On new installations we unintentionally set the enroll secret to empty
string during database migrations. The enroll secret would be reset
during the setup process. This fixes the migration to not create any
enroll secret until the setup process.
- Conduct complete visual QA for recent icon changes merged in #128
- Edit styles to vertically align the "copy" and "reveal" icons in EnrollSecretTable
- Clean up unused <KolideIcon /> properties in <SelectTargetsDropdown />
- Add min-height to left side navigation. At window heights under 500px, the user can now vertically scroll to reveal the remainder of the nav options.
- Edit 500 page styles by moving the "Show error" button above the link to "File an issue"
- Add back <KolideIcon /> to SelectTargetsDropdown. <KolideIcon /> was prematurely replaced.
- Edit styles to allow SelectTargetsDropdown to vertically scroll on overflow.
Fixes#168
- Run the `fleetctl setup` command to set up the Fleet server with
default username ('admin') and password ('admin123#').
- Configures fleetctl if it has not yet been configured.
Closes#152
- Quick attempt to alleviate potential confusion for how the osquery configuration overrides option works
- Leave in the commented explanation in the sample yaml file
- Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor.
- Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns
- Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case)
- Fix all broken markdown links
Resolves a GitHub security alert about node-notifier (https://github.com/advisories/GHSA-5fw9-fq32-wv5p). This was unlikely
to be relevant in the case of Fleet where this was used only as a
development dependency.
The current implementation of FleetDM doesn't support Docker secrets for supplying the MySQL password and JWT key. This PR provides the ability for a file path to read in secrets. The goal of this PR is to avoid storing secrets in a static config or in an environment variable.
Example config for Docker:
```yaml
mysql:
address: mysql:3306
database: fleet
username: fleet
password_path: /run/secrets/mysql-fleetdm-password
redis:
address: redis:6379
server:
address: 0.0.0.0:8080
cert: /run/secrets/fleetdm-tls-cert
key: /run/secrets/fleetdm-tls-key
auth:
jwt_key_path: /run/secrets/fleetdm-jwt-key
filesystem:
status_log_file: /var/log/osquery/status.log
result_log_file: /var/log/osquery/result.log
enable_log_rotation: true
logging:
json: true
```
* prevent eslintrc conflicts
* Pricing + chat for website (#124)
* Update manage users styles. Implement table (list) view. (#104)
The goal of this PR is to change the layout of the manage users to a table (list view).
Move the user actions into the table view.
Move EditUserForm into a Modal
Update styles for InviteUserForm
Edit copy for the configuring SMTP warning.
* Update query page (edit, new, manage) and packs page (edit, new, manage) styles. (#106)
The goal of this PR is to update the style across the query and packs pages so they are consistent with the latest global styles (colors, buttons, and fonts).
* Update app settings page and osquery options page styles. (#107)
The goal of this PR is to implement the new global styling (colors, buttons, and fonts) to the "App settings" and "Osquery options" pages. These pages are only visible to users granted an admin role.
* Fix and clarify API auth documentation (#109)
- Fix header name.
- Add note about SSO auth.
* New styles for 404, 500, Login, User settings, and Confirm invite pages. (#108)
- Kolide404 and Kolide500 components renamed to Fleet404 and Fleet500
- Styling for Login and Confirm invite pages are consistent with the recent changes to the Setup page.
- Add "*" character to the 404 <Route />'s path property. Now the 404 page renders when there is no exact path match.
* Fix JSON in rest-endpoints.md (#110)
* Add host enrollment cooldown period (#112)
This addresses an issue some users experienced in which performance
problems were encountered when hosts were "competing" for enrollment
using the same osquery host identifier. The issue is addressed by adding
a cooldown period for host enrollment, preventing the same (as judged by
osquery host identifier) host from enrolling more than once per minute.
When users end up in the problematic scenario, they will see quite a bit
of error logs due to this issue. For now that's probably a good thing as
users need to be aware of the lack of visibility. We can explore rate
limiting the logging if that becomes an issue for someone.
