Commit Graph

293 Commits

Author SHA1 Message Date
gillespi314
37fb4b0dab
Add fleetctl run-script command (#13622) 2023-09-05 14:14:09 -05:00
Martin Angers
cbc3f32e9d
Adjust response payload, messages and validations for /scripts/run/* endpoints. (#13607) 2023-08-31 09:08:50 -05:00
Roberto Dip
cb357668d2
fix typo in migration text (#13612)
I had this locally but forgot to commit it
2023-08-30 20:32:37 -03:00
Roberto Dip
8f8a3758f9
ensure migration dialog doesn't open automatically if it was opened manually (#13551)
for #13505
2023-08-30 19:54:42 -03:00
Martin Angers
090b142c49
Implement script execution on the fleetd agent (disabled by default) (#13569) 2023-08-30 14:02:44 -04:00
Roberto Dip
b50e1939db
Allow to configure fleetd for script execution (#13564)
Related to #13310 and #13304 this adds two ways to enable script
execution in `fleetd` (the orbit component)

- By building a package with `--enable-scripts`
- By providing a setting via a configuration profile (macOS only)

Due to how the profile assignment works, this change automatically
updates the `com.fleetdm.fleetd.config` for hosts that already have the
profile installed.

> [!NOTE]
> Documentation is in
[#13577](https://github.com/fleetdm/fleet/pull/13577) to decouple
reviews.
2023-08-30 10:18:34 -03:00
Gabriel Hernandez
f810fc31e2
use OrbitNodeKey for windows mdm enrollment authentication instead of HostUUID (#13503)
related to #12847

This changes the authentication method for windows mdm enrollment. We
were using `HostByIndentifier ` method but have changed to
`LoadHostByOrbitNodeKey`.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-08-29 14:50:13 +01:00
Roberto Dip
39dc3d8ab2
close the migration dialog only after unenrollment (#13512)
for #13450, this additionally adds minor UI/UX tweaks to the migration
flow:

1. Increased padding between the notification screenshot and the text
(hacked by using a PNG for the image as we can't add padding)
2. Centered the text
3. Made sure that all dialogs take over the screen
2023-08-29 09:44:42 -03:00
Tim Lee
6c7edca368
environment variable to disable orbit enroll logs (#13519) 2023-08-25 15:25:07 -06:00
Jacob Shandling
54e6ffd61b
Fleet desktop: On Windows, replace light/dark icons with colorful icon (#13457) 2023-08-24 10:03:54 -07:00
Roberto Dip
5c7019cfc4
allow clients to report errors back to the server (#13478)
for #13189, #13238 and #13239
2023-08-24 13:04:27 -03:00
Sharon Katz
7718135bd6
#12861 Remove os.Kill since golang can't capture it (#13419)
#12861
2023-08-22 10:58:51 -04:00
github-actions[bot]
7f19069f38
Update Orbit CA certs [automated] (#13446)
Automated change from [GitHub
action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).

Co-authored-by: zwass <zwass@users.noreply.github.com>
2023-08-22 06:01:58 -03:00
Roberto Dip
3b815b04c2
adjust MDM migration copy and timers (#13366)
for #13158
2023-08-18 18:58:40 -03:00
Zach Wasserman
a1b8226a15
Update default TUF root key for package generation (#13381)
TUF root keys have been rotated on the server. This brings the default
roots up to date with that newest metadata.

Verified that the new `fleetctl` still builds packages successfully.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Manual QA for all new/changed functionality
2023-08-18 09:03:00 -06:00
Roberto Dip
2a02936ed6
account for mixed case domains (#13342)
Unreleased tweak, do a case insensitive comparison of domains.
2023-08-15 19:11:44 -03:00
Roberto Dip
998e1dfb6b
fix issues when MDM info is empty during migration (#13320)
for #13319
2023-08-14 19:21:06 -03:00
Roberto Dip
902e064d04
fix issues with migration flow (#13297)
For #13094
2023-08-14 09:56:59 -03:00
Roberto Dip
70bdfe9512
fix panic if concurrent requests write capabilities (#13278) 2023-08-10 19:49:07 -03:00
gillespi314
c42f8230f7
Check assigned DEP in Orbit MDM migration (#13232) 2023-08-10 17:36:34 -05:00
Roberto Dip
ac25d8f581
remove quotes from FLEET_URL property in Windows templates (#13190)
related to #13175 and #13186
2023-08-08 16:36:33 -03:00
RachelElysia
b64f1b0d7a
Fleet Documentation: Remove docs about cgroups (#13143) 2023-08-04 14:40:29 -04:00
Marcos Oviedo
7cfea0787e
Windows Installer changes to support MDM Azure flow (#13025)
This relates to #12600 

