From 8d3b018f5d14627cd0ed30cfc0a4b61ff5edef52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:24:13 -0500 Subject: [PATCH 01/46] Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 (#17612) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e4e78b47d7..9883d9a7bc 100644 --- a/go.mod +++ b/go.mod @@ -312,7 +312,7 @@ require ( google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect gopkg.in/mail.v2 v2.3.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect diff --git a/go.sum b/go.sum index 866a29d973..84adf199ee 100644 --- a/go.sum +++ b/go.sum @@ -1855,8 +1855,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= From c82190b0092e80b5a06b9134e4bc1cfb88d6e812 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:24:58 -0500 Subject: [PATCH 02/46] Bump follow-redirects from 1.15.5 to 1.15.6 in /tools/fleetctl-npm (#17650) --- tools/fleetctl-npm/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/fleetctl-npm/yarn.lock b/tools/fleetctl-npm/yarn.lock index 3076f03fae..fabb81d6c0 100644 --- a/tools/fleetctl-npm/yarn.lock +++ b/tools/fleetctl-npm/yarn.lock @@ -52,9 +52,9 @@ delayed-stream@~1.0.0: integrity sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ== follow-redirects@^1.15.0: - version "1.15.5" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.5.tgz#54d4d6d062c0fa7d9d17feb008461550e3ba8020" - integrity sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw== + version "1.15.6" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b" + integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA== form-data@^4.0.0: version "4.0.0" From d896420421d21a0512628b978ac4fe6e4306dda2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:25:27 -0500 Subject: [PATCH 03/46] Bump follow-redirects from 1.15.4 to 1.15.6 (#17651) --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 3cd3f36bde..ac4c05043a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -9598,9 +9598,9 @@ flow-parser@0.*: integrity sha512-ZJ6VuLe/BoqeI4GsF+ZuzlpfGi3FCnBrb4xDYhgEJxRt7SAj3ibRuRSsuJSRcY+lQhPZRPNbNWiQqFMxramUzw== follow-redirects@^1.14.0, follow-redirects@^1.15.0: - version "1.15.4" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf" - integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw== + version "1.15.6" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b" + integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA== for-each@^0.3.3: version "0.3.3" From fb68278b1b48f81a240ae1fa8f7fa03e4a2e7a25 Mon Sep 17 00:00:00 2001 From: Rachael Shaw Date: Thu, 21 Mar 2024 11:25:40 -0500 Subject: [PATCH 04/46] Set host expiry window to 0 to see what happens (#17762) ^ what it says --- it-and-security/default.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/it-and-security/default.yml b/it-and-security/default.yml index 5a5a170fef..4349a6338a 100644 --- a/it-and-security/default.yml +++ b/it-and-security/default.yml @@ -29,8 +29,8 @@ org_settings: fleet_desktop: transparency_url: https://fleetdm.com/transparency host_expiry_settings: - host_expiry_enabled: false - host_expiry_window: 7 + host_expiry_enabled: true + host_expiry_window: 0 integrations: jira: [ ] zendesk: [ ] From 1e6c974844762db49f74bdeeb7f779f8160224e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:26:14 -0500 Subject: [PATCH 05/46] Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible (#17736) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9883d9a7bc..2b89ecb1ce 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/davecgh/go-spew v1.1.1 github.com/dgraph-io/badger/v2 v2.2007.2 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e - github.com/docker/docker v24.0.7+incompatible + github.com/docker/docker v24.0.9+incompatible github.com/docker/go-units v0.4.0 github.com/doug-martin/goqu/v9 v9.18.0 github.com/e-dard/netbug v0.0.0-20151029172837-e64d308a0b20 diff --git a/go.sum b/go.sum index 84adf199ee..616092fefd 100644 --- a/go.sum +++ b/go.sum @@ -394,8 +394,8 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= -github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.9+incompatible h1:HPGzNmwfLZWdxHqK9/II92pyi1EpYKsAqcl4G0Of9v0= +github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From 452d6b8d0d7ee900012844d758c6bb2a36c36184 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:30:00 -0400 Subject: [PATCH 06/46] Set host expiry in dogfood back (#17763) - Back to off --- it-and-security/default.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/it-and-security/default.yml b/it-and-security/default.yml index 4349a6338a..a30c72224b 100644 --- a/it-and-security/default.yml +++ b/it-and-security/default.yml @@ -29,8 +29,7 @@ org_settings: fleet_desktop: transparency_url: https://fleetdm.com/transparency host_expiry_settings: - host_expiry_enabled: true - host_expiry_window: 0 + host_expiry_enabled: false integrations: jira: [ ] zendesk: [ ] From 36dafbd969d1e1daa7c5ad67e4967c26a2742a8d Mon Sep 17 00:00:00 2001 From: Eric Date: Thu, 21 Mar 2024 11:58:45 -0500 Subject: [PATCH 07/46] Update vulnerability dashboard deploy action & update github maintainers in custom.js (#17602) Changes: - Updated the deploy-vulnerability-dashboard workflow to use the correct variables for the Heroku steps. - Added GitHub maintainers to `website/config/custom.js` for the GitHub workflows related to the vulnerability dashboard. --- .github/workflows/deploy-vulnerability-dashboard.yml | 4 ++-- website/config/custom.js | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-vulnerability-dashboard.yml b/.github/workflows/deploy-vulnerability-dashboard.yml index 7f453b8367..a8196535ab 100644 --- a/.github/workflows/deploy-vulnerability-dashboard.yml +++ b/.github/workflows/deploy-vulnerability-dashboard.yml @@ -22,9 +22,9 @@ jobs: # Configure our access credentials for the Heroku CLI - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8 with: - heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_DEPLOYMENT}} + heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}} heroku_app_name: "" # this has to be blank or it doesn't work - heroku_email: ${{secrets.HEROKU_EMAIL_FOR_DEPLOYMENT}} + heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}} justlogin: true - run: heroku auth:whoami diff --git a/website/config/custom.js b/website/config/custom.js index f57443fbc4..c31b77b5d3 100644 --- a/website/config/custom.js +++ b/website/config/custom.js @@ -232,6 +232,8 @@ module.exports.custom = { // Github workflows '.github/workflows/deploy-fleet-website.yml': ['eashaw','mikermcneil'],// (website deploy script) '.github/workflows/test-website.yml': ['eashaw','mikermcneil'],//« website CI test script + '.github/workflows/deploy-vulnerability-dashboard.yml': ['eashaw','mikermcneil'],// (vulnerabiltiy dashboard deploy script) + '.github/workflows/test-vulnerability-dashboard-changes.yml': ['eashaw','mikermcneil'],//« vulnerabiltiy dashboard CI test script '.github/workflows': ['lukeheath', 'mikermcneil'],//« CI/CD workflows & misc GitHub Actions. Note that some are also addressed more specifically below in relevant sections) // Repo automation and change control settings From 94da1ec032c7a149a7a6829beeaeeea073a4d01f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:17:16 -0500 Subject: [PATCH 08/46] Bump @okta/oidc-middleware from 4.0.1 to 5.0.0 in /ee/vulnerability-dashboard (#17601) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@okta/oidc-middleware](https://github.com/okta/okta-oidc-middleware) from 4.0.1 to 5.0.0.
Release notes

Sourced from @​okta/oidc-middleware's releases.

5.0.0

Breaking Changes

  • #54 Requires Node >= 12.19.0. Update production dependencies:
    • openid-client@5.1.9 (was 3.12.2)

4.5.1

Bug Fixes

  • #43 fix: correctly preprends appBaseUrl to redirect url when appBaseUrl contains a base path

4.5.0

Features

  • #40 Allows passing loginHint to ensureAuthenticated

Bug Fixes

  • #42 Fixes appBaseUrl option not prepending to login redirect url

4.4.0

Bug Fixes

  • #34 Fixes Org AS login issue
  • #3 Call res.redirect() after custom routes.loginCallback.handler
  • #37 fix: .logout no longer throws error without valid credentials
Changelog

Sourced from @​okta/oidc-middleware's changelog.

5.0.0

Breaking Changes

  • # Requires Node >= 12.19.0. Update production dependencies:
    • openid-client@5.1.9 (was 3.12.2)

4.6

-#53 Fix: prevents open redirects

4.5.1

Bug Fixes

  • #43 fix: correctly preprends appBaseUrl to redirect url when appBaseUrl contains a base path

4.5.0

Features

  • #40 Allows passing loginHint to ensureAuthenticated

Bug Fixes

  • #42 Fixes appBaseUrl option not prepending to login redirect url

4.4.0

Bug Fixes

  • #34 Fixes Org AS login issue
  • #3 Call res.redirect() after custom routes.loginCallback.handler
  • #37 fix: .logout no longer throws error without valid credentials

4.3.0

Other

  • Release after migrating from monorepo

4.2.0

Bug Fixes

  • #1020 Fixes issue with UUID returning null

4.1.0

Features

... (truncated)

Commits
  • 50c093b chore(deps): upgrade vulnerable dependencies (#54)
  • 5d10b3c Prevent open redirects (#53)
  • fe24bfc chore: Update dependencies
  • ebafab4 chore: dev dependency upgrades
  • 113e1a3 chore: updates github issue template
  • a9b6ad2 Merge remote-tracking branch 'origin/4.5' into sw-backport-4.5.1
  • 8b0691c fix: if appBaseUrl includes a base path
  • 94852df Releng: Revving up to version(s) 4.6.0 for artifact(s) None
  • 4e1414e fixes: 'appBaseUrl' option not prepended to login redirect url
  • 9c5e3b0 feat: allow passing loginHint option to ensureAuthenticated
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@okta/oidc-middleware&package-manager=npm_and_yarn&previous-version=4.0.1&new-version=5.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ee/vulnerability-dashboard/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/vulnerability-dashboard/package.json b/ee/vulnerability-dashboard/package.json index a72ab3d351..57364522da 100644 --- a/ee/vulnerability-dashboard/package.json +++ b/ee/vulnerability-dashboard/package.json @@ -5,7 +5,7 @@ "description": "Report and track progress on fixing and prioritizing thousands of installed CVEs.", "keywords": [], "dependencies": { - "@okta/oidc-middleware": "4.0.1", + "@okta/oidc-middleware": "5.0.0", "@okta/okta-sdk-nodejs": "3.2.0", "@sailshq/connect-redis": "^3.2.1", "@sailshq/lodash": "^3.10.3", From 14786afe209a833f20b63a5f8dff6bddb3c985b4 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Thu, 21 Mar 2024 19:30:48 +0100 Subject: [PATCH 09/46] API design: Increase character limit for saved scripts (#16699) API design for: #16668 --------- Co-authored-by: Rachael Shaw --- docs/REST API/rest-api.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 95d055eef7..7a559879b1 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -7461,8 +7461,11 @@ Run a live script and get results back (5 minute timeout). Live scripts only run | Name | Type | In | Description | | ---- | ------- | ---- | -------------------------------------------- | | host_id | integer | body | **Required**. The host id to run the script on. | -| script_id | integer | body | The ID of the existing saved script to run. Only one of either `script_id` or `script_contents` can be included in the request; omit this parameter if using `script_contents`. | -| script_contents | string | body | The contents of the script to run. Only one of either `script_id` or `script_contents` can be included in the request; omit this parameter if using `script_id`. | +| script_id | integer | body | The ID of the existing saved script to run. Only one of either `script_id`, `script_name` or `script_contents` can be included in the request; omit this parameter if using `script_contents` or `script_name`. | +| script_contents | string | body | The contents of the script to run. Only one of either `script_contents`, `script_id` or `script_name` can be included in the request; omit this parameter if using `script_id` or `script_name`. | +| script_name | string | body | The name of the existing saved script to run. Only one of either `script_name`, `script_id` or `script_contents` can be included in the request; omit this parameter if using `script_contents` or `script_id`. | +| team_id | integer | body | ID of the team the saved script referenced by `script_name` belongs to. Default: `0` (hosts assigned to "No team") | + > Note that if both `script_id` and `script_contents` are included in the request, this endpoint will respond with an error. From 4a0c62613f478a684d1a7d3da0c793ff1836cd0a Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 14:33:35 -0400 Subject: [PATCH 10/46] API design: See macOS hosts that failed DEP profile assignment (#15461) (#16166) API changes for the "See macOS hosts that failed DEP profile assignment" (#15461) story --- docs/REST API/rest-api.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 7a559879b1..8b8ca9c899 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -2030,9 +2030,10 @@ If `after` is being used with `created_at` or `updated_at`, the table must be sp }, "mdm": { "encryption_key_available": false, - "enrollment_status": null, - "name": "", - "server_url": null + "enrollment_status": "Pending", + "dep_profile_error": true, + "name": "Fleet", + "server_url": "https://example.fleetdm.com/mdm/apple/mdm" }, "software": [ { From 85209ae758277b497ed7d2bc105893cc77db99ee Mon Sep 17 00:00:00 2001 From: Roberto Dip Date: Thu, 21 Mar 2024 15:38:06 -0300 Subject: [PATCH 11/46] document permissions changes for Puppet gitops (#17367) #15337 --------- Co-authored-by: Rachael Shaw --- docs/Using Fleet/manage-access.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/Using Fleet/manage-access.md b/docs/Using Fleet/manage-access.md index c073b1a6f9..802c7c36f5 100644 --- a/docs/Using Fleet/manage-access.md +++ b/docs/Using Fleet/manage-access.md @@ -37,6 +37,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | ---------- | ----- | ------- | | View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities) | ✅ | ✅ | ✅ | ✅ | | | View all hosts | ✅ | ✅ | ✅ | ✅ | | +| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ | | Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | | Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | | Add and delete hosts | | | ✅ | ✅ | | @@ -83,6 +84,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | | | Edit [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | | Edit [MDM settings for teams](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | +| View all [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ | | Upload an EULA file for MDM automatic enrollment\* | | | | ✅ | | | View/download MDM macOS setup assistant\* | | | ✅ | ✅ | | | Edit/upload MDM macOS setup assistant\* | | | ✅ | ✅ | ✅ | @@ -119,6 +121,7 @@ Users with access to multiple teams can be assigned different roles for each tea | **Action** | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps | | -------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- | --------------- | ---------- | ----------- | | View hosts | ✅ | ✅ | ✅ | ✅ | | +| View a host by identifier | ✅ | ✅ | ✅ | ✅ | ✅ | | Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | | | Target hosts using labels | ✅ | ✅ | ✅ | ✅ | | | Add and delete hosts | | | ✅ | ✅ | | From 27a59ed37ceb2845fa7e1ba92bc7a70cb5f2e65b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 13:41:49 -0500 Subject: [PATCH 12/46] Bump grunt from 1.0.4 to 1.5.3 in /ee/vulnerability-dashboard (#17600) Bumps [grunt](https://github.com/gruntjs/grunt) from 1.0.4 to 1.5.3.
Release notes

Sourced from grunt's releases.

v1.5.3

  • Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
  • Patch up race condition in symlink copying. 58016ff
  • Merge pull request #1746 from JamieSlome/patch-1 0749e1d
  • Create SECURITY.md 69b7c50

https://github.com/gruntjs/grunt/compare/v1.5.2...v1.5.3

v1.5.2

  • Update Changelog 7f15fd5
  • Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
  • Clean up link handling 433f91b

https://github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2

v1.5.1

  • Merge pull request #1742 from gruntjs/update-symlink-test ad22608
  • Fix symlink test 0652305

https://github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1

v1.5.0

  • Updated changelog b2b2c2b
  • Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
  • Update testing matrix 47d32de
  • More updates 2e9161c
  • Remove console log 04b960e
  • Update dependencies, tests... aad3d45
  • Merge pull request #1736 from justlep/main fdc7056
  • support .cjs extension e35fe54

https://github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0

v1.4.1

  • Update Changelog e7625e5
  • Merge pull request #1731 from gruntjs/update-options 5d67e34
  • Fix ci install d13bf88
  • Switch to Actions 08896ae
  • Update grunt-known-options eee0673
  • Add note about a breaking change 1b6e288

https://github.com/gruntjs/grunt/compare/v1.4.0...v1.4.1

v1.4.0

  • Merge pull request #1728 from gruntjs/update-deps-changelog 63b2e89
  • Update changelog and util dep 106ed17
  • Merge pull request #1727 from gruntjs/update-deps-apr 49de70b
  • Update CLI and nodeunit 47cf8b6
  • Merge pull request #1722 from gruntjs/update-through e86db1c
  • Update deps 4952368

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: https://github.com/js-cli/js-liftoff/commit/e7a969d6706e730d90abb4e24d3cb4d3bce06ddb. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0. - Upgrade legacy-util to ~2.0.0. v1.2.1 date: 2020-07-07 changes: - Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715) v1.2.0 date: 2020-07-03 changes: - Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of node_modules directly inside package that have a dev dependency to these plugins. (PR: gruntjs/grunt#1677) - Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency.

