mirror of
https://github.com/fleetdm/fleet
synced 2026-04-26 07:57:29 +00:00
2a18f56655
For #24473 # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. ## Details This PR adds the ability to manage labels via GitOps. Usage is as follows: * If a top-level `labels:` key is provided in the global YAML file provided to GitOps, then any labels in this list will be created (if using a new name) or updated (if using an existing name). * If no top-level `labels:` key is provided, no changes will be made to labels. This allows backwards-compatibility; customers won't blow away all of their labels if they don't immediately use `labels:` in their YAML Additionally, some new validation has been added so that label usage is checked prior to application. This means that when the gitops command is run, it will verify that any labels referenced elsewhere in the YAML (e.g. by software installers or mdm profiles) exist, and will bail with an error message if they don't. ## Testing **Test label deletion** 1. Add some labels via the UI 2. Run `fleetctl gitops --dry-run` with a default.yml file _without_ `labels:` in it, and verify that it doesn't say it will update or delete any labels 2. Run `fleetctl gitops` with a default.yml file _without_ `labels:` in it, and verify that it doesn't modify or remove your labels 4. Run `fleetctl gitops --dry-run` with a default.yml file with `labels:` in it and nothing underneath, and verify that it says that it will delete your labels 4. Run `fleetctl gitops` with a default.yml file with `labels:` in it and nothing underneath, and verify that it removes all your labels **Test label create/update** 1. Add a label "foo" via the UI 2. Run `fleetctl gitops --dry-run` with a default.yml file with two `labels:` in it, one named "foo" and one named "bar". Verify that the output says that one label will be created and one will be updated. 2. Run `fleetctl gitops` with a default.yml file with two `labels:` in it, one named "foo" and one named "bar". Verify that the two labels now exist in the UI with the configuration you specified. **Test label usage** 1. Add a label "foo" in the UI. 1. Run `fleetctl gitops --dry-run` with a default.yml file _without_ `labels:` in it, where a software installer or mdm profile uses the "foo" label via `labels_include_any`. Verify that the output doesn't complain about unknown labels. 1. Run `fleetctl gitops --dry-run` with a default.yml file _with_ `labels:` in it with nothing underneath, and a software installer or mdm profile uses the "foo" label via `labels_include_any`. Verify that the output complains about unknown label "foo" 1. Run `fleetctl gitops --dry-run` with a default.yml file _with_ `labels:` in it with a "foo" label defined underneath, and a software installer or mdm profile uses the "foo" label via `labels_include_any`. Verify that the output doesn't complain about unknown labels.
203 lines
5.9 KiB
YAML
203 lines
5.9 KiB
YAML
# Test config
|
|
controls: # Controls added to "No team"
|
|
macos_settings:
|
|
custom_settings:
|
|
- path: ./lib/macos-password.mobileconfig
|
|
windows_settings:
|
|
custom_settings:
|
|
- path: ./lib/windows-screenlock.xml
|
|
scripts:
|
|
- path: ./lib/collect-fleetd-logs.sh
|
|
enable_disk_encryption: true
|
|
macos_migration:
|
|
enable: false
|
|
mode: ""
|
|
webhook_url: ""
|
|
macos_setup:
|
|
bootstrap_package: null
|
|
enable_end_user_authentication: false
|
|
macos_setup_assistant: null
|
|
macos_updates:
|
|
deadline: null
|
|
minimum_version: null
|
|
ios_updates:
|
|
deadline: null
|
|
minimum_version: null
|
|
ipados_updates:
|
|
deadline: null
|
|
minimum_version: null
|
|
windows_enabled_and_configured: true
|
|
windows_migration_enabled: false
|
|
windows_updates:
|
|
deadline_days: null
|
|
grace_period_days: null
|
|
queries:
|
|
- name: Scheduled query stats
|
|
description: Collect osquery performance stats directly from osquery
|
|
query: SELECT *,
|
|
(SELECT value from osquery_flags where name = 'pack_delimiter') AS delimiter
|
|
FROM osquery_schedule;
|
|
interval: 0
|
|
platform: darwin,linux,windows
|
|
min_osquery_version: all
|
|
observer_can_run: false
|
|
automations_enabled: false
|
|
logging: snapshot
|
|
- name: orbit_info
|
|
query: SELECT * from orbit_info;
|
|
interval: 0
|
|
platform: darwin,linux,windows
|
|
min_osquery_version: all
|
|
observer_can_run: false
|
|
automations_enabled: true
|
|
logging: snapshot
|
|
- name: osquery_info
|
|
query: SELECT * from osquery_info;
|
|
interval: 604800 # 1 week
|
|
platform: darwin,linux,windows,chrome
|
|
min_osquery_version: all
|
|
observer_can_run: false
|
|
automations_enabled: true
|
|
logging: snapshot
|
|
policies:
|
|
- name: 😊 Failing policy
|
|
platform: linux
|
|
description: This policy should always fail.
|
|
resolution: There is no resolution for this policy.
|
|
query: SELECT 1 FROM osquery_info WHERE start_time < 0;
|
|
- name: Passing policy
|
|
platform: linux,windows,darwin,chrome
|
|
description: This policy should always pass.
