Commit Graph

618 Commits

Author SHA1 Message Date
Zachary Winnerman
2ec19979c2
APM Improvements (#11103)
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-24 01:13:15 -04:00
Roberto Dip
5c487890ca
add an endpoint to get an aggregate summary of bootstrap packages (#11156)
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-04-22 10:23:38 -05:00
Juan Fernandez
d353a3deb4
Handle flaky vulnerability tests (#11262)
- Refactored some of the vulnerabilities tests to help with flakiness.
- Don't load NVD assets if local assets have a timestamp of today.
2023-04-21 19:37:29 -04:00
gillespi314
bb2fbbdd38
Add apple_bm_enabled_and_configured to app config responses (#11255) 2023-04-21 11:08:09 -05:00
Martin Angers
c1d3f67e6f
Add fleetctl get mdm-commands command and supporting API endpoint (#11163) 2023-04-17 11:45:16 -04:00
Lucas Manuel Rodriguez
5aa5f8aae3
Add MDM configuration permissions to GitOps (#11207)
#8593 

Adding new MDM functionality to GitOps.

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [x] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-17 12:08:55 -03:00
Benjamin Edwards
03cc60a3db
remove code accidentally left in from previous PR (#11193) 2023-04-13 17:43:32 -04:00
Lucas Manuel Rodriguez
1ebfbb14eb
New gitops role (#10850)
#8593

This PR adds a new role `gitops` to Fleet.
MDM capabilities for the role coming on a separate PR. We need this
merged ASAP so that we can unblock the UI work for this.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [X] Documented any permissions changes
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-12 16:11:04 -03:00
Roberto Dip
77e5c004f4
implement bootstrap packages during DEP enrollment (#11052)
#10213
2023-04-07 17:31:02 -03:00
Benjamin Edwards
6f836d60cb
add support for AWS SES email backend (#10847) 2023-04-06 13:21:07 -05:00
Roberto Dip
40c5bb1c25
install fleetd on DEP enrolled hosts during enrollment (#10971)
https://github.com/fleetdm/fleet/issues/9459
2023-04-05 20:52:26 -03:00
Roberto Dip
1516caad46
explicitly enable orbit to read config from the system (#10980)
in #10134 we added a silent mechanism to try to read configuration
values from macOS configuration profiles if --fleet-url and
--enroll-secret weren't present.

while using this logic to test #9459 I have found that there's a race
condition where sometimes `fleetd` is installed before the configuration
profile with the values delivered by Fleet, causing orbit to get stuck
forever.

I added logic to loop every 30 seconds and try to fetch the values again
if none are found, but I didn't felt comfortable adding this logic
without also adding an extra flag to explicitly enable this behavior.
2023-04-05 15:02:18 -03:00
Lucas Manuel Rodriguez
2f38f2e76a
Uninstalling software in a host also updates software table (#10540)
https://github.com/fleetdm/confidential/issues/1968

It's ready for review but I still need to load test this.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-04-05 13:53:43 -03:00
Martin Angers
4ed50185c0
Add clearer message when mdm-command-results fails due to authz (#10997) 2023-04-05 11:57:31 -04:00
Martin Angers
741a7aa5d0
Finalize MDM commands part 3: add the fleetctl get mdm-command-results command (#10964) 2023-04-05 10:50:36 -04:00
Martin Angers
e0e547f1a2
Finalize MDM commands part 2: implement fleetctl mdm run-command (#10866) 2023-04-03 14:25:49 -04:00
Juan Fernandez
4c2ddba2e4
Clean out-of-date NVD results. (#10514)
Keep the vulnerabilities detected via NVD and stored in the DB in sync. with the results from the NVD vulnerability process.
2023-04-03 13:45:18 -04:00
Roberto Dip
729c1e4042
automatically create DEP JSON profiles if none is set. (#10871)
#9569
2023-03-30 14:25:30 -03:00
Martin Angers
0e2c9bb873
finalize mdm commands part 1: support fleetctl get hosts --mdm and --mdm-pending (#10796) 2023-03-29 08:30:49 -04:00
Juan Fernandez
aecc2fed75
Feature 9834: Add published date to vulnerability object (#10434)
This only applies to Premium users, we want to show the vulnerabilities' published date anywhere vulnerabilities are shown including API endpoints and third party integrations.
2023-03-28 16:11:31 -04:00
Noah Talerman
4372b5b2b5
Update broken links to MDM docs (#10789)
- At some point we updated how we generate anchor links on
fleetdm.com/docs. PR is here: #10657
  - For example:
-
`https://fleetdm.com/docs/using-fleet/mdm-setup#apple-push-notification-service-ap-ns`
is now
`https://fleetdm.com/docs/using-fleet/mdm-setup#apple-push-notification-service-apns`
(apns doesn't have a hyphen)
2023-03-27 17:14:20 -07:00
Roberto Dip
98845f03a6
remove feature flags to enable MDM (#10746)
https://github.com/fleetdm/fleet/issues/10025
2023-03-27 16:30:29 -03:00
Martin Angers
b6e10eb6da
Update host MDM profile status to pending in response to triggering events (#10443) 2023-03-27 14:43:01 -04:00
Lucas Manuel Rodriguez
e0d8dcad21
Allow prometheus /metrics endpoint with http basic auth disabled (#10634)
#8957

