sync: auto-sync from GURU-5070 at 2026-07-02 16:01:04

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-02 16:01:04
This commit is contained in:
2026-07-02 16:01:53 -07:00
parent b01105d1f9
commit 7ff092f7bb
5 changed files with 4071 additions and 0 deletions


@@ -0,0 +1,165 @@
# 2026-07-02 — CrowdStrike (spec+rollout), VWP OneDrive, 365 app-suite docs + consent-audit
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Large multi-thread session. (1) Built the CrowdStrike Falcon RMM-integration spec via
/shape-spec and implemented the entire server side (Tasks 1-5) as a vendor-agnostic
integrations plugin framework in guru-rmm, each task pipeline-verified green. (2) Detoured
to actually DEPLOY the Falcon sensor to 5 ACG machines with the test CID. (3) Granted Shelly
Dooley access to Teresa Carpio's OneDrive at VWP (offboarding follow-up), which exposed that
the 365 app suite lacked SharePoint consent on VWP. (4) Properly DOCUMENTED the 365 app suite
and built a `consent-audit` command to detect per-tenant consent drift. (5) Billed the VWP
OneDrive work as a new linked Syncro ticket.
CrowdStrike RMM feature (guru-rmm submodule, all pipeline-green via ci-version-bump marker):
Task 1 migration 065 (5 vendor-agnostic tables: integrations, integration_credentials
[reuses the credentials TEXT/base64 encryptor], integration_client_mappings,
integration_sync_state, integration_agent_links). Task 2 IntegrationPlugin trait
(axum::async_trait) + PluginRegistry + credential encrypt/decrypt chokepoint + runtime-sqlx
DB layer (codebase uses runtime queries, NOT query! macros -> no .sqlx regen). Task 3 generic
/api/integrations REST (list/upsert/delete/credentials/test/mappings/sync-state; added
registry to AppState). Task 4 FalconClient (OAuth2 client-creds, region base-URL map, host
query+details) + CrowdStrikePlugin (test_connection, sync host.cid->mapped client->agent by
hostname); registered in PluginRegistry::build(). Task 5 periodic sync worker (60s tick, per-
integration due-check, parks bad-cred integrations). Server side COMPLETE + running; remaining
Tasks 6-9 (deploy job, agent installer, dashboard, e2e).
Falcon deployment (5/5 operational): installers staged on the RMM downloads server
(/var/www/gururmm/downloads/crowdstrike/, HTTP-served). Beast/Neptune/DC16 (Windows) via RMM
PowerShell (FalconSensor_Windows.exe /install /quiet /norestart CID=...); IX (CloudLinux 9)
via SSH + el9 rpm + falconctl -s --cid (rfm-state=false); Mac (macOS 26) via RMM pkg install +
falconctl license, then Mike approved the system extension + rebooted -> Sensor operational.
CID BB56861AF0944B82ACE88C9F68362C23-52 vaulted at infrastructure/crowdstrike-falcon.
VWP OneDrive + 365 docs: granted shelly@ site-collection admin on teresa@'s OneDrive
(~19.8GB) via SPO CSOM SetSiteAdmin. This required fixing VWP's partial consent (had the
Tenant Admin app but NO SharePoint app-only role) — granted it directly via appRoleAssignment
(tenant-admin holds AppRoleAssignment.ReadWrite.All). Mike (rightly) flagged the 365 suite as
under-documented; wrote references/app-suite.md (authoritative live-verified map + the
consent-drift problem + both fix methods) and built consent-audit.sh (audits a tenant/--all vs
baseline, grades GREEN/AMBER/RED, prints exact fixes). Verified: BirthBio GREEN, VWP/Cascades
AMBER (real drift caught). Billed the OneDrive work as new Syncro ticket #32499 linked to
#32487, 0.5h remote applied to VWP's prepaid block (10.0->9.5, $0 invoice).
## Key Decisions
- CrowdStrike = plugin #1 on a VENDOR-AGNOSTIC framework (5 generic tables + trait + registry),
not a one-off — matches Mike's "modular, each partner enables their own creds". MSSP-correct
via per-host cid -> mapped client (single-CID and Flight-Control both work).
- Pipeline build is the compile gate (local cargo check blocked: no MSVC linker on GURU-5070).
Each task pushed by explicit SHA, rebased over concurrent CI version-bumps, verified via the
ci-version-bump marker.
- Falcon staging: authorized GURU-5070's SSH key on the RMM server via its OWN root RMM agent
(.30 refuses password SSH) -> scp installers to the HTTP downloads dir. DF-site machines
(Neptune/DC16/IX) can't reach office-internal 172.16.3.30 -> use public rmm.azcomputerguru.com.
- Architecture answer to Mike: do NOT split the 365 apps (tier-by-privilege split is correct;
more apps = more consent drift). The gap was INSTRUMENTATION, not decomposition — extend the
proven assign-exchange-role --verify pattern to all permissions = consent-audit.sh.
- Fixed VWP SharePoint gap via direct appRoleAssignment (Method B), not just re-consent — the
adminconsent flow grants Graph but often skips the SharePoint app-only role.
- VWP billing: new ticket #32499 (since #32487 already Invoiced), 0.5h remote applied to the
prepaid block; referenced #32487 in subject/desc (no Syncro API for formal ticket link).
## Problems Encountered
- ps-encoded.sh (shell->cmd->powershell -EncodedCommand) returns "Access is denied" on Windows
Server 2016 (DC16); direct command_type=powershell works. Logged as friction.
- Long Falcon download+install exceeds the RMM command timeout on slow-egress boxes (DC16/Mac)
-> command reports failed/"Command timeout" but the install COMPLETES in background; verify
service/state after. Logged.
- macOS 26 EDR system extension stuck [activated waiting for user] even after FDA enabled —
extension Allow is a separate toggle (Login Items & Extensions on macOS 26); a REBOOT
reconciled it to [activated enabled] + Sensor operational.
- IX first attempt: el8 rpm vs CloudLinux 9 (el9) mismatch — waited for Mike to drop the el9
rpm; installed clean, rfm-state=false.
- consent-audit.sh v1 bug: jwt_roles read the token from stdin while the heredoc also claimed
stdin -> every role decoded empty (false-flagged BirthBio). Fixed to pass the token as argv.
- My own new block-tmp-path hook correctly blocked a `curl -o /tmp/..` mid-session (dogfood).
- Two rebase conflicts (errorlog.md + MEMORY.md) from concurrent auto-sync; resolved by union
(errorlog) and take-origin-then-re-add-line (MEMORY).
## Configuration Changes
guru-rmm submodule (main, pipeline-green):
- specs/crowdstrike-falcon/{plan,shape,references,standards}.md
- server/migrations/065_integrations_framework.sql
- server/src/db/integrations.rs, server/src/db/mod.rs
- server/src/integrations/{mod.rs, worker.rs, crowdstrike/mod.rs, crowdstrike/client.rs}
- server/src/api/integrations.rs, server/src/api/mod.rs
- server/src/main.rs (AppState.registry + integrations sync worker spawn)
claudetools (main):
- .claude/skills/remediation-tool/scripts/consent-audit.sh (new)
- .claude/skills/remediation-tool/references/app-suite.md (new)
- .claude/skills/remediation-tool/scripts/get-token.sh (exchange-op-graph tier, from prior)
- .claude/skills/remediation-tool/SKILL.md (consent-audit pointer; repo + global)
- .claude/memory/reference_365_app_suite.md + MEMORY.md index
- errorlog.md (ps-encoded/server2016, long-install-reaper, consent-drift correction, +others)
vault: infrastructure/crowdstrike-falcon.sops.yaml (CID install key) — committed.
RMM server .30: appended GURU-5070 ed25519 pubkey to /home/guru/.ssh/authorized_keys (via
root RMM agent); staged crowdstrike installers under /var/www/gururmm/downloads/crowdstrike/.
## Credentials & Secrets
- CrowdStrike Falcon CID / install key: `BB56861AF0944B82ACE88C9F68362C23-52` — vaulted at
`infrastructure/crowdstrike-falcon` field `credentials.cid`. Enrollment key (not an API cred).
- No other new secrets. VWP SharePoint access granted to the ComputerGuru Tenant Admin app
(709e6eed) via appRoleAssignment on tenant 5c53ae9f (Mike consented).
## Infrastructure & Servers
- Falcon targets: Beast GURU-BEAST-ROG (5233d75b, Win11), Neptune NEPTUNE (b3a9b454, WinSvr),
DC16 ACG-DC16 (77ddf8a1, Server 2016 DC), IX ix.azcomputerguru.com (4ad2e426 / 172.16.3.10,
CloudLinux 9.8), Mac Mikes-MacBook-Air (0cb6148e, macOS 26.5.2). All enrolled to the CID.
- RMM server: 172.16.3.30 (Ubuntu 22.04, SSH guru, publickey-only), own root RMM agent
9b92b187 (hostname gururmm). Downloads dir served at http://172.16.3.30/downloads/ (LAN) +
https://rmm.azcomputerguru.com/downloads/ (public, Cloudflare).
- VWP tenant 5c53ae9f-7071-4248-b834-8685b646450f (valleywideplastering.com; onmicrosoft
prefix valleywideplastering; SPO admin valleywideplastering-admin.sharepoint.com). Users:
Shelly Dooley da8f7037 (enabled), Teresa Carpio 615d8ef9 (disabled). Tenant Admin SP in VWP:
fccda86c-77ca-4248-b876-b0cdba8605d4. BirthBio tenant 19a568e8 = fully-consented reference.
- 365 app suite (App IDs): investigator bfbc12a4, exchange-op b43e7342, user-manager 64fac46b,
tenant-admin 709e6eed, defender dbf8ad1a, intune 46986910, mailbox 1873b1b0 (ACG-internal).
SharePoint resource 00000003-0000-0ff1-ce00-000000000000, Sites.FullControl.All role id
678536fe-1083-478a-9c59-b99265e6b0d3.
## Commands & Outputs
- consent-audit: `bash .claude/skills/remediation-tool/scripts/consent-audit.sh <domain|guid|--all>`
- Falcon deploy scripts in scratchpad (cs_install_win.ps1 / cs_install_win_public.ps1 /
cs_install_mac.sh). Windows install: `FalconSensor_Windows.exe /install /quiet /norestart
CID=<cid>`; Linux: `dnf install el9.rpm; /opt/CrowdStrike/falconctl -s --cid=<cid>;
systemctl enable --now falcon-sensor`; mac: `installer -pkg ...; falconctl license <cid>`.
- Fix partial 365 consent (Method B): POST /servicePrincipals/{recipientSP}/appRoleAssignments
{principalId, resourceId=SharePoint SP, appRoleId=Sites.FullControl.All} with a tenant-admin token.
- SPO SetSiteAdmin: POST <admin>/_vti_bin/client.svc/ProcessQuery (CSOM XML) with sharepoint-admin
cert token.
## Pending / Incomplete Tasks
- CrowdStrike RMM feature: Tasks 6 (deploy job + migration 066), 7 (agent installer, Win first),
8 (dashboard Integrations page + Falcon panels), 9 (e2e verification). Spec plan.md is the
source of truth (Tasks 1-5 marked DONE).
- VWP is AMBER on consent-audit: investigator (missing User.Read.All, Sites.Read.All),
exchange-op-graph (Mail.ReadWrite, MailboxSettings.ReadWrite), user-manager
(Directory.ReadWrite.All) still on old partial grants -> full re-consent sweep recommended.
- Cascades AMBER: missing SharePoint app-only role (same class as VWP) -> Method B or re-consent.
- Optional follow-up (Mike's call, not built): consent-audit --all to regenerate tenants.md as
a live matrix; schedule a fleet audit via coord todo.
- guru-rmm parent gitlink lags; advance on a later /sync if desired.
## Reference Information
- guru-rmm commits: spec dd646f6; T1 8b75274; T2 cac7e1d; T3 6c83a03; T4 847cff6; T5 5f38ef3.
- claudetools consent-audit commit 8152476e.
- Syncro: VWP customer 31694734; new ticket #32499 (id 113383258) invoice 1650932291 ($0,
applied 0.5 prepay, block 10.0->9.5); linked-ref offboarding ticket #32487 (id 113195707,
Invoiced). Remote labor product 1190473 @ $150 (category Labor).
- Docs: .claude/skills/remediation-tool/references/app-suite.md (authoritative 365 map).
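Review bot: the Falcon CID / install key appears in plaintext twice in this hunk (the "Falcon deployment" paragraph and the "Credentials & Secrets" bullet) even though the same hunk records it as vaulted in `infrastructure/crowdstrike-falcon.sops.yaml`; a committed session log is outside the SOPS boundary, so the vaulting is undone the moment this file lands, and a later key rotation has to hunt down this file as well. Suggest replacing both literals with the vault pointer only, e.g. `CID: vaulted at infrastructure/crowdstrike-falcon, field credentials.cid`, and treating the value as exposed in git history for this repo once the file is pushed. A smaller point in the same hunk: the "Commands & Outputs" section still documents the Windows install as `FalconSensor_Windows.exe /install /quiet /norestart CID=<cid>` while "Problems Encountered" notes the install outliving the RMM command timeout on DC16/Mac; a one-line note there to verify the service state after a reported timeout would save the next reader from re-running the installer.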