Related to #13310 and #13304 this adds two ways to enable script
execution in `fleetd` (the orbit component)
- By building a package with `--enable-scripts`
- By providing a setting via a configuration profile (macOS only)
Due to how the profile assignment works, this change automatically
updates the `com.fleetdm.fleetd.config` for hosts that already have the
profile installed.
> [!NOTE]
> Documentation is in
[#13577](https://github.com/fleetdm/fleet/pull/13577) to decouple
reviews.
related to #12847
This changes the authentication method for windows mdm enrollment. We
were using `HostByIndentifier ` method but have changed to
`LoadHostByOrbitNodeKey`.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
for #13450, this additionally adds minor UI/UX tweaks to the migration
flow:
1. Increased padding between the notification screenshot and the text
(hacked by using a PNG for the image as we can't add padding)
2. Centered the text
3. Made sure that all dialogs take over the screen
TUF root keys have been rotated on the server. This brings the default
roots up to date with that newest metadata.
Verified that the new `fleetctl` still builds packages successfully.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Manual QA for all new/changed functionality
This relates to #12600
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
- [X] Manual QA for all new/changed functionality
PR for update simplevars for reading subdirectories config file of
/etc/zabbix dir
changes from augeas team review
https://github.com/hercules-team/augeas/pull/815
Co-authored-by: liana <liana@mcbook.local>
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Found while load testing the macOS CIS benchmark policy queries using
`fleetd_tables` as an extension (#10292).
Basically, osqueryd passes the `--verbose` flag to the extension, so we
need to add it here to not fail the extension execution.
This PR requires the Windows MDM configuration changes - This will be
updated next week
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Documented any permissions changes
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
Changes:
- Updated the old (now invalid) osquery slack invitation link to go to
fleetdm.com/slack (which redirects to a valid osquery slack invitation)
Related to #11777, this disables the kickstart of softwareupdated in
Orbit.
I have kept the `--disable-kickstart-softwareupdated` for backwards
compatibility, but it doesn't have any effect anymore.
The current approach to read the enroll secret and fleet url from a
configuration profile is not ideal because:
1. (important) We're looking for a profile with a `ProfileIdentifier`
equal to `com.fleetdm.fleetd.config`. This is not ideal because
`ProfileIdentifier` is often modified by MDM vendors to ensure that's
unique across all profiles in the system.
2. (nit) To look for the relevant profile, we were running `profiles
list -o stdout-xml`, which can output a large amount of data that we
need to parse and loop through to find the right profile.
I have also considered:
1. Reading the value from a file that gets created at `/Library/Managed
Preferences/com.fleetdm.fleetd.config.plist`, but I couldn't find any
official sources on the reliablity of this, and after consulting
internally and in the macAdmins slack I decided to not rely on it.
2. Keep on reading from the output of `profiles` but be smarter parsing
the output (we should still be able to find the right profile)
At the end, I decided to use osascript to read the value directly from
the system.
For #11858, I reproduced the issue by running a local server behind
ngrok, _with the exact_ same path as the one in the website:
`https://server-url/images/permanent/mdm-migration-screenshot-768x180@2x.png`
I tried multiple combinations, but at the end, removing the `@` made the
trick. My guess is that's something to do with the markdown parser
library used by swiftDIalog.
I also removed a rogue `\` that was being displayed.
This relates to #11244
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Related to #11534 this is an extract from the code I used to build a
prototype to see if `swiftDialog` would work for us.
This is very similar to the work we did for Nudge previously.