diff --git a/CHANGELOG.md b/CHANGELOG.md
index 03e430be1b60..2fbe4360a863 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,49 @@
+## Fleet 4.41.0 (Nov 28, 2023)
+
+### Changes
+
+* **Endpoint operations**:
+ - Enhanced `fleetctl` and API to support PowerShell (.ps1) scripts.
+ - Updated several API endpoints to support `os_settings` filter, including Windows profiles status.
+ - Enabled `after` parameter for improved pagination in various endpoints.
+ - Improved the `fleet/queries/run` endpoint with better error handling.
+ - Increased frequency of metrics reporting from Fleet servers to daily.
+ - Added caching for policy results in MySQL for faster operations.
+
+* **Device management (MDM)**:
+ - Added database tables for Windows profiles support.
+ - Added validation for WSTEP certificate and key pair before enabling Windows MDM.
+
+* **Vulnerability management**:
+ - Fleet now uses NVD API 2.0 for CVE information download.
+ - Added support for JetBrains application vulnerability data.
+ - Tightened software matching to reduce false positives.
+ - Stopped reporting Atom editor packages in software inventory.
+ - Introduced support for Windows PowerShell scripts in the UI.
+
+* **UI improvements**:
+ - Updated activity feed for better communication around JIT-provisioned user logins.
+ - Query report now displays the host's display name instead of the hostname.
+ - Improved UI components like the manage page's label filter and edit columns modal.
+ - Enabled all sort headers in the UI to be fully clickable.
+ - Removed the creation of OS policies from a host's operating system in the UI.
+ - Ensured correct settings visibility in the Settings > Advanced section.
+
+### Bug fixes
+
+ - Fixed long result cell truncation in live query results and query reports.
+ - Fixed a Redis cluster mode detection issue for RedisLabs hosted instances.
+ - Fixed a false positive vulnerability report for Citrix Workspace.
+ - Fixed an edge case sorting bug related to the `last_restarted` value for hosts.
+ - Fixed an issue with creating .deb installers with different enrollment keys.
+ - Fixed SMTP configuration validation issues for TLS-only servers.
+ - Fixed caching of team MDM configurations to improve performance at scale.
+ - Fixed delete pending issue during orbit.exe installation.
+ - Fixed a bug causing the disk encryption key banner to not display correctly.
+ - Fixed various error code inconsistencies across endpoints.
+ - Fixed filtering hosts with invalid team_id now returns a 400 error.
+ - Fixed false positives in software matching for similar names.
+
 ## Fleet 4.40.0 (Nov 3, 2023)
 
 ### Changes
diff --git a/changes/11446-queries-run-when-forbidden b/changes/11446-queries-run-when-forbidden
deleted file mode 100644
index bd565affdca9..000000000000
--- a/changes/11446-queries-run-when-forbidden
+++ /dev/null
@@ -1,3 +0,0 @@
-Fixes to /fleet/queries/run endpoint:
-- now returns 403 for an unauthorized user
-- now returns 400 when query_ids or host_ids are not specified
\ No newline at end of file
diff --git a/changes/12409-allow-to-revert-deleted-munki b/changes/12409-allow-to-revert-deleted-munki
deleted file mode 100644
index a8a9be54c992..000000000000
--- a/changes/12409-allow-to-revert-deleted-munki
+++ /dev/null
@@ -1 +0,0 @@
-When Munki is deleted and reinstalled on the host, Fleet will show Munki info again.
\ No newline at end of file
diff --git a/changes/12634-keep-user-email b/changes/12634-keep-user-email
deleted file mode 100644
index 2d4099736f39..000000000000
--- a/changes/12634-keep-user-email
+++ /dev/null
@@ -1,2 +0,0 @@
-- Fixes bug where a deleted user's email would no longer show in the Activity feed for actions
- they'd taken.
diff --git a/changes/13160-sort-order b/changes/13160-sort-order
deleted file mode 100644
index 0470db24588a..000000000000
--- a/changes/13160-sort-order
+++ /dev/null
@@ -1,2 +0,0 @@
-- Fixed an edge case sorting bug by consolidating the logic for generating the `last_restarted`
- value for hosts into the backend.
diff --git a/changes/13260-deb-installer b/changes/13260-deb-installer
deleted file mode 100644
index 61b00afdc574..000000000000
--- a/changes/13260-deb-installer
+++ /dev/null
@@ -1,2 +0,0 @@
-- Bug fix: creating 2 .deb installers one after the other with different enrollment keys no longer
- results in the last installer failing at install time.
