fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Show who viewed macOS PIN when locking device #19790

Open getvictor opened 3 months ago

getvictor commented 3 months ago

Goal

User story
As a Fleet user,
I want to know who viewed the macOS PIN when locking a device
so that I can conduct a security audit.

Context

Issue #19545 added the view_pin parameter to the Lock Host activity item. The frontend should use that parameter to update the activity text in the UI.

Changes

Product

Engineering

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 3 months ago

Issue https://github.com/fleetdm/fleet/issues/19545 added view_pin parameter to the Lock Host activity item

Hey @getvictor, what does this view_pin key tell me as a user? https://github.com/fleetdm/fleet/pull/19792/files#diff-9f70e9133b8f91c2034329e45fbe2386fdc4fb0b27c114ce6e3b6f0310320551R1006

My understanding is that for macOS hosts, we always return the PIN when a user hits the POST /lock API. This will be clear in the REST API documentation (PR here).

Do we set view_pin to false if the user selects the Lock button in the UI?

That would kind of make sense because the user doesn't see the PIN when they select Lock. That said, it would also not make sense because the PIN shows up in the browser's console (Network tab).

getvictor commented 3 months ago

@noahtalerman I updated the REST API documentation (PR here) to reflect the implementation. The UI does not set view_pin, which defaults to false.