azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-21 10:42:33

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-21 10:42:33
This commit is contained in:
Howard Enos
2026-06-21 10:43:16 -07:00
parent a254e5f641
commit 5ede4fee26
5 changed files with 836 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

368
.claude/scripts/guruscan-agent-test.sh Normal file
View File

@@ -0,0 +1,368 @@
#!/usr/bin/env bash
# guruscan-agent-test.sh - Deploy GuruScan to a Windows GuruRMM agent and run an
# end-to-end smoke test (full 3-engine chain, EICAR-seeded, clean mode), pulling
# every log back for review.
#
# Phases:
# prep - upload module to C:\GuruScan, Defender-exclude tool/test dirs,
# download RKill+Emsisoft, fetch HitmanPro, seed EICAR, verify ready
# scan - dispatch Invoke-GuruScan.ps1 -Headless (clean mode) and poll
# collect - pull results.json + per-scanner logs into the repo
# all - prep then scan then collect
#
# Usage:
# bash guruscan-agent-test.sh <hostname|uuid> <prep|scan|collect|all>
#
# Mirrors the RMM plumbing in run-onboarding-diagnostic.sh (vault auth -> JWT ->
# chunked base64 upload -> dispatch -> poll). EICAR is the standard harmless AV
# test file; it is assembled on the endpoint (never written to this host) and
# dropped only into a Defender-excluded folder so GuruScan's own engines are what
# detect it.
set -u
TARGET="${1:-}"
PHASE="${2:-all}"
if [ -z "$TARGET" ]; then
echo "[ERROR] Usage: bash guruscan-agent-test.sh <hostname|uuid> <prep|scan|collect|all>" >&2
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
VAULT="$REPO_ROOT/.claude/scripts/vault.sh"
ALERT="$REPO_ROOT/.claude/scripts/post-bot-alert.sh"
GS_DIR="$REPO_ROOT/projects/msp-tools/guru-scan"
RESULTS_ROOT="$GS_DIR/test-results"
RMM="http://172.16.3.30:3001"
HITMANPRO_URL="https://dl.surfright.nl/HitmanPro_x64.exe"
_logerr() { bash "$REPO_ROOT/.claude/scripts/log-skill-error.sh" "guruscan-test" "$@" >/dev/null 2>&1 || true; }
post_alert() { [ -f "$ALERT" ] && bash "$ALERT" "$1" >/dev/null 2>&1 || true; }
for tool in jq curl base64 split; do
command -v "$tool" >/dev/null 2>&1 || { echo "[ERROR] Required tool not found: $tool" >&2; exit 1; }
done
# ---------------------------------------------------------------------------
# Auth
# ---------------------------------------------------------------------------
RMM_EMAIL="$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email 2>/dev/null)"
RMM_PASS="$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password 2>/dev/null)"
if [ -z "$RMM_EMAIL" ] || [ "$RMM_EMAIL" = "null" ] || [ -z "$RMM_PASS" ]; then
echo "[ERROR] Could not read GuruRMM credentials from vault" >&2
_logerr "vault read of GuruRMM creds failed"
exit 1
fi
TOKEN="$(curl -s -m 30 -X POST "$RMM/api/auth/login" -H "Content-Type: application/json" \
--data-binary "$(jq -nc --arg e "$RMM_EMAIL" --arg p "$RMM_PASS" '{email:$e,password:$p}')" | jq -r '.token // empty')"
if [ -z "$TOKEN" ]; then
echo "[ERROR] RMM login failed" >&2; _logerr "RMM login failed"; exit 1
fi
echo "[OK] Authenticated to GuruRMM"
