diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index e994789f..ed436792 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -39,6 +39,3 @@ jobs: env: FLEET_URL: ${{ secrets.FLEET_URL }} FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }} - FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }} - FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }} - FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }} diff --git a/README.md b/README.md index 91fd8c74..33f2e360 100644 --- a/README.md +++ b/README.md 
@@ -2,39 +2,25 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a GitOps workflow. -[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage#basic-article) +[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage) ## GitHub setup -1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2 and 3). +1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2). 2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin. -3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters. - - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`. - - If you do not have a Premium Fleet license, delete the `teams` directory. - -4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`. 
- - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. - -5. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only. +3. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only. ## GitLab setup -1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2 and 3). +1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2). 2. Add `FLEET_URL` and `FLEET_API_TOKEN` as masked CI/CD variables. Learn how [here](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user), then, grant it the `GitOps` role via the **Settings** > **Users** page so it can make changes. -3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters. - - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`. 
- - If you do not have a Premium Fleet license, delete the `teams` directory. - -4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`. - - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. +3. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only. -5. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only. - -6. (Optional) To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline: +4. To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline: - In your GitLab project, go to the left sidebar and navigate to **Build > Pipeline schedules**. (In some GitLab versions, this may appear as **CI/CD > Schedules**.) - Click **Create a new pipeline schedule** (or **Schedule a new pipeline**). - Fill in the form: @@ -48,11 +34,10 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git For all configuration options, go to the [YAML files reference](https://fleetdm.com/docs/using-fleet/gitops) in the Fleet docs. -## Fleet UI +## GitOps mode Once you're set up with GitOps in Fleet, you can optionally put the UI in GitOps mode. This prevents you from making changes in the UI that would be overridden by GitOps workflows. An admin can enable GitOps mode in **Settings** > **Integrations** > **Change management**. Note that this is a UI-only setting. API permissions are restricted based on user role. - diff --git a/default.yml b/default.yml index 7db0a067..222f020b 100644 --- a/default.yml +++ b/default.yml 
@@ -1,22 +1,13 @@ -# For Fleet Free: -# - This file updates policies, queries, agent_options, and controls for all hosts. - -# For Fleet Premium: -# - This file updates policies and queries that run on all hosts ("All teams"). -# - Remove "controls" and add this to your YAML files in teams/ instead. +# default.yml controls global settings and policies/queries that run on all hosts ("All teams"). policies: queries: agent_options: - path: ./lib/agent-options.yml -controls: # This cannot be set here and in no-team.yml +controls: org_settings: server_settings: server_url: $FLEET_URL org_info: org_name: Fleet secrets: - - secret: "$FLEET_GLOBAL_ENROLL_SECRET" - features: - enable_host_users: true - enable_software_inventory: true + - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" diff --git a/gitops.sh b/gitops.sh index 9a3c2b98..bcff87c1 100755 --- a/gitops.sh +++ b/gitops.sh @@ -21,13 +21,14 @@ else FLEET_DELETE_OTHER_TEAMS=false fi -# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. -# Adds spaces to all but the first line of metadata keeps the multiline string in bounds. -# See README for more information +# If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment the below: # FLEET_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}") # FLEET_MDM_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}") +# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. +# Adds spaces to all but the first line of metadata keeps the multiline string in bounds. + if compgen -G "$FLEET_GITOPS_DIR"/teams/*.yml > /dev/null; then # Validate that every team has a unique name. # This is a limited check that assumes all team files contain the phrase: `name: ` diff --git a/lib/README.md b/lib/README.md deleted file mode 100644 index 2f391173..00000000 --- a/lib/README.md +++ /dev/null 
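Review bot: The new global enroll secret `- secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"` is a plain literal that fleetctl will apply verbatim if nobody edits it, whereas the replaced `"$FLEET_GLOBAL_ENROLL_SECRET"` reference made the apply fail when the variable was missing (the README's "will run once and fail" wording points that way — worth confirming). The placeholder is 33 characters of `[A-Z_]`, so it plausibly satisfies the 32–255 length rule the old README quoted, which would leave every fresh copy of this public template sharing the same well-known enroll secret — and an enroll secret is all a host needs to register with the server. I would keep the fail-closed form, `- secret: "$FLEET_GLOBAL_ENROLL_SECRET"  # defined in CI secrets; apply fails if unset`, and restore the matching `env:` line this commit removes from `.github/workflows/workflow.yml`. Separately, `features:` (`enable_host_users`, `enable_software_inventory`) is dropped with no replacement; if fleetctl resets omitted `org_settings` keys to defaults (I can't tell from here), that is a behaviour change worth a comment on the `org_settings:` line.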
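Review bot: The first commented command reads the wrong variable: `# FLEET_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}")` sources `FLEET_MDM_SSO_METADATA`, so a user who follows the new "uncomment the below" instruction will silently get the MDM metadata substituted for the Fleet SSO login metadata. The line is unchanged context, but this commit now points users straight at it, so it should be `# FLEET_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_SSO_METADATA}")`. The explanation of why the re-indentation is needed ("Copy/pasting raw SSO metadata … malformed yaml") was moved below the two commands; keeping it directly above them, as it was, reads more naturally. The `if compgen -G "$FLEET_GITOPS_DIR"/teams/*.yml` block that starts at the end of the hunk continues outside it.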
@@ -1,40 +0,0 @@ -# `lib/` - -This folder is for files referenced by `path` in Fleet config YAML. - -This can reduce duplication for policies, scripts, and other config that is the same across multiple teams in Fleet Premium. - -### Examples - -##### Policies - -```yaml -# default.yml -policies: - - path: ./lib/macos/policies/macos-device-health.policies.yml -``` - -##### Queries - -```yaml -# default.yml -queries: - - path: ./lib/all/queries/collect-usb-devices.queries.yml -``` - -##### Scripts - -```yaml -# default.yml -controls: - scripts: - - path: ./lib/macos/scripts/remove-zoom-artifacts.script.sh -``` - -##### Agent options - -```yaml -# default.yml -agent_options: - path: ./lib/agent-options.yml -``` diff --git a/lib/agent-options.yml b/lib/agent-options.yml deleted file mode 100644 index af5a94aa..00000000 --- a/lib/agent-options.yml +++ /dev/null @@ -1,13 +0,0 @@ -command_line_flags: -config: - decorators: - load: - - SELECT uuid AS host_uuid FROM system_info; - - SELECT hostname AS hostname FROM system_info; - options: - disable_distributed: false - distributed_interval: 10 - distributed_plugin: tls - distributed_tls_max_attempts: 3 - logger_tls_endpoint: /api/v1/osquery/log - pack_delimiter: / diff --git a/lib/all/agent-options/.keep b/lib/all/agent-options/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/agent-options/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/all/icons/.keep b/lib/all/icons/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/icons/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/all/labels/.keep b/lib/all/labels/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/labels/.keep 
@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.
\ No newline at end of file
diff --git a/lib/all/queries/.keep b/lib/all/queries/.keep
new file mode 100644
index 00000000..5c2e4027
--- /dev/null
+++ b/lib/all/queries/.keep
@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.
\ No newline at end of file
diff --git a/lib/all/queries/collect-failed-login-attempts.queries.yml b/lib/all/queries/collect-failed-login-attempts.queries.yml
deleted file mode 100644
index 8ca3b86e..00000000
--- a/lib/all/queries/collect-failed-login-attempts.queries.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Collect failed login attempts
- description: Lists the users at least one failed login attempt and timestamp of failed login. Number of failed login attempts reset to zero after a user successfully logs in.
- query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count > 0;
- interval: 300 # 5 minutes
- observer_can_run: false
- automations_enabled: false
- platform: darwin,linux,windows
diff --git a/lib/all/queries/collect-fleetd-update-channels.queries.yml b/lib/all/queries/collect-fleetd-update-channels.queries.yml
deleted file mode 100644
index a90ea083..00000000
--- a/lib/all/queries/collect-fleetd-update-channels.queries.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Collect fleetd update channels
- description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
- query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
- interval: 300 # 5 minutes
- observer_can_run: true
- automations_enabled: false
- platform: darwin,linux,windows
diff --git a/lib/all/queries/collect-usb-devices.queries.yml b/lib/all/queries/collect-usb-devices.queries.yml deleted file mode 100644 index ce1ee13d..00000000 --- a/lib/all/queries/collect-usb-devices.queries.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Collect USB devices - description: Collects the USB devices that are currently connected to macOS and Linux hosts. - query: SELECT model, vendor FROM usb_devices; - interval: 360 # 6 minutes - observer_can_run: true - automations_enabled: false - platform: darwin,linux diff --git a/lib/ios/configuration-profiles/.keep b/lib/ios/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ios/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ios/declaration-profiles/.keep b/lib/ios/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ios/declaration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ipados/configuration-profiles/.keep b/lib/ipados/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ipados/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ipados/declaration-profiles/.keep b/lib/ipados/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ipados/declaration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/policies/.keep b/lib/linux/policies/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null 
+++ b/lib/linux/policies/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/policies/linux-device-health.policies.yml b/lib/linux/policies/linux-device-health.policies.yml deleted file mode 100644 index 607e12c3..00000000 --- a/lib/linux/policies/linux-device-health.policies.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Linux - Enable disk encryption - platform: linux - description: This policy checks if disk encryption is enabled. - resolution: As an IT admin, deploy an image that includes disk encryption. - query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1'; diff --git a/lib/linux/queries/.keep b/lib/linux/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/scripts/.keep b/lib/linux/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/software/.keep b/lib/linux/software/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/software/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/commands/.keep b/lib/macos/commands/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/commands/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file 
diff --git a/lib/macos/configuration-profiles/.keep b/lib/macos/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/configuration-profiles/passcode-settings-ddm.json b/lib/macos/configuration-profiles/passcode-settings-ddm.json deleted file mode 100644 index 9b7d59f1..00000000 --- a/lib/macos/configuration-profiles/passcode-settings-ddm.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Type": "com.apple.configuration.passcode.settings", - "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5", - "Payload": { - "MaximumFailedAttempts": 10, - "MaximumInactivityInMinutes": 5, - "MinimumLength": 12, - "MinimumComplexCharacters": 1 - } -} diff --git a/lib/macos/declaration-profiles/.keep b/lib/macos/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/declaration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/enrollment-profiles/.keep b/lib/macos/enrollment-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/enrollment-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/enrollment-profiles/automatic-enrollment.dep.json b/lib/macos/enrollment-profiles/automatic-enrollment.dep.json deleted file mode 100644 index 43807f48..00000000 --- a/lib/macos/enrollment-profiles/automatic-enrollment.dep.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "profile_name": "Fleet's example automatic enrollment profile", - "allow_pairing": true, - "is_mdm_removable": true, - "org_magic": "1", - "language": "en", - "region": "US", - "skip_setup_items": [ - "Accessibility", - "Appearance", - "AppleID", - "AppStore", - "Biometric", - "Diagnostics", - "FileVault", - "iCloudDiagnostics", - "iCloudStorage", - "Location", - "Payment", - "Privacy", - "Restore", - "ScreenTime", - "Siri", - "TermsOfAddress", - "TOS", - "UnlockWithWatch" - ] -} \ No newline at end of file diff --git a/lib/macos/misc/.keep b/lib/macos/misc/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/misc/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/policies/.keep b/lib/macos/policies/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/policies/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/policies/macos-device-health.policies.yml b/lib/macos/policies/macos-device-health.policies.yml deleted file mode 100644 index 0a29e6ec..00000000 --- a/lib/macos/policies/macos-device-health.policies.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -- name: macOS - Enable FileVault - platform: darwin - description: This policy checks if FileVault (disk encryption) is enabled. - resolution: As an IT admin, turn on disk encryption in Fleet. - query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.'; -- name: macOS - Disable guest account - platform: darwin - description: This policy checks if the guest account is disabled. - resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true. - query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1; -- name: macOS - Enable Firewall - platform: darwin - description: This policy checks if Firewall is enabled. - resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true. - query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1; -- name: macOS - Require 10 character password - platform: darwin - description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. - resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10. - query: | - SELECT 1 WHERE - EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='askForPassword' AND - CAST(value AS INT) - ) - AND EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='minLength' AND - CAST(value AS INT) <= 10 - ); -- name: macOS - Enable screen saver after 20 minutes - platform: darwin - description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. 
- resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes. - query: | - SELECT 1 WHERE - EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='idleTime' AND - CAST(value AS INT) <= 1200 AND - username = '' - ) - AND NOT EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='idleTime' AND - CAST(value AS INT) > 1200 - ); diff --git a/lib/macos/queries/.keep b/lib/macos/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/scripts/.keep b/lib/macos/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/scripts/collect-fleetd-logs.sh b/lib/macos/scripts/collect-fleetd-logs.sh deleted file mode 100644 index 887af2ac..00000000 --- a/lib/macos/scripts/collect-fleetd-logs.sh +++ /dev/null @@ -1,7 +0,0 @@ -cp /var/log/orbit/orbit.stderr.log ~/Library/Logs/Fleet/fleet-desktop.log /Users/Shared - -echo "Successfully copied fleetd logs to the /Users/Shared folder." - -echo "To retrieve logs, ask the end user to open Finder and in the menu bar select Go > Go to Folder." - -echo "Then, ask the end user to type in /Users/Shared, press Return, and locate orbit.stderr.log (Orbit logs) and fleet-desktop.log (Fleet Desktop logs) files." \ No newline at end of file diff --git a/lib/macos/scripts/install-santa.sh b/lib/macos/scripts/install-santa.sh deleted file mode 100644 index 8a1136c2..00000000 --- a/lib/macos/scripts/install-santa.sh +++ /dev/null 
@@ -1,2 +0,0 @@ -# This will be a script that installs Santa onto macOS hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages \ No newline at end of file diff --git a/lib/macos/scripts/macos-password.mobileconfig b/lib/macos/scripts/macos-password.mobileconfig deleted file mode 100644 index 2fe2f717..00000000 --- a/lib/macos/scripts/macos-password.mobileconfig +++ /dev/null @@ -1,55 +0,0 @@ - - - - - PayloadContent - - - PayloadDescription - Configures Passcode settings - PayloadDisplayName - Passcode - PayloadIdentifier - com.github.erikberglund.ProfileCreator.F7CF282E-D91B-44E9-922F-A719634F9C8E.com.apple.mobiledevice.passwordpolicy.231DFC90-D5A7-41B8-9246-564056048AC5 - PayloadOrganization - - PayloadType - com.apple.mobiledevice.passwordpolicy - PayloadUUID - 231DFC90-D5A7-41B8-9246-564056048AC5 - PayloadVersion - 1 - allowSimple - - forcePIN - - maxFailedAttempts - 11 - maxGracePeriod - 1 - maxInactivity - 15 - minLength - 10 - requireAlphanumeric - - - - PayloadDescription - Configures our Macs to require passwords that are 10 character long - PayloadDisplayName - Password policy - require 10 characters - PayloadIdentifier - com.github.erikberglund.ProfileCreator.F7CF282E-D91B-44E9-922F-A719634F9C8E - PayloadOrganization - FleetDM - PayloadScope - System - PayloadType - Configuration - PayloadUUID - F7CF282E-D91B-44E9-922F-A719634F9C8E - PayloadVersion - 1 - - \ No newline at end of file diff --git a/lib/macos/scripts/remove-zoom-artifacts.script.sh b/lib/macos/scripts/remove-zoom-artifacts.script.sh deleted file mode 100644 index 55b2c615..00000000 --- a/lib/macos/scripts/remove-zoom-artifacts.script.sh +++ /dev/null @@ -1 +0,0 @@ -# This will be a script that removes Zoom artifacts from macOS hosts. diff --git a/lib/macos/scripts/set-timezone.script.sh b/lib/macos/scripts/set-timezone.script.sh deleted file mode 100644 index 09d1b0a7..00000000 --- a/lib/macos/scripts/set-timezone.script.sh +++ /dev/null 
@@ -1 +0,0 @@
-# This will be a script that sets the timezone on macOS hosts.
diff --git a/lib/macos/scripts/uninstall-santa.sh b/lib/macos/scripts/uninstall-santa.sh
deleted file mode 100644
index f30f48c6..00000000
--- a/lib/macos/scripts/uninstall-santa.sh
+++ /dev/null
@@ -1 +0,0 @@
-# This will be a script that uninstalls Santa from macOS hosts.
\ No newline at end of file
diff --git a/lib/macos/software/.keep b/lib/macos/software/.keep
new file mode 100644
index 00000000..5c2e4027
--- /dev/null
+++ b/lib/macos/software/.keep
@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.
\ No newline at end of file
diff --git a/lib/macos/software/santa.yml b/lib/macos/software/santa.yml
deleted file mode 100644
index d4d1d76b..00000000
--- a/lib/macos/software/santa.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-# This will be the configuration for a custom package on macOS hosts.
-# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages
diff --git a/lib/windows/configuration-profiles/.keep b/lib/windows/configuration-profiles/.keep
new file mode 100644
index 00000000..5c2e4027
--- /dev/null
+++ b/lib/windows/configuration-profiles/.keep
@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.
\ No newline at end of file
diff --git a/lib/windows/configuration-profiles/passcode-settings-ddm.json b/lib/windows/configuration-profiles/passcode-settings-ddm.json
deleted file mode 100644
index 9b7d59f1..00000000
--- a/lib/windows/configuration-profiles/passcode-settings-ddm.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Type": "com.apple.configuration.passcode.settings",
- "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5",
- "Payload": {
- "MaximumFailedAttempts": 10,
- "MaximumInactivityInMinutes": 5,
- "MinimumLength": 12,
- "MinimumComplexCharacters": 1
- }
-}
diff --git a/lib/windows/policies/.keep b/lib/windows/policies/.keep
new file mode 100644
index 00000000..5c2e4027
--- /dev/null
+++ b/lib/windows/policies/.keep
@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.
\ No newline at end of file
diff --git a/lib/windows/policies/windows-device-health.policies.yml b/lib/windows/policies/windows-device-health.policies.yml
deleted file mode 100644
index 09b3ca19..00000000
--- a/lib/windows/policies/windows-device-health.policies.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -- name: Windows - Enable BitLocker - platform: windows - description: "This policy checks if BitLocker (disk encryption) is enabled on the C: volume." - resolution: As an IT admin, turn on disk encryption in Fleet. - query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1; -- name: Windows - Disable guest account - platform: windows - description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system. - resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus" and CAST(mdm_command_output AS INT) = 0; -- name: Windows - Require 10 character password - platform: windows - description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. - resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled" and CAST(mdm_command_output AS INT) = 0; -- name: Windows - Enable screen saver after 20 minutes - platform: windows - description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. 
- resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock" and CAST(mdm_command_output AS INT) <= 20; diff --git a/lib/windows/queries/.keep b/lib/windows/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/scripts/.keep b/lib/windows/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/scripts/default-exe-install-script.ps1 b/lib/windows/scripts/default-exe-install-script.ps1 deleted file mode 100644 index 857cf7e3..00000000 --- a/lib/windows/scripts/default-exe-install-script.ps1 +++ /dev/null @@ -1,2 +0,0 @@ -# This will be a default script that can install packages on Windows hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/lib/windows/scripts/uninstall-slack.ps1 b/lib/windows/scripts/uninstall-slack.ps1 deleted file mode 100644 index 8d762f1c..00000000 --- a/lib/windows/scripts/uninstall-slack.ps1 +++ /dev/null @@ -1,2 +0,0 @@ -# This will be a script that uninstalls Slack from Windows hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/lib/windows/scripts/windows-screenlock.xml b/lib/windows/scripts/windows-screenlock.xml deleted file mode 100644 index 3d7d52de..00000000 
--- a/lib/windows/scripts/windows-screenlock.xml +++ /dev/null @@ -1,48 +0,0 @@ - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled - - 0 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock - - 15 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength - - 10 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters - - 2 - - diff --git a/lib/windows/software/.keep b/lib/windows/software/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/software/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/software/slack.yml b/lib/windows/software/slack.yml deleted file mode 100644 index ca4c36d1..00000000 --- a/lib/windows/software/slack.yml +++ /dev/null @@ -1,2 +0,0 @@ -# This will be the configuration for a custom package on Windows hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/teams/dedicated-devices.yml b/teams/dedicated-devices.yml new file mode 100644 index 00000000..849eb79d --- /dev/null +++ b/teams/dedicated-devices.yml @@ -0,0 +1,9 @@ +name: 🖥️ Dedicated devices +policies: +queries: +agent_options: +controls: +software: +team_settings: + secrets: + - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_1" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml new file mode 100644 index 00000000..14ba6a13 --- /dev/null +++ b/teams/employee-issued-mobile-devices.yml 
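Review bot: `- secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_1"` in `teams/dedicated-devices.yml` is a literal, not a `$VAR` reference, so the environment-variable substitution the inline link describes never touches it; an unedited copy is applied as the team's real enroll secret, and the `workflow.yml` hunk in this same commit removes the only `env:` lines that used to carry enroll secrets into the job. The previous `"$FLEET_WORKSTATIONS_ENROLL_SECRET"` form failed closed when unset (per the old README wording, worth confirming); this one fails open with a value anyone reading the public template knows. I would write `- secret: "$FLEET_DEDICATED_DEVICES_ENROLL_SECRET"  # add to GitHub/GitLab CI secrets and to workflow env` and bring back the README step that told users to create it. The `_1` suffix also says nothing about which team the secret belongs to; the other three new team files repeat the pattern.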
@@ -0,0 +1,9 @@
+name: 📱🏢 Employee-issued mobile devices
+policies:
+queries:
+agent_options:
+controls:
+software:
+team_settings:
+ secrets:
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_2" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/it-servers.yml b/teams/it-servers.yml
new file mode 100644
index 00000000..a8b928c0
--- /dev/null
+++ b/teams/it-servers.yml
@@ -0,0 +1,9 @@
+name: ☁️ IT servers
+policies:
+queries:
+agent_options:
+controls:
+software:
+team_settings:
+ secrets:
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_4" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/no-team.yml b/teams/no-team.yml
deleted file mode 100644
index cb7471a7..00000000
--- a/teams/no-team.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-# Teams are available in Fleet Premium.
-
-# This file updates policies, controls, and software for hosts assigned to "No team."
-
-# To update queries and agent options for hosts assigned to "No team," use the default.yml file.
-
-name: No team
-policies:
-controls: # This cannot be set here and in default.yml
-software:
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
new file mode 100644
index 00000000..84dc813b
--- /dev/null
+++ b/teams/personal-mobile-devices.yml
@@ -0,0 +1,9 @@
+name: 📱🔐 Personal mobile devices
+policies:
+queries:
+agent_options:
+controls:
+software:
+team_settings:
+ secrets:
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_3" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/workstations-canary.yml b/teams/workstations-canary.yml
deleted file mode 100644
index 5ffc375d..00000000
--- a/teams/workstations-canary.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Teams are available in Fleet Premium.
-
-# This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations (canary)" team.
-
-# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
-# Then add that secret to .github/workflows/workflow.yml as an env variable.
-# The secret name in the YAML file must match the secret name in GitHub Actions secrets.
-
-name: Workstations (canary)
-policies:
- - path: ../lib/macos/policies/macos-device-health.policies.yml
- - path: ../lib/windows/policies/windows-device-health.policies.yml
- - path: ../lib/linux/policies/linux-device-health.policies.yml
-queries:
- - path: ../lib/all/queries/collect-usb-devices.queries.yml
- - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
-agent_options:
- path: ../lib/agent-options.yml
-controls:
- scripts:
- - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
- - path: ../lib/macos/scripts/set-timezone.script.sh
-team_settings:
- secrets:
- - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"
- features:
- enable_host_users: true
- enable_software_inventory: true
-software:
-
diff --git a/teams/workstations.yml b/teams/workstations.yml
index d818561d..9fbc0d4f 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -1,30 +1,9 @@
-# Teams are available in Fleet Premium.
-
-# This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations" team.
-
-# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
-# Then add that secret to .github/workflows/workflow.yml as an env variable.
-# The secret name in the YAML file must match the secret name in GitHub Actions secrets.
-
-name: Workstations
+name: "💻 Workstations"
 policies:
- - path: ../lib/macos/policies/macos-device-health.policies.yml
- - path: ../lib/windows/policies/windows-device-health.policies.yml
- - path: ../lib/linux/policies/linux-device-health.policies.yml
 queries:
- - path: ../lib/all/queries/collect-usb-devices.queries.yml
- - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
- path: ../lib/agent-options.yml
 controls:
- scripts:
- - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
- - path: ../lib/macos/scripts/set-timezone.script.sh
+software:
 team_settings:
 secrets:
- - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"
- features:
- enable_host_users: true
- enable_software_inventory: true
-software:
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_5" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
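Review bot: `+name: "💻 Workstations"` quotes the team name while the four team files added in this commit leave it plain (e.g. `+name: 🖥️ Dedicated devices` in teams/dedicated-devices.yml); both forms parse as strings, but the team files should agree on one, either quoting every name or dropping the quotes here. The `policies:`, `queries:`, `agent_options:` and `controls:` keys are now left bare, which YAML reads as null rather than an empty list or mapping; if fleetctl treats null and empty alike this is harmless, but an explicit `[]`/`{}` would make the "intentionally empty" intent visible to the next reader.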