Commit Graph

282 Commits

Author SHA1 Message Date
Sharon Katz
7718135bd6
#12861 Remove os.Kill since golang can't capture it (#13419)
#12861
2023-08-22 10:58:51 -04:00
github-actions[bot]
7f19069f38
Update Orbit CA certs [automated] (#13446)
Automated change from [GitHub
action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).

Co-authored-by: zwass <zwass@users.noreply.github.com>
2023-08-22 06:01:58 -03:00
Roberto Dip
3b815b04c2
adjust MDM migration copy and timers (#13366)
for #13158
2023-08-18 18:58:40 -03:00
Zach Wasserman
a1b8226a15
Update default TUF root key for package generation (#13381)
TUF root keys have been rotated on the server. This brings the default
roots up to date with that newest metadata.

Verified that the new `fleetctl` still builds packages successfully.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Manual QA for all new/changed functionality
2023-08-18 09:03:00 -06:00
Roberto Dip
2a02936ed6
account for mixed case domains (#13342)
Unreleased tweak, do a case-insensitive comparison of domains.
2023-08-15 19:11:44 -03:00
Roberto Dip
998e1dfb6b
fix issues when MDM info is empty during migration (#13320)
for #13319
2023-08-14 19:21:06 -03:00
Roberto Dip
902e064d04
fix issues with migration flow (#13297)
For #13094
2023-08-14 09:56:59 -03:00
Roberto Dip
70bdfe9512
fix panic if concurrent requests write capabilities (#13278) 2023-08-10 19:49:07 -03:00
gillespi314
c42f8230f7
Check assigned DEP in Orbit MDM migration (#13232) 2023-08-10 17:36:34 -05:00
Roberto Dip
ac25d8f581
remove quotes from FLEET_URL property in Windows templates (#13190)
related to #13175 and #13186
2023-08-08 16:36:33 -03:00
RachelElysia
b64f1b0d7a
Fleet Documentation: Remove docs about cgroups (#13143) 2023-08-04 14:40:29 -04:00
Marcos Oviedo
7cfea0787e
Windows Installer changes to support MDM Azure flow (#13025)
This relates to #12600

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
- [X] Manual QA for all new/changed functionality
2023-07-31 12:12:06 -03:00
gillespi314
abfa113083
Disable nudge in case of launch error (#12906) 2023-07-26 14:40:03 -05:00
smgrol
2c45ae73ca
update augeas lens "simplevars.aug" (#12922)
PR to update simplevars for reading subdirectory config files of the
/etc/zabbix dir

changes from augeas team review
https://github.com/hercules-team/augeas/pull/815

Co-authored-by: liana <liana@mcbook.local>
2023-07-25 09:22:41 -07:00
Roberto Dip
11a78e27db
Avoid migration actions if the host is already enrolled into Fleet (#12882)
for #12068
2023-07-20 19:08:08 -03:00
Gabriel Hernandez
9aa7c0c714
add dark and light background logo colors and show them on mdm migrat… (#12681) 2023-07-13 19:35:25 +01:00
smgrol
c596ac6f34
augeas: read subdirectories from /etc/zabbix dir (#12631)
PR to read configuration files in subdirectories of the /etc/zabbix
directory with augeas
2023-07-07 11:18:26 -07:00
Roberto Dip
100b211ba5
prevent panic when orbit is run with updates disabled (#12654)
for #11980
2023-07-06 14:43:10 -03:00
github-actions[bot]
d2b49931ca
Update Orbit CA certs [automated] (#12028)
Automated change from [GitHub
action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).

Co-authored-by: zwass <zwass@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2023-07-05 15:04:51 -03:00
Lucas Manuel Rodriguez
810eb58b95
macOS CIS: Use find command (exposed as fleetd table) instead of relying on the osquery core file table (#12560)
#10292, #12554

When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
    - [X] Manual QA must be performed in the three main OSs, macOS, Windows
      and Linux.
    - ~[ ] Auto-update manual QA, from released version of component to new
      version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-29 16:22:41 -03:00
Martin Angers
1db2f7646a
Implement Windows MDM programmatic unenrollment (notification + orbit trigger) (#12505) 2023-06-28 09:13:37 -04:00
Marcos Oviedo
821f6b064f
Adding support for GetPolicies message (#12477)
This relates to #12262

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-06-27 12:59:33 -03:00
Lucas Manuel Rodriguez
7a33a108cb
Add --verbose flag to fleetd_tables (needed when osqueryd runs in verbose mode) (#12504)
Found while load testing the macOS CIS benchmark policy queries using
`fleetd_tables` as an extension (#10292).

