fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Run policies and scripts offline #19877

Open dherder opened 2 weeks ago

dherder commented 2 weeks ago

Goal

User story
As a Client Platform Engineer,
I want hosts to evaluate policies and run scripts if they're failing policies
so that I can ensure my hosts are compliant even when they're not connected to the internet.

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 2 weeks ago

Hey @dherder, @kennyb-222, and @williamtheaker what's an example of one of these scripts? As a guess, I'm thinking these are scripts that set and keep a host in a desired state. As an example script: "Linux - Turn Firewall on"

So, I'm guessing the expected behavior here is the CPE adds this script to Fleet and every 30 minutes the host runs the script w/o checking into the Fleet server.

Currently, the host has to check in with the Fleet server in order to get the instruction to run the script.

@dherder the host has to check in at least once to get the script it should run, right? And check in at some interval to see if the script(s) changed.

So, I'm guessing the host should check in to the server every 30 minutes to see if the script changed or there are new scripts to run.

Does that sound right?

noahtalerman commented 2 weeks ago

Hey @dherder heads up, I updated this issue to user story format and moved your original issue description below.


Problem

As a CPE, I want to declare a group of actions to run on hosts or groups of hosts (teams). Currently, the host has to check in with the Fleet server in order to get the instruction to run the script, which is not ideal. Similar to how we are planning to declare which version of software to pin on a host, declaring the list of scripts to run on a host is desired.