricting visibility to team-specific hosts.

1
changes/issue-16417-improve-windows-profile-error-tooltip
View File

@ -1 +0,0 @@
- improve windows mdm profile error tooltip messages.

1
changes/issue-16747-fix-disk-encryption-key-input
View File

@ -1 +0,0 @@
- fix UI bug for the view disk encryption key input icons

1
changes/issue-16794-update-go-to-1.21.7 Normal file
View File

@ -0,0 +1 @@
- upgrade golang version to 1.21.7

1
changes/issue-16854-fix-software-version-and-os-loading Normal file
View File

@ -0,0 +1 @@
- fix UI loading state for software versions and os for the inital request.

1
changes/jve-lock-host-auth
View File

@ -1 +0,0 @@
- Adds authorization tests for the MDM lock and unlock features.

2
changes/jve-macos-special-case
View File

@ -1,2 +0,0 @@
- Updates the MDM unlock flow to allow the PIN to unlock MacOS machines to be viewed as many times
as needed.

1
changes/lock-perms-docs
View File

@ -1 +0,0 @@
- Updates the permissions docs to include permissions for lock/unlock/wipe actions on a host.

1
changes/profiles-fix
View File

@ -1 +0,0 @@
* Fixed a bug that would cause OS Settings to never get verified if the MySQL config of Fleet's database has `only_full_group_by` mode enabled (enabled by default).

2
charts/fleet/Chart.yaml
View File

@ -8,7 +8,7 @@ version: v6.0.2
home: https://github.com/fleetdm/fleet
sources:
- https://github.com/fleetdm/fleet.git
appVersion: v4.44.1
appVersion: v4.45.0
dependencies:
- name: mysql
condition: mysql.enabled

2
charts/fleet/values.yaml
View File

@ -2,7 +2,7 @@
# All settings related to how Fleet is deployed in Kubernetes
hostName: fleet.localhost
replicas: 3 # The number of Fleet instances to deploy
imageTag: v4.44.1 # Version of Fleet to deploy
imageTag: v4.45.0 # Version of Fleet to deploy
podAnnotations: {} # Additional annotations to add to the Fleet pod
serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
resources:

9
cmd/fleet/cron.go
View File

@ -32,7 +32,6 @@ import (
"github.com/fleetdm/fleet/v4/server/vulnerabilities/utils"
"github.com/fleetdm/fleet/v4/server/webhooks"
"github.com/fleetdm/fleet/v4/server/worker"
"github.com/getsentry/sentry-go"
kitlog "github.com/go-kit/log"
"github.com/go-kit/log/level"
"github.com/hashicorp/go-multierror"
@ -41,7 +40,6 @@ import (
func errHandler(ctx context.Context, logger kitlog.Logger, msg string, err error) {
level.Error(logger).Log("msg", msg, "err", err)
sentry.CaptureException(err)
ctxerr.Handle(ctx, err)
}
@ -710,6 +708,7 @@ func newCleanupsAndAggregationSchedule(
logger kitlog.Logger,
enrollHostLimiter fleet.EnrollHostLimiter,
config *config.FleetConfig,
commander *apple_mdm.MDMAppleCommander,
) (*schedule.Schedule, error) {
const (
name = string(fleet.CronCleanupsThenAggregation)
@ -810,6 +809,12 @@ func newCleanupsAndAggregationSchedule(
return verifyDiskEncryptionKeys(ctx, logger, ds, config)
},
),
schedule.WithJob(
"renew_scep_certificates",
func(ctx context.Context) error {
return service.RenewSCEPCertificates(ctx, logger, ds, config, commander)
},
),
schedule.WithJob("query_results_cleanup", func(ctx context.Context) error {
config, err := ds.AppConfig(ctx)
if err != nil {