To test this feature, build+run Fleet and then visit:
`https://localhost:8080/metrics`.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [ ] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-23 19:00:11 -03:00
Martin Angers
2fb5aa629d
Normalize the naming of mdm settings, update docs and document missing ones (#10681)
#10408
2023-03-23 07:30:28 -03:00
Mo Zhu
e632725a44
Break up MDM docs to be smaller articles for improved readability. (#10538)
- Broke up the single MDM doc into multiple ones organized by category
- Changed any links to point to the new docs

---------

Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2023-03-17 12:34:35 -07:00
Lucas Manuel Rodriguez
6d918d1366
Add enable_jit_role_sync config (#10478)
#8411

We decided to only update roles for existing accounts if enabled by a
new setting (disabled by default) `sso_settings.enable_jit_role_sync`.

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 17:17:08 -03:00
Lucas Manuel Rodriguez
5ec4fab440
Orbit to set --database_path when invoking osquery to retrieve system info (#10308)
#9132

The actual fix for the empty hosts is adding the `--database_path`
argument in the initial `osqueryd -S` invocation when retrieving the
UUID. Osquery attempts to retrieve the UUID from OS files/APIs, when not
possible (which is what happens on some linux distributions), then it
resorts to generating a new random UUID and storing it in the
`osquery.db`. The issue was Orbit's first invocation of `osqueryd -S`
was not using the same `osquery.db` as the main daemon invocation of
`osqueryd`.

I'm also adding a `hostname` + `platform` to the orbit enroll phase so
that if there are any issues in the future we can avoid the "empty" host
and have some information to help us troubleshoot.

## How to reproduce

On Linux, osquery reads `/sys/class/dmi/id/product_uuid` to load the
hardware UUID.
Some Linux distributions running on specific hardware or container
environments do not have such file available.
The way to reproduce on a Linux VM is to do the following:
```sh
$ sudo su
# chmod -r /sys/class/dmi/id/product_uuid
```
which will turn the file inaccessible to root.

## Checklist

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-03-13 18:54:18 -03:00
Roberto Dip
61f276fe44
allow to start Fleet MDM without configuring Apple BM (#10453)
Related to https://github.com/fleetdm/fleet/issues/10299, this allows to
start the Fleet server with MDM enabled without having to provide ABM
configs.

I have tested this with:

1. Premium account, no ABM config: the server starts normally, but
without ABM features
2. Premium account, invalid ABM config: error starting the server
3. Premium account, valid ABM config: ABM features enabled
4. Free account, no ABM config: the server starts normally
5. Free account, any ABM config: error due to invalid license
2023-03-13 18:16:11 -03:00
Lucas Manuel Rodriguez
b0475d998e
Run cleanup of cron_stats outside of the schedule package to prevent outages from breaking cron jobs (#10439)
#9486

Now cron jobs should recover from a Fleet outage after ~ two hours.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 16:15:30 -03:00
Lucas Manuel Rodriguez
93e150666b
Add instanceID to schedule logging (#10413)
#9515

Sample output after running `fleetctl trigger --name
cleanups_then_aggregation`:
```sh
./build/fleet serve --dev --dev_license 2>&1 | tee ~/fleet.txt
level=info ts=2023-03-09T19:27:17.324691Z component=redis mode=standalone
level=info ts=2023-03-09T19:27:17.360565Z instanceID="V9mArnX3lPhlIS0enyFau9eWi/dpjUPmOzJ3rwQUkX+l2aU1AMM4lQfdaDFZfeyJSHBwrIt/km1ghmRcyhdWqA=="
level=info ts=2023-03-09T19:27:17.372767Z msg="started cron schedules: automations, cleanups_then_aggregation, integrations, usage_statistics, vulnerabilities"
ts=2023-03-09T19:27:17.391404Z transport=https address=0.0.0.0:8080 msg=listening
level=error ts=2023-03-09T19:27:19.973841Z query=fleet_detail_query_software_macos message="distributed query is denylisted" hostID=58
level=info ts=2023-03-09T19:27:21.262799Z cron=cleanups_then_aggregation schedule=cleanups_then_aggregation instanceID="V9mArnX3lPhlIS0enyFau9eWi/dpjUPmOzJ3rwQUkX+l2aU1AMM4lQfdaDFZfeyJSHBwrIt/km1ghmRcyhdWqA==" status=pending
ts=2023-03-09T19:27:22.218129Z inf="skipping verification of encryption keys as MDM is not fully configured"
level=info ts=2023-03-09T19:27:22.224179Z cron=cleanups_then_aggregation schedule=cleanups_then_aggregation instanceID="V9mArnX3lPhlIS0enyFau9eWi/dpjUPmOzJ3rwQUkX+l2aU1AMM4lQfdaDFZfeyJSHBwrIt/km1ghmRcyhdWqA==" status=completed
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 15:37:03 -03:00
Lucas Manuel Rodriguez
3757aace08
Add UUID to Fleet errors and clean up error msgs (#10411)
#8129 

Apart from fixing the issue in #8129, this change also introduces UUIDs
to Fleet errors. To be able to match a returned error from the API to a
error in the Fleet logs. See
https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for
more context.

Samples with the changes in this PR:
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0"
}
```
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd'
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "json decoder error"
    }
  ],
  "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d"
}
```
```
curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams"
{
  "message": "Authentication required",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication required"
    }
  ],
  "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Authorization header required",
  "errors": [
    {
      "name": "base",
      "reason": "Authorization header required"
    }
  ],
  "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Permission Denied",
  "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06"
}
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 13:44:06 -03:00
Roberto Dip
a1ca172c95
allow to set up a DEP flow gated by Okta auth (#10338)
#10271
2023-03-13 10:33:32 -03:00
Juan Fernandez
6ff2c449cf
Improve test coverage and bug fix (#10301)
Addresses https://github.com/fleetdm/fleet/issues/10112

