Solves #23955
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Changes to add `team_identifier` signing information to macOS
applications on the `/api/latest/fleet/hosts/:id/software` API endpoint.
Docs: https://github.com/fleetdm/fleet/pull/23743
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests
- [X] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ X Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [X] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Tim Lee <timlee@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
The core osquery schema incorrectly lists Windows as a supported os for
this query:https://osquery.io/schema/5.12.1/#yara_events
Adding a yaml override to reflect this in Fleet's docu
---------
Co-authored-by: Harrison John <harrisonjohn@Harrisons-MacBook-Pro.local>
Co-authored-by: Eric <eashaw@sailsjs.com>
Missing comma between u.username, u.uid causes the query to fail with
this error (Note the query is only applicable to Mac OS):
```
osquery> SELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
Error: near ".": syntax error
```
Output after fixing the missing , (removed part of the output):
```
osquery> SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
+--------------+------------+------------------------+--------------------+------------------------+
| username | uid | password_last_set_time | failed_login_count | failed_login_timestamp |
+--------------+------------+------------------------+--------------------+------------------------+
| nobody | 4294967294 | | | |
| root | 0 | | | |
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/15651
Changes:
- Removed `hidden: true` from the YAML override file for the iptables
table.
- Regenerated osquery_fleet_schema.json
Closes: #19271Closes: #19286
Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override
documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override
files
- Regenerated osqeury_fleet_schema.json
Changes:
- Updated the version of osquery schema that is merged with Fleet's
overrides: (5.11.0 » 5.12.1)
- Regenerated schema/osquery_fleet_schema.json
Closes: #18240
Changes:
- Updated the schema override files to use only one YAML block scalar
(`>-`)
- Updated the template yaml included in the link to create a new
override file in get-extended-osquery-schema helper to use the `>-`
block scalar
- regenerated osquery_fleet_schema.json
Changes:
- Updated the `build-static-content` script to remove support for the
`requires_user_context` column attribute
- Updated `get-extended-osquery-schema` to not set a
`requires_user_context` value in the merged schema json.
- Regenerated `schema/osquery_fleet_schema.json`
For #17577
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux. (performed only on macOS)
Closes: #17883
Changes:
- Updated the `get-extended-osquery-schema` helper to set the `type`
values of columns of tables with Fleet overrides to be lowercase.
- Regenerated `osquery_fleet_schema.json`
Related to: https://github.com/fleetdm/fleet/issues/17861
Changes:
- Updated `get-extended-osquery-schema` helper to remove `examples`
values from the merged schema JSON if they are an empty array.
- regenerated `osqeury_fleet_schema.json`
Closes: https://github.com/fleetdm/fleet/issues/17188
Changes:
- Updated `get-extended-osquery-schema.js` to only include the last
example from the osquery schema if a table has an override file that
does not contain an `examples` value.
- Regenerated osquery_fleet_schema.json with the correct `examples`
values
Changes:
- Added a newline before the code block in the example of the
`vscode_extensions` table override to fix the formatting of the page
generated for this table (see screenshot)
- Ran the `generate-merged-schema` script to regenerate
`osquery_fleet_schema.json`
<img width="860" alt="image"
src="https://github.com/fleetdm/fleet/assets/7445991/1f6f1b37-1240-4d16-b102-f67ecff5fb28">
For https://github.com/fleetdm/fleet/issues/13891
Changes:
- Updated the version of the osquery schema used to generate
osqeury_fleet_schema.json (`5.9.1` » `5.11.0`)
- Removed the table override file for the `atom_packages` table (It was
removed from the osquery schema, our override file was previously hiding
the table)
- Ran the `generate-merged-schema` script to regenerate
osquery_fleet_schema.json
When running a live query recently, I noticed some columns in the
results that we didn't have documented, and realized we weren't using
the latest osquery schema version when regenerating the merged schema.
According to the docs, [we support the latest version of
osquery](https://fleetdm.com/docs/using-fleet/enroll-hosts#supported-osquery-versions),
so figure we ought to update the schema version to the latest.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: #13722
Changes:
- Updated the `get-extended-osquery-schema` helper to sort the merged
schema by table name.
- Regenerated `/schema/osquery_fleet_schema.JSON`
#10292, #12554
When scanning tens of thousands of files for permissions, using the
`find` command exposed as a fleetd table is more performant than trying
to use the `file` table. This change caused the watchdog to *stop*
killing osquery because of exceeding memory or CPU limit.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