8
cmd/fleet/serve.go
View File

@ -46,6 +46,7 @@ import (
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push"
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push/buford"
nanomdm_pushsvc "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push/service"
scep_depot "github.com/fleetdm/fleet/v4/server/mdm/scep/depot"
"github.com/fleetdm/fleet/v4/server/pubsub"
"github.com/fleetdm/fleet/v4/server/service"
"github.com/fleetdm/fleet/v4/server/service/async"
@ -57,7 +58,6 @@ import (
"github.com/go-kit/kit/log/level"
kitprometheus "github.com/go-kit/kit/metrics/prometheus"
"github.com/go-kit/log"
scep_depot "github.com/micromdm/scep/v2/depot"
"github.com/ngrok/sqlmw"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
@ -681,7 +681,11 @@ the way that the Fleet server works.
}()
if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
return newCleanupsAndAggregationSchedule(ctx, instanceID, ds, logger, redisWrapperDS, &config)
var commander *apple_mdm.MDMAppleCommander
if appCfg.MDM.EnabledAndConfigured {
commander = apple_mdm.NewMDMAppleCommander(mdmStorage, mdmPushService)
}
return newCleanupsAndAggregationSchedule(ctx, instanceID, ds, logger, redisWrapperDS, &config, commander)
}); err != nil {
initFatal(err, "failed to register cleanups_then_aggregations schedule")
}

12
cmd/fleetctl/get.go
View File

@ -1510,10 +1510,14 @@ func getMDMCommandResultsCommand() *cli.Command {
}
formattedPayload = r.Payload
}
reqType := r.RequestType
if len(reqType) == 0 {
reqType = "InstallProfile"
}
data = append(data, []string{
r.CommandUUID,
r.UpdatedAt.Format(time.RFC3339),
r.RequestType,
reqType,
r.Status,
r.Hostname,
string(formattedPayload),
@ -1561,10 +1565,14 @@ func getMDMCommandsCommand() *cli.Command {
// print the results as a table
data := [][]string{}
for _, r := range results {
reqType := r.RequestType
if len(reqType) == 0 {
reqType = "InstallProfile"
}
data = append(data, []string{
r.CommandUUID,
r.UpdatedAt.Format(time.RFC3339),
r.RequestType,
reqType,
r.Status,
r.Hostname,
})