Improved test coverage, also fixed a bug related to vulnerability processing for mac office apps.
2023-03-06 15:07:27 -04:00
Benjamin Edwards
dc210d594b
missed config translation (#10294)
missed setting the new rotation configs when wiring up all the
dependencies in fleet serve
2023-03-03 15:28:58 -05:00
Zach Wasserman
ca2e30e59c
Fix error writing coverage when running tests (#10278)
Intended to fix this error we are seeing in CI:

```
error generating coverage report: write |1: file already closed
```

It seems like perhaps a change in the way the test coverage is reported
in a recent Go version has interacted with the closing of stdout in
these tests.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Added/updated tests
2023-03-02 17:11:15 -08:00
Martin Angers
4593c49ec4
Add disk_encryption option to config and team YAML (#10185) 2023-02-28 15:34:46 -05:00
Martin Angers
e3ddb5f3ce
Support matching a host in orbit enrollment using the serial number (#9612) 2023-02-28 12:55:04 -05:00
gillespi314
6fec539fbf
Update API responses for hosts and labels endpoints to include host mdm info (#10141)
Issue #10126 

- Add mdm solution name to host mdm inf
- Add host mdm info in labels API response;
2023-02-27 18:40:34 -03:00
Juan Fernandez
7e366272c0
Feature 9386: Parse the Mac Office release notes for vulnerability processing (#9993)
This PR adds the capability of parsing the release notes posted in https://learn.microsoft.com/en-us/officeupdates/release-notes-office-for-mac into a JSON metadata file (to be released in the NVD repo) and use it for detecting vulnerabilities on Mac Office apps.
2023-02-24 14:18:25 -04:00
Benjamin Edwards
f3b0e4da72
add configuration parameters for filesystem logging file rotation (#10048) 2023-02-24 07:44:56 -05:00
Benjamin Edwards
6f8abe3bc3
refactor vuln process command (#10088)
propagate error and properly defer store unlock
2023-02-23 23:22:36 -05:00
Benjamin Edwards
1158e62e44
use the same lock id between lock and unlock (#10039)
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-02-22 17:48:46 -05:00
gillespi314
e31fc889f1
Add MDM profiles to host detail in API responses (#10034)
Issue #9599 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-02-22 16:26:06 -06:00
Roberto Dip
8284274c3b
incomplete implementation of device wipe and lock (#9947) 2023-02-22 17:11:44 -03:00
Roberto Dip
262e9870e3
add a cron job to reconcile profiles (#9946)
https://github.com/fleetdm/fleet/issues/9590
2023-02-22 14:49:06 -03:00
Lucas Manuel Rodriguez
407d05eab9
Workaround to set policy specs on a team (#9978)
For the CIS benchmark feature, we need a way to import a group of
policies (spec yml) into a team.
This PR adds a flag to `apply -f` to allow setting a team name to a
group of policies.