Basically, osqueryd passes the `--verbose` flag to the extension, so we
need to add it here to not fail the extension execution.
2023-06-27 10:42:48 -03:00
Martin Angers
ca02abb660
Trigger Windows MDM host enrollment on device when notified that it is enabled (#12426) 2023-06-26 12:13:17 -04:00
Marcos Oviedo
22bb16bf2e
Pushing initial support for MS-MDE2 Discovery message (#12387)
This PR requires the Windows MDM configuration changes; this will be
updated next week

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Documented any permissions changes
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
2023-06-22 17:31:17 -03:00
Roberto Dip
3bee27d423
adjust swiftDialog layout and buttons (#12428)
related to #11859, this adjusts swiftDialog according to the specs in
the issue

https://github.com/fleetdm/fleet/assets/4419992/91d42e88-677e-4e67-aed9-7916b301577d
2023-06-21 12:10:33 -03:00
gillespi314
87fe00db71
Create new Fleet osquery extension table to read escrowed FileVault key (#12198) 2023-06-15 10:23:59 -05:00
Marcos Oviedo
4428d1e1aa
Adding windows profiling tool and documentation on how to use it (#12090)
This relates to #11939

This PR adds the test tool and procedure used to profile orbit and
osqueryd processes on Windows
2023-06-09 10:55:47 -03:00
Eric
9ab1eed003
Update invalid osquery slack invitation link in markdown files (#12186)
Changes:
- Updated the old (now invalid) osquery slack invitation link to go to
fleetdm.com/slack (which redirects to a valid osquery slack invitation)
2023-06-07 17:29:57 -05:00
Martin Angers
f27fcddd55
Prevent clearing macos updates settings when applying/modifying a team without those settings (#12160) 2023-06-06 14:31:33 -04:00
Roberto Dip
1eb1e93e26
don't automatically kickstart softwareupdated in Orbit (#12072)
Related to #11777, this disables the kickstart of softwareupdated in
Orbit.

I have kept the `--disable-kickstart-softwareupdated` for backwards
compatibility, but it doesn't have any effect anymore.
2023-06-02 12:33:40 -03:00
Roberto Dip
6e3248237c
read orbit profile configuration values using osascript in macOS (#12086)
The current approach to read the enroll secret and fleet url from a
configuration profile is not ideal because:

1. (important) We're looking for a profile with a `ProfileIdentifier`
equal to `com.fleetdm.fleetd.config`. This is not ideal because
`ProfileIdentifier` is often modified by MDM vendors to ensure that it's
unique across all profiles in the system.
2. (nit) To look for the relevant profile, we were running `profiles
list -o stdout-xml`, which can output a large amount of data that we
need to parse and loop through to find the right profile.

I have also considered:

1. Reading the value from a file that gets created at `/Library/Managed
Preferences/com.fleetdm.fleetd.config.plist`, but I couldn't find any
official sources on the reliability of this, and after consulting
internally and in the macAdmins slack I decided to not rely on it.
2. Keep on reading from the output of `profiles` but be smarter about
parsing the output (we should still be able to find the right profile)

At the end, I decided to use osascript to read the value directly from
the system.
2023-06-01 20:50:52 -03:00
Roberto Dip
e57f90fbac
fix display issues with screenshot in MDM migration flow (#11866)
For #11858, I reproduced the issue by running a local server behind
ngrok, _with the exact_ same path as the one in the website:
`https://server-url/images/permanent/mdm-migration-screenshot-768x180@2x.png`

I tried multiple combinations, but at the end, removing the `@` did the
trick. My guess is that it's something to do with the markdown parser
library used by swiftDialog.

I also removed a rogue `\` that was being displayed.
2023-05-23 14:29:42 -03:00
Marcos Oviedo
bc223af05d
Helper utilities to showcase windows authenticode signing (#11780)
This relates to #11013

Helper utilities to showcase Windows Authenticode signing.

