Releases: fleetdm/fleet
fleet-v4.13.0
Changes
Known issues
This release contains an issue with path validation in SSO that prevents SSO users from logging in after an upgrade from a previous version of Fleet. If you use SSO, we recommend installing 4.13.1.
This is a security release.
- Security: Fix several post-authentication authorization issues. Only Fleet Premium users that have team users are affected. Fleet Free users do not have access to the teams feature and are unaffected. See the following security advisory for details: GHSA-pr2g-j78h-84cr
- Improve performance of software inventory on Windows hosts.
- Add basic_auth.username and basic_auth.password Prometheus configuration options. The GET /metrics API route is now disabled if these configuration options are left unspecified.
- Fleet Premium: Add ability to specify a team specific "Destination URL" for policy automations. This allows the user to configure Fleet to send a webhook request to a unique location for policies that belong to a specific team. Documentation on what data is included in the webhook request and when the webhook request is sent can be found here on fleetdm.com/docs
- Add ability to see the total number of hosts with a specific macOS version (ex. 12.3.1) on the Home > macOS page. This information is also available via the GET /os_versions API route.
- Add ability to sort live query results in the Fleet UI.
- Add a "Vulnerabilities" column to Host details > Software page. This allows the user to see and search for specific vulnerabilities (CVEs) detected on a specific host.
- Update vulnerability automations to fire anytime a vulnerability (CVE) that was published to the National Vulnerability Database (NVD) in the last 30 days is detected on a host. In previous versions of Fleet, vulnerability automations would fire anytime a CVE was published to NVD in the last 2 days.
- Update the Policies page to ask the user to wait to see accurate passing and failing counts for new and recently edited policies.
- Improve API-only (integration) users by removing the requirement to reset these users' passwords before use. Documentation on how to use API-only users can be found here on fleetdm.com/docs.
- Improve the responsiveness of the Fleet UI by adding tablet screen width support for the Software, Queries, Schedule, Policies, Host details, Settings > Teams, and Settings > Users pages.
- Add Beta support for integrating with Jira to automatically create a Jira issue when a new vulnerability (CVE) is detected on a host in Fleet.
- Add Beta support for Fleet Desktop on Windows. Fleet Desktop allows the device user to see information about their device. To add Fleet Desktop to a Windows device, first add the --fleet-desktop flag to the fleetctl package command to generate a Fleet-osquery installer that includes Fleet Desktop. Then, open this installer on the device.
- Fix a bug in which downloading Fleet's vulnerability database failed if the destination directory specified was not in the tmp/ directory.
- Fix a bug in which the "Updated at" time was not being updated for the "Mobile device management (MDM) enrollment" and "Munki versions" information on the Home > macOS page.
- Fix a bug in which Fleet would consider Docker network interfaces to be a host's primary IP address.
- Fix a bug in which tables in the Fleet UI would present misaligned buttons.
- Fix a bug in which Fleet failed to connect to Redis in standalone mode.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.12.1
Changes
- Fix login error for non-SSO users when Fleet is deployed with a MySQL read replica.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.12.0
Changes
- Add ability to update which platform (macOS, Windows, Linux) a policy is checked on.
- Add ability to detect compatibility for custom policies.
- Increase the default session duration to 5 days. Session duration can be updated using the session_duration configuration option.
- Add ability to see the percentage of hosts that responded to a live query.
- Add ability for users with admin permissions to update any user's password.
- Add content_type_value Kafka REST Proxy configuration option to allow the use of different versions of the Kafka REST Proxy.
- Add database_path GeoIP configuration option to specify a GeoIP database. When configured, geolocation information is presented on the Host details page and in the GET /hosts/{id} API route.
- Add ability to retrieve a host's public IP address. This information is available on the Host details page and GET /hosts/{id} API route.
- Add instructions and materials needed to add hosts to Fleet using plain osquery. These instructions can be found in Hosts > Add hosts > Advanced in the Fleet UI.
- Add Beta support for Fleet Desktop on macOS. Fleet Desktop allows the device user to see information about their device. To add Fleet Desktop to a macOS device, first add the --fleet-desktop flag to the fleetctl package command to generate a Fleet-osquery installer that includes Fleet Desktop. Then, open this installer on the device.
- Reduce the noise of osquery status logs by only running a host vital query, which populates the Host details page, when the query includes tables that are compatible with a specific host.
- Fix a bug on the Edit pack page in which the "Select targets" element would display the hover effect for the wrong target.
- Fix a bug on the Software page in which software items from deleted hosts were not removed.
- Fix a bug in which the platform for Amazon Linux 2 hosts would be displayed incorrectly.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
orbit-v0.0.7
Changes
- Improve reliability of osquery extension connection at startup.
- Fix orbit not detecting updates at startup when they are published while orbit was not running.
- Set log path when launching osquery.
fleet-v4.11.0
Changes
- Improve vulnerability processing to reduce the number of false positives for RPM packages on Linux hosts.
- Fleet Premium: Add a teams key to the packs yaml document to allow adding teams as targets when using CI/CD to manage query packs.
- Fleet Premium: Add the ability to retrieve configuration for a specific team with the fleetctl get team --name <team-name-here> command.
- Remove the expiration for API tokens for API-only users. API-only users can be created using the fleetctl user create --api-only command.
- Improve performance of the osquery query used to collect software inventory for Linux hosts.
- Update the activity feed on the Home page to include add, edit, and delete policy activities. Activity information is also available in the GET /activities API route.
- Update Kinesis logging plugin to append newline character to raw message bytes to properly format NDJSON for downstream consumers.
- Clarify why the "Performance impact" for some queries is displayed as "Undetermined" in the Fleet UI.
- Add instructions for using plain osquery to add hosts to Fleet in the Fleet UI. View these instructions by heading to Hosts > Add hosts > Advanced.
- Fix a bug in which uninstalling Munki from one or more hosts would result in inaccurate Munki versions displayed on the Home > macOS page.
- Fix a bug in which a user, with access limited to one or more teams, was able to run a live query against hosts in any team. This bug is not exposed in the Fleet UI and is limited to users of the POST run API route.
- Fix a bug in the Fleet UI in which the "Select targets" search bar would not return the expected hosts.
- Fix a bug in which global agent options were not updated correctly when editing these options in the Fleet UI.
- Fix a bug in which the Fleet UI would incorrectly tag some URLs as invalid.
- Fix a bug in which the Fleet UI would attempt to connect to an SMTP server when SMTP was disabled.
- Fix a bug on the Software page in which the "Hosts" column was not filtered by team.
- Fix a bug in which global maintainers were unable to add and edit policies that belonged to a specific team.
- Fix a bug in which the operating system version for some Linux distributions would not be displayed properly.
- Fix a bug in which configuring an identity provider name to a value shorter than 4 characters was not allowed.
- Fix a bug in which the avatar would not appear in the top navigation.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.10.0
Changes
- Upgrade Go to 1.17.7 with security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). These are not likely to be high impact in Fleet deployments, but we are upgrading in an abundance of caution.
- Add aggregate software and vulnerability information on the new Software page.
- Add ability to see how many hosts have a specific vulnerable software installed on the Software page. This information is also available in the GET /api/v1/fleet/software API route.
- Add ability to send a webhook request if a new vulnerability (CVE) is found on at least one host. Documentation on what data is included in the webhook request and when the webhook request is sent can be found here on fleetdm.com/docs.
- Add aggregate Mobile Device Management and Munki data on the Home page.
- Add email and URL validation across the entire Fleet UI.
- Add ability to filter software by "Vulnerable" on the Host details page.
- Update standard policy templates to use new naming convention. For example, "Is FileVault enabled on macOS devices?" is now "Full disk encryption enabled (macOS)."
- Add db-innodb-status and db-process-list to fleetctl debug command.
- Fleet Premium: Add the ability to generate a Fleet installer and manage enroll secrets on the Team details page.
- Add ability for users with the observer role to view which platforms (macOS, Windows, Linux) a query is compatible with.
- Improve the experience for editing queries and policies in the Fleet UI.
- Improve vulnerability processing for NPM packages.
- Support triggering a webhook for newly detected vulnerabilities with a list of affected hosts.
- Add ability to filter software by CVE.
- Add the ability to disable scheduled query performance statistics.
- Add ability to filter the host summary information by platform (macOS, Windows, Linux) on the Home page.
- Fix a bug in Fleet installers for Linux in which a computer restart would stop the host from reporting to Fleet.
- Make sure ApplyTeamSpec only works with premium deployments.
- Disable MDM, Munki, and Chrome profile queries on unsupported platforms to reduce log noise.
- Properly handle paths in CVE URL prefix.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.9.1
Changes
This is a security release.
- Security: Fix a vulnerability in Fleet's SSO implementation that could allow a malicious or compromised SAML Service Provider (SP) to log into Fleet as an existing Fleet user. See GHSA-ch68-7cf4-35vr for details.
- Allow MSI packages generated by fleetctl package to reinstall on Windows without uninstall.
- Fix a bug in which a team's scheduled queries didn't render correctly on the Schedule page.
- Fix a bug in which a new policy would always get added to "All teams" rather than the selected team.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available on fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.9.0
Changes
- Add ability to apply a policy yaml document so that GitOps workflows can be used to create and modify policies.
- Add ability to run a live query that returns 1,000+ results in the Fleet UI by adding client-side pagination to the results table.
- Improve the accuracy of query platform compatibility detection by adding recognition for queries with the WITH expression.
- Add ability to open a page in the Fleet UI in a new tab by "right-clicking" an item in the navigation.
- Improve the live query API route (GET /api/v1/queries/run) so that it successfully returns results for Fleet instances using a load balancer by reducing the wait period to 25 seconds.
- Improve performance of the Fleet UI by updating loading states and reducing the number of requests made to the Fleet API.
- Improve performance of the MySQL database by updating the queries used to populate host vitals and caching the results.
- Add read_timeout Redis configuration option to customize the maximum amount of time Fleet should wait to receive a response from a Redis server.
- Add write_timeout Redis configuration option to customize the maximum amount of time Fleet should wait to send a command to a Redis server.
- Fix a bug in which browser extensions (Google Chrome, Firefox, and Safari) were not included in software inventory.
- Improve the security of the Organization settings page by preventing the browser from requesting to save SMTP credentials.
- Fix a bug in which an existing pack's targets were not cleaned up after deleting hosts, labels, and teams.
- Fix a bug in which non-existent queries and policies would not return a 404 not found response.
Performance
- Our testing demonstrated an increase in max devices served in our load test infrastructure to 70,000 from 60,000 in v4.8.0.
Load Test Infrastructure
- Fleet server
  - AWS Fargate
  - 2 tasks with 1024 CPU units and 2048 MiB of RAM.
- MySQL
  - Amazon RDS
  - db.r5.2xlarge
- Redis
  - Amazon ElastiCache
  - cache.m5.large with 2 replicas (no cluster mode)
What was changed to accomplish these improvements?
- Optimized the updating and fetching of host data to only send and receive the bare minimum data needed.
- Reduced the number of times host information is updated by caching more data.
- Updated cleanup jobs and deletion logic.
Future improvements
- At maximum DB utilization, we found that some hosts fail to respond to live queries. Future releases of Fleet will improve upon this.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet can be found at https://fleetdm.com/docs.
Binary Checksum
SHA256
orbit-v0.0.6
Changes
- Add logging when running as a Windows Service (because Windows discards stdout/stderr).
- Improve flaky startups by adding wait for osquery extension socket.
fleet-v4.8.0
Changes
- Add ability to configure Fleet to send a webhook request with all hosts that failed a policy. Documentation on what data is included in the webhook request and when the webhook request is sent can be found here on fleetdm.com/docs.
- Add ability to find a user's device in Fleet by filtering hosts by email associated with a Google Chrome profile. Requires the macadmins osquery extension which comes bundled in Fleet's osquery installers.
- Add ability to see a host's Google Chrome profile information using the GET api/v1/fleet/hosts/{id}/device_mapping API route.
- Add ability to see a host's mobile device management (MDM) enrollment status, MDM server URL, and Munki version on a host's Host details page. Requires the macadmins osquery extension which comes bundled in Fleet's osquery installers.
- Add ability to see a host's MDM and Munki information with the GET api/v1/fleet/hosts/{id}/macadmins API route.
- Improve the handling of certificates in the fleetctl package command by adding a check for a valid PEM file.
- Update Prometheus Go client library which results in the following breaking changes to the GET /metrics API route: http_request_duration_microseconds is now http_request_duration_seconds_bucket, http_request_duration_microseconds_sum is now http_request_duration_seconds_sum, http_request_duration_microseconds_count is now http_request_duration_seconds_count, http_request_size_bytes is now http_request_size_bytes_bucket, and http_response_size_bytes is now http_response_size_bytes_bucket.
- Improve performance when searching and sorting hosts in the Fleet UI.
- Improve performance when running a live query by reducing the load on Redis.
- Improve performance when viewing software installed across all hosts in the Fleet UI.
- Fix a bug in which the Fleet UI presented the option to download an undefined certificate in the "Generate installer" instructions.
- Fix a bug in which database migrations failed when using MariaDB due to a migration introduced in Fleet 4.7.0.
- Fix a bug that prevented hosts from checking in to Fleet when Redis was down.
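An added example, not part of the Fleet release notes or Fleet's code: alerts written against the metric names retired by the GET /metrics change listed above stop matching any series after the upgrade, so this Python audit finds those names in alerting-rule text and reports the replacement named in this release. The rule text and the audit_rules helper are constructed for illustration, and the unit-review flag is an assumption drawn from the metric names alone.

```python
import re

# Renames stated in the fleet-v4.8.0 release notes for the GET /metrics route.
RENAMED = {
    "http_request_duration_microseconds": "http_request_duration_seconds_bucket",
    "http_request_duration_microseconds_sum": "http_request_duration_seconds_sum",
    "http_request_duration_microseconds_count": "http_request_duration_seconds_count",
    "http_request_size_bytes": "http_request_size_bytes_bucket",
    "http_response_size_bytes": "http_response_size_bytes_bucket",
}

# A metric name ends where the next character can no longer belong to one, so
# "http_request_size_bytes" must not match inside "http_request_size_bytes_bucket"
# or inside a recording-rule name such as "job:http_request_size_bytes:rate5m".
_NAME = re.compile(
    r"(?<![A-Za-z0-9_:])("
    + "|".join(sorted(map(re.escape, RENAMED), key=len, reverse=True))
    + r")(?![A-Za-z0-9_:])"
)


def audit_rules(text):
    """Return one finding per retired metric name found in rule text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment, not a live expression
        for match in _NAME.finditer(line):
            old = match.group(1)
            findings.append({
                "line": lineno,
                "old": old,
                "new": RENAMED[old],
                # Assumption from the names only: a threshold written against a
                # *_microseconds series needs review once the series is *_seconds.
                "review_threshold": "microseconds" in old,
            })
    return findings


# Constructed sample: fragments of a Prometheus alerting rule file.
SAMPLE_RULES = """\
# alert on http_request_size_bytes spikes (comment only)
- alert: FleetSlowRequests
  expr: rate(http_request_duration_microseconds_sum[5m]) / rate(http_request_duration_microseconds_count[5m]) > 500000
- alert: FleetLargeResponses
  expr: sum(rate(http_response_size_bytes[5m])) > 1e6
- alert: AlreadyMigrated
  expr: sum(rate(http_request_size_bytes_bucket[5m])) > 0
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        flag = " (review threshold units)" if f["review_threshold"] else ""
        print(f"line {f['line']}: {f['old']} -> {f['new']}{flag}")
```

The audit only reports; it does not rewrite expressions, since a changed series name can also require a changed query or threshold.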
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256