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=grunt&package-manager=npm_and_yarn&previous-version=1.0.4&new-version=1.5.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ee/vulnerability-dashboard/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/vulnerability-dashboard/package.json b/ee/vulnerability-dashboard/package.json index 57364522da..f54c10bde6 100644 --- a/ee/vulnerability-dashboard/package.json +++ b/ee/vulnerability-dashboard/package.json @@ -21,7 +21,7 @@ }, "devDependencies": { "eslint": "5.16.0", - "grunt": "1.0.4", + "grunt": "1.5.3", "htmlhint": "0.11.0", "lesshint": "6.3.6", "sails-hook-grunt": "^5.0.0", From f018f68e46f55267120fe74a2f1162c8c794cc4b Mon Sep 17 00:00:00 2001 From: Katheryn Satterlee Date: Thu, 21 Mar 2024 13:50:18 -0500 Subject: [PATCH 13/46] Update script execution documentation (#17147) Removed reference to **Scripts** tab and added instructions for accessing the **Run Script** modal from the host detail page. # Checklist for submitter Docs-only change --------- Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com> Co-authored-by: Rachael Shaw --- docs/Using Fleet/Scripts.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/Using Fleet/Scripts.md b/docs/Using Fleet/Scripts.md index 5ed888688b..64b9957fff 100644 --- a/docs/Using Fleet/Scripts.md +++ b/docs/Using Fleet/Scripts.md @@ -30,7 +30,11 @@ Fleet UI: 2. Head to the **Hosts** page and select the host you want to run the script on. -3. On your target host's host details page, select the **Scripts** tab and select **Actions** to run the script. +3. On your target host's host details page, select the **Actions** dropdown and select **Run Script** to view the **Run Script** menu. + +4. In the **Run Script** menu, select the **Actions** dropdown for the script you'd like to execute and choose the **Run** option. + +Scripts run from the Fleet UI will run the next time your host checks in with Fleet. You can view the status of the script execution as well as the output in the target host's activity feed. Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script) From 8ed8f3daa7e3e24a5df5e246f5cecb6922aadb16 Mon Sep 17 00:00:00 2001 From: Jacob Thorne Date: Thu, 21 Mar 2024 19:59:45 +0100 Subject: [PATCH 14/46] Fix Incorrect Helm Chart Keys in MySQL Installation Documentation (#17160) This PR addresses an issue in the documentation for installing the MySQL chart using Helm. Previously, the documentation provided a Helm install command that incorrectly referenced mysqlUser and mysqlDatabase. However, these keys don't exist in the chart's values.yaml file anymore. --- docs/Deploy/Deploy-Fleet-on-Kubernetes.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Deploy/Deploy-Fleet-on-Kubernetes.md b/docs/Deploy/Deploy-Fleet-on-Kubernetes.md index c8a6204ec0..2d35599853 100644 --- a/docs/Deploy/Deploy-Fleet-on-Kubernetes.md +++ b/docs/Deploy/Deploy-Fleet-on-Kubernetes.md @@ -57,14 +57,14 @@ Helm v2 ```sh helm install \ --name fleet-database \ - --set mysqlUser=fleet,mysqlDatabase=fleet \ + --set auth.username=fleet,auth.database=fleet \ oci://registry-1.docker.io/bitnamicharts/mysql ``` Helm v3 ```sh helm install fleet-database \ - --set mysqlUser=fleet,mysqlDatabase=fleet \ + --set auth.username=fleet,auth.database=fleet \ oci://registry-1.docker.io/bitnamicharts/mysql ``` From bd3e775e67dbc72a24723e4ab6af3268d9af6b3a Mon Sep 17 00:00:00 2001 From: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com> Date: Thu, 21 Mar 2024 15:09:05 -0400 Subject: [PATCH 15/46] Windows MDM Fix Manual Detection (#17721) #15565 Replace the use of the isFederated registry key with a keys that check for AAD (Azure Active Directory, now Entra ID) Federated enrollment (`isFederated`) seems to be when windows uses a Discovery MDM endpoint to get its policy and management endpoint configuration. This is always the case when a client is enrolled with fleet, so installations always show up as automatic. It's being replaced by a different key, `AADResourceID`, which appears to identify the resource that controls the automated deployment. In my tests it only appears to be populated when the computer is enrolled through automated deployments. This key appears on both Windows 10 and 11. There is a similar key, `AADTenantID`, which appears to identify the client (tenant) to the Azure cloud. I haven't seen this ID in our systems, so it is likely exclusively used in Azure. Both this key and `AADResourceID` seem to always be set at the same time, so we only check for the `AADResourceID`. I've also added documentation on the registry keys I've analyzed for future reference. --- changes/15565-windows-automatic-enrollment | 1 + cmd/osquery-perf/agent.go | 4 +- .../windows-mdm-glossary-and-protocol.md | 84 ++++++++++++++++++- docs/Using Fleet/Understanding-host-vitals.md | 8 +- server/service/osquery_utils/queries.go | 8 +- server/service/osquery_utils/queries_test.go | 24 +++--- 6 files changed, 106 insertions(+), 23 deletions(-) create mode 100644 changes/15565-windows-automatic-enrollment diff --git a/changes/15565-windows-automatic-enrollment b/changes/15565-windows-automatic-enrollment new file mode 100644 index 0000000000..a89e709468 --- /dev/null +++ b/changes/15565-windows-automatic-enrollment @@ -0,0 +1 @@ +- Fix a bug where all Windows MDM enrollments were detected as automatic diff --git a/cmd/osquery-perf/agent.go b/cmd/osquery-perf/agent.go index 719b59b23c..756f6f0cd5 100644 --- a/cmd/osquery-perf/agent.go +++ b/cmd/osquery-perf/agent.go @@ -1514,12 +1514,12 @@ func (a *agent) mdmWindows() []map[string]string { if !a.mdmEnrolled() { return []map[string]string{ // empty service url means not enrolled - {"is_federated": "0", "discovery_service_url": "", "provider_id": "", "installation_type": "Client"}, + {"aad_resource_id": "", "discovery_service_url": "", "provider_id": "", "installation_type": "Client"}, } } return []map[string]string{ { - "is_federated": "0", + "aad_resource_id": "", "discovery_service_url": a.serverAddress, "provider_id": fleet.WellKnownMDMFleet, "installation_type": "Client", diff --git a/docs/Contributing/windows-mdm-glossary-and-protocol.md b/docs/Contributing/windows-mdm-glossary-and-protocol.md index 03d5283a48..94dc6095db 100644 --- a/docs/Contributing/windows-mdm-glossary-and-protocol.md +++ b/docs/Contributing/windows-mdm-glossary-and-protocol.md @@ -57,6 +57,88 @@ The certificate created through the WSTEP process is used to authenticate mTLS b https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f +## MDM Device Registration Summary + +https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvrd/296ebf70-bd4b-489e-a531-460d8ef7519b + +# Registry + +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\` + Each enrollment gets its own subdirectory with a UUID as a key, + inside each directory is a set of keys associated with that enrollment + - `CurCryptoProvider` + Often `Microsoft Software Key Storage Provider` + Cryptographic Key storage provider + - `CurKeyContainer` + Key within key provider + - `DiscoveryServiceFullURL` + MDM Discovery service URL + - `DMPCertThumbPrint` + According to [this blog post](https://call4cloud.nl/2022/10/fullmetal-certificate-the-revenge-of-renewal/), this is the thumbprint of your MDM device certificate + - `EnrollmentFlags` + See [this link](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/cd22d3a0-f469-4a44-95ed-d10ce4dc2063) for details + + | Integer value | Meaning | + |---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | 0x00000001 | Instructs the client and CA to include an S/MIME extension, as specified in [RFC4262]. | + | 0x00000008 | Instructs the CA to append the issued certificate to the userCertificate attribute, on the user object in Active Directory. | + | 0x00000010 | Instructs the CA to check the user's userCertificate attribute in Active Directory, as specified in [RFC4523], for valid certificates that match the template enrolled for. | + | 0x00000040 | This flag instructs clients to sign the renewal request using the private key of the existing certificate. For more information, see [MS-WCCE] section 3.2.2.6.2.1.4.5.6. This flag also instructs the CA to process the renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6. | + | 0x00000100 | Instructs the client to get a user's consent before attempting to enroll for a certificate based on the specified template. | + | 0x00000400 | Instructs the client to delete any expired, revoked, or renewed certificate from the user's certificate stores. | + | 0x00002000 | This flag instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card. | + - `EnrollmentState` + The best documentation we can find is [here](https://learn.microsoft.com/en-us/graph/api/resources/intune-shared-enrollmentstate?view=graph-rest-beta) + + | Member | Value | Description | + |--------------|-------|--------------------------------------------------------------------------------------------------------------------| + | unknown | 0 | Device enrollment state is unknown | + | enrolled | 1 | Device is Enrolled. | + | pendingReset | 2 | Enrolled but it's enrolled via enrollment profile and the enrolled profile is different from the assigned profile. | + | failed | 3 | Not enrolled and there is enrollment failure record. | + | notContacted | 4 | Device is imported but not enrolled. | + | blocked | 5 | Device is enrolled as userless, but is blocked from moving to user enrollment because the app failed to install. | + + - `EnrollmentType` + According to [this PDF](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-MDE2/%5BMS-MDE2%5D.pdf) it can have three different values. + + Device, Full, and AppManaged + + From what I've seen, value 6 on AAD, 1 on manual + - `isFederated` + According to [this web page](https://learn.microsoft.com/en-us/windows/client-management/federated-authentication-device-enrollment), being federated means that the MDM + endpoints and details were fetched from a Discovery endpoint, + instead of being manually installed. The page does not make mention + of the specific registry key, but we are making an assumption that + it means the same thing. + - `ProviderID` + Set during enrollment. In our case it's the word "Fleet". + - `RenewalPeriod` + Set during enrollment. Period to renew WSTEP certificate. + - `RenewErrorCode` + Presumably set if there is an error renewing WSTEP certificate. + - `RenewROBOSupport` + According to [this post](https://call4cloud.nl/2022/10/fullmetal-certificate-the-revenge-of-renewal/) this means "Request On Behalf Of". + It seems to have to do with automatic certificate renewal + - `RenewStatus` + Status of the renewal + - `RenewTimestamp` + Presumably the timestamp of the last renewal + - `RootCertThumbPrint` + The thumbprint of the WSTEP root certificate + - `SID` + Security Identifier + - `UPN` + User Principal Name of the user that enrolled the device + - `AADResourceID` + Appears to be the domain of the server managing the enrollment, + always appears to be present on machines enrolled through Microsoft + Entra (Azure Active Directory) + - `AADTenantID` + Also related to Azure Active Directory, and also appears to be + present at the same time as AADResourceID. +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot` + Autopilot provisioning diagnostic data - \ No newline at end of file + diff --git a/docs/Using Fleet/Understanding-host-vitals.md b/docs/Using Fleet/Understanding-host-vitals.md index 10cc3f8548..47dca9f92c 100644 --- a/docs/Using Fleet/Understanding-host-vitals.md +++ b/docs/Using Fleet/Understanding-host-vitals.md @@ -176,10 +176,10 @@ WITH registry_keys AS ( enrollment_info AS ( SELECT MAX(CASE WHEN name = 'UPN' THEN data END) AS upn, - MAX(CASE WHEN name = 'IsFederated' THEN data END) AS is_federated, MAX(CASE WHEN name = 'DiscoveryServiceFullURL' THEN data END) AS discovery_service_url, MAX(CASE WHEN name = 'ProviderID' THEN data END) AS provider_id, - MAX(CASE WHEN name = 'EnrollmentState' THEN data END) AS state + MAX(CASE WHEN name = 'EnrollmentState' THEN data END) AS state, + MAX(CASE WHEN name = 'AADResourceID' THEN data END) AS aad_resource_id FROM registry_keys GROUP BY key ), @@ -190,7 +190,7 @@ WITH registry_keys AS ( LIMIT 1 ) SELECT - e.is_federated, + e.aad_resource_id, e.discovery_service_url, e.provider_id, i.installation_type @@ -374,7 +374,7 @@ SELECT * FROM os_version LIMIT 1 - Query: ```sql SELECT os.name, r.data as display_version, k.version - FROM + FROM registry r, os_version os, kernel_info k diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go index 27ec3932db..030294f5ed 100644 --- a/server/service/osquery_utils/queries.go +++ b/server/service/osquery_utils/queries.go @@ -473,10 +473,10 @@ var extraDetailQueries = map[string]DetailQuery{ enrollment_info AS ( SELECT MAX(CASE WHEN name = 'UPN' THEN data END) AS upn, - MAX(CASE WHEN name = 'IsFederated' THEN data END) AS is_federated, MAX(CASE WHEN name = 'DiscoveryServiceFullURL' THEN data END) AS discovery_service_url, MAX(CASE WHEN name = 'ProviderID' THEN data END) AS provider_id, - MAX(CASE WHEN name = 'EnrollmentState' THEN data END) AS state + MAX(CASE WHEN name = 'EnrollmentState' THEN data END) AS state, + MAX(CASE WHEN name = 'AADResourceID' THEN data END) AS aad_resource_id FROM registry_keys GROUP BY key ), @@ -487,7 +487,7 @@ var extraDetailQueries = map[string]DetailQuery{ LIMIT 1 ) SELECT - e.is_federated, + e.aad_resource_id, e.discovery_service_url, e.provider_id, i.installation_type @@ -1612,7 +1612,7 @@ func directIngestMDMWindows(ctx context.Context, logger log.Logger, host *fleet. serverURL := data["discovery_service_url"] if serverURL != "" { enrolled = true - if isFederated := data["is_federated"]; isFederated == "1" { + if data["aad_resource_id"] != "" { // NOTE: We intentionally nest this condition to eliminate `enrolled == false && automatic == true` // as a possible status for Windows hosts (which would be otherwise be categorized as // "Pending"). Currently, the "Pending" status is supported only for macOS hosts. diff --git a/server/service/osquery_utils/queries_test.go b/server/service/osquery_utils/queries_test.go index 022c00aa7d..4a6da7a2ad 100644 --- a/server/service/osquery_utils/queries_test.go +++ b/server/service/osquery_utils/queries_test.go @@ -692,7 +692,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "", - "is_federated": "1", + "aad_resource_id": "https://example.com", "provider_id": "Some_ID", "installation_type": "Client", }, @@ -703,7 +703,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { wantServerURL: "", }, { - name: "off missing is_federated and server url", + name: "off missing aad_resource_id and server url", data: []map[string]string{ { "provider_id": "Some_ID", @@ -728,7 +728,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://example.com", - "is_federated": "1", + "aad_resource_id": "https://example.com", "provider_id": "Some_ID", "installation_type": "Client", }, @@ -743,7 +743,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://example.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -754,7 +754,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { wantServerURL: "https://example.com", }, { - name: "on manual missing is_federated", + name: "on manual missing aad_resource_id", data: []map[string]string{ { "discovery_service_url": "https://example.com", @@ -772,7 +772,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://example.com", - "is_federated": "1", + "aad_resource_id": "https://example.com", "provider_id": "Some_ID", "installation_type": "Windows SeRvEr 99.9", }, @@ -790,7 +790,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://jumpcloud.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -806,7 +806,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://airwatch.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -822,7 +822,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://awmdm.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -838,7 +838,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://microsoft.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -854,7 +854,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://fleetdm.com", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Local_Management", "installation_type": "Client", }, @@ -871,7 +871,7 @@ func TestDirectIngestMDMWindows(t *testing.T) { data: []map[string]string{ { "discovery_service_url": "https://myinstall.local", - "is_federated": "0", + "aad_resource_id": "", "provider_id": "Fleet", "installation_type": "Client", }, From 9a91dad2a4057823670dbcd4530536dd2850342b Mon Sep 17 00:00:00 2001 From: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com> Date: Thu, 21 Mar 2024 14:16:54 -0500 Subject: [PATCH 16/46] Added writing principles (#17392) --- handbook/company/communications.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/handbook/company/communications.md b/handbook/company/communications.md index c0f6a7afcd..86b100c5bc 100644 --- a/handbook/company/communications.md +++ b/handbook/company/communications.md @@ -712,7 +712,9 @@ Learn how to communicate as Fleet with guidelines for tone of voice, our approac - Infuse the core [values](https://fleetdm.com/handbook/company#values) into everything you write. - Read and reread, then rewrite to make it shorter. Use links rather than explanations, short sentences. - Get to where you feel like it’s really good, short, simple, and clear, hack away at any word that’s too confusing. - - Don’t sound formal, sound welcoming so that anyone can understand. Translate "[puffery](https://www.linkedin.com/pulse/puffery-adam-frankl%3FtrackingId=SBVWxzqXTBm9qlO7Rw3ddw%253D%253D/?trackingId=SBVWxzqXTBm9qlO7Rw3ddw%3D%3D)" into "ease of use" or "readability". + - Don’t sound formal, sound welcoming so that anyone can understand. Translate "[puffery](https://www.linkedin.com/pulse/puffery-adam-frankl%3FtrackingId=SBVWxzqXTBm9qlO7Rw3ddw%253D%253D/?trackingId=SBVWxzqXTBm9qlO7Rw3ddw%3D%3D)" into "ease of use" or "readability". + - Disarm puffery for engineers by replacing puffery with real data. + - Disarm puffery for the business by replacing puffery with ROI/RTO (how much time and/or money is it going save the business? Forget the details. When will it pay itself back?) - Apply the advice about writing linked from the company values (the [Paul Graham](http://www.paulgraham.com/simply.html) essays). - Create headings that make good permalinks, use links and add missing links. Indicate links by highlighting words that describe the content (Better SEO than lighting up “click here”). - Don’t duplicate content, link to other places like the [values](https://fleetdm.com/handbook/company#values) or [“why this way”](https://fleetdm.com/handbook/company/why-this-way#why-this-way), but don’t make it awkward. From f287d23cf706ca48306074dd8d345eee88a42bcb Mon Sep 17 00:00:00 2001 From: George Karr Date: Thu, 21 Mar 2024 14:30:39 -0500 Subject: [PATCH 17/46] Adding a script to automate patch / minor releases (#17198) This script was used to generate 4.45.1 and 4.46.0. Workflow is tag issues with correct milestone, run `./patch_release.sh` (with -m for release with more than bugfixes) --------- Co-authored-by: George Karr --- tools/release/patch_release.sh | 659 +++++++++++++++++++++++++++++++++ 1 file changed, 659 insertions(+) create mode 100755 tools/release/patch_release.sh diff --git a/tools/release/patch_release.sh b/tools/release/patch_release.sh new file mode 100755 index 0000000000..30e61662b8 --- /dev/null +++ b/tools/release/patch_release.sh @@ -0,0 +1,659 @@ +#!