adding basic Windows agent support (#38)

* created auditd test branch

* don't reassign that variable

* move that down a bit in the case statements

* fix amazon linux repo url and auditd disabling

* updated spec for yum/amazon test

* use old style os fact

* ensure facts are in specs

* wow, okay. missed another spot.

* disable auditd on rhel like oses

* don't set param twice

* updated readme and changelog

* updated metadata

* updated gitignore

* adding windows support

* added windows specific paths

we shall see

* don't reassign variables

* missing a comma

* make sure vars are defined

clean this up later. we don't need to define some of those for windows,
like gpg key and friends.

* define another thing we don't need here.

just want to test basic functionality.

* fix missing brace

* allow upgrades

* ensure installed only for now

* skip configure hile testing

but get back to it

* wrong function there

man, i'm rusty.

* use lwf/remote_file to download

* missing comma

* more typos

* add bin paths for windows

see if config works

* trying another thing here

* added more params

made config do less on windows

* diff default ruleset for windows

* pass deploy key from top level

* append the deploy key to the windows install opts

* apparently order is important here

* ensure the package resource is named correctly on windows

* use the name reported by add/remove programs/registry

* updated docs a little

will have to go back to add new params, etc.

* add windows data yaml

will also need to flesh this out some

Author: rockpapergoat

.gitignore

@@ -1,9 +1,17 @@
+.DS_Store
 .kitchen/
 .bundle
 .kitchen.local.yml
 .librarian/
+*.swp
+*.orig
+*.log
+*.rpm
+*.deb
 .ruby-version
 .tmp/
+config.sh
+test.pp
 modules/
 pkg
 Gemfile.lock

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 We'll track changes here starting with details about the 2.0 release and reference to earlier releases.
 
+## 2.0.3
+### Added
+- added basic support for downloading, configuring, installing, running windows agent
+
 ## 2.0.2
 ### Fixed
 - fixed amazon linux 1 support and tests

README.md

@@ -21,15 +21,18 @@ Platforms
 * Debian
 * RedHat
 * Ubuntu
+* Windows
 
 Classes
 =======
 
 * `threatstack` - Main class
 * `threatstack::apt` (private) - Setup apt repository configuration and package install
 * `threatstack::yum` (private) - Setup yum repository configuration and package install
+* `threatstack::msi` (private) - Dummy repo class for Windows installs
 * `threatstack::configure` (private) - Register and configure the agent with the Threat Stack service
-* `threatstack::package` (private) - Install the Threat stack agent
+* `threatstack::package` (private) - Install the Threat Stack agent
+* `threatstack::service` (private) - Manage the Threat Stack service
 * `threatstack::params` (private) - Default setup values
 * `threatstack::site` (private) - Used by Puppet test-kitchen
 

data/os/Windows.yaml

@@ -0,0 +1,5 @@
+---
+threatstack::params:
+    repo_class: '::threatstack::msi'
+    gpg_key: undef
+    disable_auditd: false

manifests/configure.pp

@@ -18,7 +18,6 @@
 # Copyright 2019 Threat Stack, Inc.
 #
 class threatstack::configure {
-
   $rulesets       = $::threatstack::rulesets
   $ruleset_args   = $rulesets.map | $rule | {
         "--ruleset='${rule}'"
@@ -61,12 +60,18 @@
   } else {
       $config_args_content = ''
   }
-
-  exec { 'threatstack-agent-setup':
-    command   => "${cloudsight_bin} setup --deploy-key='${::threatstack::deploy_key}' --hostname='${::threatstack::ts_hostname}' ${full_setup_args}",
-    subscribe => Package[$threatstack::ts_package],
-    creates   => "${confdir}/.audit",
-    path      => ['/bin', '/usr/bin'],
-    unless    => 'ps auwwwx| grep [t]sagentd'
+  case $facts['os']['family'] {
+    'Windows': {
+      notice("Windows agent setup should be done at install time.")
+    }
+    default: {
+      exec { 'threatstack-agent-setup':
+        command   => "${cloudsight_bin} setup --deploy-key='${::threatstack::deploy_key}' --hostname='${::threatstack::ts_hostname}' ${full_setup_args}",
+        subscribe => Package[$threatstack::ts_package],
+        creates   => "${confdir}/.audit",
+        path      => $::threatstack::binpath,
+        unless    => $::threatstack::setup_unless
+      }
+    }
   }
 }