178
cmd/fleetctl/get_test.go
View File

@ -2365,7 +2365,6 @@ func TestGetMDMCommandResults(t *testing.T) {
CommandUUID: commandUUID,
Status: "200",
UpdatedAt: time.Date(2023, 4, 4, 15, 29, 0, 0, time.UTC),
RequestType: "test",
Payload: []byte(winPayloadXML),
Result: []byte(winResultXML),
},
@ -2374,7 +2373,6 @@ func TestGetMDMCommandResults(t *testing.T) {
CommandUUID: commandUUID,
Status: "500",
UpdatedAt: time.Date(2023, 4, 4, 15, 29, 0, 0, time.UTC),
RequestType: "test",
Payload: []byte(winPayloadXML),
Result: []byte(winResultXML),
},
@ -2518,89 +2516,89 @@ func TestGetMDMCommandResults(t *testing.T) {
})
t.Run("windows command results", func(t *testing.T) {
expectedOutput := strings.TrimSpace(`+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| ID | TIME | TYPE | STATUS | HOSTNAME | PAYLOAD | RESULTS |
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| valid-cmd | 2023-04-04T15:29:00Z | test | 200 | host1 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
| | | | | | <!-- CmdID generated by Fleet --> | <SessionID>48</SessionID> |
| | | | | | <CmdID>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdID> | <MsgID>2</MsgID> |
| | | | | | <Item> | <Target> |
| | | | | | <Target> | <LocURI>https://roperzh-fleet.ngrok.io/api/mdm/microsoft/management</LocURI> |
| | | | | | <LocURI>./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode</LocURI> | </Target> |
| | | | | | </Target> | <Source> |
| | | | | | <Meta> | <LocURI>1F28CCBDCE02AE44BD2AAC3C0B9AD4DE</LocURI> |
| | | | | | <Format xmlns="syncml:metinf">int</Format> | </Source> |
| | | | | | </Meta> | </SyncHdr> |
| | | | | | <Data>1</Data> | <SyncBody> |
| | | | | | </Item> | <Status> |
| | | | | | </Replace> | <CmdID>1</CmdID> |
| | | | | | </Atomic> | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>0</CmdRef> |
| | | | | | | <Cmd>SyncHdr</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>2</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdRef> |
| | | | | | | <Cmd>Atomic</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>3</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdRef> |
| | | | | | | <Cmd>Replace</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Final/> |
| | | | | | | </SyncBody> |
| | | | | | | </SyncML> |
| | | | | | | |
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| valid-cmd | 2023-04-04T15:29:00Z | test | 500 | host2 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
| | | | | | <!-- CmdID generated by Fleet --> | <SessionID>48</SessionID> |
| | | | | | <CmdID>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdID> | <MsgID>2</MsgID> |
| | | | | | <Item> | <Target> |
| | | | | | <Target> | <LocURI>https://roperzh-fleet.ngrok.io/api/mdm/microsoft/management</LocURI> |
| | | | | | <LocURI>./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode</LocURI> | </Target> |
| | | | | | </Target> | <Source> |
| | | | | | <Meta> | <LocURI>1F28CCBDCE02AE44BD2AAC3C0B9AD4DE</LocURI> |
| | | | | | <Format xmlns="syncml:metinf">int</Format> | </Source> |
| | | | | | </Meta> | </SyncHdr> |
| | | | | | <Data>1</Data> | <SyncBody> |
| | | | | | </Item> | <Status> |
| | | | | | </Replace> | <CmdID>1</CmdID> |
| | | | | | </Atomic> | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>0</CmdRef> |
| | | | | | | <Cmd>SyncHdr</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>2</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdRef> |
| | | | | | | <Cmd>Atomic</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>3</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdRef> |
| | | | | | | <Cmd>Replace</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Final/> |
| | | | | | | </SyncBody> |
| | | | | | | </SyncML> |
| | | | | | | |
+-----------+----------------------+------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
expectedOutput := strings.TrimSpace(`+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| ID | TIME | TYPE | STATUS | HOSTNAME | PAYLOAD | RESULTS |
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| valid-cmd | 2023-04-04T15:29:00Z | InstallProfile | 200 | host1 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