/usr/bin/env bash + +# +# ,::;;, +# ,:;;;:,,;: +# ,::;;+: ,:;;: +# ,;;;:,,++;;:, +# :;;;::++:, +# ++:, ,;: +# ,, ,;: ::+;::: ,,, +# ,:;::;: ::: ,:,;:,*;;;;+,,,,::,,, +# ;: :+: ,;:, ,:++;;:;**;++::::::;;;;:, +# ,; ,::,:;:, :,: :,;;+*+;, :: :;:;;:, +# ,;:;, :;:, ,;:*: ,::?*: :: ,,,, ,:::::;++;;:::::,, +# :; :;:, ,;+; ,:;;; ,::;;;::::::;;:,,,,:+,,,,,:::;;::, +# ;, ,;:, :+, ,:;;, ;::;:,,,:: :: :; ,;?+ +# ,;, ,;:, ,;: ,:;:, ,+;, ::, ::,,:;: ,,,::;;;+; +# ,; ,+;, :::,:;++, :;;;;;;;;;;;;;;+;;;::;;;;;::,,:;:, +# :: ,;:,;;, ,;;;:,:+, ,,: ,,:::;;;;;;**;,,,, ,:;:, +# :: ,;:, ,;;, ,;;:, :;;:, ,,::::,,:;:,, ;+*+ ,:;;;, +# ;, ,::, ,:;;;:, ::;,:,,::::, ,:;: ,++:,::;;:, +# ,;, :;, ,:;++, ::+:;:,, :;:, ,:;;;:, +# ,;,;: ,:;++:, ,:;++;, ,;+:, ,:;;;:, +# :; ,,:;+;:, ,:::,,,,,,, :;;+; ,:;;::, +# ;: :;+;:, ,:::, ,;+;;;:::;;,:;;::, +# ;;,;*+:,,:, ,:::, ,;, ,;: :,++:,, +# :;:*;: :;, ,::, ,:, ::, ::; +# ,:+:, :: ,:: ,:, ;: ,;; +# ,;, ,,,: ;;,,,;; ,;; ,:, ,;:,:+;, ,,,,, +# ;::;;;::*;:;;;:::;;++, ,:, ,+;;::;+;;;:::;+, +# +;, :?;;:::, ,+, ,:, :;,,,:;;:, :; +# ,+, :+,,,,,;,,,;; ,:, ;+;;;:;; ,;; +# :; :; ,::;+, ,:,,;:,,, :: ,,:;;, +# ;: :; ;; ,: ++;+;; ,;+;;;::, +# ,;, :: :;: ,: ::,,,::+?*+;: +# :; :: ;::, ,: ,;:,:;;:,;;:*+; +# ,;: :: ,: : ,: :;,;:, :+;+, +# ,;, ;: ;,,: ,:,;+ ,: ,;+: +# ;;;;: ,: :, ,;:*++;;;+++**+: +# ;:,, ;, ;:;+::,, ,:;+:::+; +# ,:,;;:, ,,:;;::::;;: +# +;:,,,:;;;;;;;;::, +# ;?+;;;:,:;;::, +# ,,,+;,,:; +# :;::, +# +# +# /$$$$$$$$ /$$ /$$$$$$$$ /$$$$$$$$ /$$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$$ /$$$$$$ /$$ /$$ +# | $$_____/| $$ | $$_____/| $$_____/|__ $$__/ | $$__ $$ /$$__ $$|__ $$__//$$__ $$| $$ | $$ +# | $$ | $$ | $$ | $$ | $$ | $$ \ $$| $$ \ $$ | $$ | $$ \__/| $$ | $$ +# | $$$$$ | $$ | $$$$$ | $$$$$ | $$ | $$$$$$$/| $$$$$$$$ | $$ | $$ | $$$$$$$$ +# | $$__/ | $$ | $$__/ | $$__/ | $$ | $$____/ | $$__ $$ | $$ | $$ | $$__ $$ +# | $$ | $$ | $$ | $$ | $$ | $$ | $$ | $$ | $$ | $$ $$| $$ | $$ +# | $$ | $$$$$$$$| $$$$$$$$| $$$$$$$$ | $$ | $$ | $$ | $$ | $$ | $$$$$$/| $$ | $$ +# |__/ |________/|________/|________/ |__/ |__/ |__/ |__/ |__/ \______/ |__/ |__/ +# +# /$$$$$$$ /$$$$$$$$ /$$ /$$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$$$ /$$$$$$$ +# | $$__ $$| $$_____/| $$ | $$_____/ /$$__ $$ /$$__ $$| $$_____/| $$__ $$ +# | $$ \ $$| $$ | $$ | $$ | $$ \ $$| $$ \__/| $$ | $$ \ $$ +# | $$$$$$$/| $$$$$ | $$ | $$$$$ | $$$$$$$$| $$$$$$ | $$$$$ | $$$$$$$/ +# | $$__ $$| $$__/ | $$ | $$__/ | $$__ $$ \____ $$| $$__/ | $$__ $$ +# | $$ \ $$| $$ | $$ | $$ | $$ | $$ /$$ \ $$| $$ | $$ \ $$ +# | $$ | $$| $$$$$$$$| $$$$$$$$| $$$$$$$$| $$ | $$| $$$$$$/| $$$$$$$$| $$ | $$ +# |__/ |__/|________/|________/|________/|__/ |__/ \______/ |________/|__/ |__/ +# + +usage() { + echo "Usage: $0 [options] (optional|start_version)" + echo "" + echo "Options:" + echo " -c, --cherry_pick_resolved The script has been run, had merge conflicts, and those have been resolved and all cherry picks completed manually." + echo " -d, --dry_run Perform a trial run with no changes made" + echo " -f, --force Skip all confirmations" + echo " -h, --help Display this help message and exit" + echo " -m, --minor Increment to a minor version instead of patch (Required if including non-bugs" + echo " -o, --open_api_key Set the Open API key for calling out to ChatGPT" + echo " -p, --print If the release is already drafted then print out the helpful info" + echo " -r, --release_notes Update the release notes in the named release on github and exit (requires changelog output from running the script previously)." + echo " -s, --start_version Set the target starting version (can also be the first positional arg) for the release, defaults to latest release on github" + echo " -t, --target_date Set the target date for the release, defaults to today if not provided" + echo " -v, --target_version Set the target version for the release" + echo "" + echo "Environment Variables:" + echo " OPEN_API_KEY Open API key used for fallback if not provided via -o or --open-api-key option" + echo "" + echo "Examples:" + echo " $0 -d Dry run the script" + echo " $0 -m -v 4.45.1 Set a minor release targeting version 4.45.1" + echo " $0 --target_version 4.45.1 --open_api_key examplekey" + echo "" +} + +# Usage example: Run a command and show spinner for n seconds +# Replace `sleep 5` with your command +# sleep 5 & show_spinner 5 +show_spinner() { + local pid=$! + local delay=0.1 + local spinstr='/-\|' + local elapsedTime=0 + local maxTime=$1 + + printf "Processing " + while [ $elapsedTime -lt $maxTime ]; do + local temp=${spinstr#?} + printf "%c" "$spinstr" + local spinstr=$temp${spinstr%"$temp"} + sleep $delay + printf "\b" + elapsedTime=$((elapsedTime+1)) + done + + printf "\nDone.\n" +} + +check_grep() { + # Check if `grep` supports the `-P` option by using it in a no-op search. + # Redirecting stderr to /dev/null to suppress error messages in case `-P` is not supported. + if echo "" | grep -P "" >/dev/null 2>&1; then + return + else + # Now check if `ggrep` is available. + if command -v ggrep >/dev/null 2>&1; then + return + else + echo "Please install latest grep with `brew install grep`" + exit 1 + fi + fi +} + +check_required_binaries() { + local missing_counter=0 + # List of required binaries used in the script + local required_binaries=("jq" "gh" "git" "curl" "awk" "sed" "make" "ack") + + for bin in "${required_binaries[@]}"; do + if ! command -v "$bin" &> /dev/null; then + echo "Error: Required binary '$bin' is not installed." >&2 + missing_counter=$((missing_counter + 1)) + fi + done + + if [ $missing_counter -ne 0 ]; then + echo "Error: $missing_counter required binary(ies) are missing. Install them before running this script." >&2 + exit 1 + fi + check_grep +} + +validate_and_format_date() { + local input_date="$1" + local formatted_date + local correct_format="%b %d, %Y" # e.g., Jan 01, 2024 + + # Try to convert input_date to the correct format + formatted_date=$(date -d "$input_date" +"$correct_format" 2>/dev/null) + + if [ $? -ne 0 ]; then + # date conversion failed + echo "Error: Incorrect date format. Expected format example: $correct_format (e.g., Jan 01, 2024)" >&2 + exit 1 + else + # Check if the formatted date matches the expected date format + if ! date -d "$formatted_date" +"$correct_format" &>/dev/null; then + # This means the formatted date does not match our correct format + echo "Error: Incorrect date format after conversion. Expected format example: $correct_format (e.g., Jan 01, 2024)" >&2 + exit 1 + fi + fi + + # If we reached here, the date is valid and correctly formatted + target_date="$formatted_date" # Update the target_date with the formatted date + echo "Validated and formatted date: $target_date" +} + +print_announce_info() { + echo + echo "For announcing in #help-engineering" + echo "====================================================" + echo "Release $target_milestone QA ticket and docker publish" + echo "QA ticket for Release $target_milestone " `gh issue list --search "Release QA: $target_milestone in:title" --json url | jq -r .[0].url` + echo "Docker Deploy status " `gh run list --workflow goreleaser-snapshot-fleet.yaml --json event,url,headBranch --limit 100 | jq -r "[.[]|select(.headBranch==\"$target_patch_branch\")][0].url"` + echo "List of tickets pulled into release https://github.com/fleetdm/fleet/milestone/$target_milestone_number" + echo +} + +update_release_notes() { + if [ ! -f temp_changelog ]; then + echo "cannot find changelog to populate release notes" + exit 1 + fi + cat temp_changelog | tail -n +3 > release_notes + echo "" >> release_notes + echo "### Upgrading" >> release_notes + echo "" >> release_notes + echo "Please visit our [update guide](https://fleetdm.com/docs/deploying/upgrading-fleet) for upgrade instructions." >> release_notes + echo "" >> release_notes + echo "### Documentation" >> release_notes + echo "" >> release_notes + echo "Documentation for Fleet is available at [fleetdm.com/docs](https://fleetdm.com/docs)." >> release_notes + echo "" >> release_notes + echo "### Binary Checksum" >> release_notes + echo "" >> release_notes + echo "**SHA256**" >> release_notes + echo "" >> release_notes + echo '```' >> release_notes + gh release download $next_tag -p checksums.txt --clobber + cat checksums.txt >> release_notes + echo '```' >> release_notes + + echo + echo "============== Release Notes ========================" + cat release_notes + echo "============== Release Notes ========================" + + if [ "$dry_run" = "false" ]; then + gh release edit --draft -F release_notes $next_tag + fi +} + +# Validate we have all commands required to perform this script +check_required_binaries + +# Initialize variables for the options +cherry_pick_resolved=false +dry_run=false +force=false +minor=false +open_api_key="" +start_version="" +target_date="" +target_version="" +print_info=false +release_notes=false + +# Parse long options manually +for arg in "$@"; do + shift + case "$arg" in + "--cherry_pick_resolved") set -- "$@" "-c" ;; + "--dry-run") set -- "$@" "-d" ;; + "--force") set -- "$@" "-f" ;; + "--help") set -- "$@" "-h" ;; + "--minor") set -- "$@" "-m" ;; + "--open_api_key") set -- "$@" "-o" ;; + "--print") set -- "$@" "-p" ;; + "--release_notes") set -- "$@" "-r" ;; + "--start_version") set -- "$@" "-s" ;; + "--target_date") set -- "$@" "-t" ;; + "--target_version") set -- "$@" "-v" ;; + *) set -- "$@" "$arg" + esac +done + +# Extract options and their arguments using getopts +while getopts "cdfhmo:prs:t:v:" opt; do + case "$opt" in + c) cherry_pick_resolved=true ;; + d) dry_run=true ;; + f) force=true ;; + h) usage; exit 0 ;; + m) minor=true ;; + o) open_api_key=$OPTARG ;; + p) print_info=true ;; + r) release_notes=true ;; + s) start_version=$OPTARG ;; + t) target_date=$OPTARG ;; + v) target_version=$OPTARG ;; + ?) usage; exit 1 ;; + esac +done + +# Shift off the options and optional -- +shift $((OPTIND -1)) + +# Function to determine the best grep variant to use +determine_grep_command() { + # Check if `ggrep` is available + if command -v ggrep >/dev/null 2>&1; then + echo "ggrep" # Use GNU grep if available + elif echo "" | grep -P "" >/dev/null 2>&1; then + echo "grep" # Use grep if it supports the -P option + else + echo "grep" # Default to grep if ggrep is not available and -P is not supported + # Note: You might want to handle the lack of -P support differently here + fi +} + +# Assign the best grep variant to a variable +GREP_CMD=$(determine_grep_command) + +# Now you can use the $dry_run variable to see if the option was set +if $dry_run; then + echo "Dry run mode enabled." +fi + +# Check for OPEN_API_KEY environment variable if no key was provided through command-line options +if [ -z "$open_api_key" ]; then + if [ -n "$OPEN_API_KEY" ]; then + open_api_key=$OPEN_API_KEY + else + echo "Error: No open API key provided. Set the key via -o/--open-api-key option or OPEN_API_KEY environment variable." >&2 + exit 1 + fi +fi + +if [[ "$target_date" != "" ]]; then + validate_and_format_date $target_date +fi + +# ex v4.43.0 +if [ -z "$start_version" ]; then + if [[ "$1" == "" ]]; then + # grab latest draft excluding test version 9.99.9 + draft=`gh release list | $GREP_CMD Draft | $GREP_CMD -v 9.99.9` + if [[ "$draft" != "" ]]; then + target_version=`echo $draft | awk '{print $1}' | cut -d '-' -f2` + start_version=`gh release list | $GREP_CMD Draft -A1 | tail -n1 | awk '{print $1}' | cut -d '-' -f2` + else + start_version=`gh release list | $GREP_CMD Latest | awk '{print $1}' | cut -d '-' -f2` + fi + else + start_version="$1" + fi +fi + +if [[ $start_version != v* ]]; then + start_version=`echo "v$start_version"` +fi + +if [[ "$target_version" != "" ]]; then + if [[ $target_version != v* ]]; then + target_version=`echo "v$target_version"` + fi + next_ver=$target_version +else + if [[ "$minor" == "true" ]]; then + next_ver=$(echo $start_version | awk -F. '{print $1"."($2+1)".0"}') + else + next_ver=$(echo $start_version | awk -F. '{print $1"."$2"."($3+1)}') + fi +fi + +start_ver_tag=fleet-$start_version + +echo "Patch release from $start_version to $next_ver" +if [ "$force" = "false" ]; then + read -r -p "If this is correct confirm yes to continue? [y/N] " response + case "$response" in + [yY][eE][sS]|[yY]) + echo + ;; + *) + exit 1 + ;; + esac +fi +start_milestone="${start_version:1}" +target_milestone="${next_ver:1}" +target_milestone_number=`gh api repos/:owner/:repo/milestones | jq -r ".[] | select(.title==\"$target_milestone\") | .number"` +target_patch_branch="patch-fleet-$next_ver" +next_tag="fleet-$next_ver" + +if [ "$print_info" = "true" ]; then + print_announce_info + exit 0 +fi + +if [ "$release_notes" = "true" ]; then + update_release_notes + exit 0 +fi + +if [[ "$target_milestone_number" == "" ]]; then + echo "Missing milestone $target_milestone, Please create one and tie tickets to the milestone to continue" + exit 1 +fi +echo "Found milestone $target_milestone with number $target_milestone_number" + +failed=false + +if [ "$cherry_pick_resolved" = "false" ]; then + if [ "$dry_run" = "false" ]; then + git fetch + fi + + # TODO Fail if not found + if [ "$dry_run" = "false" ]; then + git checkout $start_ver_tag + else + echo "DRYRUN: Would have checked out starting tag $start_ver_tag" + fi + + + local_exists=`git branch | $GREP_CMD $target_patch_branch` + + if [ "$dry_run" = "false" ]; then + if [[ $local_exists != "" ]]; then + # Clear previous + git branch -D $target_patch_branch + fi + git checkout -b $target_patch_branch + else + echo "DRYRUN: Would have cleared / checked out new branch $target_patch_branch" + fi + + + total_prs=() + + issue_list=`gh issue list --search 'milestone:"'"$target_milestone"'"' --json number | jq -r '.[] | .number'` + if [[ "$issue_list" == "" ]]; then + echo "Milestone $target_milestone has no target issues, please tie tickets to the milestone to continue" + exit 1 + fi + echo "Issue list for new patch $next_ver" + echo $issue_list + for issue in $issue_list; do + prs_for_issue=`gh api repos/fleetdm/fleet/issues/$issue/timeline --paginate | jq -r '.[]' | $GREP_CMD "fleetdm/fleet/" | $GREP_CMD -oP "pulls\/\K(?:\d+)"` + echo -n "https://github.com/fleetdm/fleet/issues/$issue" + if [[ "$prs_for_issue" == "" ]]; then + echo -n "NO PR's found, please verify they are not missing in the issue, if no PR's were required for this ticket please reconsider adding it to this release." + fi + for val in $prs_for_issue; do + echo -n " $val" + total_prs+=("$val") + done + echo + done + + + if [ "$force" = "false" ]; then + read -r -p "Check any issues that have no pull requests, no to cancel and yes to continue? [y/N] " response + case "$response" in + [yY][eE][sS]|[yY]) + echo "Continuing to cherry-pick" + echo + ;; + *) + exit 1 + ;; + esac + fi + + commits="" + + for pr in ${total_prs[*]}; + do + output=`gh pr view $pr --json state,mergeCommit,baseRefName` + state=`echo $output | jq -r .state` + commit=`echo $output | jq -r .mergeCommit.oid` + target_branch=`echo $output | jq -r .baseRefName` + echo -n "$pr $state $commit $target_branch:" + if [[ "$state" != "MERGED" || "$target_branch" != "main" ]]; then + echo " WARNING - Skipping pr https://github.com/fleetdm/fleet/pull/$pr" + else + if [[ "$commit" != "" && "$commit" != "null" ]]; then + echo " Commit looks valid - $commit, adding to cherry-pick" + commits+="$commit " + else + echo " WARNING - invalid commit for pr https://github.com/fleetdm/fleet/pull/$pr - $commit" + fi + fi + #echo "=======================================" + done + + for commit in $commits; + do + # echo $commit + timestamp=`git log -n 1 --pretty=format:%at $commit` + if [ $? -ne 0 ]; then + echo "Failed to identify $commit, exiting" + exit 1 + fi + # echo $timestamp + time_map[$timestamp]=$commit + done + + timestamps="" + for key in "${!time_map[@]}"; do + timestamps+="$key\n" + done + for ts in `echo -e $timestamps | sort`; do + commit_hash="${time_map[$ts]}" + # echo "# $ts $commit_hash" + if git branch --contains "$commit_hash" | $GREP_CMD -q "$(git rev-parse --abbrev-ref HEAD)"; then + echo "# Commit $commit_hash is on the current branch." + is_on_current_branch=true + else + # echo "# Commit $commit_hash is not on the current branch." + if [[ "$failed" == "false" ]]; then + + if [ "$dry_run" = "false" ]; then + git cherry-pick $commit_hash + if [ $? -ne 0 ]; then + echo "Cherry pick of $commit_hash failed. Please resolve then continue the cherry-picks manually" + failed=true + fi + else + echo "DRYRUN: Would have cherry picked $commit_hash" + fi + else + echo "git cherry-pick $commit_hash" + fi + is_on_current_branch=false + fi + done +fi + +if [[ "$failed" == "false" ]]; then + + if [ "$dry_run" = "false" ]; then + make changelog + git diff CHANGELOG.md | $GREP_CMD '^+' | sed 's/^+//g' | $GREP_CMD -v CHANGELOG.md > new_changelog + prompt=$'I am creating a changelog for an open source project from a list of commit messages. Please format it for me using the following rules:\n1. Correct spelling and punctuation.\n2. Sentence casing.\n3. Past tense.\n4. Each list item is designated with an asterisk.