For #19936
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
Noticed several places where the structure of
`mdm.macos_settings.custom_settings` and
`mdm.windows_settings.custom_settings` didn't match the example response
for "Get configuration" (which I think is the most up-to-date).
(Will follow up and update the parameter descriptions for
`mdm.macos_settings.custom_settings`/`mdm.windows_settings.custom_settings`
to clarify they're objects with `path` and `labels` once
https://github.com/fleetdm/fleet/pull/19424 is merged.)
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
With #17321 we added support for `zsh` interpreter and we want to
document this.
@spokanemac had a hard time understanding that we don't support `.zsh`
extension while dogfooding the feature. I added note to explain that
user must create `.sh` file with `/bin/zsh` interpreter specified.
- Add redirect for error message on Fleet server startup if private key
is missing: #19455
- Move the APNs and ABM environment variables to contributor docs. They
will no longer be used
Feedback from prospect-redwine was that this page required more depth on
policies. We have documentation around policies, this PR is to add
linking and to glue the topics together.
---------
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: JD <spokanemac@users.noreply.github.com>
`server_settings.enable_analytics` was only documented in the "Get
configuration" endpoint and nowhere else. Added to "Modify
configuration" params and example response.
# Changes
I'm running orbit based osqueryd on a laptop with [Tuxedo
OS](https://www.tuxedocomputers.com/en/TUXEDO-OS_1.tuxedo#).
This OS identifies its platform via osquery as `tuxedo` and is therefore
not recognized by the Fleet server:
```json
{
"err": "unrecognized platform",
"hostID": 76,
"level": "error",
"platform": "tuxedo",
"ts": "2024-05-15T13:17:34.513509387Z"
}
```
This causes policy and scheduled queries to not being run on my system.
With this PR Im adding `tuxedo` to all occurrences found when searching
for `kali`.
Additionally pre-commit checks were failing for me locally as it could
not find the hook-id `RuboCop`. This could be solved by using `rubocop`
instead.
Afterwards all pre-commit checks succeeded locally.
# Checklist for submitter
- [x] Added/updated tests
Signed-off-by: Andreas Ulm <andreas.ulm@prisma-capacity.eu>
- Add S3 to AWS reference architecture docs
- Add note that GCP support for add/install software (deploy security
agents) and file carves is coming soon
- Add note that Render support for add/install software (deploy security
agents) is coming soon
- Update links to best practice Terraform example
Added a note to warn UI users against using dot notation for column
names in their queries.
Closes https://github.com/fleetdm/confidential/issues/6506
(@dherder, please check my interpretation of the issue.)
---------
Co-authored-by: Dave Herder <27025660+dherder@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
for https://github.com/fleetdm/fleet/issues/14921
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
#18925 (Should also fix #17660.)
Tests:
- Ubuntu 22.04.2
- Wayland
- Works with chrome ✅
- Doesn't work with Firefox. ❌
- Xorg
- Works with Chrome. ✅
- Works with Firefox. ✅
- Ubuntu 24.04
- Wayland
- Doesn't work with Chrome. ❌
- Doesn't work with Firefox. ❌
- Xorg (when using Xorg it defaults to `DISPLAY=:1`, and with the
changes in this PR it works):
- Works with Chrome. ✅
- Works with Firefox. ✅
---
How to change between Wayland and Xorg:
- Set `WaylandEnable=false` in `/etc/gdm3/custom.conf` and reboot.
---
How to determine what's running:
```sh
$ loginctl
SESSION UID USER SEAT TTY
2 1000 luk seat0 tty2
c2 1000 luk
$ loginctl show-session 2 -p Type
# will output
Type=wayland
or
Type=x11
```
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
I fixed a couple of typos, corrected a couple of header tags, and
tightened up a couple of margins.