Sample:
```sh
fleetctl apply --context dogfood --policies-team "📊 CIS Benchmarks" -f ee/cis/macos-13/cis-policy-queries.yml
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [ ] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-22 13:14:53 -03:00
Roberto Dip
f6b86a55d9
Use dynamic serial numbers in osquery-perf (#9904)
This helps with MDM local testing as serial numbers play a big role.
2023-02-17 17:10:49 -03:00
Benjamin Edwards
0db432f7e3
vuln processing distinct command (#9813)
closes https://github.com/fleetdm/fleet/issues/3723

Add new vuln processing command, configs, and documentation on how to utilize.
2023-02-17 10:00:57 -05:00
Martin Angers
33f33163a9
Add macos custom profiles support via fleetctl apply (#9824) 2023-02-15 13:01:44 -05:00
Roberto Dip
7cd581866a
add API endpoint to see disk encryption key (#9713)
https://github.com/fleetdm/fleet/issues/8708
2023-02-08 20:20:23 -03:00
Roberto Dip
046401d190
Ingest file vault recovery keys in macOS (#9712)
Related + details at https://github.com/fleetdm/fleet/issues/8708
2023-02-08 11:49:42 -03:00
Lucas Manuel Rodriguez
dfe6b53963
Make fleetctl get teams --yaml output compatible with fleetctl apply -f (#9626)
#9535

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-02 14:46:50 -03:00
Roberto Dip
e06b00df11
Add readonly MDM.EnabledAndConfigured to app config and device responses (#9575)
Related to #9571, this adds a new value to both responses which is
calculated when the Fleet server is started, and only set to `true` if
the server is properly configured for MDM.

This helps the UI to determine wether or not we should show certain UI
elements that we only want to show to servers with MDM enabled.
2023-02-01 14:47:52 -03:00
Roberto Dip
ffed7f8ebe
return 422 status code if fleetdm.com returns any 4xx status for CSR (#9610)
Related to https://github.com/fleetdm/fleet/issues/9588, we now handle 4xx responses from the fleetdm.com server and forward those to the client.

At the time of this commit, the only 4xx response that wasn't already handled by the server is because of an invalid email domain, so we assume that, but we should look into establishing a pattern of error messages with the website instead.
2023-02-01 12:50:22 -03:00
Roberto Dip
4c4c114e96
add mocks + tests and move things around (#9574)
#8948

- Add more go:generate commands for MDM mocks
- Add unit and integration tests for MDM code
- Move interfaces from their PoC location to match existing patterns
2023-01-31 11:46:01 -03:00
Martin Angers
8a137e2b5b
Move host details mdm properties to new mdm object (#9505) 2023-01-30 16:40:11 -06:00
Martin Angers
d0e6891d10
Add endpoint to trigger CSR request for APNs on fleetdm.com (#9494) 2023-01-25 14:44:29 -05:00
Martin Angers
84717de461
Document APNs and ABM setup and renewal (#9471) 2023-01-24 15:20:41 -05:00
Roberto Dip
2d25a3f48d
add mdm root key and macos_updates to app and team configs (#9442)
Related to https://github.com/fleetdm/fleet/issues/9345,
https://github.com/fleetdm/fleet/issues/9358 and
https://github.com/fleetdm/fleet/issues/9346 this adds:

1. The ability to configure `mdm.macos_updates` via `PATCH /config` and
`PATCH /teams/{id}`
3. The ability to configure `mdm.macos_updates` by using `fleetctl apply
-f` for teams and global config.
2023-01-24 13:20:02 -03:00
Gabriel Hernandez
7d4653baaa
add attribute to GET /activities endpoint with pagination metadata (#9279)
relates to https://github.com/fleetdm/fleet/issues/8928

This adds a new `meta` attribute to the "GET /activities" endpoint that
includes pagination metadata. This can allow clients to know if there
are additional items to request.


- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-01-18 12:57:11 +00:00
gillespi314
fba3607c4a
Add mdm status and server url to host endpoint responses (#9320) 2023-01-16 17:08:24 -06:00
Roberto Dip
2447a371b0
use nanomdm's multi service + integration tests and fixes (#9269)
**Use nano's multi service**

This allows us to integrate more seamlessly with nano and to run our
custom MDM logic _after_ the request was handled by nano, which gives us
more flexibility (for example: now we can issue commands after a
TokenUpdate message)

From nano's code:

> MultiService executes multiple services for the same service calls.
> The first service returns values or errors to the caller. We give the
> first service a chance to alter any 'core' request data (say, the
> Enrollment ID) by waiting for it to finish then we run the remaining
> services' calls in parallel.

**Integration tests + fixes**

- Move some of the service logic from `cmd/` to `server/service`
