From f215adee5b4a24d09f83a233b6aba05b45f34601 Mon Sep 17 00:00:00 2001 From: Victor Lyuboslavsky Date: Wed, 28 Feb 2024 09:59:25 -0600 Subject: [PATCH 01/13] Added --server_frequent_cleanups_enabled (FLEET_SERVER_FREQUENT_CLEANUPS_ENABLED) flag (#17235) Added --server_frequent_cleanups_enabled (FLEET_SERVER_FREQUENT_CLEANUPS_ENABLED) flag to enable 15 minute cron job to clean up stale data. Currently disabled by default. #17197 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> --- changes/17197-frequent-cleanups-enabled | 1 + cmd/fleet/serve.go | 12 ++++++++---- server/config/config.go | 3 +++ 3 files changed, 12 insertions(+), 4 deletions(-) create mode 100644 changes/17197-frequent-cleanups-enabled diff --git a/changes/17197-frequent-cleanups-enabled b/changes/17197-frequent-cleanups-enabled new file mode 100644 index 0000000000..7707456392 --- /dev/null +++ b/changes/17197-frequent-cleanups-enabled @@ -0,0 +1 @@ +Added --server_frequent_cleanups_enabled (FLEET_SERVER_FREQUENT_CLEANUPS_ENABLED) flag to enable cron job to clean up stale data running every 15 minutes. Currently disabled by default. diff --git a/cmd/fleet/serve.go b/cmd/fleet/serve.go index 01ef84b29f..c60f5d04c2 100644 --- a/cmd/fleet/serve.go +++ b/cmd/fleet/serve.go 
@@ -680,10 +680,14 @@ the way that the Fleet server works.
 }
 }()
- if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
- return newFrequentCleanupsSchedule(ctx, instanceID, ds, liveQueryStore, logger)
- }); err != nil {
- initFatal(err, "failed to register frequent_cleanups schedule")
+ if config.Server.FrequentCleanupsEnabled {
+ if err := cronSchedules.StartCronSchedule(
+ func() (fleet.CronSchedule, error) {
+ return newFrequentCleanupsSchedule(ctx, instanceID, ds, liveQueryStore, logger)
+ },
+ ); err != nil {
+ initFatal(err, "failed to register frequent_cleanups schedule")
+ }
 }
 if err := cronSchedules.StartCronSchedule(
diff --git a/server/config/config.go b/server/config/config.go
index e26831ec30..7861729762 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -94,6 +94,7 @@ type ServerConfig struct {
 Keepalive bool `yaml:"keepalive"`
 SandboxEnabled bool `yaml:"sandbox_enabled"`
 WebsocketsAllowUnsafeOrigin bool `yaml:"websockets_allow_unsafe_origin"`
+ FrequentCleanupsEnabled bool `yaml:"frequent_cleanups_enabled"`
 }
 func (s *ServerConfig) DefaultHTTPServer(ctx context.Context, handler http.Handler) *http.Server {
@@ -841,6 +842,7 @@ func (man Manager) addConfigs() {
 man.addConfigBool("server.sandbox_enabled", false, "When enabled, Fleet limits some features for the Sandbox")
 man.addConfigBool("server.websockets_allow_unsafe_origin", false, "Disable checking the origin header on websocket connections, this is sometimes necessary when proxies rewrite origin headers between the client and the Fleet webserver")
+ man.addConfigBool("server.frequent_cleanups_enabled", false, "Enable frequent cleanups of expired data (15 minute interval)")
 // Hide the sandbox flag as we don't want it to be discoverable for users for now
 sandboxFlag := man.command.PersistentFlags().Lookup(flagNameFromConfigKey("server.sandbox_enabled"))
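Review bot: The new `if config.Server.FrequentCleanupsEnabled` guard skips the frequent_cleanups schedule silently, so an operator cannot tell from the logs whether the 15-minute cleanup job is running on this instance; add an `else` branch that records the decision, e.g. `level.Info(logger).Log("msg", "frequent_cleanups schedule disabled by config")` (if go-kit `level` is imported in this file; otherwise use the logger call the file already uses). As a style point, the doubly nested `if` could be flattened by moving the registration into a small helper so the flag check reads as a single line. The enclosing function continues outside the hunk.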
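Review bot: The new `FrequentCleanupsEnabled` field in `ServerConfig` has no doc comment, so a reader of the struct cannot see what it gates or that it is off by default; add `// FrequentCleanupsEnabled turns on the 15-minute cron job that cleans up expired data (disabled by default).` above it. The same wording question applies to the flag registration hunk at `@@ -841`: its help text says "expired data" while the changes file and the commit message say "stale data"; use one term in both places so `--help` and the docs agree.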
@@ -1191,6 +1193,7 @@ func (man Manager) LoadConfig() FleetConfig {
 Keepalive: man.getConfigBool("server.keepalive"),
 SandboxEnabled: man.getConfigBool("server.sandbox_enabled"),
 WebsocketsAllowUnsafeOrigin: man.getConfigBool("server.websockets_allow_unsafe_origin"),
+ FrequentCleanupsEnabled: man.getConfigBool("server.frequent_cleanups_enabled"),
 },
 Auth: AuthConfig{
 BcryptCost: man.getConfigInt("auth.bcrypt_cost"),
From f36b7d4d6da0aaa93d5e4b80cd48d5459423714f Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky Date: Wed, 28 Feb 2024 10:50:10 -0600 Subject: [PATCH 02/13] Use gitops with dogfood. (#17098) #17043 Set up dogfood to use gitops. I copied the current dogfood configs/policies/queries into the gitops flow. Successful workflow run: https://github.com/fleetdm/fleet/actions/runs/8023101797/job/21918883543?pr=17098 --------- Co-authored-by: Noah Talerman --- .github/workflows/dogfood-gitops.yml | 55 + .github/workflows/example-workflow.yaml | 44 - .../fleetctl-workstations-canary.yml | 49 - .github/workflows/fleetctl-workstations.yml | 49 - it-and-security/default.yml | 86 + it-and-security/lib/agent-options.yml | 13 + .../collect-failed-login-attempts.queries.yml | 14 + it-and-security/lib/collect-fleetd-logs.sh | 7 + ...collect-fleetd-update-channels.queries.yml | 7 + .../lib/collect-usb-devices.queries.yml | 10 + .../collect-vs-code-extensions.queries.yml | 12 + it-and-security/lib/explore-data.queries.yml | 3210 +++++++++++++++++ .../lib/linux-device-health.policies.yml | 6 + .../lib/macos-device-health.policies.yml | 55 + .../macos-see-automatic-enrollment-profile.sh | 1 + it-and-security/lib/servers.agent-options.yml | 13 + .../lib/windows-device-health.policies.yml | 24 + it-and-security/lib/windows-remove-fleetd.ps1 | 110 + it-and-security/lib/windows-turn-off-mdm.ps1 | 27 + it-and-security/teams/explore-data.yml | 43 + it-and-security/teams/servers-canary.yml | 31 + it-and-security/teams/servers.yml | 31 + it-and-security/teams/workstations-canary.yml | 68 + it-and-security/teams/workstations.yml | 62 + 24 files changed, 3885 insertions(+), 142 deletions(-) create mode 100644 .github/workflows/dogfood-gitops.yml delete mode 100644 .github/workflows/example-workflow.yaml delete mode 100644 .github/workflows/fleetctl-workstations-canary.yml delete mode 100644 .github/workflows/fleetctl-workstations.yml create mode 100644 it-and-security/default.yml create mode 100644 it-and-security/lib/agent-options.yml create mode 100644 
it-and-security/lib/collect-failed-login-attempts.queries.yml create mode 100644 it-and-security/lib/collect-fleetd-logs.sh create mode 100644 it-and-security/lib/collect-fleetd-update-channels.queries.yml create mode 100644 it-and-security/lib/collect-usb-devices.queries.yml create mode 100644 it-and-security/lib/collect-vs-code-extensions.queries.yml create mode 100644 it-and-security/lib/explore-data.queries.yml create mode 100644 it-and-security/lib/linux-device-health.policies.yml create mode 100644 it-and-security/lib/macos-device-health.policies.yml create mode 100644 it-and-security/lib/macos-see-automatic-enrollment-profile.sh create mode 100644 it-and-security/lib/servers.agent-options.yml create mode 100644 it-and-security/lib/windows-device-health.policies.yml create mode 100644 it-and-security/lib/windows-remove-fleetd.ps1 create mode 100644 it-and-security/lib/windows-turn-off-mdm.ps1 create mode 100644 it-and-security/teams/explore-data.yml create mode 100644 it-and-security/teams/servers-canary.yml create mode 100644 it-and-security/teams/servers.yml create mode 100644 it-and-security/teams/workstations-canary.yml create mode 100644 it-and-security/teams/workstations.yml diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml new file mode 100644 index 0000000000..10953fe23a --- /dev/null +++ b/.github/workflows/dogfood-gitops.yml 
@@ -0,0 +1,55 @@
+name: 'Apply latest configuration to dogfood with gitops'
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'it-and-security/**'
+ - 'mdm_profiles/**'
+ - '.github/workflows/dogfood-gitops.yml'
+ workflow_dispatch: # allows manual triggering
+
+defaults:
+ run:
+ shell: bash
+
+# Limit permissions of GITHUB_TOKEN.
+permissions:
+ contents: read
+
+jobs:
+ fleet-gitops:
+ timeout-minutes: 5
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout our repository
+ uses: actions/checkout@v4
+
+ - name: Checkout GitOps repository
+ uses: actions/checkout@v4
+ with:
+ repository: fleetdm/fleet-gitops
+ ref: main
+ path: fleet-gitops
+
+ - name: Apply latest configuration to Fleet
+ uses: ./fleet-gitops/.github/gitops-action
+ with:
+ working-directory: ${{ github.workspace }}/fleet-gitops
+ env:
+ FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
+ FLEET_URL: https://dogfood.fleetdm.com
+ FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
+ DOGFOOD_APPLE_BM_DEFAULT_TEAM: Workstations
+ DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
+ DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
+ DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
+ DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
+ DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
+ DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
+ DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
+ DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+ DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
+ DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
+ DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
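Review bot: The GitOps action is checked out from `ref: main` of `fleetdm/fleet-gitops` and then run via `uses: ./fleet-gitops/.github/gitops-action`, so whatever is merged to that branch executes in this job with the API token and every DOGFOOD enroll secret listed under `env`; the workflows this commit deletes pinned their action to a full commit SHA (`fleet-mdm-gitops@15072f27…`), and this checkout should do the same: `ref: <pinned fleet-gitops commit SHA>` with a trailing `# vX.Y.Z` comment naming the tag it corresponds to. The two `actions/checkout@v4` steps are tag-pinned and could be SHA-pinned for the same reason. The deleted workflows also carried a `concurrency` group with `cancel-in-progress: true`; without one, two pushes to main that touch `it-and-security/` can apply configuration to dogfood at the same time.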
diff --git a/.github/workflows/example-workflow.yaml b/.github/workflows/example-workflow.yaml deleted file mode 100644 index 5a19e87b9f..0000000000 --- a/.github/workflows/example-workflow.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the provided team. -name: Apply latest configuration profiles (example) -on: - push: - branches: - - main - paths: - - "path/to/**.mobileconfig" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - FLEET_URL: ${{ secrets.DOGFOOD_URL }} - TOKEN_USED_BY_PROFILE: ${{ secrets.TOKEN_USED_BY_PROFILE }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b - with: - FLEET_API_TOKEN: $FLEET_API_TOKEN - FLEET_URL: $FLEET_URL - FLEET_TEAM_NAME: 💻🐣 Workstations (canary) - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: 13.3.2 - MAC_OS_VERSION_DEADLINE: 2023-06-15 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/.github/workflows/fleetctl-workstations-canary.yml b/.github/workflows/fleetctl-workstations-canary.yml deleted file mode 100644 index 26c3919766..0000000000 --- a/.github/workflows/fleetctl-workstations-canary.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations (canary) team. -# It uses a fleet instance also built and executed from source. -# -# It runs automatically when a file is changed in /mdm_profiles. -name: Apply latest configuration profiles and macOS updates (Canary) - -on: - push: - branches: - - main - paths: - - "mdm_profiles/**.mobileconfig" - - ".github/workflows/fleetctl-workstations-canary.yml" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }} - CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0 - with: - FLEET_API_TOKEN: $DOGFOOD_API_TOKEN - FLEET_URL: $DOGFOOD_URL - FLEET_TEAM_NAME: 💻🐣 Workstations (canary) - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: "14.2" - MAC_OS_VERSION_DEADLINE: 2023-12-15 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/.github/workflows/fleetctl-workstations.yml b/.github/workflows/fleetctl-workstations.yml deleted file mode 100644 index fb45ddac96..0000000000 --- a/.github/workflows/fleetctl-workstations.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations team. -# It uses a Fleet instance also built and executed from source. -# -# It runs when the GitHub action is triggered manually -name: Apply latest configuration profiles and macOS updates - -on: - push: - branches: - - main - paths: - - "mdm_profiles/**.mobileconfig" - - ".github/workflows/fleetctl-workstations.yml" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }} - CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0 - with: - FLEET_API_TOKEN: $DOGFOOD_API_TOKEN - FLEET_URL: $DOGFOOD_URL - FLEET_TEAM_NAME: 💻 Workstations - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: "14.2" - MAC_OS_VERSION_DEADLINE: 2023-12-19 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/it-and-security/default.yml b/it-and-security/default.yml new file mode 100644 index 0000000000..5a5a170fef --- /dev/null +++ b/it-and-security/default.yml 
@@ -0,0 +1,86 @@ +agent_options: + path: ./lib/agent-options.yml +controls: + enable_disk_encryption: true + macos_migration: + enable: true + mode: voluntary + webhook_url: $DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL + macos_settings: + custom_settings: null + macos_setup: + bootstrap_package: "" + enable_end_user_authentication: false + macos_setup_assistant: null + macos_updates: + deadline: "2023-06-13" + minimum_version: 13.4.1 + windows_enabled_and_configured: true + windows_settings: + custom_settings: [] + windows_updates: + deadline_days: 3 + grace_period_days: 2 + scripts: [] +org_settings: + features: + enable_host_users: true + enable_software_inventory: true + fleet_desktop: + transparency_url: https://fleetdm.com/transparency + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 7 + integrations: + jira: [ ] + zendesk: [ ] + mdm: + apple_bm_default_team: $DOGFOOD_APPLE_BM_DEFAULT_TEAM + org_info: + contact_url: https://fleetdm.com/company/contact + org_logo_url: "" + org_logo_url_light_background: "" + org_name: Fleet Device Management + secrets: + - secret: $DOGFOOD_GLOBAL_ENROLL_SECRET + server_settings: + debug_host_ids: + - 1 + - 3 + deferred_save_host: false + enable_analytics: true + live_query_disabled: false + query_reports_disabled: false + scripts_disabled: false + server_url: https://dogfood.fleetdm.com + sso_settings: + enable_jit_provisioning: true + enable_jit_role_sync: false + enable_sso: true + enable_sso_idp_login: false + entity_id: dogfood.fleetdm.com + idp_image_url: "" + idp_name: Google + issuer_uri: $DOGFOOD_SSO_ISSUER_URI + metadata: |- + $DOGFOOD_SSO_METADATA + metadata_url: "" + webhook_settings: + failing_policies_webhook: + destination_url: $DOGFOOD_FAILING_POLICIES_WEBHOOK_URL + enable_failing_policies_webhook: true + host_batch_size: 0 + policy_ids: [] + host_status_webhook: + days_count: 1 + destination_url: "" + enable_host_status_webhook: false + host_percentage: 25 + interval: 1m0s + 
vulnerabilities_webhook: + destination_url: $DOGFOOD_VULNERABILITIES_WEBHOOK_URL + enable_vulnerabilities_webhook: true + host_batch_size: 0 +policies: +queries: + - path: ./lib/collect-fleetd-update-channels.queries.yml diff --git a/it-and-security/lib/agent-options.yml b/it-and-security/lib/agent-options.yml new file mode 100644 index 0000000000..61559952c0 --- /dev/null +++ b/it-and-security/lib/agent-options.yml @@ -0,0 +1,13 @@ +config: + decorators: + load: + - SELECT uuid AS host_uuid FROM system_info; + - SELECT hostname AS hostname FROM system_info; + options: + disable_distributed: false + distributed_interval: 10 + distributed_plugin: tls + distributed_tls_max_attempts: 3 + logger_tls_endpoint: /api/osquery/log + logger_tls_period: 10 + pack_delimiter: / diff --git a/it-and-security/lib/collect-failed-login-attempts.queries.yml b/it-and-security/lib/collect-failed-login-attempts.queries.yml new file mode 100644 index 0000000000..a2242b7e74 --- /dev/null +++ b/it-and-security/lib/collect-failed-login-attempts.queries.yml @@ -0,0 +1,14 @@ +- name: Collect failed login attempts + automations_enabled: true + description: Lists the users at least one failed login attempt and timestamp of + failed login. Number of failed login attempts reset to zero after a user successfully + logs in. + discard_data: false + interval: 300 + logging: snapshot + min_osquery_version: "" + observer_can_run: false + platform: "" + query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp + FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count + > 0; \ No newline at end of file diff --git a/it-and-security/lib/collect-fleetd-logs.sh b/it-and-security/lib/collect-fleetd-logs.sh new file mode 100644 index 0000000000..887af2ace6 --- /dev/null +++ b/it-and-security/lib/collect-fleetd-logs.sh 
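Review bot: `controls.macos_updates` sets `minimum_version: 13.4.1` with `deadline: "2023-06-13"`, while the workflows this commit deletes enforced `MAC_OS_MIN_VERSION: "14.2"` with deadlines of 2023-12-15 and 2023-12-19 for the Workstations teams; unless the team files under `it-and-security/teams/` (not shown in this hunk) override these values, the gitops rollout lowers the enforced macOS version and sets a deadline that has already passed. Confirm the team overrides or raise the global values to what was enforced before. `policies:` is also left as a bare key; if the intent is "no global policies", `policies: []` is the explicit form and avoids a null value possibly being treated differently from an empty list.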
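Review bot: `platform: ""` schedules this query on every platform, but as far as I know `account_policy_data` is a macOS-only osquery table, so Linux and Windows hosts would run a query against a table they do not have; set `platform: darwin` to match the query. The description is also missing a word: `Lists the users with at least one failed login attempt and the timestamp of the failed login.`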
@@ -0,0 +1,7 @@ +cp /var/log/orbit/orbit.stderr.log ~/Library/Logs/Fleet/fleet-desktop.log /Users/Shared + +echo "Successfully copied fleetd logs to the /Users/Shared folder." + +echo "To retrieve logs, ask the end user to open Finder and in the menu bar select Go > Go to Folder." + +echo "Then, ask the end user to type in /Users/Shared, press Return, and locate orbit.stderr.log (Orbit logs) and fleet-desktop.log (Fleet Desktop logs) files." \ No newline at end of file diff --git a/it-and-security/lib/collect-fleetd-update-channels.queries.yml b/it-and-security/lib/collect-fleetd-update-channels.queries.yml new file mode 100644 index 0000000000..a90ea083ab --- /dev/null +++ b/it-and-security/lib/collect-fleetd-update-channels.queries.yml @@ -0,0 +1,7 @@ +- name: Collect fleetd update channels + description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering." + query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info; + interval: 300 # 5 minutes + observer_can_run: true + automations_enabled: false + platform: darwin,linux,windows diff --git a/it-and-security/lib/collect-usb-devices.queries.yml b/it-and-security/lib/collect-usb-devices.queries.yml new file mode 100644 index 0000000000..ab2b40732e --- /dev/null +++ b/it-and-security/lib/collect-usb-devices.queries.yml @@ -0,0 +1,10 @@ +- name: Collect USB devices + automations_enabled: false + description: Collects the USB devices that are currently connected to macOS and Linux hosts. + discard_data: false + interval: 300 + logging: snapshot + min_osquery_version: "" + observer_can_run: true + platform: "" + query: SELECT model, vendor FROM usb_devices; \ No newline at end of file diff --git a/it-and-security/lib/collect-vs-code-extensions.queries.yml b/it-and-security/lib/collect-vs-code-extensions.queries.yml new file mode 100644 index 0000000000..29f97a2f7f --- /dev/null 
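Review bot: The three `echo` lines run unconditionally, so when `cp` fails (for example because `~/Library/Logs/Fleet/fleet-desktop.log` does not exist on the host) the script still prints "Successfully copied fleetd logs"; start the file with `#!/bin/bash` and `set -e` so it stops at the failed copy instead. Note also that `~` expands to the home directory of the account executing the script, which if fleetd runs scripts as root is not the end user's home where the Fleet Desktop log would live; confirm which account runs this. Since `/Users/Shared` is readable by every local account, the copied logs are visible to anyone on the machine, which is worth stating in the script's description.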
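Review bot: `platform: ""` schedules the USB devices query on every platform while its description says it collects from macOS and Linux hosts; set `platform: darwin,linux` so the schedule matches the description, as `collect-fleetd-update-channels.queries.yml` does with its explicit `platform: darwin,linux,windows`.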
+++ b/it-and-security/lib/collect-vs-code-extensions.queries.yml @@ -0,0 +1,12 @@ +- name: Collect Visual Studio (VS) Code extensions + automations_enabled: false + description: Collects the name, publisher, and version of the VS Code extensions + installed on hosts. + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + observer_can_run: false + platform: "" + query: SELECT extension.name, extension.publisher, extension.version FROM users + JOIN vscode_extensions extension USING (uid); \ No newline at end of file diff --git a/it-and-security/lib/explore-data.queries.yml b/it-and-security/lib/explore-data.queries.yml new file mode 100644 index 0000000000..deb070644d --- /dev/null +++ b/it-and-security/lib/explore-data.queries.yml 
@@ -0,0 +1,3210 @@ +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - account_policy_data' + observer_can_run: false + platform: "" + query: SELECT * FROM account_policy_data; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ad_config' + observer_can_run: false + platform: "" + query: SELECT * FROM ad_config; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf' + observer_can_run: false + platform: "" + query: SELECT * FROM alf; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf_exceptions' + observer_can_run: false + platform: "" + query: SELECT * FROM alf_exceptions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf_explicit_auths' + observer_can_run: false + platform: "" + query: SELECT * FROM alf_explicit_auths; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apfs_physical_stores' + observer_can_run: false + platform: "" + query: SELECT * FROM apfs_physical_stores; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apfs_volumes' + observer_can_run: false + platform: "" + query: SELECT * FROM apfs_volumes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - app_icons' + observer_can_run: false + platform: 
"" + query: SELECT * FROM app_icons; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - app_schemes' + observer_can_run: false + platform: "" + query: SELECT * FROM app_schemes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apparmor_events' + observer_can_run: false + platform: "" + query: SELECT * FROM apparmor_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apparmor_profiles' + observer_can_run: false + platform: "" + query: SELECT * FROM apparmor_profiles; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - appcompat_shims' + observer_can_run: false + platform: "" + query: SELECT * FROM appcompat_shims; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apps' + observer_can_run: false + platform: "" + query: SELECT * FROM apps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apt_sources' + observer_can_run: false + platform: "" + query: SELECT * FROM apt_sources; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - arp_cache' + observer_can_run: false + platform: "" + query: SELECT * FROM arp_cache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - asl' + observer_can_run: false + platform: "" + query: 
SELECT * FROM asl; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - atom_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM atom_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - augeas' + observer_can_run: false + platform: "" + query: SELECT * FROM augeas; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authdb' + observer_can_run: false + platform: "" + query: SELECT * FROM authdb; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authenticode' + observer_can_run: false + platform: "" + query: SELECT * FROM authenticode; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorization_mechanisms' + observer_can_run: false + platform: "" + query: SELECT * FROM authorization_mechanisms; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorizations' + observer_can_run: false + platform: "" + query: SELECT * FROM authorizations; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorized_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM authorized_keys; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - autoexec' + observer_can_run: false + platform: "" + query: 
SELECT * FROM autoexec; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - azure_instance_metadata' + observer_can_run: false + platform: "" + query: SELECT * FROM azure_instance_metadata; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - azure_instance_tags' + observer_can_run: false + platform: "" + query: SELECT * FROM azure_instance_tags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - background_activities_moderator' + observer_can_run: false + platform: "" + query: SELECT * FROM background_activities_moderator; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - battery' + observer_can_run: false + platform: "" + query: SELECT * FROM battery; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - bitlocker_info' + observer_can_run: false + platform: "" + query: SELECT * FROM bitlocker_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - block_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM block_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - bpf_process_events' + observer_can_run: false + platform: "" + query: SELECT * FROM bpf_process_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - bpf_socket_events' + observer_can_run: false + platform: "" + query: SELECT * FROM bpf_socket_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - carbon_black_info' + observer_can_run: false + platform: "" + query: SELECT * FROM carbon_black_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - carves' + observer_can_run: false + platform: "" + query: SELECT * FROM carves; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - certificates' + observer_can_run: false + platform: "" + query: SELECT * FROM certificates; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chassis_info' + observer_can_run: false + platform: "" + query: SELECT * FROM chassis_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chocolatey_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM chocolatey_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chrome_extension_content_scripts' + observer_can_run: false + platform: "" + query: SELECT * FROM chrome_extension_content_scripts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chrome_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM chrome_extensions; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cis_audit' + observer_can_run: false + platform: "" + query: SELECT * FROM cis_audit; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - connected_displays' + observer_can_run: false + platform: "" + query: SELECT * FROM connected_displays; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - connectivity' + observer_can_run: false + platform: "" + query: SELECT * FROM connectivity; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - corestorage_logical_volume_families' + observer_can_run: false + platform: "" + query: SELECT * FROM corestorage_logical_volume_families; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - corestorage_logical_volumes' + observer_can_run: false + platform: "" + query: SELECT * FROM corestorage_logical_volumes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpu_info' + observer_can_run: false + platform: "" + query: SELECT * FROM cpu_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpu_time' + observer_can_run: false + platform: "" + query: SELECT * FROM cpu_time; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpuid' + observer_can_run: false + platform: "" + query: SELECT * FROM cpuid; +- 
automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - crashes' + observer_can_run: false + platform: "" + query: SELECT * FROM crashes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - crontab' + observer_can_run: false + platform: "" + query: SELECT * FROM crontab; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cryptoinfo' + observer_can_run: false + platform: "" + query: SELECT * FROM cryptoinfo; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cryptsetup_status' + observer_can_run: false + platform: "" + query: SELECT * FROM cryptsetup_status; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - csrutil_info' + observer_can_run: false + platform: "" + query: SELECT * FROM csrutil_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cups_destinations' + observer_can_run: false + platform: "" + query: SELECT * FROM cups_destinations; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cups_jobs' + observer_can_run: false + platform: "" + query: SELECT * FROM cups_jobs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - curl' + observer_can_run: false + platform: "" + query: SELECT * FROM curl; +- automations_enabled: true 
+ description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - curl_certificate' + observer_can_run: false + platform: "" + query: SELECT * FROM curl_certificate; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - deb_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM deb_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - default_environment' + observer_can_run: false + platform: "" + query: SELECT * FROM default_environment; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - device_file' + observer_can_run: false + platform: "" + query: SELECT * FROM device_file; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - device_firmware' + observer_can_run: false + platform: "" + query: SELECT * FROM device_firmware; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - device_hash' + observer_can_run: false + platform: "" + query: SELECT * FROM device_hash; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - device_partitions' + observer_can_run: false + platform: "" + query: SELECT * FROM device_partitions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - disk_encryption' + observer_can_run: false + platform: "" + query: SELECT * FROM 
disk_encryption; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - disk_events' + observer_can_run: false + platform: "" + query: SELECT * FROM disk_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - disk_info' + observer_can_run: false + platform: "" + query: SELECT * FROM disk_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - dns_cache' + observer_can_run: false + platform: "" + query: SELECT * FROM dns_cache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - dns_resolvers' + observer_can_run: false + platform: "" + query: SELECT * FROM dns_resolvers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_envs' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_envs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_fs_changes' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_fs_changes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_labels' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_labels; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - 
docker_container_mounts' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_mounts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_networks' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_networks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_ports' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_ports; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_processes' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_processes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_container_stats' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_container_stats; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_containers' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_containers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_image_history' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_image_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_image_labels' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_image_labels; 
+- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_image_layers' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_image_layers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_images' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_images; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_info' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_network_labels' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_network_labels; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_networks' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_networks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_version' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_version; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_volume_labels' + observer_can_run: false + platform: "" + query: SELECT * FROM docker_volume_labels; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - docker_volumes' + 
observer_can_run: false + platform: "" + query: SELECT * FROM docker_volumes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - drivers' + observer_can_run: false + platform: "" + query: SELECT * FROM drivers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - dscl' + observer_can_run: false + platform: "" + query: SELECT * FROM dscl; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ec2_instance_metadata' + observer_can_run: false + platform: "" + query: SELECT * FROM ec2_instance_metadata; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ec2_instance_tags' + observer_can_run: false + platform: "" + query: SELECT * FROM ec2_instance_tags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - es_process_events' + observer_can_run: false + platform: "" + query: SELECT * FROM es_process_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - es_process_file_events' + observer_can_run: false + platform: "" + query: SELECT * FROM es_process_file_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - etc_hosts' + observer_can_run: false + platform: "" + query: SELECT * FROM etc_hosts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - etc_protocols' + observer_can_run: false + platform: "" + query: SELECT * FROM etc_protocols; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - etc_services' + observer_can_run: false + platform: "" + query: SELECT * FROM etc_services; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - event_taps' + observer_can_run: false + platform: "" + query: SELECT * FROM event_taps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - extended_attributes' + observer_can_run: false + platform: "" + query: SELECT * FROM extended_attributes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - falcon_kernel_check' + observer_can_run: false + platform: "" + query: SELECT * FROM falcon_kernel_check; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - falconctl_options' + observer_can_run: false + platform: "" + query: SELECT * FROM falconctl_options; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - fan_speed_sensors' + observer_can_run: false + platform: "" + query: SELECT * FROM fan_speed_sensors; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - file' + observer_can_run: false + platform: "" + query: SELECT * FROM file; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - file_events' + observer_can_run: false + platform: "" + query: SELECT * FROM file_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - file_lines' + observer_can_run: false + platform: "" + query: SELECT * FROM file_lines; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - filevault_prk' + observer_can_run: false + platform: "" + query: SELECT * FROM filevault_prk; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - filevault_status' + observer_can_run: false + platform: "" + query: SELECT * FROM filevault_status; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - filevault_users' + observer_can_run: false + platform: "" + query: SELECT * FROM filevault_users; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - find_cmd' + observer_can_run: false + platform: "" + query: SELECT * FROM find_cmd; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - firefox_addons' + observer_can_run: false + platform: "" + query: SELECT * FROM firefox_addons; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - firefox_preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM firefox_preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + 
logging: snapshot + min_osquery_version: "" + name: '[Explore data] - firmware_eficheck_integrity_check' + observer_can_run: false + platform: "" + query: SELECT * FROM firmware_eficheck_integrity_check; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - firmwarepasswd' + observer_can_run: false + platform: "" + query: SELECT * FROM firmwarepasswd; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - gatekeeper' + observer_can_run: false + platform: "" + query: SELECT * FROM gatekeeper; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - gatekeeper_approved_apps' + observer_can_run: false + platform: "" + query: SELECT * FROM gatekeeper_approved_apps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - geolocation' + observer_can_run: false + platform: "" + query: SELECT * FROM geolocation; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - google_chrome_profiles' + observer_can_run: false + platform: "" + query: SELECT * FROM google_chrome_profiles; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - groups' + observer_can_run: false + platform: "" + query: SELECT * FROM groups; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - hardware_events' + observer_can_run: false + platform: "" + query: SELECT * FROM hardware_events; +- 
automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - hash' + observer_can_run: false + platform: "" + query: SELECT * FROM hash; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - homebrew_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM homebrew_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - hvci_status' + observer_can_run: false + platform: "" + query: SELECT * FROM hvci_status; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ibridge_info' + observer_can_run: false + platform: "" + query: SELECT * FROM ibridge_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - icloud_private_relay' + observer_can_run: false + platform: "" + query: SELECT * FROM icloud_private_relay; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ie_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM ie_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - intel_me_info' + observer_can_run: false + platform: "" + query: SELECT * FROM intel_me_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - interface_addresses' + observer_can_run: false + platform: "" + query: SELECT * 
FROM interface_addresses; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - interface_details' + observer_can_run: false + platform: "" + query: SELECT * FROM interface_details; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - interface_ipv6' + observer_can_run: false + platform: "" + query: SELECT * FROM interface_ipv6; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - iokit_devicetree' + observer_can_run: false + platform: "" + query: SELECT * FROM iokit_devicetree; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - iokit_registry' + observer_can_run: false + platform: "" + query: SELECT * FROM iokit_registry; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ioreg' + observer_can_run: false + platform: "" + query: SELECT * FROM ioreg; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kernel_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM kernel_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kernel_info' + observer_can_run: false + platform: "" + query: SELECT * FROM kernel_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kernel_keys' + observer_can_run: false + 
platform: "" + query: SELECT * FROM kernel_keys; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kernel_modules' + observer_can_run: false + platform: "" + query: SELECT * FROM kernel_modules; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kernel_panics' + observer_can_run: false + platform: "" + query: SELECT * FROM kernel_panics; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - keychain_acls' + observer_can_run: false + platform: "" + query: SELECT * FROM keychain_acls; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - keychain_items' + observer_can_run: false + platform: "" + query: SELECT * FROM keychain_items; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - known_hosts' + observer_can_run: false + platform: "" + query: SELECT * FROM known_hosts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - kva_speculative_info' + observer_can_run: false + platform: "" + query: SELECT * FROM kva_speculative_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - last' + observer_can_run: false + platform: "" + query: SELECT * FROM last; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - launchd' + observer_can_run: 
false + platform: "" + query: SELECT * FROM launchd; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - launchd_overrides' + observer_can_run: false + platform: "" + query: SELECT * FROM launchd_overrides; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - listening_ports' + observer_can_run: false + platform: "" + query: SELECT * FROM listening_ports; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - load_average' + observer_can_run: false + platform: "" + query: SELECT * FROM load_average; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - location_services' + observer_can_run: false + platform: "" + query: SELECT * FROM location_services; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - logged_in_users' + observer_can_run: false + platform: "" + query: SELECT * FROM logged_in_users; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - logical_drives' + observer_can_run: false + platform: "" + query: SELECT * FROM logical_drives; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - logon_sessions' + observer_can_run: false + platform: "" + query: SELECT * FROM logon_sessions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] 
- lxd_certificates' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_certificates; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_cluster' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_cluster; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_cluster_members' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_cluster_members; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_images' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_images; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_instance_config' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_instance_config; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_instance_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_instance_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_instances' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_instances; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - lxd_networks' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_networks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - lxd_storage_pools' + observer_can_run: false + platform: "" + query: SELECT * FROM lxd_storage_pools; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - macadmins_unified_log' + observer_can_run: false + platform: "" + query: SELECT * FROM macadmins_unified_log; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - macos_profiles' + observer_can_run: false + platform: "" + query: SELECT * FROM macos_profiles; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - macos_rsr' + observer_can_run: false + platform: "" + query: SELECT * FROM macos_rsr; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - magic' + observer_can_run: false + platform: "" + query: SELECT * FROM magic; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - managed_policies' + observer_can_run: false + platform: "" + query: SELECT * FROM managed_policies; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - md_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM md_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - md_drives' + observer_can_run: false + platform: "" + query: SELECT * FROM md_drives; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: 
snapshot + min_osquery_version: "" + name: '[Explore data] - md_personalities' + observer_can_run: false + platform: "" + query: SELECT * FROM md_personalities; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - mdfind' + observer_can_run: false + platform: "" + query: SELECT * FROM mdfind; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - mdls' + observer_can_run: false + platform: "" + query: SELECT * FROM mdls; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - mdm' + observer_can_run: false + platform: "" + query: SELECT * FROM mdm; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - mdm_bridge' + observer_can_run: false + platform: "" + query: SELECT * FROM mdm_bridge; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_array_mapped_addresses' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_array_mapped_addresses; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_arrays' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_arrays; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_device_mapped_addresses' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_device_mapped_addresses; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_error_info' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_error_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_info' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - memory_map' + observer_can_run: false + platform: "" + query: SELECT * FROM memory_map; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - mounts' + observer_can_run: false + platform: "" + query: SELECT * FROM mounts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - msr' + observer_can_run: false + platform: "" + query: SELECT * FROM msr; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - munki_info' + observer_can_run: false + platform: "" + query: SELECT * FROM munki_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - munki_installs' + observer_can_run: false + platform: "" + query: SELECT * FROM munki_installs; +- automations_enabled: true + description: "" + discard_data: false + interval: 
3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - network_interfaces' + observer_can_run: false + platform: "" + query: SELECT * FROM network_interfaces; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - nfs_shares' + observer_can_run: false + platform: "" + query: SELECT * FROM nfs_shares; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - npm_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM npm_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ntdomains' + observer_can_run: false + platform: "" + query: SELECT * FROM ntdomains; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ntfs_acl_permissions' + observer_can_run: false + platform: "" + query: SELECT * FROM ntfs_acl_permissions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ntfs_journal_events' + observer_can_run: false + platform: "" + query: SELECT * FROM ntfs_journal_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - nvram' + observer_can_run: false + platform: "" + query: SELECT * FROM nvram; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - nvram_info' + observer_can_run: false + platform: "" + query: SELECT * FROM nvram_info; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - oem_strings' + observer_can_run: false + platform: "" + query: SELECT * FROM oem_strings; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - office_mru' + observer_can_run: false + platform: "" + query: SELECT * FROM office_mru; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - orbit_info' + observer_can_run: false + platform: "" + query: SELECT * FROM orbit_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - os_version' + observer_can_run: false + platform: "" + query: SELECT * FROM os_version; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_events' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_flags' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_flags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_info' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_info; +- automations_enabled: true + description: "" + 
discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_packs' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_packs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_registry' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_registry; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - osquery_schedule' + observer_can_run: false + platform: "" + query: SELECT * FROM osquery_schedule; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - package_bom' + observer_can_run: false + platform: "" + query: SELECT * FROM package_bom; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - package_install_history' + observer_can_run: false + platform: "" + query: SELECT * FROM package_install_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - package_receipts' + observer_can_run: false + platform: "" + query: SELECT * FROM package_receipts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - password_policy' + observer_can_run: false + platform: "" + query: SELECT * FROM password_policy; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - patches' + observer_can_run: false + platform: "" + query: SELECT * FROM patches; +- 
automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - pci_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM pci_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - physical_disk_performance' + observer_can_run: false + platform: "" + query: SELECT * FROM physical_disk_performance; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - pipes' + observer_can_run: false + platform: "" + query: SELECT * FROM pipes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - platform_info' + observer_can_run: false + platform: "" + query: SELECT * FROM platform_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - plist' + observer_can_run: false + platform: "" + query: SELECT * FROM plist; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - pmset' + observer_can_run: false + platform: "" + query: SELECT * FROM pmset; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - portage_keywords' + observer_can_run: false + platform: "" + query: SELECT * FROM portage_keywords; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - portage_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM portage_packages; +- 
automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - portage_use' + observer_can_run: false + platform: "" + query: SELECT * FROM portage_use; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - power_sensors' + observer_can_run: false + platform: "" + query: SELECT * FROM power_sensors; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - powershell_events' + observer_can_run: false + platform: "" + query: SELECT * FROM powershell_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - prefetch' + observer_can_run: false + platform: "" + query: SELECT * FROM prefetch; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - privacy_preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM privacy_preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_envs' + observer_can_run: false + platform: "" + query: SELECT * FROM process_envs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_etw_events' + observer_can_run: false + platform: "" + query: SELECT * 
FROM process_etw_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_events' + observer_can_run: false + platform: "" + query: SELECT * FROM process_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_file_events' + observer_can_run: false + platform: "" + query: SELECT * FROM process_file_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_memory_map' + observer_can_run: false + platform: "" + query: SELECT * FROM process_memory_map; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_namespaces' + observer_can_run: false + platform: "" + query: SELECT * FROM process_namespaces; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_files' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_files; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_pipes' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_pipes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_sockets' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_sockets; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - processes' + observer_can_run: false + platform: "" + query: SELECT * FROM processes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - programs' + observer_can_run: false + platform: "" + query: SELECT * FROM programs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - prometheus_metrics' + observer_can_run: false + platform: "" + query: SELECT * FROM prometheus_metrics; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_info' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_logs' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_logs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_state' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_state; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - pwd_policy' + observer_can_run: false + platform: "" + query: SELECT * FROM pwd_policy; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - python_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM python_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - quicklook_cache' + observer_can_run: false + platform: "" + query: SELECT * FROM quicklook_cache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - registry' + observer_can_run: false + platform: "" + query: SELECT * FROM registry; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - routes' + observer_can_run: false + platform: "" + query: SELECT * FROM routes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - rpm_package_files' + observer_can_run: false + platform: "" + query: SELECT * FROM rpm_package_files; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - rpm_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM rpm_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - running_apps' + observer_can_run: false + platform: "" + query: SELECT * FROM running_apps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - safari_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM safari_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sandboxes' + observer_can_run: false + platform: "" + query: SELECT * FROM sandboxes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - scheduled_tasks' + observer_can_run: false + platform: "" + query: SELECT * FROM scheduled_tasks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - screenlock' + observer_can_run: false + platform: "" + query: SELECT * FROM screenlock; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - seccomp_events' + observer_can_run: false + platform: "" + query: SELECT * FROM seccomp_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - secureboot' + observer_can_run: false + platform: "" + query: SELECT * FROM secureboot; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - security_profile_info' + observer_can_run: false + platform: "" + query: SELECT * FROM security_profile_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - selinux_events' + observer_can_run: false + platform: "" + query: SELECT * FROM selinux_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - selinux_settings' + observer_can_run: false + platform: "" + query: SELECT * FROM selinux_settings; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - services' + observer_can_run: false + platform: "" + query: SELECT * FROM services; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - shadow' + observer_can_run: false + platform: "" + query: SELECT * FROM shadow; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_folders' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_folders; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_memory' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_memory; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_resources' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_resources; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sharing_preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM sharing_preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shell_history' + observer_can_run: false + platform: "" + query: SELECT * FROM shell_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shellbags' + observer_can_run: false + platform: "" + query: SELECT * FROM shellbags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shimcache' + observer_can_run: false + platform: "" + query: SELECT * FROM shimcache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: 
snapshot + min_osquery_version: "" + name: '[Explore data] - signature' + observer_can_run: false + platform: "" + query: SELECT * FROM signature; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sip_config' + observer_can_run: false + platform: "" + query: SELECT * FROM sip_config; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - smbios_tables' + observer_can_run: false + platform: "" + query: SELECT * FROM smbios_tables; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - smc_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM smc_keys; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sntp_request' + observer_can_run: false + platform: "" + query: SELECT * FROM sntp_request; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - socket_events' + observer_can_run: false + platform: "" + query: SELECT * FROM socket_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - software_update' + observer_can_run: false + platform: "" + query: SELECT * FROM software_update; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ssh_configs' + observer_can_run: false + platform: "" + query: SELECT * FROM ssh_configs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot 
+ min_osquery_version: "" + name: '[Explore data] - startup_items' + observer_can_run: false + platform: "" + query: SELECT * FROM startup_items; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sudo_info' + observer_can_run: false + platform: "" + query: SELECT * FROM sudo_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sudoers' + observer_can_run: false + platform: "" + query: SELECT * FROM sudoers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - suid_bin' + observer_can_run: false + platform: "" + query: SELECT * FROM suid_bin; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - syslog_events' + observer_can_run: false + platform: "" + query: SELECT * FROM syslog_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_controls' + observer_can_run: false + platform: "" + query: SELECT * FROM system_controls; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM system_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_info' + observer_can_run: false + platform: "" + query: SELECT * FROM system_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - system_state' + observer_can_run: false + platform: "" + query: SELECT * FROM system_state; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - systemd_units' + observer_can_run: false + platform: "" + query: SELECT * FROM systemd_units; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - temperature_sensors' + observer_can_run: false + platform: "" + query: SELECT * FROM temperature_sensors; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time' + observer_can_run: false + platform: "" + query: SELECT * FROM time; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time_machine_backups' + observer_can_run: false + platform: "" + query: SELECT * FROM time_machine_backups; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time_machine_destinations' + observer_can_run: false + platform: "" + query: SELECT * FROM time_machine_destinations; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - tpm_info' + observer_can_run: false + platform: "" + query: SELECT * FROM tpm_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ulimit_info' + observer_can_run: false + platform: "" + query: SELECT * FROM ulimit_info; +- automations_enabled: true + description: "" + discard_data: false + 
interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - unified_log' + observer_can_run: false + platform: "" + query: SELECT * FROM unified_log; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - uptime' + observer_can_run: false + platform: "" + query: SELECT * FROM uptime; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - usb_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM usb_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_events' + observer_can_run: false + platform: "" + query: SELECT * FROM user_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_groups' + observer_can_run: false + platform: "" + query: SELECT * FROM user_groups; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_interaction_events' + observer_can_run: false + platform: "" + query: SELECT * FROM user_interaction_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_login_settings' + observer_can_run: false + platform: "" + query: SELECT * FROM user_login_settings; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_ssh_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM user_ssh_keys; +- automations_enabled: true + description: "" + 
discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - userassist' + observer_can_run: false + platform: "" + query: SELECT * FROM userassist; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - users' + observer_can_run: false + platform: "" + query: SELECT * FROM users; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - video_info' + observer_can_run: false + platform: "" + query: SELECT * FROM video_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - virtual_memory_info' + observer_can_run: false + platform: "" + query: SELECT * FROM virtual_memory_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_networks' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_networks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_status' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_status; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_survey' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_survey; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - winbaseobj' + observer_can_run: false + platform: "" + query: SELECT * FROM winbaseobj; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_crashes' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_crashes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_eventlog' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_eventlog; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_events' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_firewall_rules' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_firewall_rules; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_optional_features' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_optional_features; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_search' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_search; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_security_center' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_security_center; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_security_products' + observer_can_run: false + platform: 
"" + query: SELECT * FROM windows_security_products; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_update_history' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_update_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_updates' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_updates; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_bios_info' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_bios_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_cli_event_consumers' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_cli_event_consumers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_event_filters' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_event_filters; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_filter_consumer_binding' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_filter_consumer_binding; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_script_event_consumers' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_script_event_consumers; +- automations_enabled: true + description: "" + discard_data: false + 
interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_entries' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_entries; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_meta' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_meta; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_reports' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_reports; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yara' + observer_can_run: false + platform: "" + query: SELECT * FROM yara; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yara_events' + observer_can_run: false + platform: "" + query: SELECT * FROM yara_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ycloud_instance_metadata' + observer_can_run: false + platform: "" + query: SELECT * FROM ycloud_instance_metadata; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yum_sources' + observer_can_run: false + platform: "" + query: SELECT * FROM yum_sources; diff --git a/it-and-security/lib/linux-device-health.policies.yml b/it-and-security/lib/linux-device-health.policies.yml new file mode 100644 index 0000000000..0d9e2f8aa2 --- /dev/null +++ b/it-and-security/lib/linux-device-health.policies.yml 
@@ -0,0 +1,6 @@
+- name: Linux - Enable disk encryption
+  query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';
+  critical: false
+  description: This policy checks if disk encryption is enabled.
+  resolution: As an IT admin, deploy an image that includes disk encryption.
+  platform: linux
\ No newline at end of file
diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
new file mode 100644
index 0000000000..85d046a84f
--- /dev/null
+++ b/it-and-security/lib/macos-device-health.policies.yml
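Review bot: The predicate `name LIKE '/dev/dm-1'` pins the check to one device-mapper node, so a host whose encrypted root volume is `/dev/dm-0` (or any other LUKS/LVM layout) fails this policy although it is encrypted, while a host with an unrelated encrypted `dm-1` and a plaintext root passes it. `LIKE` without wildcards is also just an equality test, which makes the intent less obvious. A check keyed on the root mount is closer to what the description promises, e.g. `query: SELECT 1 FROM disk_encryption de JOIN mounts m ON de.name = m.device WHERE m.path = '/' AND de.encrypted = 1;` — this assumes `mounts.device` reports the same `/dev/dm-*` path as `disk_encryption.name`, which should be verified on a representative image before shipping.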
@@ -0,0 +1,55 @@ +- name: macOS - Enable FileVault + query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.'; + critical: false + description: This policy checks if FileVault (disk encryption) is enabled. + resolution: As an IT admin, turn on disk encryption in Fleet. + platform: darwin +- name: macOS - Enable Firewall + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1; + critical: false + description: This policy checks if Firewall is enabled. + resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true. + platform: darwin +- name: macOS - Disable guest account + query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1; + critical: false + description: This policy checks if the guest account is disabled. + resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true. + platform: darwin +- name: macOS - Require 10 character password + query: SELECT 1 WHERE + EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='askForPassword' AND + CAST(value AS INT) + ) + AND EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='minLength' AND + CAST(value AS INT) <= 10 + ); + critical: false + description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. + resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10. 
+ platform: darwin +- name: macOS - Enable screen saver after 20 minutes + query: SELECT 1 WHERE + EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='idleTime' AND + CAST(value AS INT) <= 1200 AND + username = '' + ) + AND NOT EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='idleTime' AND + CAST(value AS INT) > 1200 + ); + critical: false + description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. + resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes. + platform: darwin \ No newline at end of file diff --git a/it-and-security/lib/macos-see-automatic-enrollment-profile.sh b/it-and-security/lib/macos-see-automatic-enrollment-profile.sh new file mode 100644 index 0000000000..1960b0264e --- /dev/null +++ b/it-and-security/lib/macos-see-automatic-enrollment-profile.sh @@ -0,0 +1 @@ +profiles show -type enrollment \ No newline at end of file diff --git a/it-and-security/lib/servers.agent-options.yml b/it-and-security/lib/servers.agent-options.yml new file mode 100644 index 0000000000..61559952c0 --- /dev/null +++ b/it-and-security/lib/servers.agent-options.yml @@ -0,0 +1,13 @@ +config: + decorators: + load: + - SELECT uuid AS host_uuid FROM system_info; + - SELECT hostname AS hostname FROM system_info; + options: + disable_distributed: false + distributed_interval: 10 + distributed_plugin: tls + distributed_tls_max_attempts: 3 + logger_tls_endpoint: /api/osquery/log + logger_tls_period: 10 + pack_delimiter: / diff --git a/it-and-security/lib/windows-device-health.policies.yml b/it-and-security/lib/windows-device-health.policies.yml new file mode 100644 index 0000000000..4b92f5841e --- /dev/null +++ b/it-and-security/lib/windows-device-health.policies.yml 
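Review bot: In `macOS - Require 10 character password` the second EXISTS compares `CAST(value AS INT) <= 10`, which passes when the enforced minimum is 10 or shorter (a `minLength` of 4 satisfies it) and fails when an org enforces a longer password; for "at least 10 characters" the line should read `CAST(value AS INT) >= 10`. Unlike the firewall, guest-account and idleTime policies, neither the `askForPassword` nor the `minLength` branch filters on `username = ''`, so a user-scoped value would satisfy a device-level requirement — confirm that is intended. I would also double-check that `minLength` is actually delivered under the `com.apple.screensaver` domain rather than a passcode-policy payload, since the query only ever looks there. Separately, the three resolutions starting `An an IT admin` should read `As an IT admin`.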
@@ -0,0 +1,24 @@ +- name: Windows - Enable screen saver after 20 minutes + query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock" and CAST(mdm_command_output AS INT) <= 20; + critical: false + description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. + resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock" + platform: windows +- name: Windows - Enable BitLocker + query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1; + critical: false + description: As an IT admin, turn on disk encryption in Fleet. + resolution: Ask your system administrator to turn on disk encryption in Fleet + platform: windows +- name: Windows - Disable guest account + query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus" and CAST(mdm_command_output AS INT) = 0; + critical: false + description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system. 
+ resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus" + platform: windows +- name: Windows - Require 10 character password + query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled" and CAST(mdm_command_output AS INT) = 0; + critical: false + description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. + resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock" + platform: windows \ No newline at end of file diff --git a/it-and-security/lib/windows-remove-fleetd.ps1 b/it-and-security/lib/windows-remove-fleetd.ps1 new file mode 100644 index 0000000000..f532843c09 --- /dev/null +++ b/it-and-security/lib/windows-remove-fleetd.ps1 
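Review bot: `Windows - Require 10 character password` only tests `DeviceLock/DevicePasswordEnabled` against `0` and never reads `DeviceLock/MinDevicePasswordLength`, so the "at least 10 characters" claim in its description is not enforced — a host with any short PIN policy passes. Add a second lookup, e.g. `AND EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MinDevicePasswordLength" AND CAST(mdm_command_output AS INT) >= 10)`, assuming `mdm_bridge` accepts a separate constraint per subquery as the other policies here suggest. In `Windows - Enable BitLocker` the `description` and `resolution` texts are swapped: the description is the remediation sentence and the resolution tells the end user to ask an administrator, so neither explains what the policy checks.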
@@ -0,0 +1,110 @@ +function Test-Administrator +{ + [OutputType([bool])] + param() + process { + [Security.Principal.WindowsPrincipal]$user = [Security.Principal.WindowsIdentity]::GetCurrent(); + return $user.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator); + } +} + +# borrowed from Jeffrey Snover http://blogs.msdn.com/powershell/archive/2006/12/07/resolve-error.aspx +function Resolve-Error-Detailed($ErrorRecord = $Error[0]) { + $error_message = "========== ErrorRecord:{0}ErrorRecord.InvocationInfo:{1}Exception:{2}" + $formatted_errorRecord = $ErrorRecord | format-list * -force | out-string + $formatted_invocationInfo = $ErrorRecord.InvocationInfo | format-list * -force | out-string + $formatted_exception = "" + $Exception = $ErrorRecord.Exception + for ($i = 0; $Exception; $i++, ($Exception = $Exception.InnerException)) { + $formatted_exception += ("$i" * 70) + "-----" + $formatted_exception += $Exception | format-list * -force | out-string + $formatted_exception += "-----" + } + + return $error_message -f $formatted_errorRecord, $formatted_invocationInfo, $formatted_exception +} + +#Stops Orbit service and related processes +function Stop-Orbit { + + # Stop Service + Stop-Service -Name "Fleet osquery" -ErrorAction "Continue" + Start-Sleep -Milliseconds 1000 + + # Ensure that no process left running + Get-Process -Name "orbit" -ErrorAction "SilentlyContinue" | Stop-Process -Force + Get-Process -Name "osqueryd" -ErrorAction "SilentlyContinue" | Stop-Process -Force + Get-Process -Name "fleet-desktop" -ErrorAction "SilentlyContinue" | Stop-Process -Force + Start-Sleep -Milliseconds 1000 +} + +#Remove Orbit footprint from registry and disk +function Force-Remove-Orbit { + + try { + + #Stoping Orbit + Stop-Orbit + + #Remove Service + $service = Get-WmiObject -Class Win32_Service -Filter "Name='Fleet osquery'" + if ($service) { + $service.delete() | Out-Null + } + + #Removing Program files entries + $targetPath = $Env:Programfiles + "\\Orbit" + 
Remove-Item -LiteralPath $targetPath -Force -Recurse -ErrorAction "Continue" + + #Remove HKLM registry entries + Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -Recurse -ErrorAction "SilentlyContinue" | Where-Object {($_.ValueCount -gt 0)} | ForEach-Object { + + # Filter for osquery entries + $properties = Get-ItemProperty $_.PSPath -ErrorAction "SilentlyContinue" | Where-Object {($_.DisplayName -eq "Fleet osquery")} + if ($properties) { + + #Remove Registry Entries + $regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" + $_.PSChildName + + Get-Item $regKey -ErrorAction "SilentlyContinue" | Remove-Item -Force -ErrorAction "SilentlyContinue" + + return + } + } + } + catch { + Write-Host "There was a problem running Force-Remove-Orbit" + Write-Host "$(Resolve-Error-Detailed)" + return $false + } + + return $true +} + +function Main { + + try { + # Is Administrator check + if (-not (Test-Administrator)) { + Write-Host "Please run this script with adming privileges." + Exit -1 + } + + Write-Host "About to uninstall fleetd..." + + if (Force-Remove-Orbit) { + Write-Host "fleetd was uninstalled." + Exit 0 + } else { + Write-Host "There was a problem uninstalling fleetd." + Exit -1 + } + + } catch { + Write-Host "Errorr: Entry point" + Write-Host "$(Resolve-Error-Detailed)" + Exit -1 + } +} + +$null = Main diff --git a/it-and-security/lib/windows-turn-off-mdm.ps1 b/it-and-security/lib/windows-turn-off-mdm.ps1 new file mode 100644 index 0000000000..2ffc3be05d --- /dev/null +++ b/it-and-security/lib/windows-turn-off-mdm.ps1 
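Review bot: In `Force-Remove-Orbit` the `return` inside the `ForEach-Object` script block only ends the current iteration, not the function, so the loop keeps enumerating the rest of the Uninstall hive after the match; if an early exit is intended, use a `foreach ($key in Get-ChildItem ...) { ... break }` statement instead, otherwise drop the `return` so the code matches its behavior. The literal `"\\Orbit"` produces `C:\Program Files\\Orbit` because backslash is not an escape character in PowerShell strings; the filesystem tolerates the doubled separator, but `$targetPath = Join-Path $Env:ProgramFiles "Orbit"` says what is meant. Two user-visible strings carry typos, `adming privileges` and `Errorr: Entry point`, which matters for a script whose output is what an admin reads back from Fleet.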
@@ -0,0 +1,27 @@
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+
+public class MdmRegistration
+{
+    [DllImport("mdmregistration.dll", SetLastError = true)]
+    public static extern int UnregisterDeviceWithManagement(IntPtr pDeviceID);
+
+    public static int UnregisterDevice()
+    {
+        return UnregisterDeviceWithManagement(IntPtr.Zero);
+    }
+}
+"@ -Language CSharp
+
+try {
+    $result = [MdmRegistration]::UnregisterDevice()
+
+    if ($result -ne 0) {
+        throw "UnregisterDeviceWithManagement failed with error code: $result"
+    }
+
+    Write-Host "Device unregistration called successfully."
+} catch {
+    Write-Error "Error calling UnregisterDeviceWithManagement: $_"
+}
diff --git a/it-and-security/teams/explore-data.yml b/it-and-security/teams/explore-data.yml
new file mode 100644
index 0000000000..4fef4ef021
--- /dev/null
+++ b/it-and-security/teams/explore-data.yml
@@ -0,0 +1,43 @@
+name: "Explore data (fleetdm.com) [DO NOT DELETE]"
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_EXPLORE_DATA_ENROLL_SECRET
+agent_options:
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 5
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+controls:
+  enable_disk_encryption: false
+  macos_settings:
+    custom_settings:
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+  scripts:
+policies:
+queries:
+  - path: ../lib/explore-data.queries.yml
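Review bot: The `catch` block only calls `Write-Error`, so the script still terminates with exit code 0 when `UnregisterDeviceWithManagement` fails; if the caller judges success by exit status, as remote script runners typically do, a device that is still enrolled will be reported as unenrolled. Add `exit 1` as the last statement of the catch block. The import sets `SetLastError = true` but `Marshal.GetLastWin32Error()` is never read, and the HRESULT is printed in decimal — `('0x{0:X8}' -f $result)` is what a responder would look up. Passing `IntPtr.Zero` as the enrollment ID relies on the DLL's null-argument semantics, which the script does not document; a one-line comment citing the intended behavior would save the next reader a trip to the API reference.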
diff --git a/it-and-security/teams/servers-canary.yml b/it-and-security/teams/servers-canary.yml new file mode 100644 index 0000000000..a009d9dcf0 --- /dev/null +++ b/it-and-security/teams/servers-canary.yml @@ -0,0 +1,31 @@ +name: "Servers (canary)" +team_settings: + features: + enable_host_users: false + enable_software_inventory: false + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 0 + secrets: + - secret: $DOGFOOD_SERVERS_CANARY_ENROLL_SECRET +agent_options: + path: ../lib/servers.agent-options.yml +controls: + enable_disk_encryption: false + macos_settings: + custom_settings: + macos_setup: + bootstrap_package: null + enable_end_user_authentication: false + macos_setup_assistant: null + macos_updates: + deadline: null + minimum_version: null + windows_settings: + custom_settings: null + windows_updates: + deadline_days: null + grace_period_days: null + scripts: +policies: +queries: diff --git a/it-and-security/teams/servers.yml b/it-and-security/teams/servers.yml new file mode 100644 index 0000000000..b10d25d3e3 --- /dev/null +++ b/it-and-security/teams/servers.yml @@ -0,0 +1,31 @@ +name: "Servers" +team_settings: + features: + enable_host_users: true + enable_software_inventory: true + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 0 + secrets: + - secret: $DOGFOOD_SERVERS_ENROLL_SECRET +agent_options: + path: ../lib/servers.agent-options.yml +controls: + enable_disk_encryption: false + macos_settings: + custom_settings: + macos_setup: + bootstrap_package: null + enable_end_user_authentication: false + macos_setup_assistant: null + macos_updates: + deadline: null + minimum_version: null + windows_settings: + custom_settings: null + windows_updates: + deadline_days: null + grace_period_days: null + scripts: +policies: +queries: diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml new file mode 100644 index 0000000000..bd34a4f4a1 --- /dev/null 
+++ b/it-and-security/teams/workstations-canary.yml 
@@ -0,0 +1,68 @@ +name: "Workstations (canary)" +team_settings: + features: + enable_host_users: true + enable_software_inventory: true + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 0 + secrets: + - secret: $DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET +agent_options: + path: ../lib/agent-options.yml +controls: + enable_disk_encryption: true + macos_settings: + custom_settings: + - path: ../../mdm_profiles/automatic_updates.mobileconfig + - path: ../../mdm_profiles/chrome_enrollment.mobileconfig + - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig + - path: ../../mdm_profiles/disable_content_caching.mobileconfig + - path: ../../mdm_profiles/disable_guest_account.mobileconfig + - path: ../../mdm_profiles/disable_guest_shares.mobileconfig + - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig + - path: ../../mdm_profiles/disable_media_sharing.mobileconfig + - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig + - path: ../../mdm_profiles/enable_doh.mobileconfig + - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig + - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig + - path: ../../mdm_profiles/enforce_library_validation.mobileconfig + - path: ../../mdm_profiles/firewall.mobileconfig + - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig + - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig + - path: ../../mdm_profiles/misc.mobileconfig + - path: ../../mdm_profiles/password_policy.mobileconfig + - path: ../../mdm_profiles/prevent_autologon.mobileconfig + - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig + - path: ../../mdm_profiles/time_and_date.mobileconfig + macos_setup: + bootstrap_package: "" + enable_end_user_authentication: true + macos_setup_assistant: null + macos_updates: + deadline: "2023-12-15" + minimum_version: "14.2" + windows_settings: + custom_settings: null + windows_updates: + deadline_days: 7 + grace_period_days: 2 + scripts: 
+ - path: ../lib/collect-fleetd-logs.sh + - path: ../lib/macos-see-automatic-enrollment-profile.sh + - path: ../lib/windows-remove-fleetd.ps1 + - path: ../lib/windows-turn-off-mdm.ps1 +policies: + - path: ../lib/macos-device-health.policies.yml + - path: ../lib/windows-device-health.policies.yml + - path: ../lib/linux-device-health.policies.yml + - name: chromeOS/macOS - Screenlock enabled + query: SELECT 1 FROM screenlock WHERE enabled = 1; + critical: false + description: "" + resolution: "" + platform: darwin,chrome +queries: + - path: ../lib/collect-failed-login-attempts.queries.yml + - path: ../lib/collect-usb-devices.queries.yml + - path: ../lib/collect-vs-code-extensions.queries.yml diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml new file mode 100644 index 0000000000..65fe53fdc7 --- /dev/null +++ b/it-and-security/teams/workstations.yml 
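Review bot: The `scripts:` list ships `windows-remove-fleetd.ps1` and `windows-turn-off-mdm.ps1` to every host on this team as runnable library scripts, so anyone permitted to run scripts here can unenroll a device from both fleetd and MDM in one action — a much larger blast radius than the two diagnostic scripts beside them. Consider keeping the destructive scripts out of the default team library, or scoping them to a team with tighter run permissions, and noting their effect in the repo. The inline policy `chromeOS/macOS - Screenlock enabled` has an empty `description` and `resolution`, unlike every policy in the lib files it sits next to. `macos_updates.deadline: "2023-12-15"` is already past relative to the commit date; presumably that makes the 14.2 update due immediately, so confirm that is the intent rather than a stale value.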
@@ -0,0 +1,62 @@ +name: "Workstations" +team_settings: + features: + enable_host_users: true + enable_software_inventory: true + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 0 + secrets: + - secret: $DOGFOOD_WORKSTATIONS_ENROLL_SECRET +agent_options: + path: ../lib/agent-options.yml +controls: + enable_disk_encryption: true + macos_settings: + custom_settings: + - path: ../../mdm_profiles/automatic_updates.mobileconfig + - path: ../../mdm_profiles/chrome_enrollment.mobileconfig + - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig + - path: ../../mdm_profiles/disable_content_caching.mobileconfig + - path: ../../mdm_profiles/disable_guest_account.mobileconfig + - path: ../../mdm_profiles/disable_guest_shares.mobileconfig + - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig + - path: ../../mdm_profiles/disable_media_sharing.mobileconfig + - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig + - path: ../../mdm_profiles/enable_doh.mobileconfig + - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig + - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig + - path: ../../mdm_profiles/enforce_library_validation.mobileconfig + - path: ../../mdm_profiles/firewall.mobileconfig + - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig + - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig + - path: ../../mdm_profiles/misc.mobileconfig + - path: ../../mdm_profiles/password_policy.mobileconfig + - path: ../../mdm_profiles/prevent_autologon.mobileconfig + - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig + - path: ../../mdm_profiles/time_and_date.mobileconfig + macos_setup: + bootstrap_package: "" + enable_end_user_authentication: true + macos_setup_assistant: null + macos_updates: + deadline: "2023-12-19" + minimum_version: "14.2" + windows_settings: + custom_settings: null + windows_updates: + deadline_days: 7 + grace_period_days: 2 + scripts: + - path: 
../lib/collect-fleetd-logs.sh + - path: ../lib/macos-see-automatic-enrollment-profile.sh + - path: ../lib/windows-remove-fleetd.ps1 + - path: ../lib/windows-turn-off-mdm.ps1 +policies: + - path: ../lib/macos-device-health.policies.yml + - path: ../lib/windows-device-health.policies.yml + - path: ../lib/linux-device-health.policies.yml +queries: + - path: ../lib/collect-failed-login-attempts.queries.yml + - path: ../lib/collect-usb-devices.queries.yml + - path: ../lib/collect-vs-code-extensions.queries.yml From 22dd392da724981927caa5d04c6e2bf690ad5c96 Mon Sep 17 00:00:00 2001 From: Victor Lyuboslavsky Date: Wed, 28 Feb 2024 10:53:37 -0600 Subject: [PATCH 03/13] Fixing code review comments. (#17240) Fixing code review comments from https://github.com/fleetdm/fleet/pull/16855 Also, moving `CleanupDistributedQueryCampaigns` back to once an hour, so that it is not disabled. --- cmd/fleet/cron.go | 26 +++++++++++++++----------- cmd/fleet/serve.go | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/cmd/fleet/cron.go b/cmd/fleet/cron.go index 2400a29598..78873db9b6 100644 --- a/cmd/fleet/cron.go +++ b/cmd/fleet/cron.go @@ -705,7 +705,6 @@ func newCleanupsAndAggregationSchedule( ctx context.Context, instanceID string, ds fleet.Datastore, - lq fleet.LiveQueryStore, logger kitlog.Logger, enrollHostLimiter fleet.EnrollHostLimiter, config *config.FleetConfig, @@ -721,6 +720,13 @@ func newCleanupsAndAggregationSchedule( schedule.WithAltLockID("leader"), schedule.WithLogger(kitlog.With(logger, "cron", name)), // Run cleanup jobs first. + schedule.WithJob( + "distributed_query_campaigns", + func(ctx context.Context) error { + _, err := ds.CleanupDistributedQueryCampaigns(ctx, time.Now().UTC()) + return err + }, + ), schedule.WithJob( "incoming_hosts", func(ctx context.Context) error { 
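Review bot: `macos_updates.deadline: "2023-12-19"` is already in the past for a February 2024 commit, and it differs from the canary team's `"2023-12-15"`, so the two teams do not exercise the same update rollout and neither deadline can still be doing what it was written for. Either move both to a future date that the canary team hits first, or document that a past deadline is used deliberately to enforce `minimum_version: "14.2"` immediately. The same destructive `windows-remove-fleetd.ps1` and `windows-turn-off-mdm.ps1` scripts are exposed here as on the canary team; for the production workstation team in particular, gating who can run them is worth an explicit decision rather than a default.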
@@ -846,16 +852,16 @@ func newFrequentCleanupsSchedule(
 	s := schedule.New(
 		ctx, name, instanceID, defaultInterval, ds, ds,
 		// Using leader for the lock to be backwards compatilibity with old deployments.
-		schedule.WithAltLockID("leader"),
+		schedule.WithAltLockID("leader_frequent_cleanups"),
 		schedule.WithLogger(kitlog.With(logger, "cron", name)),
 		// Run cleanup jobs first.
 		schedule.WithJob(
-			"distributed_query_campaigns",
+			"redis_live_queries",
 			func(ctx context.Context) error {
-				_, err := ds.CleanupDistributedQueryCampaigns(ctx, time.Now().UTC())
-				if err != nil {
-					return err
-				}
+				// It's necessary to avoid lingering live queries in case of:
+				// - (Unknown) bug in the implementation, or,
+				// - Redis is so overloaded already that the lq.StopQuery in svc.CompleteCampaign fails to execute, or,
+				// - MySQL is so overloaded that ds.SaveDistributedQueryCampaign in svc.CompleteCampaign fails to execute.
 				names, err := lq.LoadActiveQueryNames()
 				if err != nil {
 					return err
@@ -865,10 +871,8 @@ func newFrequentCleanupsSchedule(
 				if err != nil {
 					return err
 				}
-				if err := lq.CleanupInactiveQueries(ctx, completed); err != nil {
-					return err
-				}
-				return nil
+				err = lq.CleanupInactiveQueries(ctx, completed)
+				return err
 			},
 		),
 	)
diff --git a/cmd/fleet/serve.go b/cmd/fleet/serve.go
index c60f5d04c2..729cc31801 100644
--- a/cmd/fleet/serve.go
+++ b/cmd/fleet/serve.go
@@ -697,7 +697,7 @@ the way that the Fleet server works.
 				commander = apple_mdm.NewMDMAppleCommander(mdmStorage, mdmPushService)
 			}
 			return newCleanupsAndAggregationSchedule(
-				ctx, instanceID, ds, liveQueryStore, logger, redisWrapperDS, &config, commander,
+				ctx, instanceID, ds, logger, redisWrapperDS, &config, commander,
 			)
 		},
 	); err != nil {
From 41ad4ba0018dbeb221bdeac36258a208048b1d3d Mon Sep 17 00:00:00 2001
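Review bot: The context comment `// Using leader for the lock to be backwards compatilibity with old deployments.` is now false — the very next line changes the alt lock ID from `leader` to `leader_frequent_cleanups`, so this schedule no longer shares the leader lock, and a reader will assume it does. Replace it with `// Use a dedicated lock so the 15-minute cleanups do not contend with the hourly leader-locked schedule.` (fixing the `compatilibity` typo at the same time). With separate locks, `redis_live_queries` here can now run concurrently with the `distributed_query_campaigns` job that moved into the hourly schedule; both look like idempotent cleanups of different stores, but a sentence confirming that ordering does not matter belongs in the comment. `newFrequentCleanupsSchedule` begins outside the hunk.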
From: Joanne Stableford <59930035+JoStableford@users.noreply.github.com> Date: Wed, 28 Feb 2024 11:56:17 -0500 Subject: [PATCH 04/13] Add "change a Fleetie's manager" responsibility to BizOps Handbook (#17120) --- handbook/business-operations/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/handbook/business-operations/README.md b/handbook/business-operations/README.md index 9b67e8e627..9a786862f0 100644 --- a/handbook/business-operations/README.md +++ b/handbook/business-operations/README.md 
@@ -147,6 +147,17 @@ When a Fleetie, consultant or advisor requests an update to their personnel deta - If required, BizOps also makes changes to other core systems (e.g: creating a new email alias in google workspace; updating details in Carta; etc). - The change is now actioned, notify the team member and close the issue. +### Change a Fleetie's manager +When BizOps receives notification of a Fleetie's manager changing, follow these steps to ensure correct recording in our systems. +- Update the [Fleeties](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0). + - Search for the Fleetie's new manager, and copy the new manager's unique ID from the far left "Unique ID" column. + - Search for the Fleetie who's manager is changing, and paste (without formatting) their new manager's unique ID in the "Reports to: (manager unique ID)" cell in the Fleetie's row. + - Verify that the "Reports to (auto: manager name and job title)" cell in the Fleetie's row reflects the new manager's details. + - Verify that in the new manager's row, the "# direct reports" cell reflect the correct number. + - Navigate to the "Org chart" tab in the spreadsheet, and verify that the Fleetie now appears in the correct place in the org chart. +> **Note:** The Fleeties spreadsheet is the source of truth for this information, and any other systems reflecting reporting lines should be disregarded. + + ### Prepare salary benchmarking information - Use the relevant template text in the README section of the [¶¶ 💌 Compensation decisions document](https://docs.google.com/document/d/1NQ-IjcOTbyFluCWqsFLMfP4SvnopoXDcX0civ-STS5c/edit?usp=sharing) for a current Fleetie, a new role, a prospective hire, or other benchmarking use case. - Copy the template text and paste at the end of the document. From 8d7e3472e7fe339f17d4731ba8fc2e30e1a75c4c Mon Sep 17 00:00:00 2001 
From: Luke Heath Date: Wed, 28 Feb 2024 11:17:31 -0600 Subject: [PATCH 05/13] Add priority rating labels to product groups handbook (#17103) --- handbook/company/communications.md | 1 + handbook/company/product-groups.md | 91 +++++++++++++++--------------- handbook/engineering/README.md | 34 ++++++----- 3 files changed, 69 insertions(+), 57 deletions(-) diff --git a/handbook/company/communications.md b/handbook/company/communications.md index 5d07fd9a88..6c1e120243 100644 --- a/handbook/company/communications.md +++ b/handbook/company/communications.md @@ -253,6 +253,7 @@ Labels with a `#g-` prefix refer to a kanban board. Since it is best practice to > - `bug-` Defect category. For example, `bug-enrollment`, `bug-profiles-sync`, `bug-policies`. This allows us to track the areas of the product producing the most bugs. > - `story` A user story. > - `prospect-` A customer prospect. +> - `P-` A (priority level)[https://fleetdm.com/handbook/company/product-groups#high-priority-user-stories-and-bugs]. > - `Epic` Do not use. _(TODO: ZenHub automatically recreates this label when we group sub-tasks inside of a user story. Find a way to remove this. It is an artifact from Zenhub and not something we actually want to exist or use, as it is confusing.)_ ### Process new requests diff --git a/handbook/company/product-groups.md b/handbook/company/product-groups.md index 72b3cecd80..956dd987b8 100644 --- a/handbook/company/product-groups.md +++ b/handbook/company/product-groups.md 
@@ -141,17 +141,6 @@ User stories are small and independently valuable. - Is it small enough? Will this task be likely to fit in 1 sprint when estimated? - Is it valuable enough? Will this task drive business value when released, independent of other tasks? - -#### Engineering-initiated stories - -Engineering-initiated stories are types of user stories created by engineers to make technical changes to Fleet. Technical changes should improve the user experience or contributor experience. For example, optimizing SQL that improves the response time of an API endpoint improves user experience by reducing latency. A script that generates common boilerplate, or automated tests to cover important business logic, improves the quality of life for contributors, making them happier and more productive, resulting in faster delivery of features to our customers. - -It is important to frame engineering-initiated user stories the same way we frame all user stories. Stay focused on how this technical change will drive value for our users. - -To [create an engineering-initiated user story](https://fleetdm.com/handbook/engineering#creating-an-engineering-initiated-story), follow the [user story drafting process](https://fleetdm.com/handbook/company/development-groups#drafting). Once your user story is created using the [new story template](https://github.com/fleetdm/fleet/issues/new?assignees=&labels=story,~engineering-initiated&projects=&template=story.md&title=), add the `~engineering-initiated` label, assign it to yourself, and bring to your EM to be considered for future prioritization into a sprint. The engineering output and architecture DRI is responsible for prioritizing engineering-initiated stories. - -> We prefer the term engineering-initiated stories over technical debt because the user story format helps keep us focused on our users. - #### Defining "done" To successfully deliver a user story, the people working on it need to know what "done" means. 
@@ -428,6 +417,28 @@ Fleet [always prioritizes bugs](https://fleetdm.com/handbook/product#prioritizin #### Awaiting QA Bugs will be verified as fixed by QA when they are placed in the "Awaiting QA" column of the relevant product group's sprint board. If the bug is verified as fixed, it is moved to the "Ready for release" column of the sprint board. Otherwise, the remaining issues are noted in a comment, and it is moved back to the "In progress" column of the sprint board. +## High priority user stories and bugs +All issues are treated as standard priority by default. Some issues are assigned a priority label to indicate urgency for the business. + +1. Emergency: `P0` +- Examples: Customer outage, confirmed security vulnerability ([critical bug](https://fleetdm.com/handbook/company/product-groups#release-testing)), a new feature is needed to address an immediate business emergency. +- Response: Immediately stop other work to swarm the issue. Work 24/7 in shifts until resolved. +- Impact: Significant impact. May void current sprint. + +2. Critical: `P1` +- Examples: A supported workflow is broken ([critical bug](https://fleetdm.com/handbook/company/product-groups#release-testing)), a potential security vulnerability, a new feature is required to address an immediate critical business need. +- Response: Issue brought to next standup for estimation and immediately brought into the sprint. Necessary team members are assigned as their top priority. +- Impact: High impact. Does not void sprint, but reduces overall velocity and requires deprioritizing other work. + +3. Urgent: `P2` +- Examples: A supported workflow is not functioning as intended, a newly drafted feature has an associated urgent business need. +- Response: Issue is prioritized at the top of the next sprint. If opporunity cost of waiting for the next sprint is too high, it may be considered for current sprint. +- Impact: Low to medium impact. 
If prioritized into current sprint, may reduce overall velocity and require deprioritizing other work. + +Add as much context as possible to the issue description and assign labels to help the team understand the problem and what is driving the urgency. All issues with a `P0`, `P1`, or `P2` label should be assigned to the (DRI for what goes in a release)[https://fleetdm.com/handbook/company/communications#directly-responsible-individuals-dris]. For immediate action, follow up on Slack or by phone. + +Once the release DRI is aware of the issue, they will adjust the labels as needed and assign to the PM and EM of the appropriate product group. If they disagree with the priority label applied to the issue, they will contact the requestor to discuss further. + ## How to reach the developer on-call Oncall engineers do not need to actively monitor Slack channels, except when called in by the Community or Customer teams. Members of those teams are instructed to `@oncall` in `#help-engineering` to get the attention of the on-call engineer to continue discussing any issues that come up. In some cases, the Community or Customer representative will continue to communicate with the requestor. In others, the on-call engineer will communicate directly (team members should use their judgment and discuss on a case-by-case basis how to best communicate with community members and customers). 
@@ -464,13 +475,11 @@ The on-call developer is encouraged to attend some of the customer success meeti This has a dual purpose of providing more context for how our customers use Fleet. The developer should actively participate and provide input where appropriate (if not sure, please ask your manager or organizer of the call). - - **Documentation for contributors** Fleet's documentation for contributors can be found in the [Fleet GitHub repo](https://github.com/fleetdm/fleet/tree/main/docs/Contributing). The on-call developer is asked to read, understand, test, correct, and improve at least one doc page per week. Our goal is to 1, ensure accuracy and verify that our deployment guides and tutorials are up to date and work as expected. And 2, improve the readability, consistency, and simplicity of our documentation – with empathy towards first-time users. See [Writing documentation](https://fleetdm.com/handbook/marketing#writing-documentation) for writing guidelines, and don't hesitate to reach out to [#g-digital-experience](https://fleetdm.slack.com/archives/C01GQUZ91TN) on Slack for writing support. A backlog of documentation improvement needs is kept [here](https://github.com/fleetdm/fleet/issues?q=is%3Aopen+is%3Aissue+label%3A%22%3Aimprove+documentation%22). - ### Escalations When the on-call developer is unsure of the answer, they should follow this process for escalation. @@ -482,7 +491,6 @@ How to escalate: 2. Create a new thread in the [#help-engineering channel](https://fleetdm.slack.com/archives/C019WG4GH0A), tagging `@zwass` and provide the information turned up in your research. Please include possibly relevant links (even if you didn't find what you were looking for there). Zach will work with you to craft an appropriate answer or find another team member who can help. - ### Changing of the guard The on-call developer changes each week on Wednesday. 
@@ -509,8 +517,7 @@ In the Slack reminder thread, the on-call developer includes their retrospective ## Wireframes - Showing these principles and ideas, to help remember the pros and cons and conceptualize the above visually. - - - Figma: [⚗️ Fleet product project](https://www.figma.com/files/project/17318630/%E2%9A%97%EF%B8%8F-Fleet-product?fuid=1234929285759903870) +- Figma: [⚗️ Fleet product project](https://www.figma.com/files/project/17318630/%E2%9A%97%EF%B8%8F-Fleet-product?fuid=1234929285759903870) We have certain design conventions that we include in Fleet. We will document more of these over time. @@ -581,22 +588,6 @@ OPTIONS ## Meetings - - ### Design consultation Design consultations are scheduled as needed with the relevant participants, typically product designers and frontend engineers. It is an opportunity to collaborate and discuss design, implementation, and story requirements. The meeting is scheduled as needed by the product designer or frontend engineer when a user story is in the "Prioritized" column on the [drafting board](https://app.zenhub.com/workspaces/-drafting-ships-in-6-weeks-6192dd66ea2562000faea25c/board). 
@@ -662,6 +641,30 @@ QA has weekly check-in with product to go over the inbox items. QA is responsibl QA may also propose that a reported bug is not actually a bug. A bug is defined as “behavior that is not according to spec or implied by spec.” If agreed that it is not a bug, then it's assigned to the relevant product manager to determine its priority. +### Group weeklies +A chance for deeper, synchronous discussion on topics relevant across product groups like “Frontend weekly”, “Backend weekly”, etc. + +**Participants:** Anyone who wishes to participate. + +**Sample agenda from frontend weekly** +- Discuss common patterns and conventions in the codebase +- Review difficult frontend bugs +- Write engineering-initiated stories + +### Eng Together +This meeting is to disseminate engineering-wide announcements, promote cohesion across groups within the engineering team, and connect with engineers (and the "engineering-curious") in other departments. Held monthly for one hour. + +**Participants:** Everyone at the company is welcome to attend. All engineers are asked to attend. The subject matter is focused on engineering. + +**Agenda:** +- Announcements +- Engineering KPIs review +- “Tech talks” + - At least one member from each product group demos or discusses a technical subject relevant to engineering at Fleet. + - Everyone is welcome to present on a technical topic. Add your name and tech talk subject in the agenda doc included in the Eng Together calendar event. +- Social + - Structured and/or unstructured social activities + ## Development best practices - Remember the user. What would you do if you saw that error message? [🔴](https://fleetdm.com/handbook/company#empathy) - Communicate any blockers ASAP in your group Slack channel or standup. [🟠](https://fleetdm.com/handbook/company#ownership) diff --git a/handbook/engineering/README.md b/handbook/engineering/README.md index 41c24079ff..92496cafdd 100644 --- a/handbook/engineering/README.md 
+++ b/handbook/engineering/README.md 
@@ -27,6 +27,15 @@ The metrics are: Each week these are tracked and shared in the weekly KPI sheet by Luke Heath. +#### Create an engineering-initiated story +Engineering-initiated stories are types of user stories created by engineers to make technical changes to Fleet. Technical changes should improve the user experience or contributor experience. For example, optimizing SQL that improves the response time of an API endpoint improves user experience by reducing latency. A script that generates common boilerplate, or automated tests to cover important business logic, improves the quality of life for contributors, making them happier and more productive, resulting in faster delivery of features to our customers. + +It is important to frame engineering-initiated user stories the same way we frame all user stories. Stay focused on how this technical change will drive value for our users. + +To [create an engineering-initiated user story](https://fleetdm.com/handbook/engineering#creating-an-engineering-initiated-story), follow the [user story drafting process](https://fleetdm.com/handbook/company/development-groups#drafting). Once your user story is created using the [new story template](https://github.com/fleetdm/fleet/issues/new?assignees=&labels=story,~engineering-initiated&projects=&template=story.md&title=), add the `~engineering-initiated` label, assign it to yourself, and bring to your EM to be considered for future prioritization into a sprint. The engineering output and architecture DRI is responsible for prioritizing engineering-initiated stories. + +> We prefer the term engineering-initiated stories over technical debt because the user story format helps keep us focused on our users and contributors. + ### Begin a merge freeze To ensure release quality, Fleet has a freeze period for testing beginning the Tuesday before the release at 9:00 AM Pacific. Effective at the start of the freeze period, new feature work will not be merged into `main`. 
@@ -180,7 +189,6 @@ When merging a pull request from a community contributor: - Thank and congratulate the contributor. - Share the merged PR with the team in the #help-promote channel of Fleet Slack to be publicized on social media. Those who contribute to Fleet and are recognized for their contributions often become great champions for the project. - ### Schedule developer on-call workload Engineering managers are asked to be aware of the [on-call rotation](https://docs.google.com/document/d/1FNQdu23wc1S9Yo6x5k04uxT2RwT77CIMzLLeEI2U7JA/edit#) and schedule a light workload for engineers while they are on-call. While it varies week to week considerably, the on-call responsibilities can sometimes take up a substantial portion of the engineer's time. 
@@ -334,40 +342,40 @@ Please see [handbook/engineering#notify-community-members-about-a-critical-bug]( Please see [handbook/engineering#run-fleet-locally-for-qa-purposes](https://fleetdm.com/handbook/engineering#run-fleet-localy-for-qa-purposes) ##### Scrum at Fleet -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#scrum-at-fleet) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#scrum-at-fleet) ##### Scrum items -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#scrum-items) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#scrum-items) ##### Sprint ceremonies -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#sprint-ceremonies) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#sprint-ceremonies) ##### Meetings -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#meetings) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#meetings) ##### Principles -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#principles) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#principles) -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#eng-together) for **below** +Please see 
[handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#eng-together) for **below** ##### Eng Together ##### Participants ##### Agenda -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#eng-together) for **above** +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#eng-together) for **above** -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **below** +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **below** ##### User story discovery ##### Participants ##### Agenda -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **above** +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **above** -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **below** +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **below** ##### Group weeklies ##### Participants ##### Sample agenda (Frontend weekly) -Please see [handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **above** +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/product-groups#group-weeklies) for **above** ##### Engineering-initiated stories -Please see 
[handbook/company/product-groups#engineering-initiated-stories](https://fleetdm.com/handbook/company/product-groups#engineering-initiated-stories) +Please see [handbook/company/engineering#create-an-engineering-initiated-story](https://fleetdm.com/handbook/company/engineering#create-an-engineering-initiated-story) ##### Creating an engineering-initiated story Please see [handbook/engineering#create-an-engineering-initiated-user-story](https://fleetdm.com/handbook/engineering#create-an-engineering-initiated-user-story) From 4a97587edf7504915ac90f8f4cc0b859c0cd1e15 Mon Sep 17 00:00:00 2001 From: Eric Date: Wed, 28 Feb 2024 12:50:16 -0600 Subject: [PATCH 06/13] Website: Update content on device management page (#17248) Closes: https://github.com/fleetdm/confidential/issues/5566 Changes: - Updated the content of the "Absolute certainty" section of the /device-management page --- website/views/pages/device-management.ejs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/views/pages/device-management.ejs b/website/views/pages/device-management.ejs index e0d39961f6..72d23ff89e 100644 --- a/website/views/pages/device-management.ejs +++ b/website/views/pages/device-management.ejs @@ -157,11 +157,12 @@
-

Absolute certainty

-

Reduce time wasted hunting down whether a change happened. Actually verify that settings are applied using real data pulled from your users' devices.

+

Shorten the feedback loop

+

Spend less time debugging whether changes actually happened. Auto-verify using real data pulled from your users' devices.

Use a git repo as the source of truth to reduce errors (submitting the wrong patch, configuration setting etc)

Every change to a policy or security control is tracked and auditable in Fleet’s history, or via the repo commit log

+

Instantly reveal failed patches and broken settings with osquery to shorten the feedback loop and avoid tickets.

From aadf82911ac0dfe73a84219228c5a876c57d0566 Mon Sep 17 00:00:00 2001 From: Jacob Shandling <61553566+jacobshandling@users.noreply.github.com> Date: Wed, 28 Feb 2024 11:16:02 -0800 Subject: [PATCH 07/13] Cap salt length before concatenating with plaintext for password updates (#17068) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## –> #16487 - Ensures length of salt is no larger than the key size. This ensures the remaining space within the 72-byte limit for salt+hash is the advertised 48 bytes, for the default salt size. - Per [this discussion](https://github.com/fleetdm/fleet/pull/16524#discussion_r1474675857), we are assuming ASCII characters, and therefore 1byte:1char, for now – unicode support may come later. - Updated tests to follow. ## Checklist for submitter - [x] Changes file added for user-visible changes in `changes/` - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling --- server/fleet/users.go | 1 + server/fleet/users_test.go | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/server/fleet/users.go b/server/fleet/users.go index 0549b86416..94f22292bd 100644 --- a/server/fleet/users.go +++ b/server/fleet/users.go @@ -404,6 +404,7 @@ func saltAndHashPassword(keySize int, plaintext string, cost int) (hashed []byte return nil, "", err } + salt = salt[:keySize] withSalt := []byte(fmt.Sprintf("%s%s", plaintext, salt)) hashed, err = bcrypt.GenerateFromPassword(withSalt, cost) if err != nil { diff --git a/server/fleet/users_test.go b/server/fleet/users_test.go index a1c9c12c78..1c4e45a655 100644 --- a/server/fleet/users_test.go +++ b/server/fleet/users_test.go 
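Review bot: `salt = salt[:keySize]` relies on the generated salt being at least keySize bytes long; a shorter salt would panic with a slice-bounds error rather than return one, and the generator call sits above the hunk so its length guarantee is not visible here. A guard such as `if len(salt) < keySize { return nil, "", fmt.Errorf("salt of length %d shorter than key size %d", len(salt), keySize) }` placed immediately before the truncation makes that invariant explicit and fail-safe. Because the slice operates on bytes, the PR's 1 byte:1 char assumption only holds for an ASCII salt alphabet; a comment on the new line such as `// salt is ASCII, so keySize bytes == keySize chars; truncate so plaintext+salt fits bcrypt's 72-byte input limit` records why this truncation is what keeps the 72-byte budget predictable. saltAndHashPassword's body begins and ends outside the hunk.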
@@ -164,11 +164,11 @@ func TestUserPasswordRequirements(t *testing.T) { } func TestSaltAndHashPassword(t *testing.T) { - passwordTests := []string{"foobar!!", "bazbing!!"} + goodTests := []string{"foobar!!", "bazbing!!", "foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!", "foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!!"} keySize := 24 cost := 10 - for _, pwd := range passwordTests { + for _, pwd := range goodTests { hashed, salt, err := saltAndHashPassword(keySize, pwd, cost) require.NoError(t, err) @@ -178,6 +178,14 @@ func TestSaltAndHashPassword(t *testing.T) { err = bcrypt.CompareHashAndPassword(hashed, []byte(fmt.Sprint("invalidpassword", salt))) require.Error(t, err) + + // too long + badTests := []string{"foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!!!"} + for _, pwd := range badTests { + _, _, err := saltAndHashPassword(keySize, pwd, cost) + require.Error(t, err) + + } } } From 2d4a183789c5336373665516839b9314cd056a1e Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Wed, 28 Feb 2024 15:05:13 -0500 Subject: [PATCH 08/13] feat: allow node in Windows MDM profiles (#17234) > Related issue: #16335 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --- changes/jve-16335 | 1 + server/fleet/windows_mdm.go | 18 +++---- server/fleet/windows_mdm_test.go | 27 +++++------ server/mdm/mdm.go | 14 +++--- server/mdm/mdm_test.go | 10 ++++ server/service/integration_mdm_test.go | 65 ++++++++++++++++++++++++-- server/service/mdm_test.go | 4 +- server/service/microsoft_mdm_test.go | 9 +++- 8 files changed, 113 insertions(+), 35 deletions(-) create mode 100644 changes/jve-16335 
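Review bot: The new `badTests` loop in the second hunk is nested inside the `for _, pwd := range goodTests` body (it is added before the outer loop's closing brace, which is the first of the two trailing context `}` lines), so the too-long case is re-run once per good password and the inner `pwd` shadows the outer one. Moving the block after the outer loop closes runs it once and removes the shadowing. The assertion is also only `require.Error`; if the x/crypto version in use exports it, `require.ErrorIs(t, err, bcrypt.ErrPasswordTooLong)` pins that the 73-byte plaintext+salt is rejected for the intended reason rather than some unrelated failure. `TestSaltAndHashPassword` starts in the first hunk and ends at the close of the second.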
diff --git a/changes/jve-16335 b/changes/jve-16335 new file mode 100644 index 0000000000..692f761ccf --- /dev/null +++ b/changes/jve-16335 @@ -0,0 +1 @@ +- Enables usage of `` nodes in Windows MDM profiles. \ No newline at end of file diff --git a/server/fleet/windows_mdm.go b/server/fleet/windows_mdm.go index 427e705dd8..a83fa4d5f1 100644 --- a/server/fleet/windows_mdm.go +++ b/server/fleet/windows_mdm.go @@ -75,7 +75,7 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error { // NOTE: since we're only checking for well-formedness // we don't need to validate the required nesting // structure (Target>Item>LocURI) so we don't need to track all the tags. - var inReplace bool + var inValidNode bool var inLocURI bool for { @@ -96,24 +96,24 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error { case xml.StartElement: switch t.Name.Local { - case "Replace": - inReplace = true + case "Replace", "Add": + inValidNode = true case "LocURI": - if !inReplace { - return errors.New("Only supported as a top level element. Make sure you don't have other top level elements.") + if !inValidNode { + return errors.New("Windows configuration profiles can only have or top level elements.") } inLocURI = true default: - if !inReplace { - return errors.New("Only supported as a top level element. Make sure you don't have other top level elements.") + if !inValidNode { + return errors.New("Windows configuration profiles can only have or top level elements.") } } case xml.EndElement: switch t.Name.Local { - case "Replace": - inReplace = false + case "Replace", "Add": + inValidNode = false case "LocURI": inLocURI = false } diff --git a/server/fleet/windows_mdm_test.go b/server/fleet/windows_mdm_test.go index 3e407afdd5..0a16717546 100644 --- a/server/fleet/windows_mdm_test.go +++ b/server/fleet/windows_mdm_test.go 
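Review bot: `inValidNode`, introduced in both windows_mdm.go hunks, reads as "invalid node" at a glance, which is the opposite of what the flag means; a name such as `inVerbElement` or `inAllowedCommand` says what it actually tracks (that the parser is inside a `Replace` or `Add` element). The same error message is now constructed with `errors.New` in two branches of the `xml.StartElement` case; hoisting it to a package-level sentinel, e.g. `var errInvalidTopLevelElement = errors.New(/* same text */)`, keeps the two in sync and lets tests use `errors.Is`. Since a single boolean cannot distinguish a `Replace` nested inside an `Add` from consecutive siblings, a short comment at the declaration stating that nesting between the two verbs is intentionally not tracked would fit the existing NOTE about checking well-formedness only. `ValidateUserProvided` begins and ends outside the hunks.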
@@ -39,10 +39,10 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { - name: "Invalid top level element", + name: "Add top level element", profile: MDMWindowsConfigProfile{ SyncML: []byte(` @@ -52,7 +52,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements.", + wantErr: "", }, { name: "Reserved LocURI", @@ -139,7 +139,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "", }, { name: "XML with Replace and Alert", @@ -157,7 +157,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Atomic", @@ -175,7 +175,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Delete", @@ -193,7 +193,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Exec", 
@@ -211,7 +211,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Get", @@ -229,7 +229,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Results", @@ -247,7 +247,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with Replace and Status", @@ -265,7 +265,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "XML with elements not defined in the protocol", @@ -283,7 +283,7 @@ func TestValidateUserProvided(t *testing.T) { `), }, - wantErr: "Only supported as a top level element. Make sure you don't have other top level elements", + wantErr: "Windows configuration profiles can only have or top level elements.", }, { name: "invalid XML with mismatched tags", @@ -359,7 +359,8 @@ func TestValidateUserProvided(t *testing.T) { Invalid & Data -`)}, +`), + }, wantErr: "The file should include valid XML", }, { diff --git a/server/mdm/mdm.go b/server/mdm/mdm.go index 4e2b1c9485..00e515667b 100644 --- a/server/mdm/mdm.go +++ b/server/mdm/mdm.go 
@@ -35,8 +35,7 @@ func DecryptBase64CMS(p7Base64 string, cert *x509.Certificate, key crypto.Privat // // - Returns "darwin" if the profile starts with "= len(darwinPrefix) && bytes.EqualFold(darwinPrefix, trimmedProfile[:len(darwinPrefix)]) { + prefixMatches := func(prefix []byte) bool { + return len(trimmedProfile) >= len(prefix) && + bytes.EqualFold(prefix, trimmedProfile[:len(prefix)]) + } + + if prefixMatches([]byte("= len(windowsPrefix) && bytes.EqualFold(windowsPrefix, trimmedProfile[:len(windowsPrefix)]) { + if prefixMatches([]byte(""), expected: "windows", }, + { + name: "Windows case insensitive add ", + input: []byte(""), + expected: "windows", + }, + { + name: "Windows case sensitive add", + input: []byte(""), + expected: "windows", + }, { name: "Whitespace before prefix", input: []byte(" "), diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go index 648ef866c9..27f19ff118 100644 --- a/server/service/integration_mdm_test.go +++ b/server/service/integration_mdm_test.go 
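Review bot: The new `prefixMatches` helper accepts any document whose leading bytes equal the prefix, so a short element-name prefix also matches longer element names that merely begin with the same letters (the prefix literals are not legible in this rendering, but the surrounding comment and the new test names suggest `<Replace` and `<Add`, and `<Add` would also match e.g. `<Additional`). Requiring the byte after the prefix to be whitespace, `>` or `/` tightens it, e.g. `rest := trimmedProfile[len(prefix):]; return len(rest) > 0 && (rest[0] == ' ' || rest[0] == '\n' || rest[0] == '>' || rest[0] == '/')` after the EqualFold check. This only affects platform detection; the profile validator elsewhere still decides what is accepted, so treat it as hardening a heuristic rather than a security boundary. The enclosing function starts above the hunk.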
@@ -8078,10 +8078,36 @@ func (s *integrationMDMTestSuite) TestWindowsMDM() { err = s.ds.MDMWindowsInsertCommandForHosts(context.Background(), []string{orbitHost.UUID}, commandThree) require.NoError(t, err) + cmdFourUUID := uuid.New().String() + commandFour := &fleet.MDMWindowsCommand{ + CommandUUID: cmdFourUUID, + RawCommand: []byte(fmt.Sprintf(` + + %s + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + text/plain + chr + + + <?xml version="1.0"?><WLANProfile + xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type + + + + `, cmdFourUUID)), + TargetLocURI: "./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml", + } + err = s.ds.MDMWindowsInsertCommandForHosts(context.Background(), []string{orbitHost.UUID}, commandFour) + require.NoError(t, err) + cmds, err = d.StartManagementSession() require.NoError(t, err) - // two status + the two commands we enqueued - require.Len(t, cmds, 4) + // two status + the three commands we enqueued + require.Len(t, cmds, 5) receivedCmdTwo := cmds[cmdTwoUUID] require.NotNil(t, receivedCmdTwo) require.Equal(t, receivedCmdTwo.Verb, fleet.CmdGet) @@ -8094,6 +8120,12 @@ func (s *integrationMDMTestSuite) TestWindowsMDM() { require.Len(t, receivedCmdThree.Cmd.Items, 1) require.EqualValues(t, "./Device/Vendor/MSFT/DMClient/Provider/DEMO%20MDM/SignedEntDMID", *receivedCmdThree.Cmd.Items[0].Target) + receivedCmdFour := cmds[cmdFourUUID] + require.NotNil(t, receivedCmdFour) + require.Equal(t, receivedCmdFour.Verb, fleet.CmdAdd) + require.Len(t, receivedCmdFour.Cmd.Items, 1) + require.EqualValues(t, "./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml", *receivedCmdFour.Cmd.Items[0].Target) + // status 200 for command Two (Get) d.AppendResponse(fleet.SyncMLCmd{ XMLName: xml.Name{Local: mdm_types.CmdStatus}, 
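Review bot: `require.Equal(t, receivedCmdFour.Verb, fleet.CmdAdd)` in the second hunk passes the actual value first and the expected value second, so a failure message would print the two swapped; testify's signature is `Equal(t, expected, actual)`, so it should read `require.Equal(t, fleet.CmdAdd, receivedCmdFour.Verb)`. The pre-existing assertions for commands two and three carry the same inversion, but the new line need not copy it. `TestWindowsMDM` starts and ends outside these hunks.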
@@ -8130,8 +8162,19 @@ func (s *integrationMDMTestSuite) TestWindowsMDM() { Items: nil, CmdID: fleet.CmdID{Value: uuid.NewString()}, }) + // status 200 for command Four (Add) + d.AppendResponse(fleet.SyncMLCmd{ + XMLName: xml.Name{Local: mdm_types.CmdStatus}, + MsgRef: &msgID, + CmdRef: &cmdFourUUID, + Cmd: ptr.String("Add"), + Data: ptr.String("200"), + Items: nil, + CmdID: fleet.CmdID{Value: uuid.NewString()}, + }) cmds, err = d.SendResponse() require.NoError(t, err) + // the ack of the message should be the only returned command require.Len(t, cmds, 1) @@ -8192,6 +8235,20 @@ func (s *integrationMDMTestSuite) TestWindowsMDM() { Hostname: "TestIntegrationsMDM/TestWindowsMDMh1.local", Payload: commandThree.RawCommand, }, getMDMCmdResp.Results[0]) + + s.DoJSON("GET", "/api/latest/fleet/mdm/commandresults", nil, http.StatusOK, &getMDMCmdResp, "command_uuid", cmdFourUUID) + require.Len(t, getMDMCmdResp.Results, 1) + require.NotZero(t, getMDMCmdResp.Results[0].UpdatedAt) + getMDMCmdResp.Results[0].UpdatedAt = time.Time{} + require.Equal(t, &fleet.MDMCommandResult{ + HostUUID: orbitHost.UUID, + CommandUUID: cmdFourUUID, + Status: "200", + RequestType: "./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml", + Result: getCommandFullResult(cmdFourUUID), + Hostname: "TestIntegrationsMDM/TestWindowsMDMh1.local", + Payload: commandFour.RawCommand, + }, getMDMCmdResp.Results[0]) } func (s *integrationMDMTestSuite) TestWindowsAutomaticEnrollmentCommands() { @@ -8730,7 +8787,7 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() { body, headers := generateNewProfileMultipartRequest( t, filename, - []byte(fmt.Sprintf(`%s`, locURI)), + []byte(fmt.Sprintf(`%s%s`, locURI, locURI)), s.token, fields, ) 
@@ -9011,7 +9068,7 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() { tm2ProfG, err := s.ds.NewMDMWindowsConfigProfile(ctx, fleet.MDMWindowsConfigProfile{ Name: "tG", TeamID: &tm2.ID, - SyncML: []byte(``), + SyncML: []byte(``), Labels: []mdm_types.ConfigurationProfileLabel{ {LabelID: lblFoo.ID, LabelName: lblFoo.Name}, {LabelID: lblBar.ID, LabelName: lblBar.Name}, diff --git a/server/service/mdm_test.go b/server/service/mdm_test.go index d8a6f783e2..f566b78be8 100644 --- a/server/service/mdm_test.go +++ b/server/service/mdm_test.go @@ -1028,7 +1028,7 @@ func TestUploadWindowsMDMConfigProfileValidations(t *testing.T) { {"mdm not enabled", 0, ``, false, "Windows MDM isn't turned on."}, {"duplicate profile name", 0, `duplicate`, true, "configuration profile with this name already exists."}, {"multiple Replace", 0, `ab`, true, ""}, - {"Replace and non-Replace", 0, `ab`, true, "Only supported as a top level element."}, + {"Replace and non-Replace", 0, `ab`, true, "Windows configuration profiles can only have or top level elements."}, {"BitLocker profile", 0, `./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption`, true, "Custom configuration profiles can't include BitLocker settings."}, {"Windows updates profile", 0, ` ./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates `, true, "Custom configuration profiles can't include Windows updates settings."}, 
@@ -1039,7 +1039,7 @@ func TestUploadWindowsMDMConfigProfileValidations(t *testing.T) { {"team mdm not enabled", 1, ``, false, "Windows MDM isn't turned on."}, {"team duplicate profile name", 1, `duplicate`, true, "configuration profile with this name already exists."}, {"team multiple Replace", 1, `ab`, true, ""}, - {"team Replace and non-Replace", 1, `ab`, true, "Only supported as a top level element."}, + {"team Replace and non-Replace", 1, `ab`, true, "Windows configuration profiles can only have or top level elements."}, {"team BitLocker profile", 1, `./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption`, true, "Custom configuration profiles can't include BitLocker settings."}, {"team Windows updates profile", 1, ` ./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates `, true, "Custom configuration profiles can't include Windows updates settings."}, diff --git a/server/service/microsoft_mdm_test.go b/server/service/microsoft_mdm_test.go index a688f69735..f806e4da4f 100644 --- a/server/service/microsoft_mdm_test.go +++ b/server/service/microsoft_mdm_test.go @@ -407,11 +407,18 @@ func TestBuildCommandFromProfileBytes(t *testing.T) { func syncMLForTest(locURI string) []byte { return []byte(fmt.Sprintf(` + + + + %s + + + %s -`, locURI)) +`, locURI, locURI)) } From 4751e6652a150d1a05a57788dda6c2cedc8202ed Mon Sep 17 00:00:00 2001 From: Rachael Shaw Date: Wed, 28 Feb 2024 15:15:10 -0600 Subject: [PATCH 09/13] API docs: Add missing Fleet Premium clarification (#17255) + Add some missing "_Available in Fleet Premium_." flags to `team_id` parameter descriptions for API endpoints available in Fleet Free. + Remove one duplicate instance of `team_id` --- docs/REST API/rest-api.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 6b14a2f022..502b2a0327 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md 
@@ -2155,9 +2155,9 @@ Returns the count of all hosts organized by status. `online_count` includes all | Name | Type | In | Description | | --------------- | ------- | ---- | ------------------------------------------------------------------------------- | -| team_id | integer | query | The ID of the team whose host counts should be included. Defaults to all teams. | +| team_id | integer | query | _Available in Fleet Premium_. The ID of the team whose host counts should be included. Defaults to all teams. | | platform | string | query | Platform to filter by when counting. Defaults to all platforms. | -| low_disk_space | integer | query | _Available in Fleet Premium_ Returns the count of hosts with less GB of disk space available than this value. Must be a number between 1-100. | +| low_disk_space | integer | query | _Available in Fleet Premium_. Returns the count of hosts with less GB of disk space available than this value. Must be a number between 1-100. | #### Example 
@@ -3464,11 +3464,10 @@ Retrieves the aggregated host OS versions information. | Name | Type | In | Description | | --- | --- | --- | --- | -| team_id | integer | query | _Available in Fleet Premium_ Filters the hosts to only include hosts in the specified team. If not provided, all hosts are included. | +| team_id | integer | query | _Available in Fleet Premium_. Filters to only include OS versions for hosts on the specified team. If not provided, OS versions for all hosts are included. | | platform | string | query | Filters the hosts to the specified platform | | os_name | string | query | The name of the operating system to filter hosts by. `os_version` must also be specified with `os_name` | | os_version | string | query | The version of the operating system to filter hosts by. `os_name` must also be specified with `os_version` | -| team_id | integer | query | _Available in Fleet Premium_. Filters to only include OS versions for the specified team. | | page | integer | query | Page number of the results to fetch. | | per_page | integer | query | Results per page. | | order_key | string | query | What to order results by. Allowed fields are: `hosts_count`. Default is `hosts_count` (descending). | 
@@ -6268,7 +6267,7 @@ Returns a list of global queries or team queries. | --------------- | ------- | ----- | ----------------------------------------------------------------------------------------------------------------------------- | | order_key | string | query | What to order results by. Can be any column in the queries table. | | order_direction | string | query | **Requires `order_key`**. The direction of the order given the order key. Options include `asc` and `desc`. Default is `asc`. | -| team_id | integer | query | The ID of the parent team for the queries to be listed. When omitted, returns global queries. | +| team_id | integer | query | _Available in Fleet Premium_. The ID of the parent team for the queries to be listed. When omitted, returns global queries. | | query | string | query | Search query keywords. Searchable fields include `name`. | 
@@ -6589,7 +6588,7 @@ Creates a global query or team query. | query | string | body | **Required**. The query in SQL syntax. | | description | string | body | The query's description. | | observer_can_run | bool | body | Whether or not users with the `observer` role can run the query. In Fleet 4.0.0, 3 user roles were introduced (`admin`, `maintainer`, and `observer`). This field is only relevant for the `observer` role. The `observer_plus` role can run any query and is not limited by this flag (`observer_plus` role was added in Fleet 4.30.0). | -| team_id | integer | body | The parent team to which the new query should be added. If omitted, the query will be global. | +| team_id | integer | body | _Available in Fleet Premium_. The parent team to which the new query should be added. If omitted, the query will be global. | | interval | integer | body | The amount of time, in seconds, the query waits before running. Can be set to `0` to never run. Default: 0. | | platform | string | body | The OS platforms where this query will run (other platforms ignored). Comma-separated string. If omitted, runs on all compatible platforms. | | min_osquery_version | string | body | The minimum required osqueryd version installed on a host. If omitted, all osqueryd versions are acceptable. | @@ -6732,7 +6731,7 @@ Deletes the query specified by name. | Name | Type | In | Description | | ---- | ---------- | ---- | ------------------------------------ | | name | string | path | **Required.** The name of the query. | -| team_id | integer | body | The ID of the parent team of the query to be deleted. If omitted, Fleet will search among queries in the global context. | +| team_id | integer | body | _Available in Fleet Premium_. The ID of the parent team of the query to be deleted. If omitted, Fleet will search among queries in the global context. | #### Example 
@@ -7456,7 +7455,7 @@ Uploads a script, making it available to run on hosts assigned to the specified | Name | Type | In | Description | | ---- | ------- | ---- | -------------------------------------------- | | script | file | form | **Required**. The file containing the script. | -| team_id | integer | form | The team ID. If specified, the script will only be available to hosts assigned to this team. If not specified, the script will only be available to hosts on **no team**. | +| team_id | integer | form | _Available in Fleet Premium_. The team ID. If specified, the script will only be available to hosts assigned to this team. If not specified, the script will only be available to hosts on **no team**. | #### Example From 456bc3c9a95f2428e358075ab3e574da470abf60 Mon Sep 17 00:00:00 2001 From: Roberto Dip Date: Wed, 28 Feb 2024 19:15:41 -0300 Subject: [PATCH 10/13] puppet module: prevent running match call if a preassignment failed (#17175) for #16954 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --- .github/workflows/test-puppet.yml | 2 +- .../fleetdm/lib/puppet/reports/fleetdm.rb | 14 ++-- ee/tools/puppet/fleetdm/manifests/profile.pp | 4 +- .../fleetdm/spec/unit/reports/fleetdm_spec.rb | 64 +++++++++++++++++++ 4 files changed, 77 insertions(+), 7 deletions(-) create mode 100644 ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb diff --git a/.github/workflows/test-puppet.yml b/.github/workflows/test-puppet.yml index 0b8f3c2382..82531fc272 100644 --- a/.github/workflows/test-puppet.yml +++ b/.github/workflows/test-puppet.yml @@ -7,7 +7,7 @@ on: - patch-* pull_request: paths: - - 'ee/tools/puppet/fleetdm/*.*' + - 'ee/tools/puppet/fleetdm/**' - '.github/workflows/test-puppet.yml' workflow_dispatch: # Manual 
diff --git a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb index 5bc0b58d31..369f713ecc 100644 --- a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb +++ b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb @@ -8,15 +8,21 @@ Puppet::Reports.register_report(:fleetdm) do def process return if noop - client = Puppet::Util::FleetClient.instance + node_name = Puppet[:node_name_value] + if resource_statuses.any? { |r| r.include?('error pre-setting fleetdm::profile') } + Puppet.err("Some resources failed to be assigned, not matching profiles for #{node_name}") + return + end + + client = Puppet::Util::FleetClient.instance run_identifier = "#{catalog_uuid}-#{node_name}" response = client.match_profiles(run_identifier, environment) - if response['error'].empty? Puppet.info("Successfully matched #{node_name} with a team containing configuration profiles") - else - Puppet.err("Error matching node #{node_name} with a team containing configuration profiles: #{response['error']}") + return end + + Puppet.err("Error matching node #{node_name} with a team containing configuration profiles: #{response['error']}") end end diff --git a/ee/tools/puppet/fleetdm/manifests/profile.pp b/ee/tools/puppet/fleetdm/manifests/profile.pp index 5cd7265fca..4c695b98af 100644 --- a/ee/tools/puppet/fleetdm/manifests/profile.pp +++ b/ee/tools/puppet/fleetdm/manifests/profile.pp @@ -47,13 +47,13 @@ define fleetdm::profile ( $changed = $response['resource_changed'] if $err != '' { - notify { "error pre-setting profile ${name} as ${ensure}: ${err}": + notify { "error pre-setting fleetdm::profile ${name} as ${ensure}: ${err}": loglevel => 'err', } } elsif $changed { # NOTE: sending a notification also marks the # 'fleetdm::profile' as changed in the reports. - notify { "successfully pre-set profile ${name} as ${ensure}": } + notify { "successfully pre-set fleetdm::profile ${name} as ${ensure}": } } } } 
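Review bot: The new guard in `process` is unlikely to fire on a real report: `resource_statuses` on `Puppet::Transaction::Report` is, as far as I know, a Hash keyed by resource reference, so `any? { |r| ... }` yields `[ref, status]` pairs and `r.include?(...)` becomes `Array#include?`, an exact-element comparison, while the failing resource would appear as a reference like `Notify[error pre-setting fleetdm::profile foo as present: ...]` (constructed example), which never equals the bare message. Matching the substring against the keys looks like what is intended: `if resource_statuses.keys.any? { |ref| ref.include?('error pre-setting fleetdm::profile') }`. The spec added in `fleetdm_spec.rb` passes only because it stubs `resource_statuses` with the bare message as a value; stubbing a `Notify[...]`-style key would have caught this. The detection also couples this report to the notify title renamed in `profile.pp`, so a comment such as `# Keep in sync with the notify title in manifests/profile.pp` at both sites would make that contract explicit; `process` is shown in full, but the enclosing `register_report` block ends outside the hunk.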
diff --git a/ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb b/ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb new file mode 100644 index 0000000000..7dd31d4355 --- /dev/null +++ b/ee/tools/puppet/fleetdm/spec/unit/reports/fleetdm_spec.rb 
@@ -0,0 +1,64 @@ +# frozen_string_literal: true + +require 'spec_helper' +require 'puppet/reports' +require_relative '../../../lib/puppet/reports/fleetdm.rb' + +describe 'Puppet::Reports::Fleetdm' do + let(:fleet_client_mock) { instance_double('Puppet::Util::FleetClient') } + let(:catalog_uuid) { '827a74c8-cf98-44da-9ff7-18c5e4bee41e' } + let(:node_name) { Puppet[:node_name_value] } + let(:report) do + report = Puppet::Transaction::Report.new('apply') + report.extend(Puppet::Reports.report(:fleetdm)) + report + end + + before(:each) do + Puppet[:reports] = 'fleetdm' + Puppet::Util::Log.level = :warning + Puppet::Util::Log.newdestination(:console) + + fleet_client_class = class_spy('Puppet::Util::FleetClient') + stub_const('Puppet::Util::FleetClient', fleet_client_class) + allow(fleet_client_class).to receive(:instance) { fleet_client_mock } + allow(SecureRandom).to receive(:uuid).and_return(catalog_uuid) + end + + it 'does not process in noop mode' do + allow(report).to receive(:noop).and_return(true) + expect(fleet_client_mock).not_to receive(:match_profiles) + report.process + end + + it 'logs an error if resources failed to be assigned' do + allow(report).to receive(:resource_statuses).and_return({ 'myresource' => 'error pre-setting fleetdm::profile' }) + expect(Puppet).to receive(:err).with(%r{Some resources failed to be assigned}) + expect(fleet_client_mock).not_to receive(:match_profiles) + report.process + end + + it 'successfully matches profiles when there are no errors' do + allow(report).to receive(:noop).and_return(false) + allow(report).to receive(:resource_statuses).and_return({}) + allow(fleet_client_mock).to receive(:match_profiles).and_return({ 'error' => '' }) + allow(report).to receive(:catalog_uuid).and_return(catalog_uuid) + + expect(fleet_client_mock).to receive(:match_profiles).with("#{catalog_uuid}-#{node_name}", anything) + expect(Puppet).to receive(:info).with("Successfully matched #{node_name} with a team containing configuration 
profiles") + + report.process + end + + it 'logs an error when matching profiles fails' do + allow(report).to receive(:noop).and_return(false) + allow(report).to receive(:resource_statuses).and_return({}) + allow(fleet_client_mock).to receive(:match_profiles).and_return({ 'error' => 'Some error' }) + allow(report).to receive(:catalog_uuid).and_return(catalog_uuid) + + expect(fleet_client_mock).to receive(:match_profiles).with("#{catalog_uuid}-#{node_name}", anything) + expect(Puppet).to receive(:err).with("Error matching node #{node_name} with a team containing configuration profiles: Some error") + + report.process + end +end From 9c83ba291ffc99b6af05ee26d74932dad1c64bae Mon Sep 17 00:00:00 2001 From: Joanne Stableford <59930035+JoStableford@users.noreply.github.com> Date: Wed, 28 Feb 2024 17:41:35 -0500 Subject: [PATCH 11/13] Add "change job title" responsibility to BizOps handbook (#17121) --- handbook/business-operations/README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/handbook/business-operations/README.md b/handbook/business-operations/README.md index 9a786862f0..aba923f9a7 100644 --- a/handbook/business-operations/README.md +++ b/handbook/business-operations/README.md 
@@ -147,6 +147,25 @@ When a Fleetie, consultant or advisor requests an update to their personnel deta - If required, BizOps also makes changes to other core systems (e.g: creating a new email alias in google workspace; updating details in Carta; etc). - The change is now actioned, notify the team member and close the issue. + +### Change a Fleetie's job title +When BizOps receives notification of a Fleetie's job title changing, follow these steps to ensure accurate recording of the change across our systems. +- Update the ["🧑‍🚀 Fleeties"](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0) spreadsheet: + - Search the spreadsheet for the Fleetie in need of a job title change. + - Input the new job title in the Fleetie's row in the "Job title" cell. + - Navigate to the "Org chart" tab of the spreadsheet, and verify that the Fleetie's title appears correctly in the org chart. +- Update the relevant HRIS system. + - For updating Gusto (US-based Fleeties): + - Login to Gusto and navigate to "People > Team members". + - Find the Fleetie and select them to see their profile page. + - Under the "Compensation" heading, select edit and update the "Job title" and input the specific date the change happened. Save the changes. + - For updating Plane (non-US Fleeties): + - Login to Plane and navigate to "People > Team". + - Find the Fleetie and select them to see their profile page. + - Use the "Help" function, or email support@plane.com to notify Plane of the need to change the job title for the Fleetie. Include the Fleetie's name, current title, new title, and effective date. + - Take any relevant steps as directed by Plane in order to make the required changes to the Fleetie's profile. + + ### Change a Fleetie's manager When BizOps receives notification of a Fleetie's manager changing, follow these steps to ensure correct recording in our systems. 
- Update the [Fleeties](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0). @@ -156,6 +175,7 @@ When BizOps receives notification of a Fleetie's manager changing, follow these - Verify that in the new manager's row, the "# direct reports" cell reflect the correct number. - Navigate to the "Org chart" tab in the spreadsheet, and verify that the Fleetie now appears in the correct place in the org chart. > **Note:** The Fleeties spreadsheet is the source of truth for this information, and any other systems reflecting reporting lines should be disregarded. + ### Prepare salary benchmarking information From 6f0c02eb2dde6fc16cd96bd4e6ad41d80bae6913 Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Wed, 28 Feb 2024 16:42:22 -0600 Subject: [PATCH 12/13] Fix broken markdown link (#17252) --- handbook/company/communications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handbook/company/communications.md b/handbook/company/communications.md index 6c1e120243..9a65a98a09 100644 --- a/handbook/company/communications.md +++ b/handbook/company/communications.md @@ -253,7 +253,7 @@ Labels with a `#g-` prefix refer to a kanban board. Since it is best practice to > - `bug-` Defect category. For example, `bug-enrollment`, `bug-profiles-sync`, `bug-policies`. This allows us to track the areas of the product producing the most bugs. > - `story` A user story. > - `prospect-` A customer prospect. -> - `P-` A (priority level)[https://fleetdm.com/handbook/company/product-groups#high-priority-user-stories-and-bugs]. +> - `P-` A [priority level](https://fleetdm.com/handbook/company/product-groups#high-priority-user-stories-and-bugs). > - `Epic` Do not use. _(TODO: ZenHub automatically recreates this label when we group sub-tasks inside of a user story. Find a way to remove this. It is an artifact from Zenhub and not something we actually want to exist or use, as it is confusing.)_ ### Process new requests 
From 93af32a9307b2a7125d6207df7c3cc023a9769d1 Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Wed, 28 Feb 2024 16:42:38 -0600 Subject: [PATCH 13/13] Fix broken markdown link (#17253) --- handbook/company/product-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handbook/company/product-groups.md b/handbook/company/product-groups.md index 956dd987b8..5b16d9b8a9 100644 --- a/handbook/company/product-groups.md +++ b/handbook/company/product-groups.md @@ -435,7 +435,7 @@ All issues are treated as standard priority by default. Some issues are assigned - Response: Issue is prioritized at the top of the next sprint. If opporunity cost of waiting for the next sprint is too high, it may be considered for current sprint. - Impact: Low to medium impact. If prioritized into current sprint, may reduce overall velocity and require deprioritizing other work. -Add as much context as possible to the issue description and assign labels to help the team understand the problem and what is driving the urgency. All issues with a `P0`, `P1`, or `P2` label should be assigned to the (DRI for what goes in a release)[https://fleetdm.com/handbook/company/communications#directly-responsible-individuals-dris]. For immediate action, follow up on Slack or by phone. +Add as much context as possible to the issue description and assign labels to help the team understand the problem and what is driving the urgency. All issues with a `P0`, `P1`, or `P2` label should be assigned to the [DRI for what goes in a release](https://fleetdm.com/handbook/company/communications#directly-responsible-individuals-dris). For immediate action, follow up on Slack or by phone. Once the release DRI is aware of the issue, they will adjust the labels as needed and assign to the PM and EM of the appropriate product group. If they disagree with the priority label applied to the issue, they will contact the requestor to discuss further.