\n5. Output in markdown format.' + content=$(cat new_changelog | sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g') + question="${prompt}\n\n${content}" + + # API endpoint for ChatGPT + api_endpoint="https://api.openai.com/v1/chat/completions" + output="null" + + while [[ "$output" == "null" ]]; do + data_payload=$(jq -n \ + --arg prompt "$question" \ + --arg model "gpt-3.5-turbo" \ + '{model: $model, messages: [{"role": "user", "content": $prompt}]}') + + response=$(curl -s -X POST $api_endpoint \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $open_api_key" \ + --data "$data_payload") + + output=`echo $response | jq -r .choices[0].message.content` + echo "${output}" + done + else + echo "DRYRUN: Would have run make changelog and sent to ChatGPT to format" + fi + + if [ "$dry_run" = "false" ]; then + git checkout CHANGELOG.md + if [[ "$target_date" == "" ]]; then + tartget_date=`date +"%b %d, %Y"` + fi + echo "## Fleet $target_milestone ($tartget_date)" > temp_changelog + echo "" >> temp_changelog + echo "### Bug fixes" >> temp_changelog + echo "" >> temp_changelog + echo -e "${output}" >> temp_changelog + echo "" >> temp_changelog + cp CHANGELOG.md old_changelog + cat temp_changelog > CHANGELOG.md + cat old_changelog >> CHANGELOG.md + rm -f old_changelog + update_changelog_patch_branch="update-changelog-pb-$target_milestone" + local_exists=`git branch | $GREP_CMD $update_changelog_patch_branch` + if [[ $local_exists != "" ]]; then + # Clear previous + git branch -D $update_changelog_patch_branch + fi + git checkout -b $update_changelog_patch_branch + git add CHANGELOG.md + git commit -m "Adding changes for patch $target_milestone" + git push origin $update_changelog_patch_branch -f + gh pr create -f -B $target_patch_branch + + cp CHANGELOG.md /tmp + git checkout main + git pull origin main + update_changelog_branch="update-changelog-$target_milestone" + local_exists=`git branch | $GREP_CMD $update_changelog_branch` + if [[ $local_exists != "" ]]; then + # Clear previous + git branch -D $update_changelog_branch + fi + git checkout -b $update_changelog_branch + cp /tmp/CHANGELOG.md . + git add CHANGELOG.md + escaped_start_version=$(echo "$start_milestone" | sed 's/\./\\./g') + version_files=`ack -l --ignore-file=is:CHANGELOG.md "$escaped_start_version"` + unameOut="$(uname -s)" + case "${unameOut}" in + Linux*) echo "$version_files" | xargs sed -i "s/$escaped_start_version/$target_milestone/g";; + Darwin*) echo "$version_files" | xargs sed -i '' "s/$escaped_start_version/$target_milestone/g";; + *) echo "unknown distro to parse version" + esac + git add terraform charts infrastructure tools + git commit -m "Updating changelog for $target_milestone" + git push origin $update_changelog_branch -f + gh pr create -f + + git checkout $target_patch_branch + else + echo "DRYRUN: Would have formatted changelog and created PR on main" + fi + + # Check for QA issue + if [ "$dry_run" = "false" ]; then + found=$(gh issue list --search "Release QA: $target_milestone in:title" --json number | jq length) + if [[ "$found" == "0" ]]; then + cat .github/ISSUE_TEMPLATE/release-qa.md | awk 'BEGIN {count=0} /^---$/ {count++} count==2 && /^---$/ {getline; count++} count > 2 {print}' > temp_qa_issue_file + gh issue create --title "Release QA: $target_milestone" -F temp_qa_issue_file \ + --assignee "sabrinabuckets" --assignee "xpkoala" --label ":release" --label "#g-mdm" --label "#g-endpoint-ops" + rm -f temp_qa_issue_file + fi + else + echo "DRYRUN: Would have searched for and created if not found QA release ticket" + fi + + if [ "$dry_run" = "false" ]; then + echo "Waiting for github actions to propogate..." + show_spinner 200 + # For announce in #help-engineering + print_announce_info + else + echo "DRYRUN: Would have printed announce in #help-engineering text w/ qa ticket, deploy to docker link, and milestone issue list link" + fi + + if [ "$dry_run" = "false" ]; then + echo "waiting for Changelog PR to merge..." + echo `gh pr view $update_changelog_patch_branch --json url | jq -r .url` + echo + waiting=true + while waiting; do + pr_state=`gh pr view $update_changelog_patch_branch --json state | jq -r .state` + if [[ "$pr_state" == "MERGED" ]]; then + waiting=false + else + show_spinner 50 + fi + done + git pull origin $target_patch_branch + + git tag $next_tag + git push origin $next_tag + + show_spinner 200 + else + echo "DRYRUN: Would have tagged and pushed $next_tag" + fi + + if [ "$dry_run" = "false" ]; then + releaser_out=`gh run list --workflow goreleaser-fleet.yaml --json databaseID,event,headBranch,url | jq "[.[]|select(.headBranch==\"$next_tag\")[0]` + echo "Releaser running " `echo $releaser_out | jq -r ".url"` + + gh run watch `echo $releaser_out | jq -r ".databaseID"` + else + echo "DRYRUN: Would found goreleaser action and waited for it to complete" + fi + + + update_release_notes +else + # TODO echo what to do + echo "Placeholder, Cherry pick failed....figure out what to do..." + exit 1 +fi + From 1bb81c9e1005f5ab3113b3f15c35fa99180029fe Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 15:44:23 -0400 Subject: [PATCH 18/46] Update rest-api.md (#17686) - Remove note about fleetd - Update note about MDM being turned on --- docs/REST API/rest-api.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 8b8ca9c899..12d9f89060 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -3718,13 +3718,10 @@ created_at,updated_at,id,detail_updated_at,label_updated_at,policy_updated_at,la ### Get host's disk encryption key -For macOS, requires the [macadmins osquery extension](https://github.com/macadmins/osquery-extension) which comes bundled -in [Fleet's osquery installers](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer). - -Requires Fleet's MDM properly [enabled and configured](https://fleetdm.com/docs/using-fleet/mdm-macos-setup). - Retrieves the disk encryption key for a host. +Requires that disk encryption is enforced and the host has MDM turned on. + `GET /api/v1/fleet/mdm/hosts/:id/encryption_key` #### Parameters From 44c3ba83e5c73b6ceeb09e90483fb0c218659d44 Mon Sep 17 00:00:00 2001 From: Rachael Shaw Date: Thu, 21 Mar 2024 15:03:14 -0500 Subject: [PATCH 19/46] Reduce CIS benchmark documentation page contents (#17108) + Move specific CIS benchmark details into READMEs + Reduce content in Using Fleet > CIS Benchmarks --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> --- docs/Using Fleet/CIS-Benchmarks.md | 79 +++++------------------------- ee/cis/macos-13/README.md | 37 ++++++++++++++ ee/cis/macos-14/README.md | 37 ++++++++++++++ ee/cis/win-10/README.md | 15 ++++++ ee/cis/win-11/README.md | 15 ++++++ 5 files changed, 116 insertions(+), 67 deletions(-) create mode 100644 ee/cis/macos-13/README.md create mode 100644 ee/cis/macos-14/README.md create mode 100644 ee/cis/win-10/README.md create mode 100644 ee/cis/win-11/README.md diff --git a/docs/Using Fleet/CIS-Benchmarks.md b/docs/Using Fleet/CIS-Benchmarks.md index bf12e3ba44..1bcbb2e1fc 100644 --- a/docs/Using Fleet/CIS-Benchmarks.md +++ b/docs/Using Fleet/CIS-Benchmarks.md @@ -1,19 +1,21 @@ # CIS Benchmarks -> Available in Fleet Premium +_Available in Fleet Premium_. ## Overview + CIS Benchmarks represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently. For more information about CIS Benchmarks check out [Center for Internet Security](https://www.cisecurity.org/cis-benchmarks)'s website. Fleet has implemented native support for CIS Benchmarks for the following platforms: -- macOS 13.0 Ventura (96 checks) -- Windows 10 Enterprise (496 checks) -- Windows 11 Enterprise (521 checks) +- macOS 13.0 Ventura +- macOS 14.0 Sonoma +- Windows 10 Enterprise +- Windows 11 Enterprise [Where possible](#limitations), each CIS Benchmark is implemented with a [policy query](./REST-API.md#policies) in Fleet. -These benchmarks are intended to gauge your organization's security posture, rather than the current state of a given host. A host may fail a CIS Benchmark policy despite having the correct settings enabled if there is not a specific policy in place to enforce that setting. For example, this is the query for **CIS - Ensure FileVault Is Enabled (MDM Required)**: +These benchmarks are intended to gauge your organization's security posture, rather than the current state of a given host. A host may fail a CIS Benchmark policy despite having the correct settings enabled if there is no configuration profile or Group Policy Object (GPO) in place to enforce the setting. For example, this is the query for **CIS - Ensure FileVault Is Enabled (MDM Required)**: ```sql SELECT 1 WHERE @@ -88,14 +90,13 @@ fleetctl apply --policies-team "Workstations" -f cis-policy-queries.yml ``` ## Limitations -Fleet's current set of benchmarks only implements benchmark *auditing* steps that can be *automated*. -In practice, Fleet is able to cover a large majority of benchmarks: -* macOS 13 Ventura - 96 of 104 -* Windows 10 Enterprise - All CIS items (496) -* Windows 11 Enterprise - All CIS items (521) +Certain benchmarks require human action to audit, and cannot be automated by a policy in Fleet. For a list of specific benchmarks which are not covered, please visit the README for each benchmark: -For a list of specific checks which are not covered by Fleet, please visit the section devoted to each benchmark. +- [macOS 13.0 Ventura](https://github.com/fleetdm/fleet/blob/main/ee/cis/macos-13/README.md) +- [macOS 14.0 Sonoma](https://github.com/fleetdm/fleet/blob/main/ee/cis/macos-14/README.md) +- [Windows 10 Enterprise](https://github.com/fleetdm/fleet/blob/main/ee/cis/win-10/README.md) +- [Windows 11 Enterprise](https://github.com/fleetdm/fleet/blob/main/ee/cis/win-11/README.md) ### Audit vs. remediation Each benchmark has two elements: @@ -106,18 +107,6 @@ Since Fleetd is currently read-only without the ability to execute actions on th To implement automated remediation, you can install a separate agent such as Munki, Chef, Puppet, etc. which has write functionality. -### Manual vs. automated - -For both the audit and remediation elements of a CIS Benchmark, there are two types: -1. Automated - the element can be audited or remediated without human intervention -2. Manual - the element requires human intervention to be audited or remediated - -Fleet only implements automated audit checks. Manual checks require administrators to implement other processes to conduct the check. - -* macOS 13 Ventura - 96 of 104 are automated -* Windows 10 Enterprise - All CIS items (496) are automated -* Windows 11 Enterprise - All CIS items (521) are automated - ## Levels 1 and 2 CIS designates various benchmarks as Level 1 or Level 2 to describe the level of thoroughness and burden that each benchmark represents. @@ -137,50 +126,6 @@ This profile extends the "Level 1" profile. Items in this profile exhibit one or - are intended for environments or use cases where security is paramount or acts as defense in depth measure - may negatively inhibit the utility or performance of the technology. -## macOS 13.0 Ventura benchmark - -Fleet's policies have been written against v1.0 of the benchmark. Please refer to the "CIS Apple macOS 13.0 Ventura Benchmark v1.0.0 - 11-14-2022" PDF from the CIS website for full details. - -### Checks that require customer decision - -CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation. - -Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query. -The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`. - -- 2.1.1.1 Audit iCloud Keychain -- 2.1.1.2 Audit iCloud Drive -- 2.5.1 Audit Siri -- 2.8.1 Audit Universal Control - -Furthermore, CIS has decided to not require the following password complexity settings: -- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured -- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured -- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured -- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured - -However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policy. - -### macOS 13.0 Ventura manual checks - -The following CIS benchmark checks cannot be automated and must be addressed manually: -- 2.1.2 Audit App Store Password Settings -- 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information -- 2.6.6 Audit Lockdown Mode -- 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings -- 2.13.1 Audit Passwords System Preference Setting -- 2.14.1 Audit Notification & Focus Settings -- 3.7 Audit Software Inventory -- 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled - -## Windows 10 & 11 Enterprise benchmarks - -Fleet's policies have been written against v2.0.0 of the benchmarks. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. - -### Checks that require a Group Policy template - -Several items require Group Policy templates in place in order to audit them. -These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`. ## Performance testing In August 2023, we completed scale testing on 10k Windows hosts and 70k macOS hosts. Ultimately, we validated both server and host performance at that scale. diff --git a/ee/cis/macos-13/README.md b/ee/cis/macos-13/README.md new file mode 100644 index 0000000000..e49628ac6e --- /dev/null +++ b/ee/cis/macos-13/README.md @@ -0,0 +1,37 @@ +# macOS 13.0 Ventura benchmark + +Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. + +For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation. + +### Limitations + +The following CIS benchmarks cannot be checked with a policy in Fleet: +1. 2.1.2 Audit App Store Password Settings +2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +3. 2.6.6 Audit Lockdown Mode +4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings +5. 2.13.1 Audit Passwords System Preference Setting +6. 2.14.1 Audit Notification & Focus Settings +7. 3.7 Audit Software Inventory +8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + +### Checks that require decision + +CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation. + +Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query. +The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`. + +- 2.1.1.1 Audit iCloud Keychain +- 2.1.1.2 Audit iCloud Drive +- 2.5.1 Audit Siri +- 2.8.1 Audit Universal Control + +Furthermore, CIS has decided to not require the following password complexity settings: +- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured +- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + +However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies. \ No newline at end of file diff --git a/ee/cis/macos-14/README.md b/ee/cis/macos-14/README.md new file mode 100644 index 0000000000..a83cd38d4a --- /dev/null +++ b/ee/cis/macos-14/README.md @@ -0,0 +1,37 @@ +# macOS 14.0 Sonoma benchmark + +Fleet's policies have been written against v1.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. + +For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation. + +### Limitations + +The following CIS benchmarks cannot be checked with a policy in Fleet: +1. 2.1.2 Audit App Store Password Settings +2. 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information +3. 2.6.6 Audit Lockdown Mode +4. 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings +5. 2.13.1 Audit Passwords System Preference Setting +6. 2.14.1 Audit Notification & Focus Settings +7. 3.7 Audit Software Inventory +8. 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled + +### Checks that require decision + +CIS has left the parameters of the following checks up to the benchmark implementer. CIS recommends that an organization make a conscious decision for these benchmarks, but does not make a specific recommendation. + +Fleet has provided both an "enabled" and "disabled" version of these benchmarks. When both policies are added, at least one will fail. Once your organization has made a decision, you can delete one or the other policy query. +The policy will be appended with a `-enabled` or `-disabled` label, such as `2.1.1.1-enabled`. + +- 2.1.1.1 Audit iCloud Keychain +- 2.1.1.2 Audit iCloud Drive +- 2.5.1 Audit Siri +- 2.8.1 Audit Universal Control + +Furthermore, CIS has decided to not require the following password complexity settings: +- 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured +- 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +- 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +- 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + +However, Fleet has provided these as policies. If your organization declines to implement these, simply delete the corresponding policies. \ No newline at end of file diff --git a/ee/cis/win-10/README.md b/ee/cis/win-10/README.md new file mode 100644 index 0000000000..880dd1445b --- /dev/null +++ b/ee/cis/win-10/README.md @@ -0,0 +1,15 @@ +# Windows 10 Enterprise benchmarks + +Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. + +For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation. + +### Limitations + +> None. All items in this version of the benchmark are able to be automated. + + +### Checks that require a Group Policy template + +Several items require Group Policy templates in place in order to audit them. +These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`. \ No newline at end of file diff --git a/ee/cis/win-11/README.md b/ee/cis/win-11/README.md new file mode 100644 index 0000000000..428a365217 --- /dev/null +++ b/ee/cis/win-11/README.md @@ -0,0 +1,15 @@ +# Windows 11 Enterprise benchmarks + +Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. + +For requirements and usage details, see the [CIS Benchmarks](https://fleetdm.com/docs/using-fleet/cis-benchmarks) documentation. + +### Limitations + +> None. All items in this version of the benchmark are able to be automated. + + +### Checks that require a Group Policy template + +Several items require Group Policy templates in place in order to audit them. +These items are tagged with the label `CIS_group_policy_template_required` in the YAML file, and details about the required Group Policy templates can be found in each item's `resolution`. \ No newline at end of file From 43432f0835e1414702cedc2667c80fbcc143c1a5 Mon Sep 17 00:00:00 2001 From: Nathanael Holliday <100959072+hollidayn@users.noreply.github.com> Date: Thu, 21 Mar 2024 15:56:12 -0500 Subject: [PATCH 20/46] Adding vendor process to handbook (#17554) For reference: https://github.com/fleetdm/confidential/issues/5719 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com> --- handbook/business-operations/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/handbook/business-operations/README.md b/handbook/business-operations/README.md index 6bea61ddf0..4c8f16f444 100644 --- a/handbook/business-operations/README.md +++ b/handbook/business-operations/README.md @@ -265,6 +265,13 @@ Within 60 days of the end of the year, follow these steps: - Afterward, post in #random letting folks know that the quarterly tool reconciliation and seat clearing is complete, and that any members who lost access to anything they still need can submit a ZenHub issue to BizOps to have their access restored. - The goal is to build deep, integrated knowledge of tool usage across Fleet and cut costs whenever possible. It will also force conversations on redundancies and decisions that aren't helping the business that otherwise might not be looked at a second time. +### Process a new vendor invoice +- After making sure that an invoice received from a new vendor is valid, add the new vendor to the recurring expenses section of ["The numbers"](https://docs.google.com/spreadsheets/d/1X-brkmUK7_Rgp7aq42drNcUg8ZipzEiS153uKZSabWc/edit#gid=2112277278) before paying the invoice. + +### Process a request to cancel a vendor +- Make the cancellation notification in accordance with the contract terms between Fleet and the vendor, typically these notifications are made via email and may have a specific address that notice must be sent to. If the vendor has an autorenew contract with Fleet there will often be a window of time in which Fleet can cancel, if notification is made after this time period Fleet may be obligated to pay for the subsequent year even if we don't use the vendor during the next contract term. +- Once cancelled, update the recurring expenses section of [The Numbers](https://docs.google.com/spreadsheets/d/1X-brkmUK7_Rgp7aq42drNcUg8ZipzEiS153uKZSabWc/edit#gid=2112277278) to reflect the cancellation by changing the projected monthly burn in column G to $0 and adding "CANCELLED" in front of the vendor's name in column C. + ### Update weekly KPIs - Create the weekly