# ---------------------------------------------------------------------------
# Resolve agent (uuid -> exact host -> partial host)
# ---------------------------------------------------------------------------
AGENTS="$(curl -s -m 30 "$RMM/api/agents" -H "Authorization: Bearer $TOKEN")"
echo "$AGENTS" | jq -e 'type=="array"' >/dev/null 2>&1 || { echo "[ERROR] Could not list agents" >&2; exit 1; }
if echo "$TARGET" | grep -qiE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
AGENT="$(echo "$AGENTS" | jq --arg id "$TARGET" '[.[]|select(.id==$id)]|.[0]//empty')"
else
AGENT="$(echo "$AGENTS" | jq --arg h "$TARGET" '[.[]|select((.hostname|ascii_downcase)==($h|ascii_downcase))]|.[0]//empty')"
if [ -z "$AGENT" ] || [ "$AGENT" = "null" ]; then
MATCHES="$(echo "$AGENTS" | jq --arg h "$TARGET" '[.[]|select(.hostname|ascii_downcase|contains($h|ascii_downcase))]')"
COUNT="$(echo "$MATCHES" | jq 'length')"
[ "$COUNT" = "1" ] && AGENT="$(echo "$MATCHES" | jq '.[0]')"
if [ "$COUNT" != "1" ]; then
echo "[ERROR] $COUNT agents match '$TARGET'. Be more specific." >&2
echo "$MATCHES" | jq -r '.[]|" \(.hostname) (\(.os_type)) id=\(.id)"' >&2
exit 1
fi
fi
fi
[ -z "$AGENT" ] || [ "$AGENT" = "null" ] && { echo "[ERROR] No agent matching '$TARGET'." >&2; exit 1; }
AGENT_ID="$(echo "$AGENT" | jq -r '.id')"
AGENT_HOST="$(echo "$AGENT" | jq -r '.hostname')"
AGENT_OS="$(echo "$AGENT" | jq -r '.os_type')"
AGENT_STATUS="$(echo "$AGENT" | jq -r '.status // "unknown"')"
echo "[OK] Agent: $AGENT_HOST ($AGENT_OS) status=$AGENT_STATUS id=$AGENT_ID"
[ "$AGENT_OS" != "windows" ] && { echo "[ERROR] Windows-only. os_type=$AGENT_OS" >&2; exit 1; }
WORK_DIR="$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/guruscan-test-$$")"
mkdir -p "$WORK_DIR"
trap 'rm -rf "$WORK_DIR" 2>/dev/null || true' EXIT
# ---------------------------------------------------------------------------
# dispatch_one <script-file> <timeout_seconds> <max_polls> -> echoes result JSON
# ---------------------------------------------------------------------------
dispatch_one() {
local script_file="$1" to="$2" max_polls="${3:-72}"
local payload_file resp cmd_id status result count
payload_file="$WORK_DIR/payload.json"
jq -nc --rawfile cmd "$script_file" --argjson to "$to" \
'{command_type:"powershell", command:$cmd, timeout_seconds:$to}' > "$payload_file"
resp="$(curl -s -m 30 -X POST "$RMM/api/agents/$AGENT_ID/command" \
-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
--data-binary "@$payload_file")"
cmd_id="$(echo "$resp" | jq -r '.command_id // empty')"
[ -z "$cmd_id" ] && { echo "[ERROR] Dispatch failed: $resp" >&2; return 1; }
count=0
while [ $count -lt "$max_polls" ]; do
result="$(curl -s -m 30 "$RMM/api/commands/$cmd_id" -H "Authorization: Bearer $TOKEN")"
status="$(echo "$result" | jq -r '.status // empty')"
case "$status" in
completed|failed|cancelled|interrupted)
printf '%s' "$cmd_id" > "$WORK_DIR/last_cmd_id"
echo "$result"; return 0 ;;
*) count=$((count+1)); sleep 5 ;;
esac
done
echo "[ERROR] Command $cmd_id did not finish (last=$status)" >&2; return 1
}
# run_ps <script-file> <timeout> <max_polls> <label> -> prints status, returns nonzero on failure
run_ps() {
local sf="$1" to="$2" mp="$3" label="$4" res st ec out err