\ No newline at end of file
diff --git a/changes/13574-cache-policy-results b/changes/13574-cache-policy-results
deleted file mode 100644
index b1baa11cc5bf..000000000000
--- a/changes/13574-cache-policy-results
+++ /dev/null
@@ -1,2 +0,0 @@
-- policy results are now cached in mysql for faster sort operations on policy counts. counts are
-updated by the cleanups_then_aggregation cron job 1X per hour by default.
\ No newline at end of file
diff --git a/changes/14102-fix-label-filter-select b/changes/14102-fix-label-filter-select
deleted file mode 100644
index 53543c9bfccf..000000000000
--- a/changes/14102-fix-label-filter-select
+++ /dev/null
@@ -1,2 +0,0 @@
-- Fix a bug in which the manage page's label filter selection menu did not close when open and
- clicked. Added some additional UX improvements around this component.
diff --git a/changes/14116-citrix-false-pos b/changes/14116-citrix-false-pos
deleted file mode 100644
index 66937dc874e5..000000000000
--- a/changes/14116-citrix-false-pos
+++ /dev/null
@@ -1 +0,0 @@
-- Fixes a false positive vulnerabilty report for Citrix Workspace on Windows and MacOS.
diff --git a/changes/14260-host-expiry-window b/changes/14260-host-expiry-window
deleted file mode 100644
index 88a6165d8a8a..000000000000
--- a/changes/14260-host-expiry-window
+++ /dev/null
@@ -1,2 +0,0 @@
-* Only show the Settings > Advanced > "Host expiry window" input field when the "Host expiry"
-setting is enabled
diff --git a/changes/14345-JIT-provisioned-login-activities b/changes/14345-JIT-provisioned-login-activities
deleted file mode 100644
index 76c76e557eac..000000000000
--- a/changes/14345-JIT-provisioned-login-activities
+++ /dev/null
@@ -1,2 +0,0 @@
-- Update activity feed to elegantly communicate when a JIT-provisioned user logs in for the first
- time, thereby creating their account.
diff --git a/changes/14361-fleetctl-apply-changes b/changes/14361-fleetctl-apply-changes
deleted file mode 100644
index 7fd1d55eeafa..000000000000
--- a/changes/14361-fleetctl-apply-changes
+++ /dev/null
@@ -1 +0,0 @@
-* Allow fleetctl to configure windows mdm profiles for teams and "no team".
diff --git a/changes/14362-mdm-profiles-summary-api b/changes/14362-mdm-profiles-summary-api
deleted file mode 100644
index effc4dc017b0..000000000000
--- a/changes/14362-mdm-profiles-summary-api
+++ /dev/null
@@ -1,3 +0,0 @@
-- Added new endpoint `GET /mdm/profiles/summary` to get summarizes the current state of MDM
- configuration profiles on each host in the specified team (or, if no team is specified, each host
- that is not assigned to any team).
diff --git a/changes/14424-hosts-filter-windows-profiles-status b/changes/14424-hosts-filter-windows-profiles-status
deleted file mode 100644
index b48bc9f35a00..000000000000
--- a/changes/14424-hosts-filter-windows-profiles-status
+++ /dev/null
@@ -1,2 +0,0 @@
-- Updated API endpoints that support `os_setttings` filter to include Windows profiles status.