# Checklist for submitter
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
This PR is a follow-up to https://github.com/fleetdm/fleet/issues/16660
to:
- Move all (non-recommended) deployment guides from the docs into
`/articles` under the `guides` category
- AWS ECS
- CentOS
- Cloud.gov
- AWS with Terraform
- Hetzner Cloud
- Render
- Kubernetes
- Set up redirects for migrated articles
- Add article thumbnail and cover images
# Checklist for submitter
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: Eric <eashaw@sailsjs.com>
- Update docs to reflect that, in order to use Autopilot, you must have
one Intune license per host (from #fleetdm/confidential#6283)
- Make "MDM setup" doc page cross platform
- Cut content
https://github.com/fleetdm/fleet/issues/16660
Changes:
- Added a new page (deploy-fleet.md) to the deploying docs
- Moved the content from the following pages to the
deploy/reference-architectures page:
- Systemd
- Proxies
- Public IPs
- Monitoring Fleet
- Introduction
- Reordered the pages in the Deploy docs folder
- Added a redirect: `/docs/deploy/introduction »
/docs/deploy/deploy-fleet`
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
> Related issue: #18330
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
## Notes
- ~I added an `includeTitle bool` parameter to
`ds.GetSoftwareInstallerMetadata`. This allows for the title of the
software (from the `software_titles` page) to be fetched in
`svc.DeleteSoftwareInstaller` without an additional call to the DB.~ We
wound up deciding to just fetch the title every time.
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(original here: https://github.com/fleetdm/fleet/pull/17369)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17711)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17841)
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17670)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(original: https://github.com/fleetdm/fleet/pull/16982)
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
File carves were moved to their own section in contributor docs
https://github.com/fleetdm/fleet/pull/16877
Fixed link on API page
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
#16767
To create a manual label:
```sh
cat labels.yml
---
apiVersion: v1
kind: label
spec:
name: Manually Managed Example
label_membership_type: manual
hosts:
- lucass-macbook-pro.local
```
To add/delete a manual label to/from a host:
```
curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}'
curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}'
```
API draft changes: https://github.com/fleetdm/fleet/pull/16979/files
Figma with error strings:
https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- ~[ ] If database migrations are included, checked table schema to
confirm autoupdate~
- ~For database migrations:~
- ~[ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.~
- ~[ ] Confirmed that updating the timestamps is acceptable, and will
not cause unwanted side effects.~
- ~[ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).~
- [x] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Docs improvements uncovered during
[dogfooding](https://github.com/fleetdm/confidential/issues/2506):
- Update end user auth docs to link to SSO docs. So the user knows what
do to get the necessary info from their IdP (create an Okta/GW app)
- Cut content from SSO docs and move Okta and Google Workspace to top
level headers
- "IDP" => "IdP"
- Use **bold** styling to indicate UI elements in docs (instead of
_italics_)
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Adds `webhook_settings.host_status_webhook` options to team config for
#14916.
Also updated conceptual docs that reference this config (and cut down
some content to make room).
The Wine developer does have an Apple Develeoper certificate but the
"Wine Stable" app bundle is not code-signed or notarized post-install &
disables Gatekeeper for the install. This adds a warning to the script
user about the app not being signed. post-install
---------
Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
#17827
Updated 1Password policy to only search one level deep for performance
reasons.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
For better readability: add periods as separation between the Fleet
Premium message and parameter descriptions.
✅ _Available in Fleet Premium_. Description text.
❌ _Available in Fleet Premium_ Description text.
- Updated `GET /api/v1/fleet/scripts`: documented `team_id` parameter
that was missing
- Replaced "Upload" with "Add" since that's the language we want to use
across the product and docs.
- Removed articles from headings
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
This instructions were inaccurate following these steps only `Fleet
Osquery` was installed not `orbit`
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Closes: #17582
Changes:
- Updated the `build-static-content` script to not generate HTML pages
for files in subfolders that are prefixed with an underscore
- Renamed the `docs/Deploy/kubernetes` folder »
`docs/Deploy/_kubernetes`
- Documented this new behavior on the communications page of the
handbook.
