sync: auto-sync from GURU-5070 at 2026-07-02 16:01:04
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-02 16:01:04
@@ -0,0 +1,165 @@
# 2026-07-02 — CrowdStrike (spec+rollout), VWP OneDrive, 365 app-suite docs + consent-audit

## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin

## Session Summary

Large multi-thread session. (1) Built the CrowdStrike Falcon RMM-integration spec via
/shape-spec and implemented the entire server side (Tasks 1-5) as a vendor-agnostic
integrations plugin framework in guru-rmm, each task pipeline-verified green. (2) Detoured
to actually DEPLOY the Falcon sensor to 5 ACG machines with the test CID. (3) Granted Shelly
Dooley access to Teresa Carpio's OneDrive at VWP (offboarding follow-up), which exposed that
the 365 app suite lacked SharePoint consent on VWP. (4) Properly DOCUMENTED the 365 app suite
and built a `consent-audit` command to detect per-tenant consent drift. (5) Billed the VWP
OneDrive work as a new linked Syncro ticket.

CrowdStrike RMM feature (guru-rmm submodule, all pipeline-green via ci-version-bump marker):
Task 1 migration 065 (5 vendor-agnostic tables: integrations, integration_credentials
[reuses the credentials TEXT/base64 encryptor], integration_client_mappings,
integration_sync_state, integration_agent_links). Task 2 IntegrationPlugin trait
(axum::async_trait) + PluginRegistry + credential encrypt/decrypt chokepoint + runtime-sqlx
DB layer (codebase uses runtime queries, NOT query! macros -> no .sqlx regen). Task 3 generic
/api/integrations REST (list/upsert/delete/credentials/test/mappings/sync-state; added
registry to AppState). Task 4 FalconClient (OAuth2 client-creds, region base-URL map, host
query+details) + CrowdStrikePlugin (test_connection, sync host.cid->mapped client->agent by
hostname); registered in PluginRegistry::build(). Task 5 periodic sync worker (60s tick, per-
integration due-check, parks bad-cred integrations). Server side COMPLETE + running; remaining
Tasks 6-9 (deploy job, agent installer, dashboard, e2e).

Falcon deployment (5/5 operational): installers staged on the RMM downloads server
(/var/www/gururmm/downloads/crowdstrike/, HTTP-served). Beast/Neptune/DC16 (Windows) via RMM
PowerShell (FalconSensor_Windows.exe /install /quiet /norestart CID=...); IX (CloudLinux 9)
via SSH + el9 rpm + falconctl -s --cid (rfm-state=false); Mac (macOS 26) via RMM pkg install +
falconctl license, then Mike approved the system extension + rebooted -> Sensor operational.
CID BB56861AF0944B82ACE88C9F68362C23-52 vaulted at infrastructure/crowdstrike-falcon.

VWP OneDrive + 365 docs: granted shelly@ site-collection admin on teresa@'s OneDrive
(~19.8GB) via SPO CSOM SetSiteAdmin. This required fixing VWP's partial consent (had the
Tenant Admin app but NO SharePoint app-only role) — granted it directly via appRoleAssignment
(tenant-admin holds AppRoleAssignment.ReadWrite.All). Mike (rightly) flagged the 365 suite as
under-documented; wrote references/app-suite.md (authoritative live-verified map + the
consent-drift problem + both fix methods) and built consent-audit.sh (audits a tenant/--all vs
baseline, grades GREEN/AMBER/RED, prints exact fixes). Verified: BirthBio GREEN, VWP/Cascades
AMBER (real drift caught). Billed the OneDrive work as new Syncro ticket #32499 linked to
#32487, 0.5h remote applied to VWP's prepaid block (10.0->9.5, $0 invoice).

## Key Decisions

- CrowdStrike = plugin #1 on a VENDOR-AGNOSTIC framework (5 generic tables + trait + registry),
not a one-off — matches Mike's "modular, each partner enables their own creds". MSSP-correct
via per-host cid -> mapped client (single-CID and Flight-Control both work).
- Pipeline build is the compile gate (local cargo check blocked: no MSVC linker on GURU-5070).
Each task pushed by explicit SHA, rebased over concurrent CI version-bumps, verified via the
ci-version-bump marker.
- Falcon staging: authorized GURU-5070's SSH key on the RMM server via its OWN root RMM agent
(.30 refuses password SSH) -> scp installers to the HTTP downloads dir. DF-site machines
(Neptune/DC16/IX) can't reach office-internal 172.16.3.30 -> use public rmm.azcomputerguru.com.
- Architecture answer to Mike: do NOT split the 365 apps (tier-by-privilege split is correct;
more apps = more consent drift). The gap was INSTRUMENTATION, not decomposition — extend the
proven assign-exchange-role --verify pattern to all permissions = consent-audit.sh.
- Fixed VWP SharePoint gap via direct appRoleAssignment (Method B), not just re-consent — the
adminconsent flow grants Graph but often skips the SharePoint app-only role.
- VWP billing: new ticket #32499 (since #32487 already Invoiced), 0.5h remote applied to the
prepaid block; referenced #32487 in subject/desc (no Syncro API for formal ticket link).

## Problems Encountered

- ps-encoded.sh (shell->cmd->powershell -EncodedCommand) returns "Access is denied" on Windows
Server 2016 (DC16); direct command_type=powershell works. Logged as friction.
- Long Falcon download+install exceeds the RMM command timeout on slow-egress boxes (DC16/Mac)
-> command reports failed/"Command timeout" but the install COMPLETES in background; verify
service/state after. Logged.
- macOS 26 EDR system extension stuck [activated waiting for user] even after FDA enabled —
extension Allow is a separate toggle (Login Items & Extensions on macOS 26); a REBOOT
reconciled it to [activated enabled] + Sensor operational.
- IX first attempt: el8 rpm vs CloudLinux 9 (el9) mismatch — waited for Mike to drop the el9
rpm; installed clean, rfm-state=false.
- consent-audit.sh v1 bug: jwt_roles read the token from stdin while the heredoc also claimed
stdin -> every role decoded empty (false-flagged BirthBio). Fixed to pass the token as argv.
- My own new block-tmp-path hook correctly blocked a `curl -o /tmp/..` mid-session (dogfood).
- Two rebase conflicts (errorlog.md + MEMORY.md) from concurrent auto-sync; resolved by union
(errorlog) and take-origin-then-re-add-line (MEMORY).

## Configuration Changes

guru-rmm submodule (main, pipeline-green):
- specs/crowdstrike-falcon/{plan,shape,references,standards}.md
- server/migrations/065_integrations_framework.sql
- server/src/db/integrations.rs, server/src/db/mod.rs
- server/src/integrations/{mod.rs, worker.rs, crowdstrike/mod.rs, crowdstrike/client.rs}
- server/src/api/integrations.rs, server/src/api/mod.rs
- server/src/main.rs (AppState.registry + integrations sync worker spawn)

claudetools (main):
- .claude/skills/remediation-tool/scripts/consent-audit.sh (new)
- .claude/skills/remediation-tool/references/app-suite.md (new)
- .claude/skills/remediation-tool/scripts/get-token.sh (exchange-op-graph tier, from prior)
- .claude/skills/remediation-tool/SKILL.md (consent-audit pointer; repo + global)
- .claude/memory/reference_365_app_suite.md + MEMORY.md index
- errorlog.md (ps-encoded/server2016, long-install-reaper, consent-drift correction, +others)

vault: infrastructure/crowdstrike-falcon.sops.yaml (CID install key) — committed.

RMM server .30: appended GURU-5070 ed25519 pubkey to /home/guru/.ssh/authorized_keys (via
root RMM agent); staged crowdstrike installers under /var/www/gururmm/downloads/crowdstrike/.

## Credentials & Secrets

- CrowdStrike Falcon CID / install key: `BB56861AF0944B82ACE88C9F68362C23-52` — vaulted at
`infrastructure/crowdstrike-falcon` field `credentials.cid`. Enrollment key (not an API cred).
- No other new secrets. VWP SharePoint access granted to the ComputerGuru Tenant Admin app
(709e6eed) via appRoleAssignment on tenant 5c53ae9f (Mike consented).

## Infrastructure & Servers

- Falcon targets: Beast GURU-BEAST-ROG (5233d75b, Win11), Neptune NEPTUNE (b3a9b454, WinSvr),
DC16 ACG-DC16 (77ddf8a1, Server 2016 DC), IX ix.azcomputerguru.com (4ad2e426 / 172.16.3.10,
CloudLinux 9.8), Mac Mikes-MacBook-Air (0cb6148e, macOS 26.5.2). All enrolled to the CID.
- RMM server: 172.16.3.30 (Ubuntu 22.04, SSH guru, publickey-only), own root RMM agent
9b92b187 (hostname gururmm). Downloads dir served at http://172.16.3.30/downloads/ (LAN) +
https://rmm.azcomputerguru.com/downloads/ (public, Cloudflare).
- VWP tenant 5c53ae9f-7071-4248-b834-8685b646450f (valleywideplastering.com; onmicrosoft
prefix valleywideplastering; SPO admin valleywideplastering-admin.sharepoint.com). Users:
Shelly Dooley da8f7037 (enabled), Teresa Carpio 615d8ef9 (disabled). Tenant Admin SP in VWP:
fccda86c-77ca-4248-b876-b0cdba8605d4. BirthBio tenant 19a568e8 = fully-consented reference.
- 365 app suite (App IDs): investigator bfbc12a4, exchange-op b43e7342, user-manager 64fac46b,
tenant-admin 709e6eed, defender dbf8ad1a, intune 46986910, mailbox 1873b1b0 (ACG-internal).
SharePoint resource 00000003-0000-0ff1-ce00-000000000000, Sites.FullControl.All role id
678536fe-1083-478a-9c59-b99265e6b0d3.

## Commands & Outputs

- consent-audit: `bash .claude/skills/remediation-tool/scripts/consent-audit.sh <domain|guid|--all>`
- Falcon deploy scripts in scratchpad (cs_install_win.ps1 / cs_install_win_public.ps1 /
cs_install_mac.sh). Windows install: `FalconSensor_Windows.exe /install /quiet /norestart
CID=<cid>`; Linux: `dnf install el9.rpm; /opt/CrowdStrike/falconctl -s --cid=<cid>;
systemctl enable --now falcon-sensor`; mac: `installer -pkg ...; falconctl license <cid>`.
- Fix partial 365 consent (Method B): POST /servicePrincipals/{recipientSP}/appRoleAssignments
{principalId, resourceId=SharePoint SP, appRoleId=Sites.FullControl.All} with a tenant-admin token.
- SPO SetSiteAdmin: POST <admin>/_vti_bin/client.svc/ProcessQuery (CSOM XML) with sharepoint-admin
cert token.

## Pending / Incomplete Tasks

- CrowdStrike RMM feature: Tasks 6 (deploy job + migration 066), 7 (agent installer, Win first),
8 (dashboard Integrations page + Falcon panels), 9 (e2e verification). Spec plan.md is the
source of truth (Tasks 1-5 marked DONE).
- VWP is AMBER on consent-audit: investigator (missing User.Read.All, Sites.Read.All),
exchange-op-graph (Mail.ReadWrite, MailboxSettings.ReadWrite), user-manager
(Directory.ReadWrite.All) still on old partial grants -> full re-consent sweep recommended.
- Cascades AMBER: missing SharePoint app-only role (same class as VWP) -> Method B or re-consent.
- Optional follow-up (Mike's call, not built): consent-audit --all to regenerate tenants.md as
a live matrix; schedule a fleet audit via coord todo.
- guru-rmm parent gitlink lags; advance on a later /sync if desired.

## Reference Information

- guru-rmm commits: spec dd646f6; T1 8b75274; T2 cac7e1d; T3 6c83a03; T4 847cff6; T5 5f38ef3.
- claudetools consent-audit commit 8152476e.
- Syncro: VWP customer 31694734; new ticket #32499 (id 113383258) invoice 1650932291 ($0,
applied 0.5 prepay, block 10.0->9.5); linked-ref offboarding ticket #32487 (id 113195707,
Invoiced). Remote labor product 1190473 @ $150 (category Labor).
- Docs: .claude/skills/remediation-tool/references/app-suite.md (authoritative 365 map).
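Review bot: the Falcon CID / install key is written in clear text in two places in this file (the "Falcon deployment" paragraph of the Session Summary and the "Credentials & Secrets" bullet) even though the same value is recorded as vaulted in infrastructure/crowdstrike-falcon.sops.yaml; committing it into a plaintext markdown log that auto-syncs between machines undoes the point of vaulting it. Suggest replacing both occurrences with the vault reference only, e.g. "CID: see `infrastructure/crowdstrike-falcon` field `credentials.cid`", and, since the value is already in history, treating it as disclosed rather than relying on the log being private. The "Enrollment key (not an API cred)" qualifier understates the exposure: per the same file, the CID is the only value an installer needs to enroll a sensor into the tenant, so it should be handled with the same care as the sops-encrypted copy.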