| | | | | | <!-- CmdID generated by Fleet --> | <SessionID>48</SessionID> |
| | | | | | <CmdID>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdID> | <MsgID>2</MsgID> |
| | | | | | <Item> | <Target> |
| | | | | | <Target> | <LocURI>https://roperzh-fleet.ngrok.io/api/mdm/microsoft/management</LocURI> |
| | | | | | <LocURI>./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode</LocURI> | </Target> |
| | | | | | </Target> | <Source> |
| | | | | | <Meta> | <LocURI>1F28CCBDCE02AE44BD2AAC3C0B9AD4DE</LocURI> |
| | | | | | <Format xmlns="syncml:metinf">int</Format> | </Source> |
| | | | | | </Meta> | </SyncHdr> |
| | | | | | <Data>1</Data> | <SyncBody> |
| | | | | | </Item> | <Status> |
| | | | | | </Replace> | <CmdID>1</CmdID> |
| | | | | | </Atomic> | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>0</CmdRef> |
| | | | | | | <Cmd>SyncHdr</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>2</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdRef> |
| | | | | | | <Cmd>Atomic</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>3</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdRef> |
| | | | | | | <Cmd>Replace</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Final/> |
| | | | | | | </SyncBody> |
| | | | | | | </SyncML> |
| | | | | | | |
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
| valid-cmd | 2023-04-04T15:29:00Z | InstallProfile | 500 | host2 | <Atomic> | <SyncML xmlns="SYNCML:SYNCML1.2"> |
| | | | | | <!-- CmdID generated by Fleet --> | <SyncHdr> |
| | | | | | <CmdID>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdID> | <VerDTD>1.2</VerDTD> |
| | | | | | <Replace> | <VerProto>DM/1.2</VerProto> |
| | | | | | <!-- CmdID generated by Fleet --> | <SessionID>48</SessionID> |
| | | | | | <CmdID>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdID> | <MsgID>2</MsgID> |
| | | | | | <Item> | <Target> |
| | | | | | <Target> | <LocURI>https://roperzh-fleet.ngrok.io/api/mdm/microsoft/management</LocURI> |
| | | | | | <LocURI>./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode</LocURI> | </Target> |
| | | | | | </Target> | <Source> |
| | | | | | <Meta> | <LocURI>1F28CCBDCE02AE44BD2AAC3C0B9AD4DE</LocURI> |
| | | | | | <Format xmlns="syncml:metinf">int</Format> | </Source> |
| | | | | | </Meta> | </SyncHdr> |
| | | | | | <Data>1</Data> | <SyncBody> |
| | | | | | </Item> | <Status> |
| | | | | | </Replace> | <CmdID>1</CmdID> |
| | | | | | </Atomic> | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>0</CmdRef> |
| | | | | | | <Cmd>SyncHdr</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>2</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>90dbfca8-d4ac-40c9-bf57-ba5b8cbf1ce0</CmdRef> |
| | | | | | | <Cmd>Atomic</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Status> |
| | | | | | | <CmdID>3</CmdID> |
| | | | | | | <MsgRef>1</MsgRef> |
| | | | | | | <CmdRef>81a141b2-5064-4dc3-a51a-128b8caa5438</CmdRef> |
| | | | | | | <Cmd>Replace</Cmd> |
| | | | | | | <Data>200</Data> |
| | | | | | | </Status> |
| | | | | | | <Final/> |
| | | | | | | </SyncBody> |
| | | | | | | </SyncML> |
| | | | | | | |
+-----------+----------------------+----------------+--------+----------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
`)
platform = "windows"
@ -2644,6 +2642,14 @@ func TestGetMDMCommands(t *testing.T) {
Status: "200",
Hostname: "host2",
},
// This represents a command generated by fleet as part of a Windows profile
{
HostUUID: "h2",
CommandUUID: "u3",
UpdatedAt: time.Date(2023, 4, 11, 9, 5, 0, 0, time.UTC),
Status: "200",
Hostname: "host2",
},
}, nil
}
@ -2669,6 +2675,8 @@ func TestGetMDMCommands(t *testing.T) {
+----+----------------------+---------------------------------------+--------------+----------+
| u2 | 2023-04-11T09:05:00Z | ./Device/Vendor/MSFT/Reboot/RebootNow | 200 | host2 |
+----+----------------------+---------------------------------------+--------------+----------+
| u3 | 2023-04-11T09:05:00Z | InstallProfile | 200 | host2 |
+----+----------------------+---------------------------------------+--------------+----------+
`))
}