manifests/init.pp

@@ -8,6 +8,10 @@
 #   Arguments to be passed to `tsagent setup`
 #   type: array
 #
+# [*binpath*]
+#   Used to set bin path for exec in the config class
+#   type: Array
+#
 # [*disable_auditd*]
 #   Required to work around issues with auditd on some distros
 #   type: bool
@@ -16,6 +20,10 @@
 #   Systemd vs. SysV init, related to above
 #   type: string
 #
+# [*enable_sysmon*]
+#   Windows: optionally enable sysmon (not used yet)
+#   type: bool
+#
 # [*extra_args*]
 #   Extra arguments to pass on the command line during agent activation.
 #   type: array of hashes
@@ -54,10 +62,30 @@
 #   Ruleset(s) to apply to host.
 #   type: array
 #
+# [*setup_unless*]
+#   Used in the setup exec in the configure class
+#   type: String
+#
+# [*tmpdir*]
+#   Used to download Windows agent MSI
+#   type: string
+#
 # [*ts_hostname*]
 #   Hostname as reported to Threat Stack.
 #   type: string
 #
+# [*windows_download_url*]
+#   Windows MSI download url
+#   type: string
+#
+# [*windows_install_options*]
+#   Windows MSI install options
+#   type: array
+#
+# [*windows_ts_package*]
+#   Windows MSI package name
+#   type: string
+#
 # === Examples
 #
 # Standard usage:
@@ -78,25 +106,32 @@
 #
 # Pete Cheslock <pete.cheslock@threatstack.com>
 # Tom McLaughlin <tom.mclaughlin@threatstack.com>
+# Nate St. Germain <nate.stgermain@threatstack.com>
 #
 # === Copyright
 #
-# Copyright 2016 Threat Stack, Inc.
+# Copyright 2019 Threat Stack, Inc.
 #
 class threatstack (
-  $deploy_key         = undef,
-  $package_version    = $::threatstack::params::package_version,
-  $configure_agent    = true,
-  $extra_args         = $::threatstack::params::extra_args,
-  $agent_config_args  = undef,
-  $repo_class         = $::threatstack::params::repo_class,
-  $repo_url           = $::threatstack::params::repo_url,
-  $gpg_key            = $::threatstack::params::gpg_key,
-  $rulesets           = $::threatstack::params::rulesets,
-  $confdir            = $::threatstack::params::confdir,
-  $ts_hostname        = $::fqdn,
-  $disable_auditd     = $::threatstack::params::disable_auditd,
-  $disable_auditd_cmd = $::threatstack::params::disable_auditd_cmd
+  $deploy_key              = undef,
+  $package_version         = $::threatstack::params::package_version,
+  $configure_agent         = true,
+  $extra_args              = $::threatstack::params::extra_args,
+  $agent_config_args       = undef,
+  $repo_class              = $::threatstack::params::repo_class,
+  $repo_url                = $::threatstack::params::repo_url,
+  $gpg_key                 = $::threatstack::params::gpg_key,
+  $rulesets                = $::threatstack::params::rulesets,
+  $confdir                 = $::threatstack::params::confdir,
+  $ts_hostname             = $::fqdn,
+  $disable_auditd          = $::threatstack::params::disable_auditd,
+  $disable_auditd_cmd      = $::threatstack::params::disable_auditd_cmd,
+  $binpath                 = $::threatstack::params::binpath,
+  $setup_unless            = $::threatstack::params::setup_unless,
+  $windows_download_url    = $::threatstack::params::download_url,
+  $windows_tmp_path        = $::threatstack::params::tmp_path,
+  $windows_install_options = concat(["TSDEPLOYKEY=${deploy_key}"],$::threatstack::params::windows_install_options)
+
 ) inherits ::threatstack::params {
 