The fleetdm.pfx certificate file is a self-signed test certificate
2023-05-18 16:47:33 -03:00
Roberto Dip
8829b84a63
add migration support to FD and orbit (#11741)
https://github.com/fleetdm/fleet/issues/11534
2023-05-18 14:21:54 -03:00
Juan Fernandez
827c4a7c33
Feature 8058: Added resource.syso metadata file (#10783)
Addresses https://github.com/fleetdm/fleet/issues/8058, https://github.com/fleetdm/fleet/issues/11012 and https://github.com/fleetdm/fleet/issues/11013

This PR adds a new VERSIONINFO metadata file using the
https://github.com/josephspurrier/goversioninfo library.
2023-05-17 18:53:25 -03:00
Roberto Dip
4dd127d577
base logic to show/hide the new Migrate to Fleet FD menu (#11679)
Related to #11670
2023-05-15 17:00:52 -03:00
Marcos Oviedo
3ec04887e6
New CIS Audit table (#11381)
This relates to #11244

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
  - [x] Manual QA must be performed in the three main OSs, macOS, Windows
    and Linux.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2023-05-12 11:16:36 -03:00
Roberto Dip
4103e77e90
add swiftDialog to TUF (#11643)
Related to #11534, this is an extract from the code I used to build a
prototype to see if `swiftDialog` would work for us.

This is very similar to the work we did for Nudge previously.
2023-05-11 15:01:43 -03:00
Zach Wasserman
3f0111964f
Add macos_rsr table from macadmins extension (#11537)
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
    - [ ] Manual QA must be performed in the three main OSs, macOS, Windows
      and Linux.
    - [ ] Auto-update manual QA, from released version of component to new
      version (see [tools/tuf/test](../tools/tuf/test/README.md)).

---------

Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2023-05-05 11:02:28 -03:00
Marcos Oviedo
e83892bda1
Adding windows cleanup script (#11452)
This relates to #11451

Helper cleanup script to remove Orbit and Osquery installations
2023-05-01 12:15:45 -03:00
Roberto Dip
35e06fa1ee
ensure file permissions of the nudge config file are consistent (#11374)
For #11218. In the initial implementation of the feature, we used to
launch Nudge as root, so setting the permissions of the config file to
0600 was okay.

As part of the fix for #10044, we now launch Nudge as the current user
(which is also recommended in the Nudge wiki), but previous
installations of the beta version (probably only Fleeties using Dogfood)
still have the configuration file with restrictive permissions, so Nudge
wasn't able to read the config when launched as a user.

This is kind of hidden because `os.WriteFile` takes a permission
argument, but it's only used if it's writing the file for the first
time.
2023-04-27 10:22:42 -03:00
Lucas Manuel Rodriguez
7dadec3ecf
Add mTLS support to fleetd (#11319)
#7970

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
    - [x] Manual QA must be performed in the three main OSs, macOS, Windows
      and Linux.
    - [x] Auto-update manual QA, from released version of component to new
      version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 08:44:39 -03:00
Roberto Dip
670492c129
Write an enroll secret to osquery when it's read from config profile (#11066)
#11065

Since `secret.txt` is written when the installer is built, but
installers using `--use-system-config` don't have an enroll secret at
build time, this file was empty and causing osquery to have trouble
enrolling.

This PR writes the file when the values are read from a configuration
profile.
2023-04-07 19:34:16 -03:00
Marcos Oviedo
9f6c803b4f
Adding fix to not use COM installer object (#9661)
This relates to #9576
2023-04-06 17:26:33 -03:00
Gabriel Hernandez
aeeae1706e
Update disk encryption refresh copy (#11033) 2023-04-06 15:20:07 -05:00
Roberto Dip
1516caad46
explicitly enable orbit to read config from the system (#10980)
In #10134 we added a silent mechanism to try to read configuration
values from macOS configuration profiles if --fleet-url and
--enroll-secret weren't present.

While using this logic to test #9459 I have found that there's a race
condition where sometimes `fleetd` is installed before the configuration
profile with the values delivered by Fleet, causing orbit to get stuck
forever.

I added logic to loop every 30 seconds and try to fetch the values again
if none are found, but I didn't feel comfortable adding this logic
without also adding an extra flag to explicitly enable this behavior.
2023-04-05 15:02:18 -03:00
Benjamin Edwards
879d02c219
add simple go osquery extension & readme to register orbit tables (#10795)
closes https://github.com/fleetdm/fleet/issues/10708

New osquery extension & readme that describes how to build and get
osqueryd to autoload.
2023-03-31 10:39:13 -04:00
Gabriel Hernandez
cb582042cc
Fix disk encryption banner displaying incorrectly on My Device page (#10875)
relates to #10786

This fixes an issue where users would see the incorrect disk encryption
banners on the My Device page. This included a change to the ingestion
logic of the `directIngestDiskEncryptionKeyDarwin` method to take into
account if a host was already being encrypted with FileVault locally.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-03-30 17:15:45 +01:00
Sharon Katz
d54e354022
CIS MAC 1.1 fix (#10619) 2023-03-29 09:24:33 -04:00