1
cmd/osquery-perf/agent.go
View File

@ -629,6 +629,7 @@ func (a *agent) runOrbitLoop() {
HardwareSerial: a.SerialNumber,
Hostname: a.CachedString("hostname"),
},
nil,
)
if err != nil {
log.Println("creating orbit client: ", err)

10
docs/Configuration/configuration-files/kubernetes/fleet-deployment.yml
View File

@ -1,4 +1,4 @@
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: fleet-webserver
@ -20,10 +20,10 @@ spec:
secretName: fleet-tls
containers:
- name: fleet-webserver
image: fleetdm/fleet:4.0.1
image: fleetdm/fleet:v4.43.3
command: ["fleet", "serve"]
ports:
- containerPort: 443
- containerPort: 8443
volumeMounts:
- name: fleet-tls
mountPath: "/secrets/fleet-tls"
@ -37,14 +37,14 @@ spec:
name: fleet-database-mysql
key: mysql-password
- name: FLEET_REDIS_ADDRESS
value: fleet-cache-redis:6379
value: fleet-cache-redis-master:6379
- name: FLEET_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: fleet-cache-redis
key: redis-password
- name: FLEET_SERVER_ADDRESS
value: "0.0.0.0:443"
value: "0.0.0.0:8443"
- name: FLEET_SERVER_CERT
value: "/secrets/fleet-tls/tls.crt"
- name: FLEET_SERVER_KEY