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
- [X] Manual QA for all new/changed functionality
2023-07-31 12:12:06 -03:00
gillespi314
abfa113083
Disable nudge in case of launch error (#12906) 2023-07-26 14:40:03 -05:00
smgrol
2c45ae73ca
update augeas lense "simplevars.aug" (#12922)
PR for update simplevars for reading subdirectories config file of
/etc/zabbix dir

changes from augeas team review
https://github.com/hercules-team/augeas/pull/815

Co-authored-by: liana <liana@mcbook.local>
2023-07-25 09:22:41 -07:00
Roberto Dip
11a78e27db
Avoid migration actions if the host is already enrolled into Fleet (#12882)
for #12068
2023-07-20 19:08:08 -03:00
Gabriel Hernandez
9aa7c0c714
add dark and light background logo colors and show them on mdm migrat… (#12681) 2023-07-13 19:35:25 +01:00
smgrol
c596ac6f34
augeas: read subdirectories from /etc/zabbix dir (#12631)
PR for read configuration files in subdirectories in /etc/zabbix
directory with augeas
2023-07-07 11:18:26 -07:00
Roberto Dip
100b211ba5
prevent panic when orbit is run with updates disabled (#12654)
for #11980
2023-07-06 14:43:10 -03:00
github-actions[bot]
d2b49931ca
Update Orbit CA certs [automated] (#12028)
Automated change from [GitHub
action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).

Co-authored-by: zwass <zwass@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2023-07-05 15:04:51 -03:00
Lucas Manuel Rodriguez
810eb58b95
macOS CIS: Use find command (exposed as fleetd table) instead of relying on the osquery core file table (#12560)
#10292, #12554

When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-29 16:22:41 -03:00
Martin Angers
1db2f7646a
Implement Windows MDM programmatic unenrollment (notification + orbit trigger) (#12505) 2023-06-28 09:13:37 -04:00
Marcos Oviedo
821f6b064f
Adding support for GetPolicies message (#12477)
This relates to #12262 

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-06-27 12:59:33 -03:00
Lucas Manuel Rodriguez
7a33a108cb
Add --verbose flag to fleetd_tables (needed when osqueryd runs in verbose mode) (#12504)
Found while load testing the macOS CIS benchmark policy queries using
`fleetd_tables` as an extension (#10292).

Basically, osqueryd passes the `--verbose` flag to the extension, so we
need to add it here to not fail the extension execution.
2023-06-27 10:42:48 -03:00
Martin Angers
ca02abb660
Trigger Windows MDM host enrollment on device when notified that it is enabled (#12426) 2023-06-26 12:13:17 -04:00
Marcos Oviedo
22bb16bf2e
Pushing initial support for MS-MDE2 Discovery message (#12387)
This PR requires the Windows MDM configuration changes - This will be
updated next week

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Documented any permissions changes
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
2023-06-22 17:31:17 -03:00
Roberto Dip
3bee27d423
adjust swiftDialog layout and buttons (#12428)
related to #11859, this adjusts swiftDialog according to the specs in
the issue



https://github.com/fleetdm/fleet/assets/4419992/91d42e88-677e-4e67-aed9-7916b301577d
2023-06-21 12:10:33 -03:00
gillespi314
87fe00db71
Create new Fleet osquery extension table to read escrowed FileVault key (#12198) 2023-06-15 10:23:59 -05:00
Marcos Oviedo
4428d1e1aa
Adding windows profiling tool and documentation on how to use it (#12090)
This relates to #11939 