update issue from the template in ZenHub every Friday and update the [KPIs for BizOps](https://docs.google.com/spreadsheets/d/1Hso0LxqwrRVINCyW_n436bNHmoqhoLhC8bcbvLPOs9A/edit#gid=0) by 5pm US central time. - Check the KPI sheet at 5pm US central time to ensure all departments have updated their KPIs on time. If any departments are delinquent, notify the department head and let the [Apprentice to the CEO](https://fleetdm.com/handbook/ceo#team) know so they can put it on the agenda for their next one-on-one with the CEO. From 8ae24ac4a9b092e137fc479efb17e102c3dcf78d Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 21 Mar 2024 13:56:42 -0700 Subject: [PATCH 21/46] [StepSecurity] ci: Harden GitHub Actions (#17767) ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @lukeheath. Please merge the Pull Request to incorporate the requested changes. Please tag @lukeheath on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot Signed-off-by: StepSecurity Bot --- .github/workflows/deploy-vulnerability-dashboard.yml | 5 +++++ .github/workflows/dogfood-gitops.yml | 4 ++-- .github/workflows/test-vulnerability-dashboard-changes.yml | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-vulnerability-dashboard.yml b/.github/workflows/deploy-vulnerability-dashboard.yml index a8196535ab..05c0b4ff88 100644 --- a/.github/workflows/deploy-vulnerability-dashboard.yml +++ b/.github/workflows/deploy-vulnerability-dashboard.yml @@ -6,8 +6,13 @@ on: paths: - 'ee/vulnerability-dashboard/**' +permissions: + contents: read + jobs: build: + permissions: + contents: write # for Git to git push if: ${{ github.repository == 'fleetdm/fleet' }} runs-on: ubuntu-latest diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml index e50cbc7a33..de7974b29a 100644 --- a/.github/workflows/dogfood-gitops.yml +++ b/.github/workflows/dogfood-gitops.yml @@ -23,10 +23,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout our repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Checkout GitOps repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: fleetdm/fleet-gitops ref: main diff --git a/.github/workflows/test-vulnerability-dashboard-changes.yml b/.github/workflows/test-vulnerability-dashboard-changes.yml index abc11f57ae..6c7cf2e2a9 100644 --- a/.github/workflows/test-vulnerability-dashboard-changes.yml +++ b/.github/workflows/test-vulnerability-dashboard-changes.yml @@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} cancel-in-progress: true +permissions: + contents: read + jobs: build: permissions: From 424d7e576a0b59a54b5f03e5d583029cccfac6a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 16:02:13 -0500 Subject: [PATCH 22/46] Bump webpack-dev-middleware from 6.1.1 to 6.1.2 (#17776) --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index ac4c05043a..eca3a26a55 100644 --- a/yarn.lock +++ b/yarn.lock @@ -17840,9 +17840,9 @@ webpack-cli@5.0.1: webpack-merge "^5.7.3" webpack-dev-middleware@^6.1.1: - version "6.1.1" - resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-6.1.1.tgz#6bbc257ec83ae15522de7a62f995630efde7cc3d" - integrity sha512-y51HrHaFeeWir0YO4f0g+9GwZawuigzcAdRNon6jErXy/SqV/+O6eaVAzDqE6t3e3NpGeR5CS+cCDaTC+V3yEQ== + version "6.1.2" + resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-6.1.2.tgz#0463232e59b7d7330fa154121528d484d36eb973" + integrity sha512-Wu+EHmX326YPYUpQLKmKbTyZZJIB8/n6R09pTmB03kJmnMsVPTo9COzHZFr01txwaCAuZvfBJE4ZCHRcKs5JaQ== dependencies: colorette "^2.0.10" memfs "^3.4.12" From 38ea8db7cd9f6349d61718e2fe925301da5a06b5 Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Thu, 21 Mar 2024 16:04:53 -0500 Subject: [PATCH 23/46] Set GitHub workflow DRIs (#17777) --- .github/workflows/{test.yml => test-js.yml} | 2 +- CODEOWNERS | 51 +++++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) rename .github/workflows/{test.yml => test-js.yml} (99%) diff --git a/.github/workflows/test.yml b/.github/workflows/test-js.yml similarity index 99% rename from .github/workflows/test.yml rename to .github/workflows/test-js.yml index cf9c08157f..d0e660ba72 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test-js.yml @@ -1,4 +1,4 @@ -name: Run Tests +name: JavaScript Tests on: push: diff --git a/CODEOWNERS b/CODEOWNERS index 45f22c8841..ead9ee8a62 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -106,5 +106,56 @@ go.mod @fleetdm/go ############################################################################################## /.github/ISSUE_TEMPLATE @mikermcneil @sampfluger88 @lukeheath # See https://github.com/fleetdm/fleet/pull/16203 +############################################################################################## +# 🌐 GitHub workflows +############################################################################################## +/.github/workflows/markdown-link-check-config.json @eashaw +/.github/workflows/deploy-vulnerability-dashboard.yml @eashaw +/.github/workflows/test-website.yml @eashaw +/.github/workflows/test-vulnerability-dashboard-changes.yml @eashaw +/.github/workflows/docs.yml @eashaw +/.github/workflows/deploy-fleet-website.yml @eashaw + +############################################################################################## +# 🚀 GitHub workflows +############################################################################################## +/.github/workflows/README.md @lukeheath +/.github/workflows/goreleaser-fleet.yaml @lukeheath +/.github/workflows/update-certs.yml @lukeheath +/.github/workflows/codeql-analysis.yml @lukeheath +/.github/workflows/codeql.yml @lukeheath +/.github/workflows/scorecards-analysis.yml @lukeheath +/.github/workflows/integration.yml @lukeheath +/.github/workflows/fleetctl-preview.yml @lukeheath +/.github/workflows/fleetctl-preview-latest.yml @lukeheath +/.github/workflows/goreleaser-orbit.yaml @lukeheath +/.github/workflows/trivy-scan.yml @lukeheath +/.github/workflows/goreleaser-snapshot-fleet.yaml @lukeheath +/.github/workflows/build-and-push-fleetctl-docker.yml @lukeheath +/.github/workflows/fleetd-tuf.yml @lucasmrod +/.github/workflows/generate-desktop-targets.yml @lucasmrod +/.github/workflows/test-yml-specs.yml @lucasmrod +/.github/workflows/build-binaries.yaml @lucasmrod +/.github/workflows/fleet-and-orbit.yml @lucasmrod +/.github/workflows/build-orbit.yaml @lucasmrod +/.github/workflows/generate-osqueryd-targets.yml @lucasmrod +/.github/workflows/test-packaging.yml @lucasmrod +/.github/workflows/release-helm.yaml @rfairburn +/.github/workflows/pr-helm.yaml @rfairburn +/.github/workflows/tfvalidate.yml @rfairburn +/.github/workflows/dogfood-deploy.yml @rfairburn +/.github/workflows/test-db-changes.yml @roperzh +/.github/workflows/test-go.yaml @roperzh +/.github/workflows/golangci-lint.yml @roperzh +/.github/workflows/test-native-tooling-packaging.yml @roperzh +/.github/workflows/check-tuf-timestamps.yml @roperzh +/.github/workflows/test-puppet.yml @roperzh +/.github/workflows/generate-nudge-targets.yml @roperzh +/.github/workflows/test-js.yml @ghernandez345 +/.github/workflows/dogfood-gitops.yml @getvictor +/.github/workflows/test-fleetd-chrome.yml @getvictor +/.github/workflows/release-fleetd-chrome.yml @getvictor +/.github/workflows/release-fleetd-chrome-beta.yml @getvictor + # ℹ️ But wait, there's more! # See the comments up top to learn where else DRIs and maintainers are configured. From 4aa854b9d49534b09823ca888eb87e0a290b80bb Mon Sep 17 00:00:00 2001 From: Eric Date: Thu, 21 Mar 2024 16:24:09 -0500 Subject: [PATCH 24/46] Website: Update footer height. (#17781) Closes: #17778 Changes: - Updated the styles for pages with reduced footer links --- website/assets/styles/layout.less | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/website/assets/styles/layout.less b/website/assets/styles/layout.less index de314d96ae..42b4574d6b 100644 --- a/website/assets/styles/layout.less +++ b/website/assets/styles/layout.less @@ -417,7 +417,7 @@ html, body { } } [purpose='page-wrap'].reduced-footer-links { - padding-bottom: 67px; + padding-bottom: 70px; } // Landing page footer styles @@ -425,7 +425,7 @@ html, body { position: absolute; bottom: 0px; width: 100%; - height: 67px; + height: 70px; padding: 24px 32px; color: @core-fleet-black-75; a { @@ -451,9 +451,9 @@ body.detected-mobile { [purpose='page-footer'] { padding: 64px 40px; height: 460px; - } - [purpose='footer-socials'] { - margin-bottom: 32px; + [purpose='footer-socials'] { + margin-bottom: 32px; + } } } @@ -479,15 +479,22 @@ body.detected-mobile { padding: 64px 32px; height: 701px; } + [purpose='page-wrap'].reduced-footer-links { + padding-bottom: 121px; + } + [purpose='reduced-nav-footer'] { + height: 121px; + [purpose='footer-socials'] { + margin-bottom: 32px; + } + } + } @media (max-width: 575px) { [purpose='page-wrap'] { padding-bottom: 925px; } - [purpose='page-wrap'].reduced-footer-links { - padding-bottom: 97px; - } [purpose='page-header'] { padding: 19px 24px; [purpose='mobile-nav'] { @@ -499,8 +506,12 @@ body.detected-mobile { } } } + [purpose='page-wrap'].reduced-footer-links { + padding-bottom: 173px; + } [purpose='reduced-nav-footer'] { - height: 97px; + height: 173px; + padding: 24px; } [purpose='page-footer'] { height: 925px; From 1d8e208c32890561813974b71da70539f14060f1 Mon Sep 17 00:00:00 2001 From: Eric Date: Thu, 21 Mar 2024 16:31:20 -0500 Subject: [PATCH 25/46] Vulnerability dashboard: Add a way to start a local vulnerability dashboard with Docker (#17676) Related to: https://github.com/fleetdm/confidential/issues/5637 Changes: - Added a way to start a vulnerability dashboard with Docker. - Updated the folder readme to include instructions for starting the vulnerability dashboard with docker --- ee/vulnerability-dashboard/.dockerignore | 2 ++ ee/vulnerability-dashboard/Dockerfile | 35 +++++++++++++++++++ ee/vulnerability-dashboard/README.md | 27 +++++++++++++- ee/vulnerability-dashboard/crontab | 1 + ee/vulnerability-dashboard/docker-compose.yml | 31 ++++++++++++++++ ee/vulnerability-dashboard/entrypoint.sh | 31 ++++++++++++++++ 6 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 ee/vulnerability-dashboard/.dockerignore create mode 100644 ee/vulnerability-dashboard/Dockerfile create mode 100644 ee/vulnerability-dashboard/crontab create mode 100644 ee/vulnerability-dashboard/docker-compose.yml create mode 100644 ee/vulnerability-dashboard/entrypoint.sh diff --git a/ee/vulnerability-dashboard/.dockerignore b/ee/vulnerability-dashboard/.dockerignore new file mode 100644 index 0000000000..9303c347ee --- /dev/null +++ b/ee/vulnerability-dashboard/.dockerignore @@ -0,0 +1,2 @@ +node_modules/ +npm-debug.log \ No newline at end of file diff --git a/ee/vulnerability-dashboard/Dockerfile b/ee/vulnerability-dashboard/Dockerfile new file mode 100644 index 0000000000..84a2056fda --- /dev/null +++ b/ee/vulnerability-dashboard/Dockerfile @@ -0,0 +1,35 @@ +# Use the official Node.js 14 image as a base +FROM node:20 + +# Set the working directory in the container +WORKDIR /usr/src/app + +# Copy the package.json +COPY package.json ./ + +# Install vulnerability dashboard dependencies +RUN npm install + +# Copy the vulnerability dashboard into the container +COPY . . + +# Install cron on the Docker image +RUN apt-get update && apt-get install -y cron + +# Add the crontab file for the update reports script to the cron directory +ADD crontab /etc/cron.d/update-reports-cron + +# Give execution rights on the cron job and apply it +RUN chmod 0644 /etc/cron.d/update-reports-cron && crontab /etc/cron.d/update-reports-cron + +# Copy the entrypoint script into the container +COPY entrypoint.sh /usr/src/app/entrypoint.sh + +# Make sure the entrypoint script is executable +RUN chmod +x /usr/src/app/entrypoint.sh + +# Expose the port the vulnerability dashboard runs on +EXPOSE 1337 + +# Set the entrypoint script as the entry point +ENTRYPOINT ["/usr/src/app/entrypoint.sh"] diff --git a/ee/vulnerability-dashboard/README.md b/ee/vulnerability-dashboard/README.md index 82c068793e..e6e6988188 100644 --- a/ee/vulnerability-dashboard/README.md +++ b/ee/vulnerability-dashboard/README.md @@ -26,6 +26,32 @@ f.k.a. "scooper" Original raw notes and context: (private google doc since it contains competitor information: https://docs.google.com/document/d/1ByNWY6n_C-rvL75lI6jca2OniHt5FqA5_nYMf61S0pM/edit#) +## Running the vulnerability dashboard with Docker. + +To run a local vulnerability dashboard with docker, you can follow these instructions. + +1. Clone this repo +2. Update the following ENV variables `ee/vulnerability-dashboard/docker-compose.yml` file: + + 1. `sails_custom__fleetBaseUrl`: The full URL of your Fleet instance. (e.g., https://fleet.example.com) + + 2. `sails_custom__fleetApiToken`: AN API token for an API-only user on your Fleet instance. + + >You can read about how to create an API-only user and get it's token [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) + +3. Open the `ee/vulnerability-dashboard/` folder in your terminal +4. Run `docker compose up --build` to build the vulnerability dashboard's Docker image. + + > The first time the vulnerability dashboard starts it will Initalize the database and run the `update-reports` script before the server starts. + +5. Once the container is done building, the vulnerability dashboard will be available at http://localhost:1337 + + > You can login with the default admin login: + > + >- Email address: `admin@example.com` + > + >- Password: `abc123` + ## How it's made This is a [Sails v1](https://sailsjs.com) application: @@ -35,4 +61,3 @@ This is a [Sails v1](https://sailsjs.com) application: + [Community support options](https://sailsjs.com/support) + **Version info**: This app was originally generated on Sat Dec 10 2022 15:56:06 GMT-0600 (Central Standard Time) using Sails v1.5.3. + This project's boilerplate is based on an expanded seed app provided by the [Sails core team](https://sailsjs.com/about) to make it easier for you to build on top of ready-made features like authentication, enrollment, email verification, and billing. - diff --git a/ee/vulnerability-dashboard/crontab b/ee/vulnerability-dashboard/crontab new file mode 100644 index 0000000000..31f359cb44 --- /dev/null +++ b/ee/vulnerability-dashboard/crontab @@ -0,0 +1 @@ +0 * * * * cd /usr/src/app && /usr/local/bin/node ./node_modules/.bin/sails run update-reports >> /usr/src/app/cron.log 2>&1 diff --git a/ee/vulnerability-dashboard/docker-compose.yml b/ee/vulnerability-dashboard/docker-compose.yml new file mode 100644 index 0000000000..a1c92cdaed --- /dev/null +++ b/ee/vulnerability-dashboard/docker-compose.yml @@ -0,0 +1,31 @@ +version: '3' +services: + vuln-dash: + build: . + ports: + - "1337:1337" + depends_on: + - redis + - postgres + environment: + sails_datastores__default__url: postgres://user:password@postgres:5432/dbname + sails_datastores__default__adapter: sails-postgresql + sails_sockets__url: redis://redis:6379 + sails_session__url: redis://redis:6379 + sails_custom__fleetBaseUrl: '' #Add the base url of your Fleet instance: ex: https://fleet.example.com + sails_custom__fleetApiToken: '' # Add the API token of an API-only user [?] Here's how you get one: https://fleetdm.com/docs/using-fleet/fleetctl-cli#get-the-api-token-of-an-api-only-user + + redis: + image: "redis:alpine" + + postgres: + image: "postgres:alpine" + environment: + POSTGRES_USER: user + POSTGRES_PASSWORD: password + POSTGRES_DB: dbname + volumes: + - pgdata:/var/lib/postgresql/data + +volumes: + pgdata: diff --git a/ee/vulnerability-dashboard/entrypoint.sh b/ee/vulnerability-dashboard/entrypoint.sh new file mode 100644 index 0000000000..8d5566eb15 --- /dev/null +++ b/ee/vulnerability-dashboard/entrypoint.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +if [ -z "$sails_custom__fleetBaseUrl" ] && [ -z "$sails_custom__fleetApiToken" ]; then + echo 'ERROR: Missing environment variables. Please set "sails_custom__fleetApiToken" and "sails_custom__fleetBaseUrl" and and try starting this container again' + exit 1 +elif [ -z "$sails_custom__fleetBaseUrl" ]; then + echo 'ERROR: Missing environment variables. Please set "sails_custom__fleetBaseUrl" and try starting this container again' + exit 1 +elif [ -z "$sails_custom__fleetApiToken" ]; then + echo 'ERROR: Missing environment variables. Please set "sails_custom__fleetApiToken" and and try starting this container again' + exit 1 +fi + +# Check if the vulnerability dashboard has been initialized before +if [ ! -f "/usr/src/app/.initialized" ]; then + # if it hasn't, lift the app with in console mode with the --drop flag to create our databsae tables. + echo '.exit' | node ./node_modules/sails/bin/sails console --drop + + touch /usr/src/app/.initialized + # run the `update-reports` script + node ./node_modules/sails/bin/sails run update-reports +fi + +# Expose the container's ENV variables to cron +printenv >> /etc/environment + +# Start cron +cron + +# Start the vulnerability dashboard +exec node app.js From ceddd26a736ef272ffbd8b980b410bb91aecbd14 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 17:57:21 -0400 Subject: [PATCH 26/46] Update macos-device-health.policies.yml (#17783) - Fix guest account and password policies --- .../lib/macos-device-health.policies.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml index 401c086fa0..6fdc883204 100644 --- a/it-and-security/lib/macos-device-health.policies.yml +++ b/it-and-security/lib/macos-device-health.policies.yml @@ -11,13 +11,25 @@ resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true. platform: darwin - name: macOS - Disable guest account - query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1; + query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0; critical: false description: This policy checks if the guest account is disabled. resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true. platform: darwin - name: macOS - Require 10 character password - query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0; + query: SELECT 1 WHERE + EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='askForPassword' AND + CAST(value AS INT) + ) + AND EXISTS ( + SELECT 1 FROM managed_policies WHERE + domain='com.apple.screensaver' AND + name='minLength' AND + CAST(value AS INT) <= 10 + ); critical: false description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10. @@ -40,4 +52,4 @@ critical: false description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes. - platform: darwin \ No newline at end of file + platform: darwin From a9b5619d1c52f69533ef00ab9cd0086b53993e60 Mon Sep 17 00:00:00 2001 From: Eric Date: Thu, 21 Mar 2024 17:16:22 -0500 Subject: [PATCH 27/46] Website: Update number of hosts input on /contact page (#17784) Closes: https://github.com/fleetdm/confidential/issues/5826 Changes: - Added a minimum to the number of hosts input on the /contact page --- website/views/pages/contact.ejs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/views/pages/contact.ejs b/website/views/pages/contact.ejs index 386ace9101..d7bcf17d6a 100644 --- a/website/views/pages/contact.ejs +++ b/website/views/pages/contact.ejs @@ -89,7 +89,7 @@
- +

