- Make the callout about these endpoints being internal
(UI/fleetctl/Fleet Desktop uses them) more prominent.
- Why? So customers/users that find themselves in this doc have hard a
time missing it.
- Noted that Fleet generates a new encryption key and the original one
does still remain under step #3 after a customer noted inconsistencies
in our docs.
- The statement was taken from our enforce-disk-encryption article.
- @noahtalerman: I think changing the Fleet web address means you'll
have to re-enroll all your hosts.
- We have a [feature
request](https://github.com/fleetdm/fleet/issues/29878) to add this copy
to the UI but I think we want to get this in the docs ASAP
---------
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
For #31048
This change includes some refactoring of orbit code. No functional
changes. Moved non-Linux-specific code from `securehw_linux.go` to
`securehw_tpm.go` so that tests on any platform can use it.
There are no server changes impacting the upcoming 4.72 release. Just
tests.
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a new TPM 2.0-based secure hardware interface, enabling
creation, loading, and management of ECC keys within a TPM device.
* Added support for both standard and RFC 9421-compatible HTTP
signatures using TPM-backed keys.
* **Bug Fixes**
* Improved error handling and resource management for TPM operations.
* **Tests**
* Added comprehensive unit tests for TPM key file loading scenarios.
* Introduced integration tests using a simulated TPM device to validate
end-to-end secure hardware and SCEP workflows.
* **Chores**
* Updated dependencies for enhanced compatibility and security.
* Modernized build constraints for improved maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
related to #29157
Adding a quick doc update to mention that the idp user info will not be
populated to the create account screen during setup experience if the
host is restarted during mdm enrollment
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Fixes#26404.
This means that for long vulns runs vulns will stick around longer, so
we don't wind up nuking vulns that were added earlier in the run, and in
cases where the vulns run takes less than 2h we'll see vulns clear
cleanly more quickly.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
- Add missing step of selecting "Trust Lifecycle" from the dropdown on
the first page when creating a service user.
- Fixed inconsistent deep links: some linked to the demo portal, others
linked to the main portal. Updated all links to go to the main portal.
- Fixed typos.
---------
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Add the capability to build a request body with `fleetctl api`,
including uploading files.
Example command to upload a software package:
```sh
fleetctl api --debug -X POST -F team_id=0 -F 'software=@./server/service/testdata/software-installers/ruby.deb' software/package
```
Unit tests are included for both simple POST requests and file uploads.
Closes#21754.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
relates to #31058
API doc updates BMAA feature
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [ ] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Added/updated automated tests
- [ ] Where appropriate, automated tests simulate multiple hosts and
test for host isolation (updates to one hosts's records do not affect
another.)
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
## #31333
- Include the "Other workflows" Policy automation option for all team
scenarios _except_ No team in regular (non-Primo) mode
- Manually confirmed this option is present in the intended situations
- Manually confirmed that Primo mode still does contain this option
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Mark ndes_scep_proxy as experimental.
@rachaelshaw We already discussed this. We forgot to mark this YAML
configuration as experimental, but the API is marked as experimental. We
want to deprecate these and transition to new endpoints, as discussed
during the MDM design review, to enable better scaling of this feature.
Fixes#30565. Applies to FMA-only extensions (DMG, ZIP), EXEs, and
tarballs. This means that MSI/PKG FMAs will still have package IDs
populated a day after server start if they aren't filled in, on the off
chance that admins use $PACKAGE_ID on uninstall scripts on either of
those, replicating existing behavior.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
> Closes#27756
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
Admins _should_ be upgrading orbit/osqueryd/fleet-desktop using TUF, but
there's no official path for pushing updates to the orbit environment
file (`/etc/default/orbit`).
Knowing that this file is installed by fleet-osquery, I naively pushed a
new fleet-osquery package to a user's machine, thinking that would be
fine installing over the existing package. Instead it actually broke
orbit entirely on the host, rendering it unreachable until the user
manually reinstalled the package. This is because the pre-removal script
unconditionally stops orbit even if it's being upgraded, and when orbit
is stopped it terminates any processes underneath it, including the
ongoing package installation.
To workaround this, we replace the simple
`systemctl restart orbit.service` with a check for the `INSTALLER_PATH`
environment variable that orbit sets during software installations. If
the variable is present, `systemd-run` is used to schedule the service
restart 60 seconds in the future, which is assumed to be more than
enough time for the package manager to finish and exit. Unfortunately,
this bugfix cannot be made retroactive, because the broken version of
the prerm script is called before the new package starts to be
unpacked/installed.
Although there are other ways of doing anything an administrator might
be trying to accomplish by pushing a new fleet-osquery package, bricking
an endpoint simply by pushing this package through the Software page
seems like a pretty massive footgun that is easy to protect against.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for safe in-band upgrades of DEB and RPM packages
generated by the `fleetctl package` command via the Software page, after
an initial manual update.
* **Documentation**
* Added a note clarifying the new upgrade process and the need for a
one-time manual update before using in-band upgrades.
* **Bug Fixes**
* Improved upgrade scripts to prevent the Orbit service from stopping
unexpectedly during package upgrades, ensuring smoother and safer
updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Dan Fuhry <dan@fuhry.com>
# Checklist for submitter
Commenting out test so that CI runs don't fail. This will be fixed in
https://github.com/fleetdm/fleet/issues/31303.
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
Closes: https://github.com/fleetdm/confidential/issues/11365
Changes:
- Updated the User model's supported `primaryBuyingSituation` values.
- Updated the /start questionnaire to use the new
`primaryBuyingSituation` values.
- Updated the contact form to use the new `primaryBuyingSituation`
values.
* Explain how we get the base dir for $INSTALLER_PATH
* Underscore that install/uninstall scripts are required for tarballs
* Remove inaccurate reference to $INSTALLER_PATH on uninstall scripts
(we don't use it there)
for #30109
# Details
This PR fixes an issue in our current SQL parsing library that was
causing queries like this to be marked invalid:
```
SELECT * FROM table_name WHERE column_name LIKE '\_%' ESCAPE '\'
```
This is valid in SQLite because the `\` is not considered an escape
character by default. From [the SQLite
docs](https://www.sqlite.org/lang_expr.html) (see section 3 "Literal
Values (Constants)"; emphasis mine):
> A string constant is formed by enclosing the string in single quotes
('). A single quote within the string can be encoded by putting two
single quotes in a row - as in Pascal. C-style escapes using the
backslash character are not supported because they are not standard SQL.
# Use of forked code
Part of the fix for this was [submitted as a PR to the node-sql-parser
library](https://github.com/taozhi8833998/node-sql-parser/pull/2496) we
now use, and merged. I then found that another fix was needed, which I
submitted as [a separate
PR](https://github.com/taozhi8833998/node-sql-parser/pull/2512). As
these fixes have yet to be made part of an official release of the
library, I made a fork off of the release we were using (5.3.10) and
bundled the necessary build artifacts with Fleet. We have an [ADR
proposing the use of submodules for this
purpose](https://github.com/fleetdm/fleet/pull/31079); I'm happy to
implement that instead if we approve that, although for a front-end
module with a build step it's a bit more complicated. Hopefully this
code will be released in `node-sql-parser` soon and we can revert back
to using the dependency.
Here is the [full set of
changes](https://github.com/taozhi8833998/node-sql-parser/compare/master...sgress454:node-sql-parser:5.3.10-plus).
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
We'll want to pull this into a feed so fixes don't take a Fleet release
to propagate, and some fixes currently in the vulns mutations list
should probably move over here (as they're also dealing with non-semver
versions), but that's out of scope for this particular fix.
Fixes#31123.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
For #29793
# Details
This PR changes the way that Orbit launches processes such as the
desktop app on Linux, in order to ensure that on SELinux-enabled systems
the correct user context is set when running the command.
Previously, `sudo -u` was used to launch commands on Linux. This PR
switches to use `runuser` instead, which is recommended in situations
where the root user wants to execute a command as a user with reduced
privileges (see [the blog post by one of the creators of
runuser](https://danwalsh.livejournal.com/55588.html)). This avoids
certain errors that can come from interacting with PAM modules as the
system user.
Additionally, if we detect that SELinux is set up on a system, we now
use `runcon` to force the command to run using the logged-in user's
SELinux context. It's possible that on some systems they may have
configuration where `sudo` will switch to the user's SELinux context
automatically, but this is not guaranteed. Using `runuser` + `runcon` is
our best bet for ensuring that the desktop app (and anything that it
spawns) runs under the correct context.
This PR also does some refactoring so that the three `run` methods for
Linux (`run`, `runWithOutput` and `runWithStdin`) all use the same base
code to create the command with the correct args and env vars, and
differ only in how they handle the i/o.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- For Orbit and Fleet Desktop changes:
- [x] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] ~Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~ (n/a, code is linux only)
- [x] ~Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ n/a
# Testing
- [x] Ubuntu with SELinux on
- [x] Ubuntu with SELinux off
- [ ] Fedora with SELinux on
- [ ] Fedora with SELinux off
- [ ] Debian with SELinux on
- [x] Debian with SELinux off
- [x] `runWithOutput` still works (tested with `go run
./tools/dialog/main.go --dialog=zenity`)
- [ ] ~`runWithStdin` still works~ (this isn't currently used by Linux)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved security and user context handling when launching the fleet
desktop application on Linux systems.
* **Refactor**
* Enhanced process launch mechanism to use proper SELinux context and
user session, ensuring processes start under the correct user and
security environment.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
relates to #31058
this updates the software library tab to show a message saying we do not
currently support software installs for personally enrolled mdm devices.
<img width="1107" height="288" alt="image"
src="https://github.com/user-attachments/assets/bbd3e62d-a2c9-4f17-81de-8f433cd5c40d"
/>
- [x] Manual QA for all new/changed functionality
One last change for #28818.
Do we need these `TPM2_ContextSave` command calls?
This PR is working for me. Double checking with @getvictor in case he
thinks there's a need for these commands.
## This is a foundational UI component shared between my current dev
work and @RachelElysia's. This PR is to share that component while we
are both developing on top of it.
Much of this logic exists in the current `SoftwareDetailsModal` (under
the hosts details page, not the identically named Activity feed
component - will be clarifying that naming in an upcoming PR). This PR
is the first step in a reorganization of much of these abstractions to
better suit the desired UX around software modals. Much more detail to
come shortly in actual feature work in upcoming PRs from both Rachel and
I.
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
