Commit graph

531 commits

Author SHA1 Message Date
Roberto Dip
b01389ad31
don't rely on MDM solution name to know if the host has Fleet MDM on (#19688)
for #18977

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-06-14 15:01:12 -03:00
Lucas Rodriguez
f65f1d245f
Fix merge main 2024-06-14 12:52:41 -03:00
Lucas Rodriguez
63a6bb8bf3
Merge branch 'main' into feature_19010-ipad-ios-lock-wipe 2024-06-14 12:45:47 -03:00
Victor Lyuboslavsky
8b84b06a86
/api/latest/fleet/hosts/:id/lock returns unlock_pin for Apple hosts (#19720)
/api/latest/fleet/hosts/:id/lock returns `unlock_pin` for Apple hosts
#19545 
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-06-14 06:58:17 -05:00
George Karr
4e2f7e53c3
Merge branch 'main' into feature_19010-ipad-ios-lock-wipe 2024-06-13 14:01:02 -05:00
Lucas Manuel Rodriguez
af525223f2
Implement support for Wipe for iOS/iPadOS devices (#19704)
Backend changes for #19010.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
2024-06-13 12:26:02 -03:00
Marko Lisica
cae2aa0326
Docs changes: Update Windows 10 CIS benchmark (#19723)
#17659
2024-06-13 11:24:41 -04:00
Marko Lisica
089d9e5fd0
Docs changes: Update Windows 11 CIS benchmark (#19722)
- #17659
2024-06-13 11:24:11 -04:00
Eric
bad0a8c363
Vuln-dash: Update sails app configuration in docker-compose.yml (#19686)
Changes:
- Updated the vulnerability dashboard configuration for the dockerized
version to make sure it uses the `safe` migration strategy
2024-06-12 10:15:52 -05:00
Martin Angers
ff1e17680b
Fix the unlock linux host script to support users without password (#19665) 2024-06-12 09:49:37 -04:00
dependabot[bot]
5aa5750566
Bump braces from 3.0.2 to 3.0.3 in /ee/fleetd-chrome (#19676) 2024-06-11 16:53:29 -07:00
Victor Lyuboslavsky
05eb338561
Enable gitops to create teams with no enroll secrets, or clear enroll secrets for an existing team (#19616)
Enable gitops to create teams with no enroll secrets, or clear enroll
secrets for an existing team
#19332 

`fleetctl apply` also gains this extra functionality. In `fleetctl
apply` secrets will not be changed if one of the following:
- secrets is missing from yml
- They are blank in yml, like: `secrets:`
- They are null in yml, like: `secrets: null`

They will only be cleared with `fleetctl apply` if the user explicitly
sets them to an empty array, like:
- `secrets: []`

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-06-11 13:20:32 -05:00
Martin Angers
96c8139c02
Fix a panic when downloading a software installer that exists in the DB but not in the storage (#19527) 2024-06-11 08:53:41 -04:00
Eric
bdfcf646b7
Vulnerability dashboard: batch Host record creation (#19595)
Changes:
- Updated the `update-reports` script to create new host records in
batches.
2024-06-07 11:18:34 -05:00
Erik Gomez
4b3818468f
add optional cookie for the API interactions fleetApiOptionalCookie (#19573) 2024-06-07 11:09:57 -05:00
Josh Brower
6d633427d8
Feature/win11 cis v3 (#18862)
Changelog

ADD:

ADD - 18.10.75.1 (L1) Ensure 'Automatic Data Collection' is set to
'Enabled'
ADD - 18.10.92.2 (L1) Ensure 'Enable features introduced via servicing
that are off by default' is set to 'Disabled'
ADD - 18.10.92.4 (L1) Ensure 'Enable optional updates' is set to
'Disabled'
ADD - 18.8 (L2) Ensure 'Remove Personalized Website Recommendations from
the Recommended section in the Start Menu' is set to 'Enabled'
ADD - 18.9.19 (L1) 'Configure security policy processing: Do not apply
during periodic background processing' is set to 'False'
ADD - 18.9.19 (L1) 'Configure security policy processing: Process even
if the Group Policy objects have not changed' is set to 'True'
ADD - 18.9.25 (L1) Ensure 'Configure password backup directory' is set
to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
ADD - 18.9.25 (L1) Ensure 'Enable password encryption' is set to
'Enabled'
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Actions' is set
to 'Enabled: Reset the password and logoff the managed account' or
higher
ADD - 18.9.25 (L1) Ensure 'Post-authentication actions: Grace period
(hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
ADD - 19.7.38 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Audit
Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
ADD - 2.3.11 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM
traffic to remote servers' is set to 'Audit all' or higher

REMOVE:

REMOVE - 18.10.76.3 (L1) Ensure 'Prevent bypassing Windows Defender
SmartScreen prompts for sites' is set to 'Enabled'
REMOVE - 5 (L1) Ensure 'Internet Connection Sharing (ICS)
(SharedAccess)' is set to 'Disabled'
REMOVE - 9.1 (L1) Ensure 'Windows Firewall: Domain: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.2 (L1) Ensure 'Windows Firewall: Private: Outbound
connections' is set to 'Allow (default)'
REMOVE - 9.3 (L1) Ensure 'Windows Firewall: Public: Outbound
connections' is set to 'Allow (default)'

UPDATE:

UPDATE - 18.10.42.7 (L2 -> L1) Ensure 'Enable file hash computation
feature' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Script Block
Logging' is set to 'Enabled'
UPDATE - 18.10.86 (L1 -> L2) Ensure 'Turn on PowerShell Transcription'
is set to 'Enabled'
UPDATE - 18.5 'MSS: (AutoAdminLogon) Enable Automatic Logon (not
recommended)' TO 'MSS: (AutoAdminLogon) Enable Automatic Logon'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting IPv6) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting IPv6) IP source routing protection level'
UPDATE - 18.5 'MSS: (DisableIPSourceRouting) IP source routing
protection level (protects against packet spoofing)' TO 'MSS:
(DisableIPSourceRouting) IP source routing protection level'
UPDATE - 18.5 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)' TO 'MSS:
(PerformRouterDiscovery) Allow IRDP to detect and configure Default
Gateway addresses'
UPDATE - 18.5 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended)' TO 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
UPDATE - 18.5 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires (0 recommended)' TO 'MSS:
(ScreenSaverGracePeriod) The time in seconds before the screen saver
grace period expires'
UPDATE - 18.5 'MSS: (KeepAliveTime) How often keep-alive packets are
sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes
(recommended)' TO 'Enabled: 300,000 or 5 minutes'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Client' is set
to 'Enabled'
UPDATE - 18.9.50.1 (L2 -> L1) Ensure 'Enable Windows NTP Server' is set
to 'Disabled'

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Co-authored-by: Sharon Katz <sharon@fleetdm.com>
2024-06-06 12:50:45 -04:00
Roberto Dip
1f6534f933
generate/ingest SCEP challenges and improve error messages (#19468)
for #19454
2024-06-03 18:33:52 -03:00
gillespi314
949acfb2bd Merge branch 'main' into feat-software-self-service 2024-05-31 16:35:56 -05:00
Gabriel Hernandez
af88da49bc Merge branch 'main' into feat-software-self-service 2024-05-31 18:15:19 +01:00
Roberto Dip
1c2ee0c949 Merge remote-tracking branch 'origin/main' into feat-save-certs 2024-05-31 09:34:48 -03:00
Victor Lyuboslavsky
cfe9657f75
fleetctl gitops --dry-run now errors on duplicate (or conflicting) global/team enroll secrets. (#19344)
#19152
`fleetctl gitops --dry-run` now errors on duplicate (or conflicting)
global/team enroll secrets.

- One check is done on the backend to check against existing secrets
- Another check is done in fleetctl to detect duplicate secrets coming
in

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-05-31 07:01:13 -05:00
Roberto Dip
178c0d565f Merge remote-tracking branch 'origin/main' into feat-save-certs 2024-05-30 18:34:40 -03:00
Roberto Dip
545e56d288
19016 ingest certs on start (#19360)
For #19016

This changes all the places where we previously assumed that certs were
hardcoded when the Fleet server started to query the database instead.

The plan is to loadtest afterwards, but as a first preemptive measure,
this adds a caching layer on top of the mysql datastore.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
  - [x] Checked schema for all modified tables for columns that will
  auto-update timestamps during migration.
  - [x] Confirmed that updating the timestamps is acceptable, and will not
  cause unwanted side effects.
  - [x] Ensured the correct collation is explicitly set for character
  columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Manual QA for all new/changed functionality
2024-05-30 18:18:42 -03:00
Martin Angers
895933ccf9 Fix new way to call new activity 2024-05-29 16:14:49 -04:00
Martin Angers
6b9fecf172 Fix conflicts 2024-05-29 16:08:51 -04:00
Dante Catalfamo
6f7a0f98e7
Self service install endpoint (#19294) 2024-05-29 11:01:48 -04:00
Martin Angers
0b9b8c6279
Software SS: Add missing data to device software endpoints (#19304) 2024-05-29 08:54:48 -04:00
Jahziel Villasana-Espinoza
a2909c9691 fix: remove references to administrator users in script 2024-05-28 17:45:28 -04:00
Jahziel Villasana-Espinoza
ddcdaa61c0
feat: enabled locking for windows admins (#19145)
> Related issue: #18461

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
2024-05-28 12:06:38 -04:00
Victor Lyuboslavsky
addbceece0
Activity feed webhooks backend (#19261)
This is a redo of the already-approved PR
https://github.com/fleetdm/fleet/pull/19125

The difference is that this merge is into main as opposed to the feature
branch.
2024-05-24 11:25:27 -05:00
Dante Catalfamo
87c4deb307
Software SS: Update APIs with self_service (#19187) 2024-05-23 09:47:04 -04:00
Jahziel Villasana-Espinoza
b6ada01aef feat: enabled locking for windows admins 2024-05-20 11:45:11 -04:00
Noah Talerman
54cca7b28a
Docs: Fix broken links & add redirects (#19066) 2024-05-17 11:24:33 -05:00
Roberto Dip
75e86ff321
Merge branch 'main' into feat-software-installers 2024-05-16 19:43:55 -03:00
Sarah Gillespie
8cc3d7dd4f
Update list host software to omit software installers for other platforms (#19088) 2024-05-16 17:09:41 -05:00
Victor Lyuboslavsky
4d671e63d4
fleetd-chrome v1.3.1 release (#19087)
#18811

* Fixed bug where fleetd-chrome sent multiple read requests to Fleet
server at the same time.

* Improved console log output messages when Fleet server is down.
2024-05-16 16:39:36 -05:00
Roberto Dip
1ef19e4ff2 Merge remote-tracking branch 'origin/main' into feat-software-installers 2024-05-15 19:55:02 -03:00
Martin Angers
62adb46a36
Partial fix: fix empty software title when metadata doesn't find one (#19047)
#19041 (it falls back on filename)

# Checklist for submitter

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
2024-05-15 18:27:04 -03:00
Eric
34c1b1d291
Vulnerability dashboard: Batch logged warnings, update vulnerable and critical software processing. (#19030)
Related to https://github.com/fleetdm/confidential/issues/6523

Changes:
- Updated the update-reports batch warnings and surface them after the
script runs.
- Updated logged warning messages to include what the impact of the
warning is.
- Updated the script to only check for duplicate uninstalled vulnerable
install records when it processes vulnerable software.
2024-05-15 15:12:05 -05:00
Eric
3b586cc7db
Vulnerability dashboard: Update session config (#19040)
https://github.com/fleetdm/confidential/issues/6577

Changes:
- Updated the vulnerability dashboard's session configuration
2024-05-15 14:15:03 -05:00
Martin Angers
79a121256e
Software installers: backend cleanup tasks part 2 (#18982) 2024-05-15 08:40:06 -04:00
Martin Angers
1def5b2ddf
Add support for software installers in fleetctl gitops (#18990) 2024-05-14 16:58:58 -04:00
Dante Catalfamo
71c0026168
Orbit software installer flow (#18797)
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
    - [x] Manual QA must be performed in the three main OSs, macOS, Windows
    and Linux.
    - [x] Auto-update manual QA, from released version of component to new
    version (see [tools/tuf/test](../tools/tuf/test/README.md)).

---------

Co-authored-by: Roberto Dip <rroperzh@gmail.com>
2024-05-14 17:25:35 -03:00
Roberto Dip
f0e3903585
add boilerplate to host installation result outputs (#18988)
Specified by Marko, this should be returned by the API:

<img width="642" alt="image"
src="https://github.com/fleetdm/fleet/assets/4419992/945e899e-9527-43cb-ac42-88b02d4bc844">


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-05-14 17:03:44 -03:00
Roberto Dip
3a31262353
add CLI and endpoints to set software via fleetctl apply (#18876)
for #18325

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2024-05-14 15:06:33 -03:00
Victor Lyuboslavsky
27127ff396
Improved console log output messages when Fleet server is down. (#18942)
#18940

# Checklist for submitter

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Added/updated tests
- [x] Manual QA for all new/changed functionality
2024-05-13 16:38:36 -05:00
Eric
999f3cd97c
Vulnerability dashboard: Update update-reports script to continue when the Fleet API returns a 404 error (#18949)
Related to: https://github.com/fleetdm/confidential/issues/6523

Changes:
- (Vulnerability dashboard) Updated the `update-reports` script to log a
warning and continue running if the Fleet API returns a 404 response
when we expect to receive an array of hosts.
2024-05-13 13:07:26 -05:00
Eric
4b9f561332
Vulnerability dashboard: Update update-reports script. (#18919)
Related to: https://github.com/fleetdm/confidential/issues/6523

Changes:
- Updated the vulnerability dashboard's update-reports script to
continue if a Fleet instance returns a 404 response when a request is
sent to get a filtered array of hosts with a vulnerable software item
installed.
2024-05-10 17:16:40 -05:00
Victor Lyuboslavsky
ab3f7ec08f
Fixed bug where fleetd-chrome sent multiple read requests to Fleet server at the same time. (#18777)
#18775 
Fixed bug where fleetd-chrome sent multiple read requests to Fleet
server at the same time.

# Checklist for submitter

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
2024-05-10 15:52:04 -05:00
Roberto Dip
71437a8a8b
back-end fixes for software installers (#18908)
- Use `title_id` + `team_id` for package endpoints instead of the
software title
- Add ability to filter software titles by software available for
install

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
2024-05-10 14:47:59 -03:00