res="$(dispatch_one "$sf" "$to" "$mp")" || { echo "[ERROR] $label: dispatch failed" >&2; return 1; }
st="$(echo "$res" | jq -r '.status')"; ec="$(echo "$res" | jq -r '.exit_code // "null"')"
out="$(echo "$res" | jq -r '.stdout // ""')"; err="$(echo "$res" | jq -r '.stderr // ""')"
echo "--- $label: status=$st exit=$ec ---"
[ -n "$out" ] && printf '%s\n' "$out"
[ -n "$err" ] && { echo " [stderr]"; printf '%s\n' "$err" | head -30; }
printf '%s' "$res" > "$WORK_DIR/last_result.json"
[ "$st" = "completed" ] || return 1
return 0
}
# upload_file <local> <remote_win_path> (chunked base64, decode on endpoint)
upload_file() {
local local_path="$1" remote="$2" b64="$WORK_DIR/up.b64" chunk_dir="$WORK_DIR/chunks"
local remote_b64="${remote}.b64"
[ -f "$local_path" ] || { echo "[ERROR] missing local file: $local_path" >&2; return 1; }
rm -rf "$chunk_dir"; mkdir -p "$chunk_dir"
if base64 -w0 "$local_path" > "$b64" 2>/dev/null; then :
elif base64 -i "$local_path" > "$b64" 2>/dev/null; then :
else base64 < "$local_path" | tr -d '\n' > "$b64"; fi
split -b 24000 "$b64" "$chunk_dir/chunk_"
local chunks idx=0 nch sf data
chunks=$(ls -1 "$chunk_dir"/chunk_* | sort)
nch=$(echo "$chunks" | wc -l | tr -d ' ')
for ch in $chunks; do
idx=$((idx+1)); data="$(cat "$ch")"; sf="$WORK_DIR/chunkcmd.ps1"
if [ "$idx" -eq 1 ]; then
cat > "$sf" <<PS
\$ErrorActionPreference='Stop'
\$d=Split-Path "$remote" -Parent
if(-not (Test-Path \$d)){New-Item -ItemType Directory -Path \$d -Force|Out-Null}
[System.IO.File]::WriteAllText("$remote_b64","$data")
Write-Output "CHUNK $idx OK"
PS
else
cat > "$sf" <<PS
\$ErrorActionPreference='Stop'
[System.IO.File]::AppendAllText("$remote_b64","$data")
Write-Output "CHUNK $idx OK"
PS
fi
local r; r="$(dispatch_one "$sf" 60)" || { echo "[ERROR] $(basename "$remote") chunk $idx dispatch failed" >&2; return 1; }
[ "$(echo "$r" | jq -r '.status')" = "completed" ] || { echo "[ERROR] $(basename "$remote") chunk $idx failed" >&2; return 1; }
done
# decode
local df="$WORK_DIR/decode.ps1"
cat > "$df" <<PS
\$ErrorActionPreference='Stop'
\$b64=(Get-Content "$remote_b64" -Raw) -replace '\s',''
[System.IO.File]::WriteAllBytes("$remote",[System.Convert]::FromBase64String(\$b64))
Remove-Item "$remote_b64" -Force -ErrorAction SilentlyContinue
\$len=(Get-Item "$remote").Length
Write-Output ("WROTE $remote (\$len bytes)")
PS
local r; r="$(dispatch_one "$df" 60)" || { echo "[ERROR] decode dispatch failed for $remote" >&2; return 1; }
[ "$(echo "$r" | jq -r '.status')" = "completed" ] || { echo "[ERROR] decode failed for $remote: $(echo "$r"|jq -r '.stderr'|head -c160)" >&2; return 1; }
echo "[OK] uploaded $(basename "$remote") ($nch chunk(s)) -> $(echo "$r"|jq -r '.stdout'|tr -d '\r')"
}
# ===========================================================================
phase_prep() {
echo ""; echo "=== PHASE: prep ==="
# 1) upload module files
local files="GuruScan.psm1 GuruScan.psd1 scanners.json Invoke-GuruScan.ps1 Invoke-ScannerCleanup.ps1 Download-Scanners.ps1"
for f in $files; do
upload_file "$GS_DIR/$f" "C:\\GuruScan\\$f" || { _logerr "upload failed" --context "file=$f host=$AGENT_HOST"; return 1; }
