mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 08:58:41 +00:00
Merge branch 'main' into feat-labels-scoped-software
commit
89862b012b
110 changed files with 183 additions and 149 deletions
69
CHANGELOG.md
|
|
@ -1,3 +1,72 @@
|
|||
## Fleet 4.61.0 (Dec 17, 2024)
|
||||
|
||||
## Endpoint operations
|
||||
- Added support to require email verification (MFA) on each login when setting up a Fleet user outside SSO.
|
||||
- Extended Linux encryption key escrow support to Ubuntu 20.04.6.
|
||||
- Added missing APM instrumentation for Fleet API routes.
|
||||
- Improved label validation when running live queries. Previously, when passing label(s) that do not exist, the labels were ignored. Now, an error is returned indicating which labels were not found. This change affects both the API and `fleetctl query` command.
|
||||
|
||||
## Device management (MDM)
|
||||
- Added functionality for creating an automatic install policy for Fleet-maintained apps.
|
||||
- Replaced Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during installation.
|
||||
- Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.
|
||||
- Updated to only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted but for which Fleet hasn't escrowed a valid key.
|
||||
- Added App Store app UI: Added different empty state when VPP token is not added at all vs. when it's not assigned to a team to prevent confusion.
|
||||
- Allowed APNS key to be in unencrypted PKCS8 format, which may happen when migrating from another MDM.
|
||||
- Allowed calling `/api/v1/fleet/software/fleet_maintained_apps` with no team ID to retrieve the full global list of maintained apps.
|
||||
- Added UI changes for windows MDM page and allow for automatic migration for windows hosts.
|
||||
- Bypassed the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.
|
||||
|
||||
## Vulnerability management
|
||||
- Added `without_vulnerability_details` to software versions endpoint (/api/latest/fleet/software/versions) so CVE details can be truncated when on Fleet Premium.
|
||||
- Fixed an issue where the github cli software name was not matching against the cpe vulnerability name.
|
||||
|
||||
## Bug fixes and improvements
|
||||
- Updated Go version to 1.23.4.
|
||||
- Update help text for policy automation Install software and run script modals.
|
||||
- Updated to display Windows MDM WSTEP flags in `fleet --help`.
|
||||
- Added language in email templates indicating that users should not reply to the automated emails.
|
||||
- Added better information on what deleting a host does.
|
||||
- Added a clearer error message when users attempt to turn MDM off on a Windows host.
|
||||
- Improved side nav empty state UI under `/settings`.
|
||||
- Added missing loading spinner for delete modals (delete configuration profile, delete script, delete setup script and delete software).
|
||||
- Improved performance of updating the `nano_enrollments.last_seen_at` timestamp of Apple MDM devices by an order of magnitude under load.
|
||||
- Improved MDM `SELECT FROM nano_enrollment_queue` MySQL query performance, including calling it on DB reader much of the time.
|
||||
- Updated Inter font to latest version for woff2 files.
|
||||
- Added better documentation around how the --label flag works in the fleetctl query command.
|
||||
- Switched Twitter logo to X logo in Fleet-initiated automated emails.
|
||||
- Removed duplicate indexes from the database schema..
|
||||
- Added cleanup job to delete stuck pending Apple profiles, and requeue them.
|
||||
- Exclude any custom sourced "users" from the host details "used by" display if Fleet doesn't have an email for them.
|
||||
- Replaced the internal use of the deprecated `go.mozilla.org/pkcs7` package with the maintained fork `github.com/smallstep/pkcs7`.
|
||||
- Switched email template font to Inter to match previous changes in the rest of the UI.
|
||||
- Updated resend config profile API from `hosts/[hostid}/configuration_profiles/resend/{uuid}` to `hosts/{hostid}/configuration_profiles/{uuid}/resend`.
|
||||
- Update nanomdm dependency with latest bug fixes and improvements.
|
||||
- Updated documentation to include `firefox_preferences` table for Linux and Windows platforms.
|
||||
- Restored the user's previous scroll, if any, when they change the filter on the host software table.
|
||||
- Updated a link in the Fleet-maintained apps UI to point to the correct place.
|
||||
- Removed image borders that are included in Apple's app store icons.
|
||||
- Redirect when user provides an invalid URL param for fleet-maintained software id.
|
||||
- Added additional statistics item for number of saved queries.
|
||||
- Fixed a bug where the name of the setup experience script was not showing up in the activity for that script execution.
|
||||
- Present a nicely formatted and more informative UI for log destination in two places.
|
||||
- Fixed bug in `fleetdm/fleetctl` docker image where the `build` directory does not exist when generating deb/rpm packages.
|
||||
- Fixed missing read permission for team maintainers and admins on Fleet maintained apps.
|
||||
- Fixed a bug that would add "Fleet" to activities where it shouldn't be.
|
||||
- Fixed ability to clear policy automation that empties webhook URL.
|
||||
- Fixes a bug with pagination in the profiles and scripts lists.
|
||||
- Fixed duplicate queries in query stats list in host details.
|
||||
- Fixed zip and dmg automations showing null platform for installer
|
||||
- Fixed a typo in the loading modal when adding a Fleet-maintained app.
|
||||
- Fixed UI bug where "Actions" dropdown on host software page included "Install" and "Uninstall" options for software that is not able to be installed via Fleet.
|
||||
- Fixed a bug where the HTTP client used for MDM APNs push notifications did not support using a configured proxy.
|
||||
- Fixed potential deadlocks when deploying Apple configuration profiles.
|
||||
- Fixed releasing a DEP-enrolled macOS device if mTLS is configured for `fleetd`.
|
||||
- Fixed learn more about JIT provisioning link.
|
||||
- Fixed an issue with the copy for the activity generated by viewing a locked macOS host's PIN.
|
||||
- Fixed breaking with gitops user role running `fleetctl gitops` command when MDM is enabled.
|
||||
- Fixed responsive styles for the ADM table.
|
||||
|
||||
## Fleet 4.60.1 (Dec 03, 2024)
|
||||
|
||||
### Bug fixes
|
||||
|
|
|
|||
|
|
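Review bot: In the 4.61.0 "Bug fixes and improvements" list, the resend-profile entry documents the old path as `hosts/[hostid}/configuration_profiles/resend/{uuid}` with a mismatched `[`; it should read `hosts/{hostid}/...`. The same section has a doubled period in "Removed duplicate indexes from the database schema..", the "Fixed zip and dmg automations" entry lacks its final period, and several entries ("Update help text", "Update nanomdm dependency", "Fixes a bug with pagination", "Redirect when user provides") break the past tense used by the rest of the list.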
@ -1,12 +1,5 @@
|
|||
# How Deputy achieved compliance and clarity with Fleet—keeping shift work in sync
|
||||
|
||||
<div purpose="attribution-quote">
|
||||
|
||||
“We were using Fleet to get some accurate reporting on browsers that people are using - it's useful to have that clear picture when we go and talk to SLT and can back those decisions up with some actual stats”
|
||||
|
||||
**- John Howell, Director of IT**
|
||||
</div>
|
||||
|
||||
## Challenge
|
||||
|
||||
[Deputy](https://www.deputy.com/), a global leader in workforce management software, needed a reliable way to capture device telemetry, troubleshoot issues, and ensure accurate reporting on OS and software updates to maintain SLA compliance. The increasing number of software applications and browser extensions introduced additional complexity, leading to compliance challenges and gaps across cross-functional teams.
|
||||
|
|
@ -16,13 +9,6 @@ Deputy immediately leveraged Fleet’s robust [API](https://fleetdm.com/docs/res
|
|||
|
||||
Previously reliant on [Kolide](https://www.kolide.com/), Deputy reduced costs by transitioning to Fleet while benefiting from hands-on support and direct access to Fleet’s engineers. They spun up a [dedicated Fleet instance](https://fleetdm.com/docs/deploy/deploy-fleet) on their managed infrastructure, tailoring configurations and deployments to meet the unique needs of their organization.
|
||||
|
||||
<div>
|
||||
|
||||
“We want to use Fleet to specifically build a catalog of what's currently in use across our hosts. I've said to the team, get that reporting out of Fleet. Let's see what people are using. if we found something that we weren't happy with through that reporting, it'd be quite useful to pick that up."
|
||||
|
||||
**- John Howell, Director of IT**
|
||||
</div>
|
||||
|
||||
## Results
|
||||
|
||||
<div purpose="checklist">
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
* Update Inter font to latest version for woff2 files
|
||||
|
|
@ -1 +0,0 @@
|
|||
Added missing APM instrumentation for Fleet API routes.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Improve performance of updating the `nano_enrollments.last_seen_at` timestamp of Apple MDM devices by an order of magnitude under load.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Update resend config profile API from hosts/[hostid}/configuration_profiles/resend/{uuid} to hosts/{hostid}/configuration_profiles/{uuid}/resend
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Replaced the internal use of the deprecated `go.mozilla.org/pkcs7` package with the maintained fork `github.com/smallstep/pkcs7`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- fix responsive styles for the adm table
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Allow requiring email verification (MFA) on each login when setting up a Fleet user outside SSO
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Add language in email templates indicating that users should not reply to the automated emails
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Switch Twitter logo to X logo in Fleet-initiated automated emails
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Update help text for policy automation Install software and Run script modals
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fleet UI: Better information on what deleting a host does
|
||||
|
|
@ -1 +0,0 @@
|
|||
- add UI changes for windows mdm page and allow for automatic migration for windows hosts.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fix zip and dmg automations showing null platform for installer
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Improve side nav empty state UI under `/settings`
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Restore the user's previous scroll, if any, when they change the filter on the host software table.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Adds a clearer error message when users attempt to turn MDM off on a Windows host.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Add App Store app UI: Added different empty state when VPP token is not added at all vs. when it's
|
||||
not assigned to a team to prevent confusion.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Fixed missing read permission for team maintainers and admins on Fleet maintained apps
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fixes a bug with pagination in the profiles and scripts lists.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Added additional statistics item for number of saved queries
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Display Windows MDM WSTEP flags in `fleet --help`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Fix duplicate queries in query stats list in host details
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fixes an issue with the copy for the activity generated by viewing a locked macOS host's PIN.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Added `without_vulnerability_details` to software versions endpoint (/api/latest/fleet/software/versions) so CVE details can be truncated when on Fleet Premium
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Replaces Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during
|
||||
installation.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fleet UI: Remove image borders that are included in Apple's app store icons
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fleet UI: Fix learn more about JIT provisioning link
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Fixed a bug where the HTTP client used for MDM APNs push notifications did not support using a configured proxy.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Allow APNS key to be in unencrypted PKCS8 format, which may happen when migrating from another MDM.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Fixes a bug where the name of the setup experience script was not showing up in the activity for
|
||||
that script execution.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Added cleanup job to delete stuck pending Apple profiles, and requeue them.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Improved MDM `SELECT FROM nano_enrollment_queue` MySQL query performance, including calling it on DB reader much of the time.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Improved label validation when running live queries. Previously, when passing label(s) that do not exist, the labels were ignored. Now, an error is returned indicating which labels were not found. This change affects both the API and `fleetctl query` command.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Added better documentation around how the --label flag works in the fleetctl query command.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Fixed bug in `fleetdm/fleetctl` docker image where the `build` directory does not exist when generating deb/rpm packages.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Update nanomdm dependency with latest bug fixes and improvements.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Updates a link in the Fleet-maintained apps UI to point to the correct place.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* doc: document firefox_preferences table for Linux and Windows platforms
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Fixed an issue where the github cli software name was not matching against the cpe vulnerability name
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
* Bypass the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.
|
||||
* Fixed releasing a DEP-enrolled macOS device if mTLS is configured for `fleetd`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fleet UI: Fix ability to clear policy automation that empties webhook URL
|
||||
|
|
@ -1 +0,0 @@
|
|||
Removed duplicate indexes from the database schema.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Added missing loading spinner for delete modals (delete configuration profile, delete script,
|
||||
delete setup script and delete software).
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
* Only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted
|
||||
but for which Fleet hasn't escrowed a valid key.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fixed breaking with gitops user role running `fleetctl gitops` command when MDM is enabled.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Exclude any custom sourced "users" from the host details "used by" display if Fleet doesn't have
|
||||
an email for them.
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fixes a bug that would add "Fleet" to activities where it shouldn't be
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Present a nicely formatted and more informative UI for log destination in two places.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
- Fixed UI bug where "Actions" dropdown on host software page included "Install" and "Uninstall"
|
||||
options for software that is not able to be installed via Fleet.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Allowed calling `/api/v1/fleet/software/fleet_maintained_apps` with no team ID to retrieve the full global list of maintained apps
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Redirect when user provides an invalid URL param for fleet-maintained software id
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fixed potential deadlocks when deploying Apple configuration profiles.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Switched email template font to Inter to match previous changes in the rest of the UI
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Adds functionality for creating an automatic install policy for Fleet-maintained apps
|
||||
|
|
@ -1 +0,0 @@
|
|||
- Fixes a typo in the loading modal when adding a Fleet-maintained app.
|
||||
|
|
@ -1 +0,0 @@
|
|||
* Updated Go version to 1.23.4
|
||||
|
|
@ -8,7 +8,7 @@ version: v6.3.0
|
|||
home: https://github.com/fleetdm/fleet
|
||||
sources:
|
||||
- https://github.com/fleetdm/fleet.git
|
||||
appVersion: v4.60.1
|
||||
appVersion: v4.61.0
|
||||
dependencies:
|
||||
- name: mysql
|
||||
condition: mysql.enabled
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
hostName: fleet.localhost
|
||||
replicas: 3 # The number of Fleet instances to deploy
|
||||
imageRepository: fleetdm/fleet
|
||||
imageTag: v4.60.1 # Version of Fleet to deploy
|
||||
imageTag: v4.61.0 # Version of Fleet to deploy
|
||||
podAnnotations: {} # Additional annotations to add to the Fleet pod
|
||||
serviceAnnotations: {} # Additional annotations to add to the Fleet service
|
||||
serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
task: "🦢📊 Design sprint review" # 2024-03-06 TODO: Link to responsibility or corresponding "how to" info e.g. https://fleetdm.com/handbook/company/product-groups#making-changes
|
||||
startedOn: "2024-03-07"
|
||||
frequency: "Triweekly"
|
||||
description: "1. For all stories that are not estimated, add their respective customer requests to the feature fest board. For stories that we're no longer working on, remove them from the drafting board, remove their respective customer requests from the 💝 Customer requests board, and notify stakeholders. 2. Record the number of dropped stories for KPIs (all user stories that did not meet the 3 week drafting timeline). 3. Retro: What went well? What could go better? What to remember for next time?"
|
||||
description: "1. Record the number of dropped stories for KPIs (all user stories that did not meet the 3 week drafting timeline). 2. For all stories that are not estimated, add their respective customer requests to the feature fest board. For stories that we're no longer working on, remove them from the drafting board, remove their respective customer requests from the 💝 Customer requests board, and notify stakeholders. 3. Retro: What went well? What could go better? What to remember for next time?"
|
||||
moreInfoUrl:
|
||||
dri: "noahtalerman"
|
||||
-
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ variable "database_name" {
|
|||
|
||||
variable "fleet_image" {
|
||||
description = "the name of the container image to run"
|
||||
default = "fleetdm/fleet:v4.60.1"
|
||||
default = "fleetdm/fleet:v4.61.0"
|
||||
}
|
||||
|
||||
variable "software_inventory" {
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ variable "redis_mem" {
|
|||
}
|
||||
|
||||
variable "image" {
|
||||
default = "fleetdm/fleet:v4.60.1"
|
||||
default = "fleetdm/fleet:v4.61.0"
|
||||
}
|
||||
|
||||
variable "software_installers_bucket_name" {
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/aws" {
|
||||
version = "4.60.1"
|
||||
constraints = ">= 3.0.0, >= 4.8.0, >= 4.9.0, ~> 4.60.1"
|
||||
version = "4.61.0"
|
||||
constraints = ">= 3.0.0, >= 4.8.0, >= 4.9.0, ~> 4.61.0"
|
||||
hashes = [
|
||||
"h1:fuIdjl9f2JEH0TLoq5kc9NIPbJAAV7YBbZ8fvNp5XSg=",
|
||||
"zh:0341a460210463a0bebd5c12ce13dc49bd8cae2399b215418c5efa607fed84e4",
|
||||
|
|
|
|||
|
|
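Review bot: The `hashicorp/aws` lock entry changes `version` and `constraints` from 4.60.1 to 4.61.0, but the `h1:` and `zh:` values under `hashes` are unchanged context, so the recorded checksums were not produced for the version now named. The file's own header warns that manual edits may be lost; regenerate the lock with `terraform init -upgrade` instead of editing the version string. Also confirm the provider bump is intended at all, since the old and new numbers are exactly the Fleet release numbers bumped elsewhere in this commit.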
@ -2,7 +2,7 @@ terraform {
|
|||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 4.60.1"
|
||||
version = "~> 4.61.0"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
|
|
|||
|
|
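Review bot: The `aws` provider constraint moves from `~> 4.60.1` to `~> 4.61.0` in the same commit that bumps the Fleet image from v4.60.1 to v4.61.0, which looks like a release-version search-and-replace reaching a provider pin. If the provider upgrade is not intended, revert this line together with the matching lock file entries; if it is intended, call it out in the change description so it is reviewed as a dependency change.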
@ -2,7 +2,7 @@ terraform {
|
|||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 4.60.1"
|
||||
version = "~> 4.61.0"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/aws" {
|
||||
version = "4.60.1"
|
||||
constraints = ">= 3.63.0, ~> 4.60.1"
|
||||
version = "4.61.0"
|
||||
constraints = ">= 3.63.0, ~> 4.61.0"
|
||||
hashes = [
|
||||
"h1:fuIdjl9f2JEH0TLoq5kc9NIPbJAAV7YBbZ8fvNp5XSg=",
|
||||
"zh:0341a460210463a0bebd5c12ce13dc49bd8cae2399b215418c5efa607fed84e4",
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ terraform {
|
|||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 4.60.1"
|
||||
version = "~> 4.61.0"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/aws" {
|
||||
version = "4.60.1"
|
||||
constraints = ">= 3.0.0, >= 4.8.0, >= 4.9.0, ~> 4.60.1"
|
||||
version = "4.61.0"
|
||||
constraints = ">= 3.0.0, >= 4.8.0, >= 4.9.0, ~> 4.61.0"
|
||||
hashes = [
|
||||
"h1:fuIdjl9f2JEH0TLoq5kc9NIPbJAAV7YBbZ8fvNp5XSg=",
|
||||
"zh:0341a460210463a0bebd5c12ce13dc49bd8cae2399b215418c5efa607fed84e4",
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ terraform {
|
|||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 4.60.1"
|
||||
version = "~> 4.61.0"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ terraform {
|
|||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 4.60.1"
|
||||
version = "~> 4.61.0"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
|
|
|||
|
|
@ -79,3 +79,12 @@ org_settings:
|
|||
policies:
|
||||
queries:
|
||||
- path: ./lib/all/queries/collect-fleetd-update-channels.yml
|
||||
controls:
|
||||
enable_disk_encryption: true
|
||||
macos_migration:
|
||||
enable: true
|
||||
mode: voluntary
|
||||
webhook_url: $DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL
|
||||
windows_enabled_and_configured: true
|
||||
windows_migration:
|
||||
enable: true
|
||||
|
|
|
|||
|
|
@ -7,4 +7,4 @@
|
|||
min_osquery_version: ""
|
||||
observer_can_run: true
|
||||
platform: darwin,linux
|
||||
query: SELECT model, vendor FROM usb_devices;
|
||||
query: SELECT model, vendor FROM usb_devices;
|
||||
|
|
|
|||
|
|
@ -9,4 +9,4 @@
|
|||
observer_can_run: false
|
||||
platform: darwin,linux,windows
|
||||
query: SELECT extension.name, extension.publisher, extension.version FROM users
|
||||
JOIN vscode_extensions extension USING (uid);
|
||||
JOIN vscode_extensions extension USING (uid);
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ kind: query
|
|||
spec:
|
||||
name: All debian hosts
|
||||
query: SELECT * FROM os_version WHERE platform_like = 'debian';
|
||||
platform: "darwin"
|
||||
platform: "darwin"
|
||||
6
it-and-security/lib/linux/queries/all-rpm-hosts.yml
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: query
|
||||
spec:
|
||||
name: All rpm hosts
|
||||
query: SELECT * FROM os_version WHERE platform_like = 'rhel';
|
||||
platform: "darwin"
|
||||
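Review bot: `platform: "darwin"` on the new "All rpm hosts" query contradicts its SQL, which filters `os_version` on `platform_like = 'rhel'`. This query is referenced as the `pre_install_query` by the rpm package files added in this commit, so set the platform to `linux` to match the hosts it is meant to select.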
4
it-and-security/lib/linux/software/slack-deb.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
url: https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-desktop-4.41.105-amd64.deb
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-deb-hosts.yml
|
||||
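Review bot: The key is spelled `self-service` here, while the macOS package files and the new Windows `slack.yml` in this commit use `self_service`. Only one spelling can be the key that is read, so files using the other will not take effect as written; pick one and apply it to the new `slack-*`, `zoom-*` and `google-chrome.yml` files.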
4
it-and-security/lib/linux/software/slack-rpm.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
url: https://downloads.slack-edge.com/desktop-releases/linux/x64/4.41.105/slack-4.41.105-0.1.el8.x86_64.rpm
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-rpm-hosts.yml
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
url: https://zoom.us/client/6.2.11.5069/zoom_amd64.deb
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-debian-hosts.yml
|
||||
path: ../queries/all-deb-hosts.yml
|
||||
4
it-and-security/lib/linux/software/zoom-rpm.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
url: https://zoom.us/client/6.3.0.5527/zoom_x86_64.rpm
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-rpm-hosts.yml
|
||||
|
|
@ -3,4 +3,4 @@ kind: query
|
|||
spec:
|
||||
name: Check if Mac has Apple silicon
|
||||
query: SELECT 1 FROM system_info WHERE cpu_type = "arm64e";
|
||||
platform: "darwin"
|
||||
platform: "darwin"
|
||||
|
|
|
|||
|
|
@ -11,4 +11,4 @@
|
|||
platform: "darwin"
|
||||
query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp
|
||||
FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count
|
||||
> 0;
|
||||
> 0;
|
||||
|
|
|
|||
|
|
@ -2,4 +2,4 @@
|
|||
description: "Research for #16899"
|
||||
query: SELECT * from tcc_system;
|
||||
interval: 3600 # 1 hour
|
||||
platform: darwin
|
||||
platform: darwin
|
||||
|
|
|
|||
|
|
@ -2,4 +2,4 @@
|
|||
description: "Research for #16899"
|
||||
query: SELECT * from tcc_user;
|
||||
interval: 3600 # 1 hour
|
||||
platform: darwin
|
||||
platform: darwin
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
url: https://dl.google.com/chrome/mac/stable/accept_tos%3Dhttps%253A%252F%252Fwww.google.com%252Fintl%252Fen_ph%252Fchrome%252Fterms%252F%26_and_accept_tos%3Dhttps%253A%252F%252Fpolicies.google.com%252Fterms/googlechrome.pkg
|
||||
self_service: true
|
||||
self_service: true
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
url: https://zoom.us/client/6.2.10.43047/ZoomInstallerIT.pkg
|
||||
self_service: true
|
||||
self_service: true
|
||||
|
|
|
|||
|
|
@ -28,4 +28,4 @@
|
|||
description: Checks the status of antivirus and signature updates from the Windows Security Center.
|
||||
resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
|
||||
platform: windows
|
||||
|
||||
|
||||
7
it-and-security/lib/windows/queries/all-arm-hosts.yml
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: query
|
||||
spec:
|
||||
name: All ARM hosts
|
||||
query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
|
||||
platform: "windows"
|
||||
|
||||
7
it-and-security/lib/windows/queries/all-x86-hosts.yml
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: query
|
||||
spec:
|
||||
name: All ARM hosts
|
||||
query: SELECT * FROM os_version WHERE arch NOT LIKE 'ARM%';
|
||||
platform: "windows"
|
||||
|
||||
|
|
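Review bot: `name: All ARM hosts` in `all-x86-hosts.yml` duplicates the name given in `all-arm-hosts.yml`, while the SQL here is `arch NOT LIKE 'ARM%'`. Rename it (for example "All x86 hosts") so the two pre-install queries do not share a name and the name states what the query selects.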
@ -7,4 +7,5 @@
|
|||
min_osquery_version: ""
|
||||
observer_can_run: true
|
||||
platform: "windows"
|
||||
query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
|
||||
query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
|
||||
|
||||
2
it-and-security/lib/windows/software/google-chrome.yml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
url: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B53CCDE8D-FD40-46DE-67E7-61E96CFEFCAA%7D%26lang%3Den%26browser%3D4%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dtrue%26ap%3Dx64-stable-statsdef_0%26brand%3DGCEA/dl/chrome/install/googlechromestandaloneenterprise64.msi
|
||||
self-service: true
|
||||
5
it-and-security/lib/windows/software/slack.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
url: https://downloads.slack-edge.com/desktop-releases/windows/x64/4.41.105/SlackSetup.exe
|
||||
self_service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-x86-hosts.yml
|
||||
|
||||
5
it-and-security/lib/windows/software/zoom-arm.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=winarm64
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-arm-hosts.yml
|
||||
|
||||
5
it-and-security/lib/windows/software/zoom.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
url: https://zoom.us/client/6.3.0.52884/ZoomInstallerFull.exe?archType=x64
|
||||
self-service: true
|
||||
pre_install_query:
|
||||
path: ../queries/all-x86-hosts.yml
|
||||
|
||||
|
|
@ -32,4 +32,7 @@ policies:
|
|||
queries:
|
||||
software:
|
||||
packages:
|
||||
- path: ../lib/linux/software/zoom.yml # Zoom for Ubuntu
|
||||
- path: ../lib/linux/software/zoom-deb.yml # Zoom for Ubuntu
|
||||
- path: ../lib/linux/software/zoom-rpm.yml # Zoom for RHEL
|
||||
- path: ../lib/linux/software/slack-deb.yml # Zoom for Ubuntu
|
||||
- path: ../lib/linux/software/slack-rpm.yml # Zoom for RHEL
|
||||
|
|
|
|||
|
|
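Review bot: The trailing comments on the two new Slack entries are copied from the Zoom lines: `slack-deb.yml # Zoom for Ubuntu` and `slack-rpm.yml # Zoom for RHEL`. Change them to name Slack, as the other team file in this commit does ("Slack for Ubuntu", "Slack for RedHat").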
@ -1,25 +1,4 @@
|
|||
name: No team
|
||||
policies:
|
||||
controls:
|
||||
enable_disk_encryption: true
|
||||
macos_migration:
|
||||
enable: true
|
||||
mode: voluntary
|
||||
webhook_url: $DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL
|
||||
macos_settings:
|
||||
custom_settings: null
|
||||
macos_setup:
|
||||
bootstrap_package: ""
|
||||
enable_end_user_authentication: false
|
||||
macos_setup_assistant: null
|
||||
macos_updates:
|
||||
deadline: "2023-06-13"
|
||||
minimum_version: 13.4.1
|
||||
windows_enabled_and_configured: true
|
||||
windows_settings:
|
||||
custom_settings: []
|
||||
windows_updates:
|
||||
deadline_days: 3
|
||||
grace_period_days: 2
|
||||
scripts: []
|
||||
queries:
|
||||
software:
|
||||
|
|
|
|||
|
|
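Review bot: Removing the whole `controls:` block drops `macos_updates` (`minimum_version: 13.4.1`), `windows_updates` (`deadline_days: 3`, `grace_period_days: 2`), `macos_setup` and both `custom_settings` lists, but the `controls:` block added next to `org_settings:` in this commit only carries `enable_disk_encryption`, `macos_migration`, `windows_enabled_and_configured` and `windows_migration`. Confirm that OS update enforcement for hosts on no team is defined elsewhere or is intentionally removed, and state which in the change description.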
@ -151,7 +151,10 @@ queries:
|
|||
software:
|
||||
packages:
|
||||
- path: ../lib/macos/software/mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)
|
||||
- path: ../lib/linux/software/zoom.yml # Zoom for Ubuntu
|
||||
- path: ../lib/linux/software/zoom-deb.yml # Zoom for Ubuntu
|
||||
- path: ../lib/linux/software/zoom-rpm.yml # Zoom for RedHat
|
||||
- path: ../lib/linux/software/slack-deb.yml # Slack for Ubuntu
|
||||
- path: ../lib/linux/software/slack-rpm.yml # Slack for RedHat
|
||||
app_store_apps:
|
||||
- app_store_id: '803453959' # Slack Desktop
|
||||
- app_store_id: '1333542190' # 1Password 7 Desktop
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ No requirements.
|
|||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
|
||||
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.61.0 |
|
||||
|
||||
## Modules
|
||||
|
||||
|
|
|
|||
|
|
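Review bot: The generated providers table now lists `aws` at 4.61.0 where it previously said 5.66.0, a step back across a major version, and the new value equals the Fleet release number bumped elsewhere in this commit. Check whether this line was caught by a version search-and-replace, and regenerate the table from the module's resolved provider version instead of editing it by hand.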
@ -24,7 +24,7 @@ variable "fleet_config" {
|
|||
vuln_processing_cpu = optional(number, 2048)
|
||||
vuln_data_stream_mem = optional(number, 1024)
|
||||
vuln_data_stream_cpu = optional(number, 512)
|
||||
image = optional(string, "fleetdm/fleet:v4.60.1")
|
||||
image = optional(string, "fleetdm/fleet:v4.61.0")
|
||||
family = optional(string, "fleet-vuln-processing")
|
||||
sidecars = optional(list(any), [])
|
||||
extra_environment_variables = optional(map(string), {})
|
||||
|
|
@ -82,7 +82,7 @@ variable "fleet_config" {
|
|||
vuln_processing_cpu = 2048
|
||||
vuln_data_stream_mem = 1024
|
||||
vuln_data_stream_cpu = 512
|
||||
image = "fleetdm/fleet:v4.60.1"
|
||||
image = "fleetdm/fleet:v4.61.0"
|
||||
family = "fleet-vuln-processing"
|
||||
sidecars = []
|
||||
extra_environment_variables = {}
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff