When running a live query recently, I noticed some columns in the
results that we didn't have documented, and realized we weren't using
the latest osquery schema version when regenerating the merged schema.
According to the docs, [we support the latest version of
osquery](https://fleetdm.com/docs/using-fleet/enroll-hosts#supported-osquery-versions),
so figure we ought to update the schema version to the latest.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: #13722
Changes:
- Updated the `get-extended-osquery-schema` helper to sort the merged
schema by table name.
- Regenerated `/schema/osquery_fleet_schema.JSON`
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
## Addresses #11037
### Implement the `privacy_preferences` table for the Fleetd Chrome
extension. Columns correspond to the available properties of
[`chrome.privacy`](https://developer.chrome.com/docs/extensions/reference/privacy/).
Chrome on mac:
<img width="816" alt="Screenshot 2023-06-23 at 11 55 21 AM"
src="https://github.com/fleetdm/fleet/assets/61553566/a4700749-6325-442e-acf2-c14b1c9adf8f">
Chromebook with enterprise access (actual use case):
* Chromebook w/o enterprise access: as you can see, sometimes certain
APIs are not available - this error occurs because the expected API
object that would have a `get` method is actually `undefined` TODO – How
to handle this case given that we want to let errors bubble up to the
level at which Fleet can catch them? Maybe it would be nice to catch
such errors and send them up to the Fleet layer, and still allow the
loop to continue to populate the columns whose APIs _are_ available.
_Decision: catch API errors here to preserve functionality of the
remaining columns_
- [x] Changes file
- [x] Manual QA
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Changes:
- Updated the `platform` value for osquery tables and columns that
support chromeos to be `chrome` (Previously `chromeos`)
- Updated `get-exteneded-osquery-schema.js` to use the new `platform`
value
- Updated the Fleet website to use the `chrome` `platform`.
- Regenerated `schema/osquery_fleet_schema.json` with ChromeOS tables.
This relates to #11244
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
Changes:
- Changed the version of osquery schema we merge with Fleet's overrides
from `5.7.0` to `5.8.1`
- Rand the `generate-merged-schema` script to regenerate
`osquery_fleet_schema.json` .
## EDIT
Mike: Hi Eric, if my changes look good to you, and if it's passing CI,
would you merge?
.
---------
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
This adds a new check about whether all APFS volumes are encrypted. I
needed to add a new table, and I took that opportunity to add another so
that osquery has all information from `diskutil apfs list -plist`.
Note that it is somewhat unclear whether to use the `encryption` or
`filevault` field in the query. FileVault is about whether the volume is
encrypted with a password and Encryption is about whether it is
encrypted at all, since all modern macs have hardware-backed disk
encryption.
Changes:
- Added three errors to
`website/api/helpers/get-extended-osquery-schema.js` that are thrown if
a YAML schema table has:
- A `platforms` value that is not an array
- A `description` value that is not a string
- A `columns` value that is not an array
- Updated the `platforms` of YAML schema tables in `schema/tables/` that
had string `platforms` values
- Regenerated `/schema/osquery_fleet_schema.json`
.
Changes:
- Updated the version of the osquery schema we merge with Fleet's
overrides (`5.6.0` » `5.7.0`)
- Ran the `generate-merged-schema` script to regenerate
`schema/osquery_fleet_schema.json`
. .
As raised by a community member in
[Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639),
this updates our documentation to account for both `unified_log` and
`macadmins_unified_log`.
Per my testing, it should also help with the #9158 bug in Fleet's UI.
I have updated the columns of `macadmins_unified_log` according to
what's in the [source
code](50f94d0d70/tables/unifiedlog/unified_log.go (L47-L69)),
and modified the example to work.
Since I was there I have also updated the osquery version we use to pull
the JSON to `5.6.0` and fixed a small bug related to the examples we
pull from there.
. . . . . . .
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
* update helper to use the osquery schema from the osquery/osquery-site repo
* update script description and generated json filename
* Add ritual to digital experience handbook
* add merged schema
* Update README.md
* Update get-extended-osquery-schema.js