This PR adds the test tool and procedure used to profile orbit and
osqueryd processes on Windows
2023-06-09 10:55:47 -03:00
Eric
9ab1eed003
Update invalid osquery slack invitation link in markdown files (#12186)
Changes:
- Updated the old (now invalid) osquery slack invitation link to go to
fleetdm.com/slack (which redirects to a valid osquery slack invitation)
2023-06-07 17:29:57 -05:00
Martin Angers
f27fcddd55
Prevent clearing macos updates settings when applying/modifying a team without those settings (#12160) 2023-06-06 14:31:33 -04:00
Roberto Dip
1eb1e93e26
don't automatically kickstart softwareupdated in Orbit (#12072)
Related to #11777, this disables the kickstart of softwareupdated in
Orbit.

I have kept the `--disable-kickstart-softwareupdated` for backwards
compatibility, but it doesn't have any effect anymore.
2023-06-02 12:33:40 -03:00
Roberto Dip
6e3248237c
read orbit profile configuration values using osascript in macOS (#12086)
The current approach to read the enroll secret and fleet url from a
configuration profile is not ideal because:

1. (important) We're looking for a profile with a `ProfileIdentifier`
equal to `com.fleetdm.fleetd.config`. This is not ideal because
`ProfileIdentifier` is often modified by MDM vendors to ensure that's
unique across all profiles in the system.
2. (nit) To look for the relevant profile, we were running `profiles
list -o stdout-xml`, which can output a large amount of data that we
need to parse and loop through to find the right profile.

I have also considered:

1. Reading the value from a file that gets created at `/Library/Managed
Preferences/com.fleetdm.fleetd.config.plist`, but I couldn't find any
official sources on the reliablity of this, and after consulting
internally and in the macAdmins slack I decided to not rely on it.
2. Keep on reading from the output of `profiles` but be smarter parsing
the output (we should still be able to find the right profile)

At the end, I decided to use osascript to read the value directly from
the system.
2023-06-01 20:50:52 -03:00
Roberto Dip
e57f90fbac
fix display issues with screenshot in MDM migration flow (#11866)
For #11858, I reproduced the issue by running a local server behind
ngrok, _with the exact_ same path as the one in the website:
`https://server-url/images/permanent/mdm-migration-screenshot-768x180@2x.png`

I tried multiple combinations, but at the end, removing the `@` made the
trick. My guess is that's something to do with the markdown parser
library used by swiftDIalog.

I also removed a rogue `\` that was being displayed.
2023-05-23 14:29:42 -03:00
Marcos Oviedo
bc223af05d
Helper utilities to showcase windows authenticode signing (#11780)
This relates to #11013 

Helper utilities to showcase Windows Authenticode signing.

The fleetdm.pfx certificate file is a self-signed test certificate
2023-05-18 16:47:33 -03:00
Roberto Dip
8829b84a63
add migration support to FD and orbit (#11741)
https://github.com/fleetdm/fleet/issues/11534
2023-05-18 14:21:54 -03:00
Juan Fernandez
827c4a7c33
Feature 8058: Added resource.syso metadata file (#10783)
Addresses https://github.com/fleetdm/fleet/issues/8058, https://github.com/fleetdm/fleet/issues/11012 and https://github.com/fleetdm/fleet/issues/11013

This PR adds a new VERSIONINFO metadata file using the
https://github.com/josephspurrier/goversioninfo library.
2023-05-17 18:53:25 -03:00
Roberto Dip
4dd127d577
base logic to show/hide the new Migrate to Fleet FD menu (#11679)
Related to #11670
2023-05-15 17:00:52 -03:00
Marcos Oviedo
3ec04887e6
New CIS Audit table (#11381)
This relates to #11244 

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2023-05-12 11:16:36 -03:00
Roberto Dip
4103e77e90
add swiftDialog to TUF (#11643)
Related to #11534 this is an extract from the code I used to build a
prototype to see if `swiftDialog` would work for us.

This is very similar to the work we did for Nudge previously.
2023-05-11 15:01:43 -03:00