- Add integration tests for the MDM enrollment flow, including SCEP
authentication.
- Fixed a bug that set `host_mdm.mdm_id = 0`  during MDM enrollment due
  to how MySQL reports the last insert id when `ON DUPLICATE KEY` is
  used.
- Completely remove the host row from `host_mdm` when a device is
  unenrolled from MDM to match the behavior of how we ingest MDM data
  from osquery

Related to https://github.com/fleetdm/fleet/issues/8708,
https://github.com/fleetdm/fleet/issues/9034
2023-01-16 17:06:30 -03:00
Tomas Touceda
398bb38da7
Add software_updated_at field to host (#9116)
#9012

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2023-01-09 08:55:43 -03:00
Martin Angers
656e5bfc70
Flag when the Apple BM terms have expired (#9091)
#8862 

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-01-06 17:44:20 -03:00
Lucas Manuel Rodriguez
ba6b6e12cc
Fix ingestion of MDM server for macOS and Windows hosts (#9133)
* Fix ingestion of MDM server for macOS and Windows hosts

* Return early if there are no mobile_device_management_solutions to clean up

* Run make dump-test-schema

* Fix TestHosts/DeleteHosts test

* Add test for host unenrolling from MDM

* Fix lint

* Fix typo

* Identify Fleet MDM

* Move logic to deduce MDM name out of Datastore

* Run make dump-test-schema

* Remove printfs from migration
2023-01-04 10:29:48 -03:00
Frank Sievertsen
91c90b4caa
Add new configuration option to set default team for Apple Business Manager (#9062) 2023-01-03 16:14:18 -06:00
Lucas Manuel Rodriguez
ac22aadc13
Fleet server and tooling to use NETWORK_TEST_GITHUB_TOKEN when environment variable is set. (#9143)
* WIP

* Add more logging

* Check rate limit at end of action

* Add github client in more places

* Add new published firefox 93 vulnerabilities to tests

* Remove fmt printfs

* Restore CI check settings

* Readd newline
2023-01-03 14:56:11 -03:00
gillespi314
b990121fdc
Add mdm enrollment pending filter to API endpoints (#9137) 2023-01-03 11:26:23 -06:00
Roberto Dip
1b47f9e700
add activities when a host is enrolled/unenrolled from MDM (#9127)
#8996
2022-12-28 16:41:18 -03:00
gillespi314
94dd1c3745
Ingest pending MDM hosts (#9065)
Co-authored-by @roperzh
2022-12-26 15:32:39 -06:00
Lucas Manuel Rodriguez
e1bbcfcfda
Generate audit logs for activities (#9001)
* Generate audit logs for activities

* Fix config tests

* Fix TestGetConfig/IncludeServerConfig

* Fix use of AddAttributes in results only

* Stream activities asynchronously

* Fix index and add logging

* Revert change

* Documentation fixes
2022-12-23 19:04:13 -03:00
Lucas Manuel Rodriguez
39f1029390
Make activities typed and auto-generate docs for each type (#9069)
* Make activities type and auto-generate docs for each type

* Add pageOrderInSection to not break site

* Add do not edit note to generated file

* Add make generate-doc step

* Fix main merge
2022-12-23 13:05:16 -03:00
Frank Sievertsen
8e65ec67b5
Add new activity that records create/edit/delete user roles (#9086) 2022-12-21 18:30:19 +01:00
Tomas Touceda
68bd8661e9
Simplify disk encryption query in linux and filter at ingestion (#9037)
* Simplify disk encryption query in linux and filter at ingestion

* Join with mounts to detect whatever is encrypting /
2022-12-19 10:01:59 -03:00
Frank Sievertsen
7ebb97cd70
Fire automations for hosts that failed before automation enabled (#9028) 2022-12-16 22:00:54 +01:00
Michal Nicpon
37f454c0be
Add dep key pair endpoint (#9007) 2022-12-16 19:39:36 +01:00
Stephan Miehe
b6a409fa3b
Support redis username (#9018) 2022-12-14 08:53:38 -05:00
Michal Nicpon
3c9dd27d75
add fleectl generate mdm-apple-bm command (#8979) 2022-12-13 16:24:50 +01:00
Martin Angers
f18a320bd5
Add command get mdm-apple-bm to fleetctl (#8949) 2022-12-12 15:45:53 -05:00
Roberto Dip
e68535d468
report errors that can occur during file carving (#8972)
related to https://github.com/fleetdm/fleet/issues/8117
2022-12-09 13:21:30 -03:00
Michal Nicpon
10b3179b63
Add fleetctl generate mdm-apple (#8812) 2022-12-07 18:24:42 +01:00
Martin Angers
d4a3730610
Add new configuration options for Apple Business Manager (#8886) 2022-12-06 15:50:56 -05:00
gillespi314
43b1241a0c
Add fleetctl trigger command (#8877) 2022-12-06 09:56:54 -06:00
Frank Sievertsen
e0766d21a3
Add ability to mark policy as critical. (#8896) 2022-12-06 15:59:20 +01:00
gillespi314
6fb3a87ae9
Enable errcheck linter for golangci-lint (#8899) 2022-12-05 16:50:49 -06:00
Martin Angers
866829dbfa
Implement fleetctl get mdm-apple (#8786) 2022-12-05 11:35:45 -05:00
Martin Angers
f5fc316ad3