Includes computers, servers, containers, and other hosts.

Please enter a number of devices
From 92771a629e38a381244fbdb989929a4817865cf9 Mon Sep 17 00:00:00 2001 From: Eric Date: Thu, 21 Mar 2024 17:26:35 -0500 Subject: [PATCH 28/46] Website: Update `build-static-content` script to ignore pages in the docs/contributing/ folder. (#17706) Closes: #17667 Changes: - Updated `build-static-content` to skip pages in the docs/contributing folder when Markdown pages are converted to HTML partials. --- website/scripts/build-static-content.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/scripts/build-static-content.js b/website/scripts/build-static-content.js index 9ab8a3f846..4e039ab4fd 100644 --- a/website/scripts/build-static-content.js +++ b/website/scripts/build-static-content.js @@ -202,6 +202,11 @@ module.exports = { .replace(/(^|\/)([^/]+)\.[^/]*$/, '$1$2') .split(/\//).map((fileOrFolderName) => fileOrFolderName.toLowerCase().replace(/\s+/g, '-')).join('/') ); + + // If this page is in the docs/contributing/ folder, skip it. + if(sectionRepoPath === 'docs/' && _.startsWith(pageUnextensionedUnwhitespacedLowercasedRelPath, 'contributing/')){ + continue; + } let RX_README_FILENAME = /\/?readme\.?m?d?$/i;// « for matching `readme` or `readme.md` (case-insensitive) at the end of a file path // Determine this page's default (fallback) display title. From 7ae21d2fda8b2159ff856620cf0a37335884e862 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 18:38:05 -0400 Subject: [PATCH 29/46] Update macos-device-health.policies.yml (#17785) - Add 1Password recovery kit policy --- it-and-security/lib/macos-device-health.policies.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml index 6fdc883204..ea00f2baa6 100644 --- a/it-and-security/lib/macos-device-health.policies.yml +++ b/it-and-security/lib/macos-device-health.policies.yml @@ -53,3 +53,9 @@ description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes. platform: darwin +- name: macOS - No 1Password emergency kit stored on desktop or in downloads + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared')); + critical: false + description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits." + resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location." + platform: darwin From 3c33e830855380fbca08a884c38313e31a19ca0e Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 21 Mar 2024 18:48:56 -0400 Subject: [PATCH 30/46] Update standard-query-library.yml (#17782) - Policy's fail when they return no results --- .../standard-query-library/standard-query-library.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml index f5fb4ee816..4e451247b6 100644 --- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml +++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml @@ -880,7 +880,7 @@ apiVersion: v1 kind: policy spec: name: No 1Password emergency kit stored on desktop or in downloads (macOS) - query: SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared'); + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared')); description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits." resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location." platform: darwin From a71e4c7d926a40d2c334a07667cbaadcd7e5f6ad Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Fri, 22 Mar 2024 11:42:11 +0100 Subject: [PATCH 31/46] Typo: "removing" /past from host's activities API (#16871) Typo: "removing" /past from host's activities API # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Rachael Shaw --- docs/REST API/rest-api.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 12d9f89060..671831ccb5 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -3875,19 +3875,19 @@ To wipe a macOS or Windows host, the host must have MDM turned on. To lock a Lin ### Get host's past activity -`GET /api/v1/fleet/hosts/:id/activites/past` +`GET /api/v1/fleet/hosts/:id/activities` #### Parameters | Name | Type | In | Description | | ---- | ------- | ---- | ---------------------------- | -| id | integer | path | **Required**. The host's id. | +| id | integer | path | **Required**. The host's ID. | | page | integer | query | Page number of the results to fetch.| | per_page | integer | query | Results per page.| #### Example -`GET /api/v1/fleet/hosts/12/activities/past` +`GET /api/v1/fleet/hosts/12/activities` ##### Default response From 4246d25914db3babf88376d59dc21c4f7abe71a2 Mon Sep 17 00:00:00 2001 From: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com> Date: Fri, 22 Mar 2024 10:32:18 -0500 Subject: [PATCH 32/46] Update custom.js (#17795) --- website/config/custom.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/config/custom.js b/website/config/custom.js index c31b77b5d3..099b220802 100644 --- a/website/config/custom.js +++ b/website/config/custom.js @@ -143,7 +143,7 @@ module.exports.custom = { 'ee/vulnerability-dashboard/config': 'mikermcneil', 'ee/vulnerability-dashboard/config/routes.js': 'eashaw',//« Vulnerability dashboard redirects and URLs 'ee/vulnerability-dashboard/scripts': 'mikermcneil', - 'ee/vulnerability-dashboard/package.json': 'eashaw', + 'ee/vulnerability-dashboard/package.json': 'mikermcneil', // 🫧 Pricing and features // 'website/views/pages/pricing.ejs': '', // « Covered in CODEOWNERS (2023-07-22) From 2fe01741df1d3a78baf125da14760d877ce42503 Mon Sep 17 00:00:00 2001 From: Nathanael Holliday <100959072+hollidayn@users.noreply.github.com> Date: Fri, 22 Mar 2024 11:49:35 -0500 Subject: [PATCH 33/46] Update security-policies.md (#17648) Replaced zwass with JoStableford and updated effective dates for the new DRIs --- .../business-operations/security-policies.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/handbook/business-operations/security-policies.md b/handbook/business-operations/security-policies.md index c4f3842cfc..cde44d2837 100644 --- a/handbook/business-operations/security-policies.md +++ b/handbook/business-operations/security-policies.md @@ -25,7 +25,7 @@ All Fleet employees and long-term collaborators are expected to read and electro | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2023-06-01 | +| @Jostableford | 2024-03-14 | Fleet requires all team members to comply with the following acceptable use requirements and procedures: @@ -60,7 +60,7 @@ When in doubt, **ASK!** (in [#g-security](https://fleetdm.slack.com/archives/C03 | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet requires all workforce members to comply with the following acceptable use requirements and procedures, such that: @@ -117,7 +117,7 @@ Fleet policy requires that: | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | You can't protect what you can't see. Therefore, Fleet must maintain an accurate and up-to-date inventory of its physical and digital assets. @@ -134,7 +134,7 @@ Fleet policy requires that: | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | The Fleet business continuity and disaster recovery plan establishes procedures to recover Fleet following a disruption resulting from a disaster. @@ -341,7 +341,7 @@ This process is followed when offboarding a customer and deleting all of the pro | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet requires all workforce members to comply with the encryption policy, such that: @@ -708,7 +708,7 @@ incident response plan annually. | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet Device Management is committed to conducting business in compliance with all applicable laws, regulations, and company policies. Fleet has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use. @@ -728,7 +728,7 @@ CTO | Oversight over information sec | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet policy requires @@ -749,7 +749,7 @@ Fleet policy requires | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet policy requires: @@ -811,7 +811,7 @@ Fleet policy requires that: | Policy owner | Effective date | | -------------- | -------------- | -| @zwass | 2022-06-01 | +| @Jostableford | 2024-03-14 | Fleet policy requires that: From 6b28474362ebe5f812ad0338a659baf70bf5a63d Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Fri, 22 Mar 2024 12:51:03 -0400 Subject: [PATCH 34/46] Update product design handbook (#17790) - Only notify channel if there are changes. Why? Less noise --- handbook/product-design/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handbook/product-design/README.md b/handbook/product-design/README.md index 21e61fe871..835982d970 100644 --- a/handbook/product-design/README.md +++ b/handbook/product-design/README.md @@ -170,7 +170,7 @@ Every week, a member of the product team looks up whether there is: 4. a release of CIS Benchmarks for [macOS 14 Sonoma](https://workbench.cisecurity.org/community/20/benchmarks?q=sonoma&status=&sortBy=version&type=desc) 5. a new major or minor version of [ChromeOS](https://chromereleases.googleblog.com/search/label/Chrome%20OS) -The DRI should record the latest versions in the [maintenance tracker](https://docs.google.com/spreadsheets/d/1IWfQtSkOQgm_JIQZ0i2y3A8aaK5vQW1ayWRk6-4FOp0/edit#gid=0) and then notify the [#help-product-design Slack channel](https://fleetdm.slack.com/archives/C02A8BRABB5) with an update, noting the current versions and highlighting any changes. +The DRI should record the latest versions in the [maintenance tracker](https://docs.google.com/spreadsheets/d/1IWfQtSkOQgm_JIQZ0i2y3A8aaK5vQW1ayWRk6-4FOp0/edit#gid=0). If there are any changes, the DRI sends an update in the [#help-product-design Slack channel](https://fleetdm.slack.com/archives/C02A8BRABB5). ### View Fleet usage statistics In order to understand the usage of the Fleet product, we [collect statistics](https://fleetdm.com/docs/using-fleet/usage-statistics) from installations where this functionality is enabled. From 0d8b51a5b3adfc7adaf63dd5cacdffc4cb4e25c0 Mon Sep 17 00:00:00 2001 From: Eric Date: Fri, 22 Mar 2024 11:54:23 -0500 Subject: [PATCH 35/46] Website: Remove /upgrade page. (#17754) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes: #17477 Changes: - Removed the /upgrade page - Added a redirect: `/upgrade` » `/pricing` --- .../deliver-premium-upgrade-form.js | 72 ------ website/api/controllers/view-upgrade.js | 27 -- .../images/premium-landing-feature-1.svg | 72 ------ .../images/premium-landing-feature-2.svg | 148 ----------- .../images/premium-landing-feature-3.svg | 231 ------------------ .../images/premium-landing-feature-4.svg | 123 ---------- .../images/premium-landing-feature-5.svg | 74 ------ website/assets/js/pages/upgrade.page.js | 64 ----- website/assets/styles/importer.less | 1 - website/assets/styles/pages/upgrade.less | 199 --------------- website/config/policies.js | 2 - website/config/routes.js | 11 +- website/views/layouts/layout.ejs | 1 - website/views/pages/upgrade.ejs | 109 --------- 14 files changed, 1 insertion(+), 1133 deletions(-) delete mode 100644 website/api/controllers/deliver-premium-upgrade-form.js delete mode 100644 website/api/controllers/view-upgrade.js delete mode 100644 website/assets/images/premium-landing-feature-1.svg delete mode 100644 website/assets/images/premium-landing-feature-2.svg delete mode 100644 website/assets/images/premium-landing-feature-3.svg delete mode 100644 website/assets/images/premium-landing-feature-4.svg delete mode 100644 website/assets/images/premium-landing-feature-5.svg delete mode 100644 website/assets/js/pages/upgrade.page.js delete mode 100644 website/assets/styles/pages/upgrade.less delete mode 100644 website/views/pages/upgrade.ejs diff --git a/website/api/controllers/deliver-premium-upgrade-form.js b/website/api/controllers/deliver-premium-upgrade-form.js deleted file mode 100644 index 783191f13e..0000000000 --- a/website/api/controllers/deliver-premium-upgrade-form.js +++ /dev/null @@ -1,72 +0,0 @@ -module.exports = { - - - friendlyName: 'Deliver premium upgrade form', - - - description: 'Delivers a Fleet Premium upgrade form submission to a Zapier webhook', - - - inputs: { - organization: { - type: 'string', - required: true, - }, - - monthsUsingFleetFree: { - type: 'string', - required: true, - example: '1 - 3 months' - }, - - emailAddress: { - type: 'string', - isEmail: true, - required: true, - }, - - numberOfHosts: { - type: 'number', - required: true, - isInteger: true, - } - }, - - - exits: { - success: { - description: 'The Fleet Premium upgrade form submission was sent to Zapier successfully.' - } - }, - - - fn: async function ({organization, monthsUsingFleetFree, emailAddress, numberOfHosts}) { - - if(!sails.config.custom.zapierSandboxWebhookSecret) { - throw new Error('Message not delivered: zapierSandboxWebhookSecret needs to be configured in sails.config.custom.'); - } - - // Send a POST request to Zapier - await sails.helpers.http.post( - 'https://hooks.zapier.com/hooks/catch/3627242/bvxxkjf/', - { - 'emailAddress': emailAddress, - 'organization': organization, - 'numberOfHosts': numberOfHosts, - 'monthsUsingFleetFree': monthsUsingFleetFree, - 'webhookSecret': sails.config.custom.zapierSandboxWebhookSecret - } - ) - .timeout(5000) - .tolerate(['non200Response', 'requestFailed', {name: 'TimeoutError'}], (err)=>{ - // Note that Zapier responds with a 2xx status code even if something goes wrong, so just because this message is not logged doesn't mean everything is hunky dory. More info: https://github.com/fleetdm/fleet/pull/6380#issuecomment-1204395762 - sails.log.warn(`When a user submitted the Fleet Premium upgrade form, an error occurred while sending a request to Zapier. Raw error: ${require('util').inspect(err)}`); - return; - });//∞ - - // All done. - return; - } - - -}; diff --git a/website/api/controllers/view-upgrade.js b/website/api/controllers/view-upgrade.js deleted file mode 100644 index e946b02700..0000000000 --- a/website/api/controllers/view-upgrade.js +++ /dev/null @@ -1,27 +0,0 @@ -module.exports = { - - - friendlyName: 'View upgrade', - - - description: 'Display "Upgrade" page.', - - - exits: { - - success: { - viewTemplatePath: 'pages/upgrade' - } - - }, - - - fn: async function () { - - // Respond with view. - return {}; - - } - - -}; diff --git a/website/assets/images/premium-landing-feature-1.svg b/website/assets/images/premium-landing-feature-1.svg deleted file mode 100644 index 39945d4cfd..0000000000 --- a/website/assets/images/premium-landing-feature-1.svg +++ /dev/null @@ -1,72 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/website/assets/images/premium-landing-feature-2.svg b/website/assets/images/premium-landing-feature-2.svg deleted file mode 100644 index 61e48c60d3..0000000000 --- a/website/assets/images/premium-landing-feature-2.svg +++ /dev/null @@ -1,148 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/website/assets/images/premium-landing-feature-3.svg b/website/assets/images/premium-landing-feature-3.svg deleted file mode 100644 index 28a0ffeaea..0000000000 --- a/website/assets/images/premium-landing-feature-3.svg +++ /dev/null @@ -1,231 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/website/assets/images/premium-landing-feature-4.svg b/website/assets/images/premium-landing-feature-4.svg deleted file mode 100644 index 239a1cc75c..0000000000 --- a/website/assets/images/premium-landing-feature-4.svg +++ /dev/null @@ -1,123 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/website/assets/images/premium-landing-feature-5.svg b/website/assets/images/premium-landing-feature-5.svg deleted file mode 100644 index 50ddd2e529..0000000000 --- a/website/assets/images/premium-landing-feature-5.svg +++ /dev/null @@ -1,74 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/website/assets/js/pages/upgrade.page.js b/website/assets/js/pages/upgrade.page.js deleted file mode 100644 index 9281c1a9b7..0000000000 --- a/website/assets/js/pages/upgrade.page.js +++ /dev/null @@ -1,64 +0,0 @@ -parasails.registerPage('upgrade', { - // ╦╔╗╔╦╔╦╗╦╔═╗╦ ╔═╗╔╦╗╔═╗╔╦╗╔═╗ - // ║║║║║ ║ ║╠═╣║ ╚═╗ ║ ╠═╣ ║ ║╣ - // ╩╝╚╝╩ ╩ ╩╩ ╩╩═╝ ╚═╝ ╩ ╩ ╩ ╩ ╚═╝ - data: { - formData: { - monthsUsingFleetFree: 'Please select one', - }, - - // For tracking client-side validation errors in our form. - // > Has property set to `true` for each invalid property in `formData`. - formErrors: { /* … */ }, - - // Form rules - formRules: { - organization: {required: true }, - monthsUsingFleetFree: { - required: true, - isIn:[ - '1 - 3 months', - '3 - 6 months', - '6 - 12 months', - '12+ months', - ] - }, - emailAddress: {required: true, isEmail: true}, - numberOfHosts: {required: true }, - }, - cloudError: '', - // Syncing / loading state - syncing: false, - cloudSuccess: false, - }, - - // ╦ ╦╔═╗╔═╗╔═╗╦ ╦╔═╗╦ ╔═╗ - // ║ ║╠╣ ║╣ ║ ╚╦╝║ ║ ║╣ - // ╩═╝╩╚ ╚═╝╚═╝ ╩ ╚═╝╩═╝╚═╝ - beforeMount: function() { - //… - }, - mounted: async function() { - //… - }, - - // ╦╔╗╔╔╦╗╔═╗╦═╗╔═╗╔═╗╔╦╗╦╔═╗╔╗╔╔═╗ - // ║║║║ ║ ║╣ ╠╦╝╠═╣║ ║ ║║ ║║║║╚═╗ - // ╩╝╚╝ ╩ ╚═╝╩╚═╩ ╩╚═╝ ╩ ╩╚═╝╝╚╝╚═╝ - methods: { - typeClearOneFormError: async function(field) { - if(this.formErrors[field]){ - this.formErrors = _.omit(this.formErrors, field); - } - }, - submittedForm: function() { - this.cloudSuccess = true; - }, - _resetForms: async function() { - this.cloudError = ''; - this.formData = {}; - this.formErrors = {}; - await this.forceRender(); - }, - } -}); diff --git a/website/assets/styles/importer.less b/website/assets/styles/importer.less index 7d4131d5cf..0d2f94d678 100644 --- a/website/assets/styles/importer.less +++ b/website/assets/styles/importer.less @@ -65,7 +65,6 @@ @import 'pages/vanta-authorization.less'; @import 'pages/admin/generate-license.less'; @import 'pages/device-management.less'; -@import 'pages/upgrade.less'; @import 'pages/endpoint-ops.less'; @import 'pages/transparency.less'; @import 'pages/press-kit.less'; diff --git a/website/assets/styles/pages/upgrade.less b/website/assets/styles/pages/upgrade.less deleted file mode 100644 index e883a27e38..0000000000 --- a/website/assets/styles/pages/upgrade.less +++ /dev/null @@ -1,199 +0,0 @@ -#upgrade { - background: linear-gradient(180deg, rgba(232, 241, 246, 0.5) 4.75%, rgba(255, 255, 255, 0) 37.29%); - [purpose='page-container'] { - padding-top: 100px; - padding-bottom: 120px; - max-width: 1200px; - margin-left: auto; - margin-right: auto; - padding-left: 40px; - padding-right: 40px; - } - h1 { - font-weight: 800; - font-size: 40px; - line-height: 48px; - text-align: left; - margin-bottom: 80px; - } - h2 { - font-weight: 800; - font-size: 28px; - line-height: 38px; - } - h3 { - font-weight: 700; - font-size: 20px; - line-height: 24px; - margin-bottom: 16px; - } - a { - font-size: 14px; - color: @core-vibrant-blue; - text-decoration: underline; - } - - [purpose='feature'] { - img { - margin-left: auto; - margin-right: auto; - } - [purpose='feature-image'] { - min-width: 160px; - margin-right: 40px; - } - margin-bottom: 80px; - } - [purpose='upgrade-form'] { - margin-left: 80px; - padding: 40px; - background: #F9FAFC; - box-shadow: 0px 0px 0px 1px #E2E4EA; - border-radius: 8px; - width: 480px; - input { - border: 1px solid #C5C7D1; - border-radius: 6px; - height: 48px; - font-size: 16px; - color: @core-fleet-black; - -webkit-appearance: none; - } - select { - // for hiding the -
Please enter the name of your company.
- -
- - -
Please select an option
-
-
- - -
This doesn’t appear to be a valid email address
-
-
- - -
Please enter a number of devices.
-
- -
- Submit -
- -