|
|
resolution: There is no resolution for this policy.
|
|
query: SELECT 1;
|
|
- name: No root logins (macOS, Linux)
|
|
platform: linux,darwin
|
|
query: SELECT 1 WHERE NOT EXISTS (SELECT * FROM last
|
|
WHERE username = "root"
|
|
AND time > (( SELECT unix_time FROM time ) - 3600 ))
|
|
critical: true
|
|
- name: 🔥 Failing policy
|
|
platform: linux
|
|
description: This policy should always fail.
|
|
resolution: There is no resolution for this policy.
|
|
query: SELECT 1 FROM osquery_info WHERE start_time < 0;
|
|
- name: 😊😊 Failing policy
|
|
platform: linux
|
|
description: This policy should always fail.
|
|
resolution: There is no resolution for this policy.
|
|
query: SELECT 1 FROM osquery_info WHERE start_time < 0;
|
|
agent_options:
|
|
command_line_flags:
|
|
distributed_denylist_duration: 0
|
|
config:
|
|
decorators:
|
|
load:
|
|
- SELECT uuid AS host_uuid FROM system_info;
|
|
- SELECT hostname AS hostname FROM system_info;
|
|
options:
|
|
disable_distributed: false
|
|
distributed_interval: 10
|
|
distributed_plugin: tls
|
|
distributed_tls_max_attempts: 3
|
|
logger_tls_endpoint: /api/v1/osquery/log
|
|
pack_delimiter: /
|
|
org_settings:
|
|
server_settings:
|
|
debug_host_ids:
|
|
- 10728
|
|
deferred_save_host: false
|
|
enable_analytics: true
|
|
live_query_disabled: false
|
|
query_report_cap: 2000
|
|
query_reports_disabled: false
|
|
scripts_disabled: false
|
|
server_url: https://fleet.example.com
|
|
org_info:
|
|
contact_url: https://fleetdm.com/company/contact
|
|
org_logo_url: ""
|
|
org_logo_url_light_background: ""
|
|
org_name: Fleet Device Management
|
|
smtp_settings:
|
|
authentication_method: authmethod_plain
|
|
authentication_type: authtype_username_password
|
|
configured: false
|
|
domain: ""
|
|
enable_smtp: false
|
|
enable_ssl_tls: true
|
|
enable_start_tls: true
|
|
password: ""
|
|
port: 587
|
|
sender_address: ""
|
|
server: ""
|
|
user_name: ""
|
|
verify_ssl_certs: true
|
|
sso_settings:
|
|
enable_jit_provisioning: false
|
|
enable_jit_role_sync: false
|
|
enable_sso: true
|
|
enable_sso_idp_login: false
|
|
entity_id: https://saml.example.com/entityid
|
|
idp_image_url: ""
|
|
idp_name: MockSAML
|
|
issuer_uri: ""
|
|
metadata: ""
|
|
metadata_url: https://mocksaml.com/api/saml/metadata
|
|
integrations:
|
|
jira:
|
|
- api_token: JIRA_TOKEN
|
|
enable_failing_policies: true
|
|
enable_software_vulnerabilities: false
|
|
project_key: JIR
|
|
url: https://fleetdm.atlassian.net
|
|
username: reed@fleetdm.com
|
|
zendesk: []
|
|
mdm:
|
|
apple_bm_default_team: ""
|
|
end_user_authentication:
|
|
entity_id: ""
|
|
idp_name: ""
|
|
issuer_uri: ""
|
|
metadata: ""
|
|
metadata_url: ""
|
|
webhook_settings:
|
|
failing_policies_webhook:
|
|
destination_url: https://host.docker.internal:8080/bozo
|
|
enable_failing_policies_webhook: false
|
|
host_batch_size: 0
|
|
policy_ids: []
|
|
host_status_webhook:
|
|
days_count: 0
|
|
destination_url: ""
|
|
enable_host_status_webhook: false
|
|
host_percentage: 0
|
|
interval: 24h0m0s
|
|
vulnerabilities_webhook:
|
|
destination_url: ""
|
|
enable_vulnerabilities_webhook: false
|
|
host_batch_size: 0
|
|
fleet_desktop: # Applies to Fleet Premium only
|
|
transparency_url: https://fleetdm.com/transparency
|
|
host_expiry_settings: # Applies to all teams
|
|
host_expiry_enabled: false
|
|
activity_expiry_settings:
|
|
activity_expiry_enabled: true
|
|
activity_expiry_window: 30
|
|
features: # Features added to all teams
|
|
enable_host_users: true
|
|
enable_software_inventory: true
|
|
vulnerability_settings:
|
|
databases_path: ""
|
|
secrets: # These secrets are used to enroll hosts to the "All teams" team
|
|
- secret: SampleSecret123
|
|
- secret: ABC
|
|
labels:
|
|
- name: Global label numero uno
|
|
description: A cool global label
|
|
query: SELECT 1 FROM osquery_info
|
|
label_membership_type: dynamic
|
|
- name: Global label numero dos
|
|
description: A fly global label
|
|
hosts:
|
|
- host1
|
|
- host2
|
|
label_membership_type: manual
|