Add options for configuring APNS and SCEP keys/certs in Fleet server (#8730) 2022-12-05 10:22:56 -05:00
gillespi314
d5c096fa02
Implement schedule triggers (#8747) 2022-11-28 13:28:06 -06:00
gillespi314
267aaf0dbe
Add holdLock and releaseLock methods to schedule package (#8464) 2022-11-16 15:14:38 -06:00
Martin Angers
7aab706175
Document the osquery-perf os_templates flag (#8745) 2022-11-16 16:12:24 -05:00
Martin Angers
ca13659fe0
Fix broken test (#8715) 2022-11-15 09:52:47 -05:00
Martin Angers
472c8bafb3
Refactor license so it is stored in the context (#8544) 2022-11-15 09:08:05 -05:00
Martin Angers
f3c7a37813
Support Windows and Ubuntu in osquery-perf (#8616) 2022-11-15 08:24:40 -05:00
Martin Angers
54bb5448a0
Fix missing valid properties in validation of FIM and YARA agent options (#8707) 2022-11-14 15:50:41 -05:00
Michal Nicpon
9ad1721efd
fix issue with duplicate vulns detected using nvd (#8613)
The OVAL analyzer falsely assumes that any vulnerabilities detected on a
host only come from OVAL. However, it is possible that NVD detects
vulnerabilities on these hosts even though it excludes software from
deb_packages and rpm_packages. For example, a python package twisted
v22.20 has a vulnerability CVE-2022-39348 detected by NVD. The OVAL
analyzer would delete this vulnerability, and it would be re-inserted by
the NVD scanner on the next run. This creates a loop.

The fix is to only delete vulnerabilities that are actually detected
using OVAL. We already store this in the source column in the
software_cve table.
2022-11-10 10:28:00 -07:00
Martin Angers
7fbe394b94
Ingest disk encryption flag for hosts, return in GET /hosts/{id} endpoint (#8526) 2022-11-02 15:44:02 -04:00
Martin Angers
8f21e026e3
Fix bug with fleetctl apply for teams, clear agent options only if key is present (#8508) 2022-11-01 15:22:45 -04:00
Roberto Dip
c51927e873
enhance support for orbit and fleet desktop in osquery-perf (#8217)
This improves osquery-perf with support for a more realistic orbit + fleet desktop simulation as described in #8212

This was based on the work done by @sharvilshah in his branch.
2022-10-28 14:27:21 -03:00
Juan Fernandez
53e112d264
Feature 7494: Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities (#7889)
Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities
2022-10-28 11:12:21 -04:00
Martin Angers
49e910270b
Add vulnerability scores to Jira/Zendesk tickets for premium users (#8346) 2022-10-26 10:42:09 -04:00
gillespi314
51e6369653
Fix password reset request expiration (#8246) 2022-10-25 09:46:41 -05:00
gillespi314
881194b3b4
Add orbit version and osquery version usage statistics (#8229) 2022-10-24 11:12:56 -05:00
Martin Angers
e19191161e
Validate team spec unknown keys (#8265) 2022-10-24 08:49:44 -04:00
Roberto Dip
d0cde1aaaa
Use the same HTTP server config as the production server in tests (#8254)
* Use the same HTTP server config as the production server in tests

This abstracts the default config we use to run the server into a
function so it can be used in tests to run an HTTP server using the same
configuration.

Additionally, this fixes a data race in tests, as an HTTP server
configuration can't be changed once you call `server.Start()`[1]

[1]:
https://cs.opensource.google/go/go/+/refs/tags/go1.19.2:src/net/http/httptest/server.go;l=40;drc=19309779ac5e2f5a2fd3cbb34421dafb2855ac21
2022-10-19 07:42:21 -03:00
Martin Angers
323620bf39
Deep-clone the appconfig when getting from cache (#8194) 2022-10-17 15:03:49 -04:00
Frank Sievertsen
a2c47cf4f4
add host_display_name to live query rows (#8251) 2022-10-17 15:52:25 +02:00
gillespi314
59876d37ea
Add usage statistics to measure policy violations (#8199) 2022-10-14 13:55:37 -05:00
Frank Sievertsen
e54f066266
Add display_name to more results (#8204)
* Make HostResponses with one dedicated function only
* more display_name for Hosts
2022-10-14 11:14:18 -03:00
Martin Angers
fae8e4ca2c
Translate the AppConfig and Team validation messages to be more user-friendly (#8171) 2022-10-12 17:10:50 -04:00
Juan Fernandez
91ea7bf244
Vulnerabilities not detected if NVD CVE feed is unavailable or rate limited (#8191)
If there is any problem when synching NVD source, proceed with vuln scan
2022-10-12 15:09:18 -04:00
Frank Sievertsen
23199c3d83
Add missing display_name to getHostEndpoint (#8174) 2022-10-11 17:00:32 -04:00
Roberto Dip
e630fabf89
token rotation for fleet desktop (#7779)
This implements what's described in detail here https://github.com/fleetdm/fleet/blob/main/proposals/fleet-desktop-token-rotation.md
2022-10-10 17:15:35 -03:00
Frank Sievertsen
e9f7066d87