- Updated commands on the Deploy Fleet on Kubernetes page.
---------
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
Typo: "removing" /past from host's activities API
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
#15565
Replace the use of the isFederated registry key with a keys that check
for AAD (Azure Active Directory, now Entra ID)
Federated enrollment (`isFederated`) seems to be when windows uses a
Discovery MDM endpoint to get its policy and management endpoint
configuration. This is always the case when a client is enrolled with
fleet, so installations always show up as automatic.
It's being replaced by a different key, `AADResourceID`, which appears
to identify the resource that controls the automated deployment. In my
tests it only appears to be populated when the computer is enrolled
through automated deployments. This key appears on both Windows 10 and
11.
There is a similar key, `AADTenantID`, which appears to identify the
client (tenant) to the Azure cloud. I haven't seen this ID in our
systems, so it is likely exclusively used in Azure. Both this key and
`AADResourceID` seem to always be set at the same time, so we only
check for the `AADResourceID`.
I've also added documentation on the registry keys I've analyzed for future reference.
This PR addresses an issue in the documentation for installing the MySQL
chart using Helm. Previously, the documentation provided a Helm install
command that incorrectly referenced mysqlUser and mysqlDatabase.
However, these keys don't exist in the chart's values.yaml file anymore.
Removed reference to **Scripts** tab and added instructions for
accessing the **Run Script** modal from the host detail page.
# Checklist for submitter
Docs-only change
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
```mermaid
sequenceDiagram
participant windows as Windows
participant orbit as Orbit
participant server as fleet server
loop every 30 seconds
orbit->>+server: POST /api/fleet/orbit/config
server-->>-orbit: pending notifications
end
note over orbit: receive enrollment notification
orbit->>windows: mdmregistration.dll<br/>RegisterDeviceWithManagement
windows->>+server: POST /api/mdm/microsoft/discovery
server-->>-windows: EnrollmentServiceURL, EnrollmentPolicyServiceUrl
windows->>+server: POST /api/mdm/microsoft/policy<br/>DeviceEnrollmentUserToken
server-->>-windows: Policy Schema, Certificate requirements
activate windows
note left of windows: Generate keypair
deactivate windows
windows->>+server: POST /api/mdm/microsoft/enroll<br/>Self-signed CSR & cert values
note right of server: Creates certificate signed by WSTEP ident key
server-->>-windows: Signed certificate, management endpoint, enrollment parameters
loop SYNCML MDM Protocol (mTLS)
windows->>+server: POST /api/mdm/microsoft/management
server-->>-windows: Response
end
```
REST API changes for #15919
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Tim Lee <timlee@fleetdm.com>
The _"Fleet's best practice `fleet-deployment.yml` file"_ link on the
["Deploy Fleet on Kubernetes" docs
page](https://fleetdm.com/docs/deploy/deploy-fleet-on-kubernetes)
doesn't actually target the YAML file it purports to and, instead, it
just points to the Markdown version of the "Deploy Fleet on Kubernetes"
docs on GitHub.
This PR changes the target URL so that link actually goes to the place
where one would expect it to (the YAML file).
Closes: #16797
Changes:
- Updated `build-static-content` to throw an error if an extensionless
Markdown link containing a hash link is found.
- Fixed two broken relative links in the contributing documentation
Python >= 3.12 no longer ships with the `distutils` module out of the
box. It can be installed using `pip install setuptools`.
This may be fixed when updating node packages that rely on python, but
until then it may come up during `make deps`.
Reference: https://stackoverflow.com/a/76691103
Moving mdm_profiles to it-and-security/lib/mdm_profiles so that they are
together with other gitops config files.
---------
Co-authored-by: Noah Talerman <noahtal@umich.edu>
+ Changed a bunch of instances of "member" to "user" to match the
updated UI (https://github.com/fleetdm/fleet/issues/15893)
+ Cut some step-by-step instructions for using the team UI from the
"Segment hosts" docs
+ Add some missing "_Available in Fleet Premium_." flags to `team_id`
parameter descriptions for API endpoints available in Fleet Free.