   $ts_package = $::threatstack::params::ts_package

manifests/msi.pp

@@ -0,0 +1,21 @@
+# == Class: threatstack::msi
+#
+# Download Threat Stack msi
+#
+# === Examples
+#
+# This class is not meant to be directly realized outside of
+# Class['::threatstack'].
+#
+# This is sort of a dummy class but might be used at some point.
+#
+# === Authors
+#
+# Nate St. Germain <nate.stgermain@threatstack.com>
+#
+# === Copyright
+#
+# Copyright 2019 Threat Stack, Inc.
+#
+class threatstack::msi inherits ::threatstack::params {
+}

manifests/package.pp

@@ -39,8 +39,26 @@
   # NOTE: We do not signal the tsagent service to restart because the
   # package takes care of this.  The workflow differs between fresh
   # installation and upgrades.
-  package { $::threatstack::ts_package:
-    ensure  => $::threatstack::package_version,
-    require => $required
+  case $facts['os']['family'] {
+  'Windows': {
+    remote_file { 'agent msi download':
+      ensure => present,
+      path   => $::threatstack::windows_tmp_path,
+      source => $::threatstack::windows_download_url
+    }
+
+    package { $::threatstack::ts_package:
+      ensure          => installed,
+      source          => $::threatstack::windows_tmp_path,
+      install_options => $::threatstack::windows_install_options,
+      require => Remote_file['agent msi download']
+    }
+  }
+  default: {
+    package { $::threatstack::ts_package:
+      ensure  => $::threatstack::package_version,
+      require => $required
+    }
   }
+ }
 }

manifests/params.pp

@@ -18,15 +18,57 @@
 #
 
 class threatstack::params {
-  $ts_package      = 'threatstack-agent'
-  $ts_service      = 'threatstack'
+  $ts_package = $facts['os']['family'] ? {
+    'Windows' => 'Threat Stack Cloud Security Platform',
+    default   =>  'threatstack-agent'
+  }
+
+  $ts_service = $facts['os']['family'] ? {
+    'Windows' => 'Threat Stack Agent',
+    default   => 'threatstack'
+  }
+
+  $cloudsight_bin  = $facts['os']['family'] ? {
+    'Windows' => "C:\\Program Files\\Threat Stack\\tsagent.exe",
+    default   => '/usr/bin/tsagent'
+  }
+
+  $binpath = $facts['os']['family'] ? {
+    'Windows' => ["C:\\Program Files\\Threat Stack\\"],
+    default   => ['/bin', '/usr/bin']
+  }
+
+  $setup_unless = $facts['os']['family'] ? {
+    'Windows' => 'tasklist.exe /fi "Imagename eq tsagent*"',
+    default   =>'ps auwwwx| grep [t]sagentd'
+  }
+
+  $confdir = $facts['os']['family'] ? {
+    'Windows' => "C:\\ProgramData\\Threat Stack\\config\\",
+    default   => '/opt/threatstack/etc'
+  }
+
+  $rulesets = $facts['os']['family'] ? {
+    'Windows' => ['Windows Rule Set'],
+    default   => ['Base Rule Set']
+  }
+
   $package_version = 'installed'
-  $rulesets        = ['Base Rule Set']
   $extra_args      = undef
-  $cloudsight_bin  = '/usr/bin/tsagent'
-  $confdir         = '/opt/threatstack/etc'
+  $windows_install_options = ["TSEVENTLOGLIST=Security,Microsoft-Windows-Sysmon/Operational"]
 
   case $facts['os']['family'] {
+    'Windows': {
+      $repo_class         = '::threatstack::msi'
+      $repo_url           = undef
+      $gpg_key            = undef
+      $disable_auditd     = false
+      $disable_auditd_cmd = undef
+      $windows_base_url   = "https://pkg.threatstack.com/v2/Windows"
+      $windows_pkg_name   = 'Threat+Stack+Cloud+Security+Agent.latest.msi'
+      $download_url       = "${windows_base_url}/${windows_pkg_name}"
+      $tmp_path           = "C:\\Windows\\Temp\\${windows_pkg_name}"
+    }
     'RedHat': {
       $repo_class       = '::threatstack::yum'
       $gpg_key          = 'https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK'
@@ -66,6 +108,4 @@
       fail("Module ${module_name} does not support ${::operatingsystem}")
     }
   }
-
-
 }

manifests/service.pp

@@ -23,4 +23,3 @@
   }
 
 }
-