2
docs/Configuration/configuration-files/kubernetes/fleet-migrations.yml
View File

@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: fleet
image: fleetdm/fleet:4.0.1
image: fleetdm/fleet:v4.43.3
command: ["fleet", "prepare", "db"]
env:
- name: FLEET_MYSQL_ADDRESS

2
docs/Configuration/configuration-files/kubernetes/fleet-service.yml
View File

@ -9,7 +9,7 @@ spec:
ports:
- name: proxy-tls
port: 443
targetPort: 443
targetPort: 8443
protocol: TCP
- name: proxy-http
port: 80

74
docs/REST API/rest-api.md
View File

@ -1825,6 +1825,8 @@ None.
- [Get host's scripts](#get-hosts-scripts)
- [Get hosts report in CSV](#get-hosts-report-in-csv)
- [Get host's disk encryption key](#get-hosts-disk-encryption-key)
- [Lock host](#lock-host)
- [Unlock host](#unlock-host)
- [Get host's past activity](#get-hosts-past-activity)
- [Get host's upcoming activity](#get-hosts-upcoming-activity)
- [Live query one host (ad-hoc)](#live-query-one-host-ad-hoc)
@ -2019,7 +2021,9 @@ If `after` is being used with `created_at` or `updated_at`, the table must be sp
"encryption_key_available": false,
"enrollment_status": null,
"name": "",
"server_url": null
"server_url": null,
"device_status": "unlocked",
"pending_action": ""
},
"software": [
{
@ -2451,6 +2455,8 @@ Returns the information of the specified host.
"enrollment_status": null,
"name": "",
"server_url": null,
"device_status": "unlocked",
"pending_action": "",
"macos_settings": {
"disk_encryption": null,
"action_required": null
@ -2660,6 +2666,8 @@ Returns the information of the host specified using the `uuid`, `hardware_serial
"enrollment_status": null,
"name": "",
"server_url": null,
"device_status": "unlocked",
"pending_action": "lock",
"macos_settings": {
"disk_encryption": null,
"action_required": null
@ -3758,6 +3766,67 @@ Retrieves a list of the configuration profiles assigned to a host.
}
```
### Lock host
_Available in Fleet Premium_
Sends a command to lock the specified macOS, Linux, or Windows host. The host is locked once it comes online.
To lock a macOS host, the host must have MDM turned on. To lock a Windows or Linux host, the host must have [scripts enabled](https://fleetdm.com/docs/using-fleet/scripts).
`POST /api/v1/fleet/hosts/:id/lock`
#### Parameters
| Name | Type | In | Description |
| ---------- | ----------------- | ---- | ----------------------------------------------------------------------------- |
| id | integer | path | **Required**. ID of the host to be locked. |
#### Example
`POST /api/v1/fleet/hosts/123/lock`
##### Default response
`Status: 204`
### Unlock host
_Available in Fleet Premium_
Sends a command to unlock the specified Windows or Linux host, or retrieves the unlock PIN for a macOS host.
To unlock a Windows or Linux host, the host must have [scripts enabled](https://fleetdm.com/docs/using-fleet/scripts).
`POST /api/v1/fleet/hosts/:id/unlock`
#### Parameters
| Name | Type | In | Description |
| ---------- | ----------------- | ---- | ----------------------------------------------------------------------------- |
| id | integer | path | **Required**. ID of the host to be unlocked. |
#### Example
`POST /api/v1/fleet/hosts/:id/unlock`
##### Default response (Windows or Linux hosts)
`Status: 204`
##### Default response (macOS hosts)
`Status: 200`
```json
{
"host_id": 8,
"unlock_pin": "123456"
}
```
### Get host's past activity
`GET /api/v1/fleet/hosts/:id/activites/past`
@ -4874,7 +4943,8 @@ This endpoint returns the results for a specific custom MDM command.
"updated_at": "2023-04-04:00:00Z",
"request_type": "ProfileList",
"hostname": "mycomputer",
"result": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI-CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KICAgIDxrZXk-Q29tbWFuZDwva2V5PgogICAgPGRpY3Q-CiAgICAgICAgPGtleT5NYW5hZ2VkT25seTwva2V5PgogICAgICAgIDxmYWxzZS8-CiAgICAgICAgPGtleT5SZXF1ZXN0VHlwZTwva2V5PgogICAgICAgIDxzdHJpbmc-UHJvZmlsZUxpc3Q8L3N0cmluZz4KICAgIDwvZGljdD4KICAgIDxrZXk-Q29tbWFuZFVVSUQ8L2tleT4KICAgIDxzdHJpbmc-MDAwMV9Qcm9maWxlTGlzdDwvc3RyaW5nPgo8L2RpY3Q-CjwvcGxpc3Q-"