done
# 2) Defender exclusions for tool + downloads + test dirs (so Defender does not
# nuke the scanner EXEs or grab EICAR before GuruScan's engines run).
local sf="$WORK_DIR/defender.ps1"
cat > "$sf" <<'PS'
$ErrorActionPreference='Continue'
foreach($p in @('C:\GuruScan','C:\GuruScan\downloads','C:\GuruScanTest','C:\EmsisoftCmd')){
try { Add-MpPreference -ExclusionPath $p -ErrorAction Stop; Write-Output "EXCLUDED $p" }
catch { Write-Output ("EXCLUDE-SKIP " + $p + " : " + $_.Exception.Message) }
}
PS
run_ps "$sf" 60 24 "defender-exclusions" || echo "[WARN] Defender exclusion step had issues (continuing)"
# 3) download RKill + Emsisoft via the module's downloader
local sf2="$WORK_DIR/dl.ps1"
cat > "$sf2" <<'PS'
$ErrorActionPreference='Continue'
& C:\GuruScan\Download-Scanners.ps1
PS
run_ps "$sf2" 600 130 "download-rkill-emsisoft" || echo "[WARN] scanner download reported issues (HitmanPro is expected MANUAL)"
# 4) fetch HitmanPro directly to downloads\
local sf3="$WORK_DIR/hmp.ps1"
cat > "$sf3" <<PS
\$ErrorActionPreference='Continue'
\$ProgressPreference='SilentlyContinue'
\$dst='C:\\GuruScan\\downloads\\HitmanPro_x64.exe'
try {
[Net.ServicePointManager]::SecurityProtocol=[Net.ServicePointManager]::SecurityProtocol -bor 3072
\$wc=New-Object System.Net.WebClient
\$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
\$wc.DownloadFile('$HITMANPRO_URL',\$dst)
\$len=(Get-Item \$dst).Length
Write-Output ("HITMANPRO OK \$len bytes")
} catch { Write-Output ("HITMANPRO FAIL: " + \$_.Exception.Message) }
PS
run_ps "$sf3" 300 70 "download-hitmanpro" || echo "[WARN] HitmanPro download dispatch issue"
# 5) seed EICAR into the Defender-excluded test folder (assembled on endpoint)
local sf4="$WORK_DIR/eicar.ps1"
cat > "$sf4" <<'PS'
$ErrorActionPreference='Continue'
$dir='C:\GuruScanTest'
if(-not (Test-Path $dir)){New-Item -ItemType Directory -Path $dir -Force|Out-Null}
# Standard EICAR test signature, assembled from fragments so it is never stored
# contiguously anywhere except the on-disk test file.
$e = 'X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR' + '-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
$f = Join-Path $dir 'eicar_test.com'
Set-Content -Path $f -Value $e -Encoding ASCII -NoNewline
Start-Sleep -Seconds 2
if(Test-Path $f){
$sz=(Get-Item $f).Length
Write-Output ("EICAR seeded: $f ($sz bytes) - survived (Defender exclusion working)")
} else {
Write-Output "EICAR MISSING after write - Defender (or other AV) grabbed it despite exclusion"
}
PS
run_ps "$sf4" 60 24 "seed-eicar" || { _logerr "EICAR seed failed" --context "host=$AGENT_HOST"; return 1; }
# 6) readiness check - confirm all three scanner binaries present + EICAR present
local sf5="$WORK_DIR/ready.ps1"
cat > "$sf5" <<'PS'
$ErrorActionPreference='Continue'
$need=@{
'RKill' ='C:\GuruScan\downloads\rkill.exe';
'Emsisoft' ='C:\GuruScan\downloads\EmsisoftCommandlineScanner64.exe';
'HitmanPro' ='C:\GuruScan\downloads\HitmanPro_x64.exe';
'Module' ='C:\GuruScan\GuruScan.psm1';
'EICAR' ='C:\GuruScanTest\eicar_test.com'
}
$ok=$true
foreach($k in $need.Keys){
if(Test-Path $need[$k]){ Write-Output ("READY {0,-10} {1} ({2} bytes)" -f $k,$need[$k],(Get-Item $need[$k]).Length) }
else { Write-Output ("MISSING {0,-10} {1}" -f $k,$need[$k]); $ok=$false }
}
if($ok){Write-Output 'ALL-READY'}else{Write-Output 'NOT-READY'}
PS
run_ps "$sf5" 60 24 "readiness" || return 1
if grep -q 'ALL-READY' "$WORK_DIR/last_result.json" 2>/dev/null || \
echo "$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)" | grep -q 'ALL-READY'; then
echo "[OK] prep complete - endpoint is READY for scan"
post_alert "[RMM] GuruScan test: prepped $AGENT_HOST (module+3 scanners+EICAR staged)"
else
echo "[WARN] prep finished but not all components READY - review output above before scanning"
fi
}
# ===========================================================================
phase_scan() {
echo ""; echo "=== PHASE: scan (clean mode, full chain, headless - LONG) ==="
local sf="$WORK_DIR/scan.ps1"
cat > "$sf" <<'PS'
$ErrorActionPreference='Continue'