-- Updated `GET /api/v1/hosts/:id` to include Windows MDM profiles.
diff --git a/changes/14493-truncate-long-results-columns b/changes/14493-truncate-long-results-columns
deleted file mode 100644
index 03743df8ece2..000000000000
--- a/changes/14493-truncate-long-results-columns
+++ /dev/null
@@ -1 +0,0 @@
-* Internally truncate very long result cells in live query results and query reports tables.
diff --git a/changes/14519-header-clickability b/changes/14519-header-clickability
deleted file mode 100644
index 5a776f0a72b3..000000000000
--- a/changes/14519-header-clickability
+++ /dev/null
@@ -1 +0,0 @@
-* Enable the entirety of all sort headers to be clickable, except for in filter text inputs
diff --git a/changes/14571-carves-after-parameter b/changes/14571-carves-after-parameter
deleted file mode 100644
index 5c339342e45c..000000000000
--- a/changes/14571-carves-after-parameter
+++ /dev/null
@@ -1,14 +0,0 @@
-Enabled support and validation of 'after' parameter for the following endpoints:
-- GET /api/v1/fleet/carves
-
-Setting 'after' parameter no longer returns SQL syntax error for the following endpoints:
-- GET /api/v1/fleet/carves
-- GET /api/v1/fleet/invites
-- GET /api/v1/fleet/labels
-- GET /api/v1/fleet/packs
-- GET /api/v1/fleet/global/policies
-- GET /api/v1/fleet/teams/{id}/policies
-- GET /api/v1/fleet/queries
-- GET /api/v1/fleet/packs/{id}/scheduled
-- GET /api/v1/fleet/teams
-- GET /api/v1/fleet/users
diff --git a/changes/14629-smtp-validation-fix b/changes/14629-smtp-validation-fix
deleted file mode 100644
index e8f9d8761de3..000000000000
--- a/changes/14629-smtp-validation-fix
+++ /dev/null
@@ -1,2 +0,0 @@
-- Fixed: SMTP configuration was failing validation when attempting to send a test email to an SMTP server
- that only supports TLS
\ No newline at end of file
diff --git a/changes/14752-windows-scripts b/changes/14752-windows-scripts
deleted file mode 100644
index 3514dd4847e6..000000000000
--- a/changes/14752-windows-scripts
+++ /dev/null
@@ -1 +0,0 @@
-* Support Windows powershell scripts (.ps1) in the UI
diff --git a/changes/14753-windows-ps1-api b/changes/14753-windows-ps1-api
deleted file mode 100644
index 2e6ba1c5cba6..000000000000
--- a/changes/14753-windows-ps1-api
+++ /dev/null
@@ -1,4 +0,0 @@
-- Updated `POST /scripts` to allow `.ps1` scripts for Windows
-- Updated `fleetctl` output to reflect support for `.ps1` scripts
-- Updated `GET /hosts/{id}/scripts` to return `.sh` scripts for MacOS hosts and `.ps1` scripts for
- Windows hosts.
diff --git a/changes/14763-show-host-display-name-in-query-report b/changes/14763-show-host-display-name-in-query-report
deleted file mode 100644
index 0a9574165c1d..000000000000
--- a/changes/14763-show-host-display-name-in-query-report
+++ /dev/null
@@ -1 +0,0 @@
-Query report now shows the host display name instead of hostname.
\ No newline at end of file
diff --git a/changes/14824-NVD-work b/changes/14824-NVD-work
deleted file mode 100644
index 3bbc56282ddf..000000000000
--- a/changes/14824-NVD-work
+++ /dev/null
@@ -1 +0,0 @@
-* Increase the metrics report from Fleet servers from once every 3 days to once a day.
diff --git a/changes/14888-nvd-cve-sync-conversion b/changes/14888-nvd-cve-sync-conversion
deleted file mode 100644
index 885a97d729c3..000000000000
--- a/changes/14888-nvd-cve-sync-conversion
+++ /dev/null
@@ -1 +0,0 @@
-* Fleet now uses the 2.0 API to download CVE information from NVD.