"payload": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhRE9DVFlQRSBwbGlzdCBQVUJMSUMgIi0vL0FwcGxlLy9EVEQgUExJU1QgMS4wLy9FTiIgImh0dHA6Ly93d3cuYXBwbGUuY29tL0RURHMvUHJvcGVydHlMaXN0LTEuMC5kdGQiPg0KPHBsaXN0IHZlcnNpb249IjEuMCI+DQo8ZGljdD4NCg0KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+DQoJPHN0cmluZz5UaGlzIHByb2ZpbGUgY29uZmlndXJhdGlvbiBpcyBkZXNpZ25lZCB0byBhcHBseSB0aGUgQ0lTIEJlbmNobWFyayBmb3IgbWFjT1MgMTAuMTQgKHYyLjAuMCksIDEwLjE1ICh2Mi4wLjApLCAxMS4wICh2Mi4wLjApLCBhbmQgMTIuMCAodjEuMC4wKTwvc3RyaW5nPg0KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+DQoJPHN0cmluZz5EaXNhYmxlIEJsdWV0b290aCBzaGFyaW5nPC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkRW5hYmxlZDwva2V5Pg0KCTx0cnVlLz4NCgk8a2V5PlBheWxvYWRJZGVudGlmaWVyPC9rZXk+DQoJPHN0cmluZz5jaXMubWFjT1NCZW5jaG1hcmsuc2VjdGlvbjIuQmx1ZXRvb3RoU2hhcmluZzwvc3RyaW5nPg0KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+DQoJPHN0cmluZz5TeXN0ZW08L3N0cmluZz4NCgk8a2V5PlBheWxvYWRUeXBlPC9rZXk+DQoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkVVVJRDwva2V5Pg0KCTxzdHJpbmc+NUNFQkQ3MTItMjhFQi00MzJCLTg0QzctQUEyOEE1QTM4M0Q4PC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5Pg0KCTxpbnRlZ2VyPjE8L2ludGVnZXI+DQogICAgPGtleT5QYXlsb2FkUmVtb3ZhbERpc2FsbG93ZWQ8L2tleT4NCiAgICA8dHJ1ZS8+DQoJPGtleT5QYXlsb2FkQ29udGVudDwva2V5Pg0KCTxhcnJheT4NCgkJPGRpY3Q+DQoJCQk8a2V5PlBheWxvYWRDb250ZW50PC9rZXk+DQoJCQk8ZGljdD4NCgkJCQk8a2V5PmNvbS5hcHBsZS5CbHVldG9vdGg8L2tleT4NCgkJCQk8ZGljdD4NCgkJCQkJPGtleT5Gb3JjZWQ8L2tleT4NCgkJCQkJPGFycmF5Pg0KCQkJCQkJPGRpY3Q+DQoJCQkJCQkJPGtleT5tY3hfcHJlZmVyZW5jZV9zZXR0aW5nczwva2V5Pg0KCQkJCQkJCTxkaWN0Pg0KCQkJCQkJCQk8a2V5PlByZWZLZXlTZXJ2aWNlc0VuYWJsZWQ8L2tleT4NCgkJCQkJCQkJPGZhbHNlLz4NCgkJCQkJCQk8L2RpY3Q+DQoJCQkJCQk8L2RpY3Q+DQoJCQkJCTwvYXJyYXk+DQoJCQkJPC9kaWN0Pg0KCQkJPC9kaWN0Pg0KCQkJPGtleT5QYXlsb2FkRGVzY3JpcHRpb248L2tleT4NCgkJCTxzdHJpbmc+RGlzYWJsZXMgQmx1ZXRvb3RoIFNoYXJpbmc8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+DQoJCQk8c3RyaW5nPkN1c3RvbTwvc3RyaW5nPg0KCQkJPGtleT5QYXlsb2FkRW5hYmxlZDwva2V5Pg0KCQkJPHRydWUvPg0KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5Pg0KCQkJPHN0cmluZz4wMjQwREQxQy03MERDLTQ3NjYtOTAxOC0wNDMyMkJGRUVBRDE8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4NCgkJCTxzdHJpbmc+Y29tLmFwcGxlLk1hbmFnZWRDbGllbnQucHJlZmVyZW5jZXM8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZFVVSUQ8L2tleT4NCgkJCTxzdHJpbmc+MDI0MEREMUMtNzBEQy00NzY2LTkwMTgtMDQzMjJCRkVFQUQxPC9zdHJpbmc+DQoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+DQoJCQk8aW50ZWdlcj4xPC9pbnRlZ2VyPg0KCQk8L2RpY3Q+DQoJPC9hcnJheT4NCjwvZGljdD4NCjwvcGxpc3Q+",
"result": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhRE9DVFlQRSBwbGlzdCBQVUJMSUMgIi0vL0FwcGxlLy9EVEQgUExJU1QgMS4wLy9FTiIgImh0dHA6Ly93d3cuYXBwbGUuY29tL0RURHMvUHJvcGVydHlMaXN0LTEuMC5kdGQiPg0KPHBsaXN0IHZlcnNpb249IjEuMCI+DQo8ZGljdD4NCiAgICA8a2V5PkNvbW1hbmRVVUlEPC9rZXk+DQogICAgPHN0cmluZz4wMDAxX0luc3RhbGxQcm9maWxlPC9zdHJpbmc+DQogICAgPGtleT5TdGF0dXM8L2tleT4NCiAgICA8c3RyaW5nPkFja25vd2xlZGdlZDwvc3RyaW5nPg0KICAgIDxrZXk+VURJRDwva2V5Pg0KICAgIDxzdHJpbmc+MDAwMDgwMjAtMDAwOTE1MDgzQzgwMDEyRTwvc3RyaW5nPg0KPC9kaWN0Pg0KPC9wbGlzdD4="
}
]
}

6
docs/Using Fleet/Scripts.md
View File

@ -1,7 +1,5 @@
# Scripts
_Available in Fleet Premium_
In Fleet you can execute a custom script to remediate an issue on your macOS, Windows, and Linux hosts.
Shell scripts are supported on macOS and Linux. All scripts will run in the host's (root) default shell (`/bin/sh`). Other interpreters are not supported yet.
@ -34,9 +32,7 @@ Fleet UI:
3. On your target host's host details page, select the **Scripts** tab and select **Actions** to run the script.
> Currently, you can only run scripts on macOS and Windows hosts in the Fleet UI. To run a script on a Linux host, use the Fleet API or fleetctl CLI.
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script)
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script]
fleetctl CLI:

4
ee/fleetd-chrome/package-lock.json generated
View File

@ -1,12 +1,12 @@
{
"name": "fleetd-for-chrome",
"version": "1.1.3",