We will never spam you.

- - <%// Form success state %> -
-

We’ll be in touch soon!

-

A member of our team will be in touch within one business day.

-
- - - - -<%- /* Expose server-rendered data as window.SAILS_LOCALS :: */ exposeLocalsToBrowser() %> From 413107b93a9b615370e24c47630a485d4a6a0c23 Mon Sep 17 00:00:00 2001 From: Eric Date: Fri, 22 Mar 2024 12:01:15 -0500 Subject: [PATCH 36/46] Vuln dashboard: Update Okta SSO hook (#17773) Closes: #17772 More context: https://github.com/fleetdm/fleet/pull/17601#issuecomment-2013383611 Changes: - Updated the order of the vulnerability dashboard's HTTP middleware if Okta SSO is enabled. --- .../api/hooks/{OktaSSO => okta-sso}/index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename ee/vulnerability-dashboard/api/hooks/{OktaSSO => okta-sso}/index.js (96%) diff --git a/ee/vulnerability-dashboard/api/hooks/OktaSSO/index.js b/ee/vulnerability-dashboard/api/hooks/okta-sso/index.js similarity index 96% rename from ee/vulnerability-dashboard/api/hooks/OktaSSO/index.js rename to ee/vulnerability-dashboard/api/hooks/okta-sso/index.js index d66c67db1e..d50c580c98 100644 --- a/ee/vulnerability-dashboard/api/hooks/OktaSSO/index.js +++ b/ee/vulnerability-dashboard/api/hooks/okta-sso/index.js @@ -35,6 +35,7 @@ module.exports = function (sails){ } // Clone the existing routes + // NOTE: Changing sails.config after the app lifts goes against Sails.js conventions and this code should not be reproduced. let appRoutes = Object.assign({}, sails.config.routes); // Remove the routes for the built-in login page.. delete appRoutes['GET /login']; @@ -45,9 +46,9 @@ module.exports = function (sails){ 'bodyParser', 'compress', 'poweredBy', + 'www',// Note: This changes the conventions of Sails.js. Don't ever replicate this or use Passport.js. 'oktaSSO', 'router', - 'www', 'favicon', ]; // Specify a custom http middleware order, placing the Okta middleware before the router. This is so the routes generated by Okta will take precedence over the sails router. From b5a81f93d948428823f051e299e8a7b7e072e4bf Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Fri, 22 Mar 2024 12:29:07 -0500 Subject: [PATCH 37/46] Add myself as codeowner to all engineering workflows (#17800) --- CODEOWNERS | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index ead9ee8a62..4c3dcb908e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -132,30 +132,30 @@ go.mod @fleetdm/go /.github/workflows/trivy-scan.yml @lukeheath /.github/workflows/goreleaser-snapshot-fleet.yaml @lukeheath /.github/workflows/build-and-push-fleetctl-docker.yml @lukeheath -/.github/workflows/fleetd-tuf.yml @lucasmrod -/.github/workflows/generate-desktop-targets.yml @lucasmrod -/.github/workflows/test-yml-specs.yml @lucasmrod -/.github/workflows/build-binaries.yaml @lucasmrod -/.github/workflows/fleet-and-orbit.yml @lucasmrod -/.github/workflows/build-orbit.yaml @lucasmrod -/.github/workflows/generate-osqueryd-targets.yml @lucasmrod -/.github/workflows/test-packaging.yml @lucasmrod -/.github/workflows/release-helm.yaml @rfairburn -/.github/workflows/pr-helm.yaml @rfairburn -/.github/workflows/tfvalidate.yml @rfairburn -/.github/workflows/dogfood-deploy.yml @rfairburn -/.github/workflows/test-db-changes.yml @roperzh -/.github/workflows/test-go.yaml @roperzh -/.github/workflows/golangci-lint.yml @roperzh -/.github/workflows/test-native-tooling-packaging.yml @roperzh -/.github/workflows/check-tuf-timestamps.yml @roperzh -/.github/workflows/test-puppet.yml @roperzh -/.github/workflows/generate-nudge-targets.yml @roperzh -/.github/workflows/test-js.yml @ghernandez345 -/.github/workflows/dogfood-gitops.yml @getvictor -/.github/workflows/test-fleetd-chrome.yml @getvictor -/.github/workflows/release-fleetd-chrome.yml @getvictor -/.github/workflows/release-fleetd-chrome-beta.yml @getvictor +/.github/workflows/fleetd-tuf.yml @lucasmrod @lukeheath +/.github/workflows/generate-desktop-targets.yml @lucasmrod @lukeheath +/.github/workflows/test-yml-specs.yml @lucasmrod @lukeheath +/.github/workflows/build-binaries.yaml @lucasmrod @lukeheath +/.github/workflows/fleet-and-orbit.yml @lucasmrod @lukeheath +/.github/workflows/build-orbit.yaml @lucasmrod @lukeheath +/.github/workflows/generate-osqueryd-targets.yml @lucasmrod @lukeheath +/.github/workflows/test-packaging.yml @lucasmrod @lukeheath +/.github/workflows/release-helm.yaml @rfairburn @lukeheath +/.github/workflows/pr-helm.yaml @rfairburn @lukeheath +/.github/workflows/tfvalidate.yml @rfairburn @lukeheath +/.github/workflows/dogfood-deploy.yml @rfairburn @lukeheath +/.github/workflows/test-db-changes.yml @roperzh @lukeheath +/.github/workflows/test-go.yaml @roperzh @lukeheath +/.github/workflows/golangci-lint.yml @roperzh @lukeheath +/.github/workflows/test-native-tooling-packaging.yml @roperzh @lukeheath +/.github/workflows/check-tuf-timestamps.yml @roperzh @lukeheath +/.github/workflows/test-puppet.yml @roperzh @lukeheath +/.github/workflows/generate-nudge-targets.yml @roperzh @lukeheath +/.github/workflows/test-js.yml @ghernandez345 @lukeheath +/.github/workflows/dogfood-gitops.yml @getvictor @lukeheath +/.github/workflows/test-fleetd-chrome.yml @getvictor @lukeheath +/.github/workflows/release-fleetd-chrome.yml @getvictor @lukeheath +/.github/workflows/release-fleetd-chrome-beta.yml @getvictor @lukeheath # ℹ️ But wait, there's more! # See the comments up top to learn where else DRIs and maintainers are configured. From 644dddce4f692c1116cb83e92debad50852d40ca Mon Sep 17 00:00:00 2001 From: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Date: Fri, 22 Mar 2024 15:12:19 -0400 Subject: [PATCH 38/46] =?UTF-8?q?[released=20bug]=20Fleet=20UI:=20standard?= =?UTF-8?q?=20query=20library=20platforms=20render=20prop=E2=80=A6=20(#177?= =?UTF-8?q?12)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- changes/17662-render-standard-query-platforms-correctly | 1 + .../queries/edit/components/EditQueryForm/EditQueryForm.tsx | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changes/17662-render-standard-query-platforms-correctly diff --git a/changes/17662-render-standard-query-platforms-correctly b/changes/17662-render-standard-query-platforms-correctly new file mode 100644 index 0000000000..c625264580 --- /dev/null +++ b/changes/17662-render-standard-query-platforms-correctly @@ -0,0 +1 @@ +- Fixes UI bug to render the query platform correctly for queries imported from the standard query library diff --git a/frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx b/frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx index e6ac26e7c2..c5b70d70a9 100644 --- a/frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx +++ b/frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx @@ -724,7 +724,7 @@ const EditQueryForm = ({ placeholder="Select" label="Platform" onChange={onChangeSelectPlatformOptions} - value={lastEditedQueryPlatforms} + value={lastEditedQueryPlatforms.replace(/\s/g, "")} // NOTE: FE requires no whitespace to render UI multi wrapperClassName={`${baseClass}__form-field form-field--platform`} helpText="By default, your query collects data on all compatible platforms." From d5df23964b0b52f1d442b66ffe4451dc2a9ef969 Mon Sep 17 00:00:00 2001 From: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Date: Fri, 22 Mar 2024 15:26:09 -0400 Subject: [PATCH 39/46] Fleet UI: Clickable elements include cursor hover state (#17688) --- changes/17208-hover-states | 1 + .../forms/fields/Checkbox/_styles.scss | 23 +++++++++++++++++++ .../forms/fields/Dropdown/_styles.scss | 2 ++ .../pages/DashboardPage/cards/MDM/MDM.tsx | 1 + .../components/LabelFilterSelect/_styles.scss | 4 ++++ 5 files changed, 31 insertions(+) create mode 100644 changes/17208-hover-states diff --git a/changes/17208-hover-states b/changes/17208-hover-states new file mode 100644 index 0000000000..5ae0c7f17a --- /dev/null +++ b/changes/17208-hover-states @@ -0,0 +1 @@ +Fleet UI: Add hover states to clickable elements diff --git a/frontend/components/forms/fields/Checkbox/_styles.scss b/frontend/components/forms/fields/Checkbox/_styles.scss index 1bd81b1e2a..3aa8725df1 100644 --- a/frontend/components/forms/fields/Checkbox/_styles.scss +++ b/frontend/components/forms/fields/Checkbox/_styles.scss @@ -22,6 +22,13 @@ border: solid 2px $core-vibrant-blue; } + &:hover { + &::after { + background-color: $core-vibrant-blue-over; + border: solid 2px $core-vibrant-blue-over; + } + } + &::before { @include position(absolute, 50% null null 50%); transform: rotate(45deg); @@ -42,6 +49,7 @@ @include size(20px); @include position(absolute, 0 null null 0); display: inline-block; + cursor: pointer; &::after { @include size(20px); @@ -54,11 +62,17 @@ background-color: $core-white; visibility: visible; } + &:hover { + &::after { + border: solid 2px $core-vibrant-blue-over; + } + } &--disabled { &::after { background-color: $ui-fleet-black-25; } + cursor: default; } &--indeterminate { @@ -67,6 +81,15 @@ border: solid 1px $core-vibrant-blue; } + &:hover { + &::after { + &::after { + background-color: $core-vibrant-blue-over; + border: solid 1px $core-vibrant-blue-over; + } + } + } + &::before { @include position(absolute, 50% null null 50%); box-sizing: border-box; diff --git a/frontend/components/forms/fields/Dropdown/_styles.scss b/frontend/components/forms/fields/Dropdown/_styles.scss index d955d357f2..5523158b09 100644 --- a/frontend/components/forms/fields/Dropdown/_styles.scss +++ b/frontend/components/forms/fields/Dropdown/_styles.scss @@ -75,6 +75,8 @@ background-color: $ui-light-grey; border: 0; border-radius: $border-radius; + cursor: pointer; + .Select-value { font-size: $small; background-color: $ui-light-grey; diff --git a/frontend/pages/DashboardPage/cards/MDM/MDM.tsx b/frontend/pages/DashboardPage/cards/MDM/MDM.tsx index e102869a4d..2e79bd8749 100644 --- a/frontend/pages/DashboardPage/cards/MDM/MDM.tsx +++ b/frontend/pages/DashboardPage/cards/MDM/MDM.tsx @@ -166,6 +166,7 @@ const Mdm = ({ isAllPagesSelected={false} disableCount disablePagination + disableMultiRowSelect onClickRow={handleSolutionRowClick} /> )} diff --git a/frontend/pages/hosts/ManageHostsPage/components/LabelFilterSelect/_styles.scss b/frontend/pages/hosts/ManageHostsPage/components/LabelFilterSelect/_styles.scss index 0c1ed6fac5..72ab4f59e9 100644 --- a/frontend/pages/hosts/ManageHostsPage/components/LabelFilterSelect/_styles.scss +++ b/frontend/pages/hosts/ManageHostsPage/components/LabelFilterSelect/_styles.scss @@ -26,6 +26,10 @@ border-radius: $border-radius; height: 40px; + :hover { + cursor: pointer; + } + &--is-focused, &--menu-is-open, &:hover { From b6ab842db223990e6340e5c36bfa2c6090d166bd Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Fri, 22 Mar 2024 15:32:09 -0500 Subject: [PATCH 40/46] Add EMs to engineering workflows codeowners (#17808) --- CODEOWNERS | 74 +++++++++++++++++++++++++++--------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 4c3dcb908e..a44b1a2d2a 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -119,43 +119,43 @@ go.mod @fleetdm/go ############################################################################################## # 🚀 GitHub workflows ############################################################################################## -/.github/workflows/README.md @lukeheath -/.github/workflows/goreleaser-fleet.yaml @lukeheath -/.github/workflows/update-certs.yml @lukeheath -/.github/workflows/codeql-analysis.yml @lukeheath -/.github/workflows/codeql.yml @lukeheath -/.github/workflows/scorecards-analysis.yml @lukeheath -/.github/workflows/integration.yml @lukeheath -/.github/workflows/fleetctl-preview.yml @lukeheath -/.github/workflows/fleetctl-preview-latest.yml @lukeheath -/.github/workflows/goreleaser-orbit.yaml @lukeheath -/.github/workflows/trivy-scan.yml @lukeheath -/.github/workflows/goreleaser-snapshot-fleet.yaml @lukeheath -/.github/workflows/build-and-push-fleetctl-docker.yml @lukeheath -/.github/workflows/fleetd-tuf.yml @lucasmrod @lukeheath -/.github/workflows/generate-desktop-targets.yml @lucasmrod @lukeheath -/.github/workflows/test-yml-specs.yml @lucasmrod @lukeheath -/.github/workflows/build-binaries.yaml @lucasmrod @lukeheath -/.github/workflows/fleet-and-orbit.yml @lucasmrod @lukeheath -/.github/workflows/build-orbit.yaml @lucasmrod @lukeheath -/.github/workflows/generate-osqueryd-targets.yml @lucasmrod @lukeheath -/.github/workflows/test-packaging.yml @lucasmrod @lukeheath -/.github/workflows/release-helm.yaml @rfairburn @lukeheath -/.github/workflows/pr-helm.yaml @rfairburn @lukeheath -/.github/workflows/tfvalidate.yml @rfairburn @lukeheath -/.github/workflows/dogfood-deploy.yml @rfairburn @lukeheath -/.github/workflows/test-db-changes.yml @roperzh @lukeheath -/.github/workflows/test-go.yaml @roperzh @lukeheath -/.github/workflows/golangci-lint.yml @roperzh @lukeheath -/.github/workflows/test-native-tooling-packaging.yml @roperzh @lukeheath -/.github/workflows/check-tuf-timestamps.yml @roperzh @lukeheath -/.github/workflows/test-puppet.yml @roperzh @lukeheath -/.github/workflows/generate-nudge-targets.yml @roperzh @lukeheath -/.github/workflows/test-js.yml @ghernandez345 @lukeheath -/.github/workflows/dogfood-gitops.yml @getvictor @lukeheath -/.github/workflows/test-fleetd-chrome.yml @getvictor @lukeheath -/.github/workflows/release-fleetd-chrome.yml @getvictor @lukeheath -/.github/workflows/release-fleetd-chrome-beta.yml @getvictor @lukeheath +/.github/workflows/README.md @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/goreleaser-fleet.yaml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/update-certs.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/codeql-analysis.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/codeql.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/scorecards-analysis.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/integration.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/fleetctl-preview.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/fleetctl-preview-latest.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/goreleaser-orbit.yaml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/trivy-scan.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/goreleaser-snapshot-fleet.yaml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/build-and-push-fleetctl-docker.yml @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/fleetd-tuf.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/generate-desktop-targets.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-yml-specs.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/build-binaries.yaml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/fleet-and-orbit.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/build-orbit.yaml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/generate-osqueryd-targets.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-packaging.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/release-helm.yaml @rfairburn @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/pr-helm.yaml @rfairburn @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/tfvalidate.yml @rfairburn @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/dogfood-deploy.yml @rfairburn @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-db-changes.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-go.yaml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/golangci-lint.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-native-tooling-packaging.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/check-tuf-timestamps.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-puppet.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/generate-nudge-targets.yml @roperzh @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-js.yml @ghernandez345 @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/dogfood-gitops.yml @getvictor @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/test-fleetd-chrome.yml @getvictor @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/release-fleetd-chrome.yml @getvictor @lukeheath @georgekarrv @sharon-fdm +/.github/workflows/release-fleetd-chrome-beta.yml @getvictor @lukeheath @georgekarrv @sharon-fdm # ℹ️ But wait, there's more! # See the comments up top to learn where else DRIs and maintainers are configured. From 6ebc308eb4b9d4e3d5add4177446c09ff4297f6a Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Fri, 22 Mar 2024 15:32:23 -0500 Subject: [PATCH 41/46] [StepSecurity] ci: Harden GitHub Actions (#17780) --- .../build-and-push-fleetctl-docker.yml | 5 +++ .github/workflows/build-binaries.yaml | 5 +++ .github/workflows/build-orbit.yaml | 5 +++ .github/workflows/check-tuf-timestamps.yml | 5 +++ .github/workflows/codeql-analysis.yml | 5 +++ .github/workflows/deploy-fleet-website.yml | 5 +++ .../deploy-vulnerability-dashboard.yml | 5 +++ .github/workflows/docs.yml | 5 +++ .github/workflows/dogfood-deploy.yml | 5 +++ .github/workflows/dogfood-gitops.yml | 5 +++ .github/workflows/fleet-and-orbit.yml | 40 +++++++++++++++++++ .github/workflows/fleetctl-preview-latest.yml | 5 +++ .github/workflows/fleetctl-preview.yml | 5 +++ .github/workflows/fleetd-tuf.yml | 5 +++ .../workflows/generate-desktop-targets.yml | 15 +++++++ .github/workflows/generate-nudge-targets.yml | 5 +++ .../workflows/generate-osqueryd-targets.yml | 15 +++++++ .github/workflows/golangci-lint.yml | 5 +++ .github/workflows/goreleaser-fleet.yaml | 5 +++ .github/workflows/goreleaser-orbit.yaml | 15 +++++++ .../workflows/goreleaser-snapshot-fleet.yaml | 5 +++ .github/workflows/integration.yml | 35 ++++++++++++++++ .github/workflows/pr-helm.yaml | 5 +++ .../workflows/push-osquery-perf-to-ecr.yml | 5 +++ .../workflows/release-fleetd-chrome-beta.yml | 5 +++ .github/workflows/release-fleetd-chrome.yml | 5 +++ .github/workflows/release-helm.yaml | 5 +++ .github/workflows/scorecards-analysis.yml | 5 +++ .github/workflows/test-db-changes.yml | 5 +++ .github/workflows/test-fleetd-chrome.yml | 5 +++ .github/workflows/test-go.yaml | 5 +++ .github/workflows/test-js.yml | 10 +++++ .../test-native-tooling-packaging.yml | 5 +++ .github/workflows/test-packaging.yml | 5 +++ .github/workflows/test-puppet.yml | 5 +++ .../test-vulnerability-dashboard-changes.yml | 5 +++ .github/workflows/test-website.yml | 5 +++ .github/workflows/test-yml-specs.yml | 5 +++ .github/workflows/tfvalidate.yml | 5 +++ .github/workflows/trivy-scan.yml | 5 +++ .github/workflows/update-certs.yml | 5 +++ 41 files changed, 305 insertions(+) diff --git a/.github/workflows/build-and-push-fleetctl-docker.yml b/.github/workflows/build-and-push-fleetctl-docker.yml index a42eb0ddd3..8ae3c7069e 100644 --- a/.github/workflows/build-and-push-fleetctl-docker.yml +++ b/.github/workflows/build-and-push-fleetctl-docker.yml @@ -29,6 +29,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/build-binaries.yaml b/.github/workflows/build-binaries.yaml index 29faa1eacf..ed18437c74 100644 --- a/.github/workflows/build-binaries.yaml +++ b/.github/workflows/build-binaries.yaml @@ -24,6 +24,11 @@ jobs: build-binaries: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/build-orbit.yaml b/.github/workflows/build-orbit.yaml index 40e3c84909..09f296aece 100644 --- a/.github/workflows/build-orbit.yaml +++ b/.github/workflows/build-orbit.yaml @@ -33,6 +33,11 @@ jobs: build: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/check-tuf-timestamps.yml b/.github/workflows/check-tuf-timestamps.yml index 4a67a3d5b0..f5c01ec136 100644 --- a/.github/workflows/check-tuf-timestamps.yml +++ b/.github/workflows/check-tuf-timestamps.yml @@ -29,6 +29,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check remote timestamp.json file run: | expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 37e1fd9850..246c6418a1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -45,6 +45,11 @@ jobs: # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/deploy-fleet-website.yml b/.github/workflows/deploy-fleet-website.yml index 538291617b..9fc044e13b 100644 --- a/.github/workflows/deploy-fleet-website.yml +++ b/.github/workflows/deploy-fleet-website.yml @@ -34,6 +34,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Configure our access credentials for the Heroku CLI diff --git a/.github/workflows/deploy-vulnerability-dashboard.yml b/.github/workflows/deploy-vulnerability-dashboard.yml index 05c0b4ff88..5030c2eb1c 100644 --- a/.github/workflows/deploy-vulnerability-dashboard.yml +++ b/.github/workflows/deploy-vulnerability-dashboard.yml @@ -22,6 +22,11 @@ jobs: node-version: [14.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Configure our access credentials for the Heroku CLI diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8b0b3a22fe..ec0df78a4d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -28,6 +28,11 @@ jobs: contents: read # to read files to check dead links runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15 with: diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml index 393102abd0..d13d2f4761 100644 --- a/.github/workflows/dogfood-deploy.yml +++ b/.github/workflows/dogfood-deploy.yml @@ -41,6 +41,11 @@ jobs: name: Deploy Fleet Dogfood Environment runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - id: fail-on-main run: "false" diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml index de7974b29a..43761a5fbb 100644 --- a/.github/workflows/dogfood-gitops.yml +++ b/.github/workflows/dogfood-gitops.yml @@ -22,6 +22,11 @@ jobs: timeout-minutes: 10 runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout our repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/fleet-and-orbit.yml b/.github/workflows/fleet-and-orbit.yml index 29d4d82c7a..2849c0f561 100644 --- a/.github/workflows/fleet-and-orbit.yml +++ b/.github/workflows/fleet-and-orbit.yml @@ -44,6 +44,11 @@ jobs: address: ${{ steps.gen.outputs.address }} enroll_secret: ${{ steps.gen.outputs.enroll_secret }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - id: gen run: | UUID=$(uuidgen) @@ -62,6 +67,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -171,6 +181,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -214,6 +229,11 @@ jobs: # or if we revise our minimum supported macOS version. runs-on: macos-12 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -255,6 +275,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, build-macos-targets] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -317,6 +342,11 @@ jobs: runs-on: macos-latest needs: [gen, run-tuf-and-gen-pkgs] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -366,6 +396,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, run-tuf-and-gen-pkgs] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download deb id: download uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 @@ -412,6 +447,11 @@ jobs: needs: [gen, run-tuf-and-gen-pkgs] runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download msi id: download uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 diff --git a/.github/workflows/fleetctl-preview-latest.yml b/.github/workflows/fleetctl-preview-latest.yml index 839072ed83..dda4e0f73c 100644 --- a/.github/workflows/fleetctl-preview-latest.yml +++ b/.github/workflows/fleetctl-preview-latest.yml @@ -57,6 +57,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/fleetctl-preview.yml b/.github/workflows/fleetctl-preview.yml index 9bcfdb7376..ab9a69c2b2 100644 --- a/.github/workflows/fleetctl-preview.yml +++ b/.github/workflows/fleetctl-preview.yml @@ -27,6 +27,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Test fleetctl preview run: | npm install -g fleetctl diff --git a/.github/workflows/fleetd-tuf.yml b/.github/workflows/fleetd-tuf.yml index 26faf617c5..c1617cb860 100644 --- a/.github/workflows/fleetd-tuf.yml +++ b/.github/workflows/fleetd-tuf.yml @@ -25,6 +25,11 @@ jobs: pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/generate-desktop-targets.yml b/.github/workflows/generate-desktop-targets.yml index b2557c1a06..fef2d6075b 100644 --- a/.github/workflows/generate-desktop-targets.yml +++ b/.github/workflows/generate-desktop-targets.yml @@ -40,6 +40,11 @@ jobs: runs-on: macos-12 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -88,6 +93,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -111,6 +121,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/generate-nudge-targets.yml b/.github/workflows/generate-nudge-targets.yml index b1771f6703..4b7f025f4e 100644 --- a/.github/workflows/generate-nudge-targets.yml +++ b/.github/workflows/generate-nudge-targets.yml @@ -33,6 +33,11 @@ jobs: generate-macos: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/generate-osqueryd-targets.yml b/.github/workflows/generate-osqueryd-targets.yml index e2d4933e61..0af9f64bea 100644 --- a/.github/workflows/generate-osqueryd-targets.yml +++ b/.github/workflows/generate-osqueryd-targets.yml @@ -33,6 +33,11 @@ jobs: generate-macos: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -49,6 +54,11 @@ jobs: generate-linux: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -69,6 +79,11 @@ jobs: generate-windows: runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 6de7068ccf..1d00e3c0d9 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -41,6 +41,11 @@ jobs: go-version: ['${{ vars.GO_VERSION }}'] runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml index 8f8f2cd67d..f192a624ff 100644 --- a/.github/workflows/goreleaser-fleet.yaml +++ b/.github/workflows/goreleaser-fleet.yaml @@ -25,6 +25,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: diff --git a/.github/workflows/goreleaser-orbit.yaml b/.github/workflows/goreleaser-orbit.yaml index 1efd3faec1..2f1eb3905b 100644 --- a/.github/workflows/goreleaser-orbit.yaml +++ b/.github/workflows/goreleaser-orbit.yaml @@ -24,6 +24,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -73,6 +78,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -101,6 +111,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/goreleaser-snapshot-fleet.yaml b/.github/workflows/goreleaser-snapshot-fleet.yaml index c6fb9c1419..65ac166c1b 100644 --- a/.github/workflows/goreleaser-snapshot-fleet.yaml +++ b/.github/workflows/goreleaser-snapshot-fleet.yaml @@ -40,6 +40,11 @@ jobs: runs-on: ubuntu-20.04 environment: Docker Hub steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 04f61e743b..a6200e9849 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -31,6 +31,11 @@ jobs: subdomain: ${{ steps.gen.outputs.subdomain }} address: ${{ steps.gen.outputs.address }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - id: gen run: | UUID=$(uuidgen) @@ -41,6 +46,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Start tunnel env: CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }} @@ -136,6 +146,11 @@ jobs: token: ${{ steps.login.outputs.token }} steps: # Download fleet and fleetctl binaries from last successful build on main + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download binaries uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 with: @@ -178,6 +193,11 @@ jobs: runs-on: macos-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -234,6 +254,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies run: | npm install -g fleetctl @@ -299,6 +324,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies run: | docker pull fleetdm/wix:latest & @@ -335,6 +365,11 @@ jobs: needs: [gen, login, orbit-windows-build] runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies shell: bash run: | diff --git a/.github/workflows/pr-helm.yaml b/.github/workflows/pr-helm.yaml index c81c21f7b4..4f119e04a6 100644 --- a/.github/workflows/pr-helm.yaml +++ b/.github/workflows/pr-helm.yaml @@ -28,6 +28,11 @@ jobs: kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26 runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: create temp dir diff --git a/.github/workflows/push-osquery-perf-to-ecr.yml b/.github/workflows/push-osquery-perf-to-ecr.yml index c905c92e08..0760d03900 100644 --- a/.github/workflows/push-osquery-perf-to-ecr.yml +++ b/.github/workflows/push-osquery-perf-to-ecr.yml @@ -35,6 +35,11 @@ jobs: build-docker: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-fleetd-chrome-beta.yml b/.github/workflows/release-fleetd-chrome-beta.yml index 7c81d9be4f..8f50b02d60 100644 --- a/.github/workflows/release-fleetd-chrome-beta.yml +++ b/.github/workflows/release-fleetd-chrome-beta.yml @@ -24,6 +24,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-fleetd-chrome.yml b/.github/workflows/release-fleetd-chrome.yml index dc168426d5..6751d7705e 100644 --- a/.github/workflows/release-fleetd-chrome.yml +++ b/.github/workflows/release-fleetd-chrome.yml @@ -25,6 +25,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml index 91ef4e34c1..d6d738c362 100644 --- a/.github/workflows/release-helm.yaml +++ b/.github/workflows/release-helm.yaml @@ -24,6 +24,11 @@ jobs: contents: write # to push helm charts runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 with: diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index af1990e9c5..59dfd8a7ff 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -24,6 +24,11 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.github/workflows/test-db-changes.yml b/.github/workflows/test-db-changes.yml index 46aafcc9d4..301645008e 100644 --- a/.github/workflows/test-db-changes.yml +++ b/.github/workflows/test-db-changes.yml @@ -30,6 +30,11 @@ jobs: test-db-changes: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-fleetd-chrome.yml b/.github/workflows/test-fleetd-chrome.yml index d9772cf225..82fa08fc82 100644 --- a/.github/workflows/test-fleetd-chrome.yml +++ b/.github/workflows/test-fleetd-chrome.yml @@ -31,6 +31,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/test-go.yaml b/.github/workflows/test-go.yaml index 0a924f3876..69c9b3be6c 100644 --- a/.github/workflows/test-go.yaml +++ b/.github/workflows/test-go.yaml @@ -52,6 +52,11 @@ jobs: GO_TEST_TIMEOUT: 15m steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml index d0e660ba72..9d63523737 100644 --- a/.github/workflows/test-js.yml +++ b/.github/workflows/test-js.yml @@ -37,6 +37,11 @@ jobs: steps: # Set the Node.js version + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Node.js ${{ vars.NODE_VERSION }} uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: @@ -76,6 +81,11 @@ jobs: steps: # Set the Node.js version + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Node.js ${{ vars.NODE_VERSION }} uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: diff --git a/.github/workflows/test-native-tooling-packaging.yml b/.github/workflows/test-native-tooling-packaging.yml index a109100ffb..db242cee0c 100644 --- a/.github/workflows/test-native-tooling-packaging.yml +++ b/.github/workflows/test-native-tooling-packaging.yml @@ -45,6 +45,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-packaging.yml b/.github/workflows/test-packaging.yml index bdf5940aab..113f3c33ce 100644 --- a/.github/workflows/test-packaging.yml +++ b/.github/workflows/test-packaging.yml @@ -51,6 +51,11 @@ jobs: # Docker needs to be installed manually on macOS. # From https://github.com/docker/for-mac/issues/2359#issuecomment-943131345 # FIXME: lock Docker version to 4.10.0 as newer versions fail to initialize + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Docker timeout-minutes: 20 if: matrix.os == 'macos-latest' diff --git a/.github/workflows/test-puppet.yml b/.github/workflows/test-puppet.yml index 82531fc272..f537913a52 100644 --- a/.github/workflows/test-puppet.yml +++ b/.github/workflows/test-puppet.yml @@ -28,6 +28,11 @@ jobs: test-puppet: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Puppet Development Kit run: brew install --cask puppetlabs/puppet/pdk diff --git a/.github/workflows/test-vulnerability-dashboard-changes.yml b/.github/workflows/test-vulnerability-dashboard-changes.yml index 6c7cf2e2a9..d2c5cb45fc 100644 --- a/.github/workflows/test-vulnerability-dashboard-changes.yml +++ b/.github/workflows/test-vulnerability-dashboard-changes.yml @@ -23,6 +23,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Set the Node.js version diff --git a/.github/workflows/test-website.yml b/.github/workflows/test-website.yml index a9fd54ef31..3045c9d4a7 100644 --- a/.github/workflows/test-website.yml +++ b/.github/workflows/test-website.yml @@ -32,6 +32,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Set the Node.js version diff --git a/.github/workflows/test-yml-specs.yml b/.github/workflows/test-yml-specs.yml index d4e0ed7db0..75e46d6af0 100644 --- a/.github/workflows/test-yml-specs.yml +++ b/.github/workflows/test-yml-specs.yml @@ -37,6 +37,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml index 05da7c6e6e..6513377a08 100644 --- a/.github/workflows/tfvalidate.yml +++ b/.github/workflows/tfvalidate.yml @@ -30,6 +30,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Clone repo uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 0d362fe9b4..9e0686c46b 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -34,6 +34,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 diff --git a/.github/workflows/update-certs.yml b/.github/workflows/update-certs.yml index 1aa054f68a..c5227657f3 100644 --- a/.github/workflows/update-certs.yml +++ b/.github/workflows/update-certs.yml @@ -25,6 +25,11 @@ jobs: pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v.24.0 From 80335d88d14ce70b5fe43a7fa441e039df04a8b2 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 22 Mar 2024 14:19:11 -0700 Subject: [PATCH 42/46] [StepSecurity] Apply security best practices (#17811) --- .github/workflows/dependency-review.yml | 27 +++++++++++++++++++ .pre-commit-config.yaml | 35 +++++++++++++++++++++++++ ee/vulnerability-dashboard/Dockerfile | 2 +- infrastructure/kubequery/Dockerfile | 4 +-- server/mdm/scep/Dockerfile | 2 +- tools/tuf/test/Dockerfile | 2 +- 6 files changed, 67 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..3f3456223b --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..aee9602607 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,35 @@ +repos: +- repo: https://github.com/digitalpulp/pre-commit-php + rev: 1.4.0 + hooks: + - id: php-lint-all +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: RuboCop + - id: shellcheck +- repo: https://github.com/pocc/pre-commit-hooks + rev: v1.3.5 + hooks: + - id: cpplint +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint diff --git a/ee/vulnerability-dashboard/Dockerfile b/ee/vulnerability-dashboard/Dockerfile index 84a2056fda..0d96a8a8ff 100644 --- a/ee/vulnerability-dashboard/Dockerfile +++ b/ee/vulnerability-dashboard/Dockerfile @@ -1,5 +1,5 @@ # Use the official Node.js 14 image as a base -FROM node:20 +FROM node:20@sha256:e06aae17c40c7a6b5296ca6f942a02e6737ae61bbbf3e2158624bb0f887991b5 # Set the working directory in the container WORKDIR /usr/src/app diff --git a/infrastructure/kubequery/Dockerfile b/infrastructure/kubequery/Dockerfile index a3088c1a3e..5480212ad9 100644 --- a/infrastructure/kubequery/Dockerfile +++ b/infrastructure/kubequery/Dockerfile @@ -5,7 +5,7 @@ # # SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) -FROM ubuntu:20.04 AS builder +FROM ubuntu:20.04@sha256:80ef4a44043dec4490506e6cc4289eeda2d106a70148b74b5ae91ee670e9c35d AS builder ARG BASEQUERY_VERSION=5.0.2 @@ -15,7 +15,7 @@ RUN dpkg -i /tmp/basequery.deb # ===== -FROM uptycs/busybox:v1.33.0 +FROM uptycs/busybox:v1.33.0@sha256:6a312f5959d374420eedce83f42d2ad19a027bd4e448ed734372bc1a07ad8b10 ARG BASEQUERY_VERSION ARG KUBEQUERY_VERSION diff --git a/server/mdm/scep/Dockerfile b/server/mdm/scep/Dockerfile index c34882b76b..89e0abca6d 100644 --- a/server/mdm/scep/Dockerfile +++ b/server/mdm/scep/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3 +FROM alpine:3@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b COPY ./scepclient-linux-amd64 /usr/bin/scepclient COPY ./scepserver-linux-amd64 /usr/bin/scepserver diff --git a/tools/tuf/test/Dockerfile b/tools/tuf/test/Dockerfile index eef0bfc90f..d83db1c41a 100644 --- a/tools/tuf/test/Dockerfile +++ b/tools/tuf/test/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bookworm-slim +FROM debian:bookworm-slim@sha256:ccb33c3ac5b02588fc1d9e4fc09b952e433d0c54d8618d0ee1afadf1f3cf2455 WORKDIR /usr/src/app From 6ae3880704cd715e30dcdfe0e18519dea33e95ca Mon Sep 17 00:00:00 2001 From: Eric Date: Fri, 22 Mar 2024 18:15:01 -0500 Subject: [PATCH 43/46] Website: Update build script to exclude folders with an underscore prefix & rename docs/Deploy/kubernetes/ (#17817) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes: #17582 Changes: - Updated the `build-static-content` script to not generate HTML pages for files in subfolders that are prefixed with an underscore - Renamed the `docs/Deploy/kubernetes` folder » `docs/Deploy/_kubernetes` - Documented this new behavior on the communications page of the handbook. - Updated commands on the Deploy Fleet on Kubernetes page. --------- Co-authored-by: Mike McNeil --- CODEOWNERS | 2 +- docs/Deploy/Deploy-Fleet-on-Kubernetes.md | 12 ++++++------ docs/Deploy/{kubernetes => _kubernetes}/README.md | 0 .../{kubernetes => _kubernetes}/fleet-deployment.yml | 0 .../{kubernetes => _kubernetes}/fleet-migrations.yml | 0 .../{kubernetes => _kubernetes}/fleet-service.yml | 0 handbook/company/communications.md | 2 ++ website/scripts/build-static-content.js | 4 ++++ 8 files changed, 13 insertions(+), 7 deletions(-) rename docs/Deploy/{kubernetes => _kubernetes}/README.md (100%) rename docs/Deploy/{kubernetes => _kubernetes}/fleet-deployment.yml (100%) rename docs/Deploy/{kubernetes => _kubernetes}/fleet-migrations.yml (100%) rename docs/Deploy/{kubernetes => _kubernetes}/fleet-service.yml (100%) diff --git a/CODEOWNERS b/CODEOWNERS index a44b1a2d2a..6813739818 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -68,7 +68,7 @@ go.mod @fleetdm/go /docs/Using-Fleet/REST-API.md @rachaelshaw # « REST API reference documentation /docs/Contributing/API-for-contributors.md @rachaelshaw # « Advanced / contributors-only API reference documentation /schema @eashaw # « Data tables (osquery/fleetd schema) documentation -/docs/Deploy/kubernetes/ @dherder # « Kubernetes best practice +/docs/Deploy/_kubernetes/ @dherder # « Kubernetes best practice ############################################################################################## # 🫧 Pricing and features # diff --git a/docs/Deploy/Deploy-Fleet-on-Kubernetes.md b/docs/Deploy/Deploy-Fleet-on-Kubernetes.md index 2d35599853..c5318ccb22 100644 --- a/docs/Deploy/Deploy-Fleet-on-Kubernetes.md +++ b/docs/Deploy/Deploy-Fleet-on-Kubernetes.md @@ -8,7 +8,7 @@ There are 2 primary ways to deploy the Fleet server to a Kubernetes cluster. The We will assume you have `kubectl` and MySQL and Redis are all set up and running. Optionally you have minikube to test your deployment locally on your machine. -To deploy the Fleet server and connect to its dependencies (MySQL and Redis), we will use [Fleet's best practice `fleet-deployment.yml` file](https://github.com/fleetdm/fleet/blob/main/docs/Deploy/kubernetes/fleet-deployment.yml). +To deploy the Fleet server and connect to its dependencies (MySQL and Redis), we will use [Fleet's best practice `fleet-deployment.yml` file](https://github.com/fleetdm/fleet/blob/main/docs/Deploy/_kubernetes/fleet-deployment.yml). Let's tell Kubernetes to create the cluster by running the below command. @@ -83,14 +83,14 @@ Note: this step is not neccessary when using the Fleet Helm Chart as it handles The last step is to run the Fleet database migrations on your new MySQL server. To do this, run the following: ```sh -kubectl create -f ./docs/Deploy/kubernetes/fleet-migrations.yml +kubectl create -f ./docs/Deploy/_kubernetes/fleet-migrations.yml ``` In Kubernetes, you can only run a job once. If you'd like to run it again (i.e.: you'd like to run the migrations again using the same file), you must delete the job before re-creating it. To delete the job and re-run it, you can run the following commands: ```sh -kubectl delete -f ./docs/Deploy/kubernetes/fleet-migrations.yml -kubectl create -f ./docs/Deploy/kubernetes/fleet-migrations.yml +kubectl delete -f ./docs/Deploy/_kubernetes/fleet-migrations.yml +kubectl create -f ./docs/Deploy/_kubernetes/fleet-migrations.yml ``` #### Redis @@ -158,7 +158,7 @@ kubectl create secret tls fleet-tls --key=./tls.key --cert=./tls.crt First we must deploy the instances of the Fleet webserver. The Fleet webserver is described using a Kubernetes deployment object. To create this deployment, run the following: ```sh -kubectl apply -f ./docs/Deploy/fleet-deployment.yml +kubectl apply -f ./docs/Deploy/_kubernetes/fleet-deployment.yml ``` You should be able to get an instance of the webserver running via `kubectl get pods` and you should see the following logs: @@ -174,7 +174,7 @@ ts=2017-11-16T02:48:38.441148166Z transport=https address=0.0.0.0:443 msg=listen Now that the Fleet server is running on our cluster, we have to expose the Fleet webservers to the internet via a load balancer. To create a Kubernetes `Service` of type `LoadBalancer`, run the following: ```sh -kubectl apply -f ./docs/Deploy/fleet-service.yml +kubectl apply -f ./docs/Deploy/_kubernetes/fleet-service.yml ``` #### Configure DNS diff --git a/docs/Deploy/kubernetes/README.md b/docs/Deploy/_kubernetes/README.md similarity index 100% rename from docs/Deploy/kubernetes/README.md rename to docs/Deploy/_kubernetes/README.md diff --git a/docs/Deploy/kubernetes/fleet-deployment.yml b/docs/Deploy/_kubernetes/fleet-deployment.yml similarity index 100% rename from docs/Deploy/kubernetes/fleet-deployment.yml rename to docs/Deploy/_kubernetes/fleet-deployment.yml diff --git a/docs/Deploy/kubernetes/fleet-migrations.yml b/docs/Deploy/_kubernetes/fleet-migrations.yml similarity index 100% rename from docs/Deploy/kubernetes/fleet-migrations.yml rename to docs/Deploy/_kubernetes/fleet-migrations.yml diff --git a/docs/Deploy/kubernetes/fleet-service.yml b/docs/Deploy/_kubernetes/fleet-service.yml similarity index 100% rename from docs/Deploy/kubernetes/fleet-service.yml rename to docs/Deploy/_kubernetes/fleet-service.yml diff --git a/handbook/company/communications.md b/handbook/company/communications.md index 86b100c5bc..bc96271f7f 100644 --- a/handbook/company/communications.md +++ b/handbook/company/communications.md @@ -296,6 +296,8 @@ Our handbook and docs pages are written in Markdown and are editable from our we 6. GitHub will run a series of automated checks and notify the reviewer. At this point, you are done and can safely close the browser page at any time. 8. Check the “Files changed” section on the Open a pull request page to double-check your proposed changes. +> Note: Pages in the `./docs/Contributing/` folder and folders with a underscore prefix (e.g., `./docs/Deploy/_kubernetes/`) are not included in the documentation on the Fleet website. + ### Merging changes When merging a PR to the master branch of the [Fleet repo](https://github.com/fleetdm/fleet), remember that whatever you merge gets deployed live immediately. Ensure that the appropriate quality checks have been completed before merging. [Learn about the website QA process](#quality). diff --git a/website/scripts/build-static-content.js b/website/scripts/build-static-content.js index 4e039ab4fd..67060ea9ac 100644 --- a/website/scripts/build-static-content.js +++ b/website/scripts/build-static-content.js @@ -207,6 +207,10 @@ module.exports = { if(sectionRepoPath === 'docs/' && _.startsWith(pageUnextensionedUnwhitespacedLowercasedRelPath, 'contributing/')){ continue; } + // Skip pages in folders starting with an underscore character. + if(sectionRepoPath === 'docs/' && _.startsWith(pageRelSourcePath.split(/\//).slice(-2)[0], '_')){ + continue; + } let RX_README_FILENAME = /\/?readme\.?m?d?$/i;// « for matching `readme` or `readme.md` (case-insensitive) at the end of a file path // Determine this page's default (fallback) display title. From 776ea4d7fd86ecb57e7cf9505297b9c575380120 Mon Sep 17 00:00:00 2001 From: Eric Date: Fri, 22 Mar 2024 19:36:06 -0500 Subject: [PATCH 44/46] Website: Update order of columns on osquery schema table pages. (#17818) Related to: #17727 Changes: - Updated the `build-static-content` script to sort the columns of tables alphabetically by the name of the column when the pages for fleetdm.com/tables are generated. --- website/scripts/build-static-content.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/scripts/build-static-content.js b/website/scripts/build-static-content.js index 67060ea9ac..02f437763d 100644 --- a/website/scripts/build-static-content.js +++ b/website/scripts/build-static-content.js @@ -704,7 +704,7 @@ module.exports = { } // Iterate through the columns of the table, we'll add a row to the markdown table element for each column in this schema table - for(let column of table.columns) { + for(let column of _.sortBy(table.columns, 'name')) { if(!column.hidden) { // If the column is hidden, we won't add it to the final table. // Create an object for this column to add to the osqueryTables config. let columnInfoForQueryReports = { From 6145877c491bc947d0655bf0f122297b843c9e1c Mon Sep 17 00:00:00 2001 From: Eric Date: Sat, 23 Mar 2024 11:56:27 -0500 Subject: [PATCH 45/46] Website: Update logo carousel animation (#17820) Closes: #17823 Changes: - Updated the animation of the logo carousel on the homepage. --- website/assets/styles/pages/homepage.less | 21 +++++++++++---------- website/views/pages/homepage.ejs | 23 +++++++++++++++++++++-- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/website/assets/styles/pages/homepage.less b/website/assets/styles/pages/homepage.less index 79445817c7..80fbb8029d 100644 --- a/website/assets/styles/pages/homepage.less +++ b/website/assets/styles/pages/homepage.less @@ -82,7 +82,8 @@ position: relative; width: 100%; overflow: hidden; - div { + + [purpose='logo-row'] { white-space: nowrap; animation: scroll-horizontal 80s linear infinite; } @@ -110,7 +111,14 @@ background: linear-gradient(90deg, rgba(255, 255, 255, 0.00) 0%, #FFF 100%); } } - + @keyframes scroll-horizontal { + 0% { + transform: translateX(-25%); + } + 100% { + transform: translateX(-125%); + } + } [purpose='homepage-content'] { max-width: 1200px; @@ -1428,13 +1436,6 @@ } - @keyframes scroll-horizontal { - 0% { - transform: translateX(50%); - } - 100% { - transform: translateX(-50%); - } - } + } diff --git a/website/views/pages/homepage.ejs b/website/views/pages/homepage.ejs index 20b048c4f9..91db1122b6 100644 --- a/website/views/pages/homepage.ejs +++ b/website/views/pages/homepage.ejs @@ -22,7 +22,7 @@
-
+
Notion logo Pinterest logo Gusto logo @@ -41,7 +41,26 @@ Reddit logo
-
+
+ Notion logo + Pinterest logo + Gusto logo + Epic Games logo + Rivian logo + Deloitte logo + Flywire logo + Snowflake logo + Uber logo + Atlassian logo + Toast logo + + Fastly logo + Hashicorp logo + Dropbox logo + + Reddit logo +
+
Notion logo Pinterest logo Gusto logo From 04d4cbd647829e3c095afa47b6987da4064c3e41 Mon Sep 17 00:00:00 2001 From: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com> Date: Sat, 23 Mar 2024 15:39:46 -0500 Subject: [PATCH 46/46] Add "Archive a document" responsibility (#17824) --- handbook/digital-experience/README.md | 44 ++++++++++++--------------- 1 file changed, 19 insertions(+), 25 deletions(-) diff --git a/handbook/digital-experience/README.md b/handbook/digital-experience/README.md index de58d211fd..e8d0626b78 100644 --- a/handbook/digital-experience/README.md +++ b/handbook/digital-experience/README.md @@ -185,6 +185,18 @@ Fleet's public relations firm is directly responsible for the accuracy of event 2. Update the workbook with the latest location, dates, and CFP deadlines from the website. +### Archive a document +Follow these steps to archive any document: +1. Create a copy of the document prefixed with the date using the format "`YYYY-MM-DD` Backup of `DOCUMENT_NAME`" (e.g. "2024-03-22 Backup of 🪂🗞️ Customer voice"). +2. Be sure to "Share it with the same people", "Copy comments and suggestions", and "Include resolved comments and suggestions" as shown below. + +Screenshot 2024-03-23 at 12 14 00 PM + +3. Save this backup copy to the same location in Google Drive where the original is found. +4. Link to the backup copy at the top of the original document. Be sure to use the full URL, no abbreviated pill links (e.g. "Notes from last time: URL_OF_MOST_RECENT_BACKUP_DOCUMENT"). +5. Delete all non-structural content from the original document, including past meeting notes and current answers to "evergreen" questions. + + ### Schedule CEO interview From time to time, you will need to schedule an interview between a candidate and the CEO: 1. [Make a copy of the "¶¶ CEO interview template"](https://docs.google.com/document/d/1yARlH6iZY-cP9cQbmL3z6TbMy-Ii7lO64RbuolpWQzI/copy) (private Google doc) @@ -382,34 +394,16 @@ You can also grab a copy of the [original slides](https://fleetdm.com/handbook/c ### Process and backup Sid agenda Every two weeks, our CEO Mike has a meeting with Sid Sijbrandij. The CEO uses dedicated (blocked, recurring) time to prepare for this meeting earlier in the week. - -30 minutes After each meeting (to allow all parties to collect action items), the Apprentice makes a copy of the "💻 Sid : Mike(Fleet)" doc and renames it "YYYY-MM-DD Backup of 💻 Sid : Mike(Fleet)". Then moves the backup version into the [(¶¶) Sid archive](https://drive.google.com/drive/folders/1izVfIBt2nr4APlkm36E6DJg1k1PDjmae) - -Then process the backup Sid agenda by: -- Leaving google doc comments assigning all Fleet TODOs to correct Fleeties. -- In the ¶¶¶¶🦿🌪️CEO Roundup doc, update the URL in `Sam: FYI: Agenda from last time:` [LINK](link). - -**Being sure to preserve agenda format**, process the 💻 Sid : Mike(Fleet) master doc by: -- (Unless otherwise prefixed) Delete all agenda items, **being sure to leave 3 empty bullets in every section**. +1. 30 minutes After each meeting [archive the "💻 Sid : Mike(Fleet)" agenda](https://fleetdm.com/handbook/digital-experience#archive-a-document), moving it to the [(¶¶) Sid archive](https://drive.google.com/drive/folders/1izVfIBt2nr4APlkm36E6DJg1k1PDjmae) folder in Google Drive. +2. **In the backup copy**, leave Google Doc comments assigning all Fleet TODOs to the correct DRI. +3. In the ¶¶¶¶🦿🌪️CEO Roundup doc, update the URL in `Sam: FYI: Agenda from last time:` [LINK](link). ### Process and backup E-group agenda -Immediately after every e-group the Apprentice makes a copy of the E-group agenda doc and renames it "YYYY-MM-DD backup of E-group agenda". Then saves it to the [(¶¶) E-group archive](https://drive.google.com/drive/u/0/folders/1IsSGMgbt4pDcP8gSnLj8Z8NGY7_6UTt6). - -Then process the backup E-group agenda by: -- Leaving google doc comments assigning all TODOs to correct individuals. -- In the E-group master doc, update the URL in `Sam: FYI: Agenda from last time:` [LINK](link). - -**Being sure to preserve agenda format**, process the E-group master doc by: -- Clearing all bullets from the "Mike: Hear from each department" section. - - Delete the "Blockers" and "Last week" bullets from each department's section. - - Move contents from "This week" to "Last week". -- (Unless otherwise prefixed) Delete all agenda items from the "Mike: This weeks focus" section. -- (Unless otherwise prefixed) Delete all agenda items from the "Today's other topics" section. - -If it's the day of an All hands: - - Remove any spotlights that aren't a permanent staple (e.g. Mike: Every time: Pick a value, present on it.). - +Follow these steps to process and backup the E-group agenda: +1. [Archive the E-group agenda](https://fleetdm.com/handbook/digital-experience#archive-a-document) after each meeting, moving it to the ["¶¶ E-group archive"](https://drive.google.com/drive/u/0/folders/1IsSGMgbt4pDcP8gSnLj8Z8NGY7_6UTt6) folder in Google Drive. +2. **In the backup copy**, leave Google Doc comments assigning all TODOs to the correct DRI. +3. If the "All hands" meeting has happened today ### Check LinkedIn for unread messages Once a day the Apprentice will confirm check LinkedIn for unread messages.