diff --git a/changes/14991-bump-minimum-osquery-versions b/changes/14991-bump-minimum-osquery-versions
deleted file mode 100644
index 1ac0da95efe4..000000000000
--- a/changes/14991-bump-minimum-osquery-versions
+++ /dev/null
@@ -1 +0,0 @@
-- - Updated the list of minimum osquery versions to include the latest releases up to 5.10.2
diff --git a/changes/15037-hosts-invalid-team_id-filter b/changes/15037-hosts-invalid-team_id-filter
deleted file mode 100644
index 740c99934d20..000000000000
--- a/changes/15037-hosts-invalid-team_id-filter
+++ /dev/null
@@ -1 +0,0 @@
-For endpoint fleet/hosts, filtering hosts with invalid team_id now returns 400 error.
\ No newline at end of file
diff --git a/changes/15068-host-disk-encryption b/changes/15068-host-disk-encryption
deleted file mode 100644
index 7768ef6e5c77..000000000000
--- a/changes/15068-host-disk-encryption
+++ /dev/null
@@ -1,2 +0,0 @@
-* Fixed a bug causing the disk encryption key banner to not appear if the host
- had disk encryption turned on manually without FV escrow.
diff --git a/changes/15135-remove-atom-packages b/changes/15135-remove-atom-packages
deleted file mode 100644
index a4985c731d10..000000000000
--- a/changes/15135-remove-atom-packages
+++ /dev/null
@@ -1 +0,0 @@
-* Stop reporting Atom editor packages in software inventory. The Atom editor is retired and the relevant tables are being removed from osquery.
diff --git a/changes/15143-CPE-false-matches-on-bundle-id b/changes/15143-CPE-false-matches-on-bundle-id
deleted file mode 100644
index 203256a98720..000000000000
--- a/changes/15143-CPE-false-matches-on-bundle-id
+++ /dev/null
@@ -1,4 +0,0 @@
-Previous fix for #13889 caused false positives on software with similar names. Tightening the matching to reduce false positive rate.
-- Google Chrome Helper.app no longer matches Google Chrome.app
-- Acrobat Uninstaller.app no longer matches Acrobat.app
-- UmbrellaMenu.app no longer matches Cisco Umbrella
\ No newline at end of file
diff --git a/changes/fix-redis-cluster-disabled-detection b/changes/fix-redis-cluster-disabled-detection
deleted file mode 100644
index 9c99401824f0..000000000000
--- a/changes/fix-redis-cluster-disabled-detection
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed detection of disabled Redis cluster mode for Redis hosted on RedisLabs.
diff --git a/changes/issue-11665-two-column-edit-columns-modal b/changes/issue-11665-two-column-edit-columns-modal
deleted file mode 100644
index 365a3c12b6b1..000000000000
--- a/changes/issue-11665-two-column-edit-columns-modal
+++ /dev/null
@@ -1 +0,0 @@
-- change the edit columns modal on the hosts page to show the table headers names in two columns.
diff --git a/changes/issue-14360-add-windows-profiles-tables b/changes/issue-14360-add-windows-profiles-tables
deleted file mode 100644
index 11b1196ee46d..000000000000
--- a/changes/issue-14360-add-windows-profiles-tables
+++ /dev/null
@@ -1 +0,0 @@
-* Added database tables to support the Windows profiles feature.
diff --git a/changes/issue-14363-api-windows-profiles b/changes/issue-14363-api-windows-profiles
deleted file mode 100644
index 6915149b6831..000000000000
--- a/changes/issue-14363-api-windows-profiles
+++ /dev/null
@@ -1,2 +0,0 @@
-* Added endpoint `DELETE /mdm/profiles/{id}` to delete an existing MDM profile (Windows and macOS).