7135 host display name (#7873) 2022-10-08 08:57:46 -04:00
Lucas Manuel Rodriguez
9191f4ce66
Add Apple MDM functionality (#7940)
* WIP

* Adding DEP functionality to Fleet

* Better organize additional MDM code

* Add cmdr.py and amend API paths

* Fix lint

* Add demo file

* Fix demo.md

* go mod tidy

* Add munki setup to Fleet

* Add diagram to demo.md

* Add fixes

* Update TODOs and demo.md

* Fix cmdr.py and add TODO

* Add endpoints to demo.md

* Add more Munki PoC/demo stuff

* WIP

* Remove proposals from PoC

* Replace prepare commands with fleetctl commands

* Update demo.md with current state

* Remove config field

* Amend demo

* Remove Munki setup from MVP-Dogfood

* Update demo.md

* Add apple mdm commands (#7769)

* fleetctl enqueue mdm command

* fix deps

* Fix build

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>

* Add command to upload installers

* go mod tidy

* fix subcommands help

There is a bug in urfave/cli where help text is not generated properly when subcommands
are nested too deep.

* Add support for installing apps

* Add a way to list enrolled devices

* Add dep listing

* Rearrange endpoints

* Move DEP routine to schedule

* Define paths globally

* Add a way to list enrollments and installers

* Parse device-ids as comma-separated string

* Remove unused types

* Add simple commands and nest under enqueue-command

* Fix simple commands

* Add help to enqueue-command

* merge apple_mdm database

* Fix commands

* update nanomdm

* Split nanomdm and nanodep schemas

* Set 512 MB in memory for upload

* Remove empty file

* Amend profile

* Add sample commands

* Add delete installers and fix bug in DEP profile assigning

* Add dogfood.md deployment guide

* Update schema.sql

* Dump schema with MySQL 5

* Set default value for authenticate_at

* add tokens to enrollment profiles

When a device downloads an MDM enrollment profile, verify the token passed
as a query parameter. This ensures untrusted devices don't enroll with
our MDM server.

- Rename enrollments to enrollment profiles. Enrollments is used by nano
  to refer to devices that are enrolled with MDM
- Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles
- Generate a token for authentication when creating an enrollment profile
- Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token=

* remove mdm apple server url

* update docs

* make dump-test-schema

* Update nanomdm with missing prefix table

* Add docs and simplify changes

* Add changes file

* Add method docs

* Fix compile and revert prepare.go changes

* Revert migration status check change

* Amend comments

* Add more docs

* Clarify storage of installers

* Remove TODO

* Remove unused

* update dogfood.md

* remove cmdr.py

* Add authorization tests

* Add TODO comment

* use kitlog for nano logging

* Add yaml tags

* Remove unused flag

* Remove changes file

* Only run DEP routine if MDM is enabled

* Add docs to all new exported types

* Add docs

* more nano logging changes

* Fix unintentional removal

* more nano logging changes

* Fix compile test

* Use string for configs and fix config test

* Add docs and amend changes

* revert changes to basicAuthHandler

* remove exported BasicAuthHandler

* rename rego authz type

* Add more information to dep list

* add db tag

* update deps

* Fix schema

* Remove unimplemented

Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 19:53:54 -03:00
Juan Fernandez
812d3c85de
Fixes various bugs with NVD vulnerability detection (#7963)
- Improved NVD CPE matching process.
- Fixed bug with the 'software/<id>' endpoint not showing the generated_cpe value.
2022-10-04 07:04:48 -04:00
Martin Angers
8eee0b35f3
Add validations for agent options' command-line flags section. (#7979) 2022-10-03 08:29:41 -04:00
Roberto Dip
3a349bb07b
fix data race in TestAutomationsSchedule (#7952) 2022-09-26 17:19:38 -03:00
Martin Angers
1fd6844bb0
Make osquery-perf aware of kubequery so that hosts are not reported as such erroneously (#7949) 2022-09-26 15:39:39 -04:00
gillespi314
639b85e47b
Refactor cron worker to schedule package (#7886) 2022-09-23 11:45:48 -05:00
Martin Angers
db24cf32fa
Add new low_disk_space URL parameter to the GET /hosts endpoint (and GET /hosts/count) (#7853) 2022-09-21 15:16:31 -04:00
gillespi314
34688f531a
Refactor webhooks cron to new schedule package (#7840) 2022-09-20 14:26:36 -05:00
Juan Fernandez
f78dc8febd
Use directories to organize msrc assets (#7851)
Use directories to organize MSRC assets
2022-09-20 14:12:19 -04:00
Martin Angers
478b4d3f69