Fixes#102
* Improve MySQL transaction error logging (#113)
Clarify what exactly happened when logging these errors.
* Migrate remaining URLs to fleetdm.com (#116)
* Clean up unused test/demo SQL data (#117)
* Add style fixes caught during QA. Add favicon. (#119)
Changes include style fixes that were caught during a QA pass.
* Make password reset styles consistent with new global styles. (#120)
The changes include adding sentence casing and updating the styles of the and components.
* CHANGELOG for 3.5.0 (#121)
* Update fleetctl version number. Fix spelling error in changelog. (#122)
* Fix alt tag
* Set up pricing cards
* Match footer to bottom of gradient
* Set up FAQ and stub out chat button click
* Add chat, plus some other tweaks.
* fiddling with Papercups to hopefully get it to recognize who's responding from the Fleet side
* This isn't really a solution but it's the best we've got til Papercups is hacked to allow programmatic opening (or til we switch to something else, or just bring in the traditional contact form)
* trivial
* Temporary workaround using an undocumented API in papercups
Co-authored-by: Rachael Shaw <rachaelshaw@users.noreply.github.com>
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
Co-authored-by: Rachael McNeil <r@rachael.wtf>
Co-authored-by: Rachael Shaw <rachaelshaw@users.noreply.github.com>
This PR includes the Using Fleet section of the documentation restructure #144.
It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3).
Update the naming convention for the files to number prefixes.
This PR includes the Deployment section of the documentation restructure #144.
- Changes include the addition of 3 overarching folders/sections named Deployment, Using fleet, and Contribution guide. Each folder includes new files for the subsections.
- Move the copy from the appropriate files into the new files in the Deployment folder. Removed old files. A detailed outline of the exact old files can be found in the linked issue above.
- Add navigation to the top of each file via links to anchors in the markdown.
The naming convention for each folder and file is up for discussion. I chose to use number prefixes (1, 2, 3) to order the folders and files. This way we have control over the order when viewing on GitHub.
Running applications as root (default Docker user) is not a good security practice. The goal of this PR is to run the Fleet application as a non-root user.
For development you can still access the container as root with the following command: `docker run -it --user=0 <fleetdm container ID> bash`
- Add help text within dropdown in smaller font size underneath "Require password reset" saying "This will revoke all active Fleet API tokens for this user."
- Update API docs to use "API token" parlance instead of "Auth token"
The final PR for the UI Refresh #38.
- Complete UI issues caught during the Dec. 09 QA pass.
- Update button and color styles, including hover and active states, to align with the mockups.
- Update status labels in the hosts list and users list. The status label now includes a colored circle along with a text description.
- Fixes#138.
Fixes#65 by bringing in new regular and bold Source Code Pro monospaced fonts.
- Remove old Source Code Pro font files
- Add new platform icons to <QuerySidePanel />
- Edit styles in <EditPackForm />
This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111).
It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends).
- Add new PNG files for the new icons in the left side navigation and the right side labels on the Hosts page.
- Rename the old `<Icon />` component to `<KolideIcon />` and create a new `<Icon />` component. The ultimate goal is to get rid of the `<KolideIcon />` and `<PlatformIcon />` components and use the encompassing `<Icon />` component for all icons. The full transition will be made when we have icon assets to replace all the kolide icons and platform icons. Currently, we don't.
- Rename the `icon_name_for_label.js` utility to `icon_name.js` because the utility now includes `iconNameForLabel()` and `iconNameForPlatform()` functions.
- Fixes issue #127.
Mitigate
[CVE-2020-26273](https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8)
by attempting to prevent users from executing or saving queries that use
the SQLite `ATTACH` command.
Users must still update to osquery 4.6.0 to ensure the functionality is
fully disabled in osquery.
@ahmedmusaad added documentation for the following API endpoints:
/api/v1/kolide/users GET
/api/v1/kolide/users POST
/api/v1/kolide/users/admin POST
/api/v1/kolide/users/{id} GET