-* Added endpoint `GET /mdm/profiles/{id}` to get or download an existing MDM profile (Windows and macOS).
diff --git a/changes/issue-14366-api-upload-profiles b/changes/issue-14366-api-upload-profiles
deleted file mode 100644
index 1364c73efb88..000000000000
--- a/changes/issue-14366-api-upload-profiles
+++ /dev/null
@@ -1 +0,0 @@
-* Added the `POST /mdm/profiles` endpoint to upload a Windows or macOS custom profile.
diff --git a/changes/issue-14446-validate-enable-windows-mdm b/changes/issue-14446-validate-enable-windows-mdm
deleted file mode 100644
index 731eea060a76..000000000000
--- a/changes/issue-14446-validate-enable-windows-mdm
+++ /dev/null
@@ -1 +0,0 @@
-* Added a validation that the WSTEP certificate and key pair is configured before allowing the user to enable Windows MDM.
diff --git a/changes/issue-14708-fix-cached-team-mdm b/changes/issue-14708-fix-cached-team-mdm
deleted file mode 100644
index 553cfb63de3a..000000000000
--- a/changes/issue-14708-fix-cached-team-mdm
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed caching of a team's MDM configuration so that it implements a custom cloning, avoiding performance issues at scale.
diff --git a/changes/issue-14958-installer-windows-delete-pending b/changes/issue-14958-installer-windows-delete-pending
deleted file mode 100644
index a90bea43ec76..000000000000
--- a/changes/issue-14958-installer-windows-delete-pending
+++ /dev/null
@@ -1 +0,0 @@
-* Fixes delete pending issue on orbit.exe during installation
diff --git a/changes/issue-15050-pluralize-query-deletion-activity-log b/changes/issue-15050-pluralize-query-deletion-activity-log
deleted file mode 100644
index 87ddbfc7ddaf..000000000000
--- a/changes/issue-15050-pluralize-query-deletion-activity-log
+++ /dev/null
@@ -1 +0,0 @@
-- * Pluralize the activity log rendered when multiple queries were deleted
diff --git a/changes/issue-15111-list-profiles b/changes/issue-15111-list-profiles
deleted file mode 100644
index 774048190974..000000000000
--- a/changes/issue-15111-list-profiles
+++ /dev/null
@@ -1 +0,0 @@
-* Added endpoint `GET /mdm/profiles` to get a paginated list of MDM custom profiles.
diff --git a/changes/windows-custom-settings-configs b/changes/windows-custom-settings-configs
deleted file mode 100644
index e9de79fd2c7d..000000000000
--- a/changes/windows-custom-settings-configs
+++ /dev/null
@@ -1 +0,0 @@
-* Allow to save a list of Windows custom settings via yaml configs and the API.
diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
index f4e3708951fc..4ce9052fe62a 100644
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@@ -8,7 +8,7 @@ version: v6.0.1
 home: https://github.com/fleetdm/fleet
 sources:
 - https://github.com/fleetdm/fleet.git
-appVersion: v4.40.0
+appVersion: v4.41.0
 dependencies:
 - name: mysql
 condition: mysql.enabled
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
index 757f1828ba5b..8cfefb76a9db 100644
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.40.0 # Version of Fleet to deploy
+imageTag: v4.41.0 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:
diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf
index 5378db764695..172f8e6a1f82 100644
--- a/infrastructure/dogfood/terraform/aws/variables.tf
+++ b/infrastructure/dogfood/terraform/aws/variables.tf @@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.40.0" + default = "fleetdm/fleet:v4.41.0" } variable "software_inventory" { diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf index a81a7fabffe8..9fe94f3a2c8f 100644 --- a/infrastructure/dogfood/terraform/gcp/variables.tf +++ b/infrastructure/dogfood/terraform/gcp/variables.tf @@ -68,5 +68,5 @@ variable "redis_mem" { } variable "image" { - default = "fleet:v4.40.0" + default = "fleet:v4.41.0" } diff --git a/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf b/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf index aecaa4681288..ec90d6fcee02 100644 --- a/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf +++ b/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf @@ -156,8 +156,8 @@ module "jitprovisioner-lambda-warmer" { version = "3.0.1" function_name = aws_lambda_function.jitprovisioner.function_name function_arn = aws_lambda_function.jitprovisioner.arn -# This just needs to have a request to parse. - input = <