+ Remove one duplicate instance of `team_id`
- Remove example YAML file from docs to deduplicate
- Update "Prepare a new version of Fleet" handbook instructions to point
to the best practice YAML
- Add README to point to docs
- Move tools for deploying Fleet on Kubernetes to `Deploy/` folder.
- Add @dherder as CODEOWNER so that Dave gets pinged every time a
contributor wants to make a change to the Kubernetes
---------
Co-authored-by: Dave Herder <27025660+dherder@users.noreply.github.com>
Co-authored-by: Luke Heath <luke@fleetdm.com>
updated URL for orbit docs. The previous location forwarded to
https://fleetdm.com/docs/using-fleet/enroll-hosts and did not give info
about Orbit.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Removing entry. 1) failed to build again. Now that this is "device
health" this query probably doesn't really fit with the rest of the list
anyway. Sorry for all the approvals...
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
When attempting to follow the kubernetes install directions I
encountered a few issues.
1. The image version was no longer hosted on dockerhub. And new versions
now are tagged with a "v" prefix.
2. The webserver was not able to bind to port 443 on a managed version
of k8s.
3. The dns name(s) for the latest redis helm chart have changed. They
are now `{release}-master` for read-write and `{release}-replica` for
read only nodes.
4. The deployment API is out of date.
This PR fixes those issues.
- Cut down on user facing doc content so first time Fleet users can find
the right information. This could be moved into an "Advanced" section in
the future.
Docs for the "Windows OS updates" (#11951) user story
- Update "macOS updates" doc page to cross-platform "OS updates" page
- Update pricing page
- Update copy in the UI to clarify behavior of Windows updates
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Part of #9949
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
Changes:
- Updated two (broken) relative links on the "macOS updates"
documentation page to point to the documentation page on fleetdm.com
- Added a redirect to fix broken links to the product design handbook
page (/handbook/product » /handbook/product-design)
Addresses the following subtask: #16073
Fleet is investing in more automated testing for MDM features.
Update the table to reflect the versions that Fleet is running tests
against:
- macOS 13 and 14
- Windows 10 and 11
- Ubuntu Linux 20+
To support `fleetctl gitops`, gitops role can now read policies/queries
and write scripts.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Closes: #16451
Changes:
- Updated the "spin up for yourself" link in the FAQ to go to the
deploying docs.
- Updated the custom idp integration card link to go to the IDP
configuration section of the SSO docs page.
- Update "Custom macOS settings" page to cross-platform "Custom OS
settings" page
- Match format w/ "Disk encryption" and "OS updates" pages
- Cut content and make the docs more of reference
- Link to best practice GitOps
- Update pricing page
- Add redirects
It is very easy for data collection like this to veer into double /
triple negative mulitverse of madness stuff...
That said, I may have a lack of understanding about how the product
works, i.e., that a query literally must return a 0 value & not null in
order to "pass" in a policy. If so, then this works as expected.
However, if a query just needs to return empty (null) & 0 is implied in
the logic that sets a policy flag to green or red, then, as a rule,
queries like this should be always be simplified & should default to
using "positive" as opposed to "negative" logic, i.e., check if
something exists, never check if a thing does NOT exist.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests: Tested by adding dummy Emergency Kit.pdf
files to Desktop & Downloads, running query, then, removing files &
running query.
API changes for the "Upcoming activities: Run scripts on online/offline
hosts" (#15529) story
Changes:
- Script endpoints are available in Fleet Free and Fleet Premium
- Update `POST /scripts/run` to add a script to the bottom of the
upcoming activities
- Update `POST /scripts/run/sync`
- Add `GET /hosts/:id/activities` to show past activity feed
- Add `GET /hosts/:id/activities/upcoming` to show upcoming activity
feed
- Move docs for `GET /hosts/:id/scripts` to a new "Get host's scripts
section" under "Hosts"