"version": "1.2.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "fleetd-for-chrome",
"version": "1.1.3",
"version": "1.2.0",
"dependencies": {
"dotenv": "^16.0.3",
"wa-sqlite": "github:rhashimoto/wa-sqlite#v0.9.11"

2
ee/fleetd-chrome/package.json
View File

@ -1,7 +1,7 @@
{
"name": "fleetd-for-chrome",
"description": "Extension for Fleetd on ChromeOS",
"version": "1.1.3",
"version": "1.2.0",
"dependencies": {
"dotenv": "^16.0.3",
"wa-sqlite": "github:rhashimoto/wa-sqlite#v0.9.11"

18
ee/fleetd-chrome/src/tables/Table.ts
View File

@ -14,7 +14,6 @@ const CONCAT_CHROME_WARNINGS = (warnings: ChromeWarning[]): string => {
class cursorState {
rowIndex: number;
rows: Record<string, string>[];
error: any;
}
interface ChromeWarning {
@ -121,10 +120,10 @@ export default abstract class Table implements SQLiteModule {
}
cursorState.rows = tableDataReturned.data;
} catch (err) {
// Throwing here doesn't seem to work as expected in testing (the error doesn't seem to be
// thrown in a way that it can be caught appropriately), so instead we save the error and
// throw in xEof.
cursorState.error = err;
// We cannot throw inside SQLITE function because it may cause the wasm stack to run out of memory.
// See: https://github.com/rhashimoto/wa-sqlite/issues/156#issuecomment-1942477704
console.warn("Error generating table data: %s", err);
return SQLite.SQLITE_ERROR;
}
return SQLite.SQLITE_OK;
});
@ -133,6 +132,9 @@ export default abstract class Table implements SQLiteModule {
xNext(pCursor: number): number {
// Advance the row index for the cursor.
const cursorState = this.cursorStates.get(pCursor);
if (!cursorState || !cursorState.rows) {
return SQLite.SQLITE_ERROR;
}
cursorState.rowIndex += 1;
return SQLite.SQLITE_OK;
}
@ -140,10 +142,8 @@ export default abstract class Table implements SQLiteModule {
xEof(pCursor: number): number {
// Check whether we've returned all rows (cursor index is beyond number of rows).
const cursorState = this.cursorStates.get(pCursor);
// Throw any error saved in the cursor state (because throwing in xFilter doesn't seem to work
// correctly with async code).
if (cursorState.error) {
throw cursorState.error;
if (!cursorState || !cursorState.rows) {
return 1;
}
return Number(cursorState.rowIndex >= cursorState.rows.length);
}

12
ee/fleetd-chrome/src/tables/network_interfaces.ts
View File

@ -5,6 +5,18 @@ export default class TableNetworkInterfaces extends Table {
columns = ["mac", "ipv4", "ipv6"];
async generate() {
if (!chrome.enterprise) {
return {
data: [],
warnings: [
{
column: "mac",
error_message: "chrome.enterprise API is not available for network details",
},
],
};
}
// @ts-expect-error @types/chrome doesn't yet have the getNetworkDetails Promise API.
const networkDetails = (await chrome.enterprise.networkingAttributes.getNetworkDetails()) as chrome.enterprise.networkingAttributes.NetworkDetails;
const ipv4 = networkDetails.ipv4;

2
ee/fleetd-chrome/updates-beta.xml
View File

@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
<app appid='bfleegjcoffelppfmadimianphbcdjkb'>
<updatecheck codebase='https://chrome-beta.fleetdm.com/fleetd.crx' version='1.1.3' />
<updatecheck codebase='https://chrome-beta.fleetdm.com/fleetd.crx' version='1.2.0' />
</app>
</gupdate>

2
ee/fleetd-chrome/updates.xml
View File

@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
<app appid='fleeedmmihkfkeemmipgmhhjemlljidg'>
<updatecheck codebase='https://chrome.fleetdm.com/fleetd.crx' version='1.1.3' />
<updatecheck codebase='https://chrome.fleetdm.com/fleetd.crx' version='1.2.0' />
</app>
</gupdate>

2
frontend/components/EmailTokenRedirect/EmailTokenRedirect.tsx
View File

@ -25,7 +25,7 @@ const EmailTokenRedirect = ({
if (currentUser && token) {
try {
await usersAPI.confirmEmailChange(currentUser, token);
router.push(PATHS.USER_SETTINGS);
router.push(PATHS.ACCOUNT);
renderFlash("success", "Email updated successfully!");
} catch (error) {
console.log(error);

Some files were not shown because too many files have changed in this diff Show More