The current approach to read the enroll secret and fleet url from a
configuration profile is not ideal because:
1. (important) We're looking for a profile with a `ProfileIdentifier`
equal to `com.fleetdm.fleetd.config`. This is not ideal because
`ProfileIdentifier` is often modified by MDM vendors to ensure that's
unique across all profiles in the system.
2. (nit) To look for the relevant profile, we were running `profiles
list -o stdout-xml`, which can output a large amount of data that we
need to parse and loop through to find the right profile.
I have also considered:
1. Reading the value from a file that gets created at `/Library/Managed
Preferences/com.fleetdm.fleetd.config.plist`, but I couldn't find any
official sources on the reliablity of this, and after consulting
internally and in the macAdmins slack I decided to not rely on it.
2. Keep on reading from the output of `profiles` but be smarter parsing
the output (we should still be able to find the right profile)
At the end, I decided to use osascript to read the value directly from
the system.
This could help future users to detect this issue: #10957
It also adds an error log in Fleet that prints the actual error.
The error is displayed if I kill Redis during a live session or if I set
`client-output-buffer-limit` to something real low like `CONFIG SET
"client-output-buffer-limit" "pubsub 100kb 50kb 60"`:
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- ~[ ] Added/updated tests~
- [X] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Changes:
- Updated the build-static-content script to throw an error if a
Markdown file contains a vue template (e.g., `{{ foo }}`)
- Updated an example in the "Using Fleet" FAQ to use single curly
brackets (`{{host}} ` » `{host}`)
Context: https://github.com/fleetdm/fleet/pull/12088
This guide are the lessons learned during the troubleshooting for
#10957.
It attempts to reduce pain for future oncall issues with live queries.
PS: AFAICS, this should close
https://github.com/fleetdm/fleet/issues/6141.
Changes:
- Replaced the double curly brackets in the Github action examples to
prevent the Fleet website from interpreting those examples as [Vue
templates](https://vuejs.org/guide/essentials/template-syntax.html#text-interpolation)
(Which causes Javascript errors and prevents the page from rendering)
- Updated the indentation of images in ordered lists and added newlines
to keep the formatting consistent.
Increase the statistics report frequency from once a week to once in 3
days.
The idea is to double it in slow steps to make sure the Heroku can
withstand it.
Goal is to get to once every few hours.
Add step to ensure there are no release blocking tickets open that might
have gone missed.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Added/updated tests (smoke test template)
Related to #11185 this adds a Puppet module that provides:
1. A custom type named `fleetdm::profile` that can be used to define
profiles to a device
2. A function named `fleetdm::release_device` that can be used to
release a device from await device configuration.
Instructions/usage can be found in the `README.md` file.
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
For issues #12003 and #12051
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Changes:
- Removed the `platforms` value of columns that support all platforms on
the schema tables added in https://github.com/fleetdm/fleet/pull/11784.
Columns in our YAML table overrides should only have a `platforms` value
if it is not compatible with all platforms
Add support for Fleet audit logs by adding a new variable
`firehose_audit_name` to the `firehose` module. If the variable is set,
a new delivery stream is created for Fleet audit logs. The IAM role is
updated to allow writing to the new delivery stream. The `outputs.tf`
file is updated to include the new environment variable
`FLEET_ACTIVITY_ENABLE_AUDIT_LOG` and `FLEET_ACTIVITY_AUDIT_LOG_PLUGIN`
to the `fleet_extra_environment_variables` output. The `firehose_policy`
in `firehose.tf` is updated to allow writing to the new delivery stream.
The `firehose_audit` policy is created and attached to the IAM role if
the `firehose_audit_name` variable is set.
---------
Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Closes https://github.com/fleetdm/fleet/issues/11837
Changes:
- Changed the OS icons used on tables/ and queries/ pages.
- updated `get-extended-osquery-schema` to change the `platform` value
of osquery table columns to be the normalized platform name (`chromeos`
» `ChromeOS`)
- updated `build-static-content` to support three `platforms` values
when adding platform compatibility notes to generated Markdown tables
(e.g., "**Only available on macOS, Linux, and Windows.**" )
- Added dropdown options and icons for ChromeOS on osquery schema table
pages, query details pages, and the query library.
Useful while working on #11890.
Hidden flags `--audit_debug`, `--audit_fim_debug`,
`--audit_show_partial_fim_events` and
`--audit_show_untracked_res_warnings` are useful when troubleshooting
the `process_file_events` table. This change allows setting the flags in
the agent settings:
Closes https://github.com/fleetdm/confidential/issues/2700
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Closes: https://github.com/fleetdm/confidential/issues/2755
Changes:
- Updated the homepage to match the latest wireframes (Switched to a
single hero image, removed the hero background image, updated the text
in the hero and other headings on the page)
Closes: #11915
Changes:
- Deleted `website/assets/fonts/nunito-sans`
- Deleted `website/assets/dependencies/nunito-webfonts.css`
- Updated the quotemark used for large blockquotes in markdown content
to be an image (Previously was using a `"` character with the Nunito
Sans font).
#10784
The removal of the now deprecated `sso_settings.enable_jit_role_sync`
config will be tackled in: #10688.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
#10878
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Closes#11640
Changes:
- Removed the whitespace in between the permission role names and the
asterisk that was causing the table header to have a linebreak in the
permission roles table.
Updated Slack channels added "#g-website" DRI Mike Thomas
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Update Ritual table removed departed DRI's
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Closes: #11989
Changes:
- Changed the Bootstrap 4 class that is added to every table in content
built from Markdown so our tables are responsive at all widths
(`table-responsive-xl` » `table-responsive`)