Validate team and appconfig payloads, with dry-run and force modes (#7731) 2022-09-19 13:53:44 -04:00
gillespi314
6a3d9959fc
Refactor vulnerabilities cron to scheduler package (#7650) 2022-09-16 10:08:51 -05:00
Juan Fernandez
765031d962
Bug 6717: Duplicate calls on vulnerability third party integrations. (#7698)
If the same vulnerability was present in more than one software, then duplicated third party integration calls were being issued.
2022-09-13 10:41:52 -04:00
Juan Fernandez
b60d535d4a
Feature 7084: Add new EE endpoint for Fleet Desktop (#7530)
Added new EE endpoint, that is meant to be used by Fleet Desktop only. The new endpoint will return the number of failed policies.
2022-09-12 15:37:38 -04:00
Juan Fernandez
98e4d6e0bc
Feature 7394: Use MSRC parser to generate security bulletin artifacts (#7491)
Generate security artifacts using the MSRC parser.
2022-09-12 15:17:13 -04:00
Juan Fernandez
b6d084deec
Feature 7559: Include 3rd party severity scores in the vulnerability web-hook payload (#7581)
Premium users should receive vulnerability scores as part of the web-hook payload.
2022-09-06 15:12:17 -04:00
Michal Nicpon
0709d1bc5c
improve vuln cpe matching on macos (#6985)
* add cpe translations
* fix matching on target_sw
2022-09-01 10:02:07 -06:00
gillespi314
8157359f84
Ingest Windows host display version for hosts table (#7403) 2022-08-30 10:16:48 -05:00
Roberto Dip
eeefe2fab9
enable controlled rollout of features by teams (#7408) 2022-08-30 08:13:09 -03:00
Martin Angers
f602ea3446
Provide Munki issues for MacOS hosts (#7280) 2022-08-29 14:40:16 -04:00
Roberto Dip
f9bb0b3dc0
adjust osquery_perf to respect config settings (#7418)
users, software_macos and software_linux queries can be optionally disabled in the fleet server via the enable_host_users and enable_software_inventory config settings, however osquery_perf is always running them.

this adjusts the code accordingly to only execute them if the server asks.
2022-08-29 13:34:40 -03:00
Juan Fernandez
0572c621d5
Fix osquery-perf Ubuntu software path issue (#7417)
Fixed issue with software fixture path used in osquery-perf
2022-08-26 15:43:06 -04:00
Juan Fernandez
3048a07fd1
Feature 7076: Ingest installed windows updates (#7138)
* Ingest installed Windows updates and store them in the windows_updates table. 
* Added config option for enabling/disabling Windows update ingestion and Windows OS vuln. detection.
2022-08-26 14:55:03 -04:00
Roberto Dip
9a1d2066bb
deprecate host_settings in favor of features (#7358)
Related to #7312, this makes use of the changes introduced in #7353 to rename host_settings to features while keeping backwards compatibility.
2022-08-25 13:41:50 -03:00
Martin Angers
1ed6512c5b
Implement retries when building MSI on Apple M1 architecture (#7367) 2022-08-24 14:52:32 -04:00
Martin Angers
dfd7d3f244
Add activity types for applied team spec and edited agent options (#7355) 2022-08-24 08:32:45 -04:00
Juan Fernandez
7e1e69c9bc
Fixed flaky vulnerability CRON tests (#7311)
* Fixed flaky vuln cron tests

* Fixed typo

* Remove sub-test
2022-08-23 08:22:08 -03:00
gillespi314
7fb109e6b3
Handle errors for duplicate os records (#7294) 2022-08-22 14:34:00 -05:00
Zachary Winnerman
2103de275a
improve error handling in vulnerabilities cron (#7276)
* improve error handling in vulnerabilities cron

* fix tests

* Use errHandler and go mod tidy

* Add dep that got removed by mod tidy

* add dsl to tools

* Add changes file

Co-authored-by: Michal Nicpon <michal@fleetdm.com>
Co-authored-by: Tomas Touceda <chiiph@gmail.com>
2022-08-18 16:53:58 -03:00
gillespi314
90f57f4849
Enhance API endpoints with host operating systems info (#7154) 2022-08-12 14:23:25 -05:00
Zach Wasserman
acf60189ff
Add message for fleetctl when prepare commands are used (#7152) 2022-08-11 12:26:52 -07:00
Martin Angers
c8cdddf0ea
Update /macadmins endpoints to include MDM name and aggregate count (#7137) 2022-08-10 15:15:01 -04:00
Roberto Dip
fc8c15c0d1
add application config setting to enable JIT provisioning (#7140)
As part of #7053, this adds a config setting to enable JIT provisioning.
2022-08-10 15:15:35 -03:00
gillespi314
e2194be61c
Add schedule package and refactor cron jobs for cleanups, aggregations, and usage statistics (#6618) 2022-08-10 11:00:56 -05:00
gillespi314
3a88afaf98
Add new database tables and queries for host operating systems (#6920) 2022-08-09 13:34:41 -05:00
Lucas Manuel Rodriguez
6dcff28be0
Move specs parsing functionality to a new pkg/spec package (#7050) 2022-08-05 19:07:32 -03:00
Martin Angers
012869f971
Fleet Premium: de-anonymize usage stats (#7013) 2022-08-03 14:44:34 -04:00