The core osquery schema incorrectly lists Windows as a supported os for
this query:https://osquery.io/schema/5.12.1/#yara_events
Adding a yaml override to reflect this in Fleet's docu
---------
Co-authored-by: Harrison John <harrisonjohn@Harrisons-MacBook-Pro.local>
Co-authored-by: Eric <eashaw@sailsjs.com>
Missing comma between u.username, u.uid causes the query to fail with
this error (Note the query is only applicable to Mac OS):
```
osquery> SELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
Error: near ".": syntax error
```
Output after fixing the missing , (removed part of the output):
```
osquery> SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
+--------------+------------+------------------------+--------------------+------------------------+
| username | uid | password_last_set_time | failed_login_count | failed_login_timestamp |
+--------------+------------+------------------------+--------------------+------------------------+
| nobody | 4294967294 | | | |
| root | 0 | | | |
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/15651
Changes:
- Removed `hidden: true` from the YAML override file for the iptables
table.
- Regenerated osquery_fleet_schema.json
Closes: #19271Closes: #19286
Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override
documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override
files
- Regenerated osqeury_fleet_schema.json
Changes:
- Updated the version of osquery schema that is merged with Fleet's
overrides: (5.11.0 » 5.12.1)
- Regenerated schema/osquery_fleet_schema.json
Closes: #18240
Changes:
- Updated the schema override files to use only one YAML block scalar
(`>-`)
- Updated the template yaml included in the link to create a new
override file in get-extended-osquery-schema helper to use the `>-`
block scalar
- regenerated osquery_fleet_schema.json
Changes:
- Updated the `build-static-content` script to remove support for the
`requires_user_context` column attribute
- Updated `get-extended-osquery-schema` to not set a
`requires_user_context` value in the merged schema json.
- Regenerated `schema/osquery_fleet_schema.json`
For #17577
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux. (performed only on macOS)
Closes: #17883
Changes:
- Updated the `get-extended-osquery-schema` helper to set the `type`
values of columns of tables with Fleet overrides to be lowercase.
- Regenerated `osquery_fleet_schema.json`
Related to: https://github.com/fleetdm/fleet/issues/17861
Changes:
- Updated `get-extended-osquery-schema` helper to remove `examples`
values from the merged schema JSON if they are an empty array.
- regenerated `osqeury_fleet_schema.json`
Closes: https://github.com/fleetdm/fleet/issues/17188
Changes:
- Updated `get-extended-osquery-schema.js` to only include the last
example from the osquery schema if a table has an override file that
does not contain an `examples` value.
- Regenerated osquery_fleet_schema.json with the correct `examples`
values
Changes:
- Added a newline before the code block in the example of the
`vscode_extensions` table override to fix the formatting of the page
generated for this table (see screenshot)
- Ran the `generate-merged-schema` script to regenerate
`osquery_fleet_schema.json`
<img width="860" alt="image"
src="https://github.com/fleetdm/fleet/assets/7445991/1f6f1b37-1240-4d16-b102-f67ecff5fb28">
For https://github.com/fleetdm/fleet/issues/13891
Changes:
- Updated the version of the osquery schema used to generate
osqeury_fleet_schema.json (`5.9.1` » `5.11.0`)
- Removed the table override file for the `atom_packages` table (It was
removed from the osquery schema, our override file was previously hiding
the table)
- Ran the `generate-merged-schema` script to regenerate
osquery_fleet_schema.json
When running a live query recently, I noticed some columns in the
results that we didn't have documented, and realized we weren't using
the latest osquery schema version when regenerating the merged schema.
According to the docs, [we support the latest version of
osquery](https://fleetdm.com/docs/using-fleet/enroll-hosts#supported-osquery-versions),
so figure we ought to update the schema version to the latest.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: #13722
Changes:
- Updated the `get-extended-osquery-schema` helper to sort the merged
schema by table name.
- Regenerated `/schema/osquery_fleet_schema.JSON`
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
## Addresses #11037
### Implement the `privacy_preferences` table for the Fleetd Chrome
extension. Columns correspond to the available properties of
[`chrome.privacy`](https://developer.chrome.com/docs/extensions/reference/privacy/).
Chrome on mac:
<img width="816" alt="Screenshot 2023-06-23 at 11 55 21 AM"
src="https://github.com/fleetdm/fleet/assets/61553566/a4700749-6325-442e-acf2-c14b1c9adf8f">
Chromebook with enterprise access (actual use case):
* Chromebook w/o enterprise access: as you can see, sometimes certain
APIs are not available - this error occurs because the expected API
object that would have a `get` method is actually `undefined` TODO – How
to handle this case given that we want to let errors bubble up to the
level at which Fleet can catch them? Maybe it would be nice to catch
such errors and send them up to the Fleet layer, and still allow the
loop to continue to populate the columns whose APIs _are_ available.
_Decision: catch API errors here to preserve functionality of the
remaining columns_
- [x] Changes file
- [x] Manual QA
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Changes:
- Updated the `platform` value for osquery tables and columns that
support chromeos to be `chrome` (Previously `chromeos`)
- Updated `get-exteneded-osquery-schema.js` to use the new `platform`
value
- Updated the Fleet website to use the `chrome` `platform`.
- Regenerated `schema/osquery_fleet_schema.json` with ChromeOS tables.
This relates to #11244
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
---------
Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