& C:\GuruScan\Invoke-GuruScan.ps1 -Headless
PS
# Emsisoft timeout_min=120, HitmanPro=60. Give the command 2.5h and poll up to 3h.
run_ps "$sf" 9000 2160 "guruscan-run" || { _logerr "GuruScan run failed" --context "host=$AGENT_HOST"; echo "[ERROR] scan phase failed"; return 1; }
# surface the structured result line
local out; out="$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)"
echo ""
echo "$out" | grep 'GURUSCAN_RESULT_JSON:' | sed 's/^GURUSCAN_RESULT_JSON://' | jq '.' 2>/dev/null \
|| echo "[WARN] no GURUSCAN_RESULT_JSON line in stdout (see full output above)"
local cmd_id; cmd_id="$(cat "$WORK_DIR/last_cmd_id" 2>/dev/null||echo ?)"
post_alert "[RMM] GuruScan test: scan finished on $AGENT_HOST -> cmd:${cmd_id:0:8}"
}
# ===========================================================================
phase_collect() {
echo ""; echo "=== PHASE: collect (pull results.json + logs) ==="
local stamp; stamp="$(date -u +%Y%m%dT%H%M%S)"
local outdir="$RESULTS_ROOT/${AGENT_HOST}-${stamp}"
mkdir -p "$outdir"
# newest scan log dir + results.json + per-scanner logs, emitted as base64 blobs
local sf="$WORK_DIR/collect.ps1"
cat > "$sf" <<'PS'
$ErrorActionPreference='Continue'
$root='C:\ScanLogs'
if(-not (Test-Path $root)){ Write-Output 'NO-SCANLOGS'; return }
$dir=Get-ChildItem $root -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if(-not $dir){ Write-Output 'NO-SCAN-DIR'; return }
Write-Output ("SCANDIR=" + $dir.FullName)
Get-ChildItem $dir.FullName -File | ForEach-Object {
$b=[Convert]::ToBase64String([IO.File]::ReadAllBytes($_.FullName))
Write-Output ("===FILE===" + $_.Name + "===")
Write-Output $b
}
Write-Output "===END==="
PS
run_ps "$sf" 180 72 "collect-logs" || { echo "[ERROR] collect failed"; return 1; }
local out; out="$(jq -r '.stdout' "$WORK_DIR/last_result.json")"
printf '%s' "$out" > "$WORK_DIR/collect.out"
# split the marker-delimited base64 blobs into files
awk -v outdir="$WORK_DIR/blobs" '
BEGIN{ system("mkdir -p \"" outdir "\""); name="" }
/^===FILE===/ { n=$0; sub(/^===FILE===/,"",n); sub(/===$/,"",n); name=n; next }
/^===END===/ { name=""; next }
name!="" { print > (outdir "/" name ".b64") }
' "$WORK_DIR/collect.out"
if [ -d "$WORK_DIR/blobs" ]; then
for bf in "$WORK_DIR/blobs"/*.b64; do
[ -e "$bf" ] || continue
local name; name="$(basename "$bf" .b64)"
tr -d '\r\n' < "$bf" | base64 -d > "$outdir/$name" 2>/dev/null \
&& echo "[OK] pulled $name ($(wc -c < "$outdir/$name") bytes)" \
|| echo "[WARN] could not decode $name"
done
fi
# save raw stdout (incl. SCANDIR line) too
printf '%s\n' "$out" | grep -E '^(SCANDIR=|NO-)' > "$outdir/_collect-meta.txt" 2>/dev/null || true
echo ""
if [ -f "$outdir/results.json" ]; then
echo "=== results.json ==="
jq '.' "$outdir/results.json" 2>/dev/null || cat "$outdir/results.json"
else
echo "[WARN] results.json not among pulled files - check $outdir"
fi
echo ""
echo "[OK] logs saved to: $outdir"
}
case "$PHASE" in
prep) phase_prep ;;
scan) phase_scan ;;
collect) phase_collect ;;
all) phase_prep && phase_scan && phase_collect ;;
*) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|all)" >&2; exit 1 ;;
esac