sync: auto-sync from GURU-BEAST-ROG at 2026-07-02 10:55:41
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-02 10:55:41
This commit is contained in:
@@ -62,6 +62,7 @@
|
|||||||
- [Mike — font preference](user_font_preference.md) — Mike prefers Lucida Console for monospace UI.
|
- [Mike — font preference](user_font_preference.md) — Mike prefers Lucida Console for monospace UI.
|
||||||
|
|
||||||
## Feedback
|
## Feedback
|
||||||
|
- [Report times in Arizona time](feedback_timezone_arizona_reporting.md) — All user-facing times in America/Phoenix (MST, no DST), labeled AZ; convert from UTC. Set by Winter 2026-07-02.
|
||||||
- [RMM dashboard: beta before main](rmm-dashboard-beta-before-main.md) — GuruRMM website/dashboard changes land on beta (rmm-beta.azcomputerguru.com) and get tested BEFORE pushing/merging to main, unless told otherwise. Pipeline auto-builds beta FROM main, so don't merge to get on beta — build the feature branch's dashboard and rsync to /var/www/gururmm/dashboard-beta via a git worktree. Promote beta→prod with promote-dashboard.sh --confirm.
|
- [RMM dashboard: beta before main](rmm-dashboard-beta-before-main.md) — GuruRMM website/dashboard changes land on beta (rmm-beta.azcomputerguru.com) and get tested BEFORE pushing/merging to main, unless told otherwise. Pipeline auto-builds beta FROM main, so don't merge to get on beta — build the feature branch's dashboard and rsync to /var/www/gururmm/dashboard-beta via a git worktree. Promote beta→prod with promote-dashboard.sh --confirm.
|
||||||
- [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — When a target has SSH (key auth) and the task is easier over it, default to `scp script + ssh run` (system OpenSSH); RMM runs as SYSTEM + hits the server-side timeout reaper. Reserve RMM as fallback when SSH/VPN is down.
|
- [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — When a target has SSH (key auth) and the task is easier over it, default to `scp script + ssh run` (system OpenSSH); RMM runs as SYSTEM + hits the server-side timeout reaper. Reserve RMM as fallback when SSH/VPN is down.
|
||||||
- [Re-clone submodule creds](reclone-submodule-creds.md) — Re-cloning the restructured claudetools (projects now submodules): set `credential.helper=store` GLOBALLY before `git submodule update --init --recursive` or every Gitea submodule fails "could not read Username". Steps in RECLONE.md.
|
- [Re-clone submodule creds](reclone-submodule-creds.md) — Re-cloning the restructured claudetools (projects now submodules): set `credential.helper=store` GLOBALLY before `git submodule update --init --recursive` or every Gitea submodule fails "could not read Username". Steps in RECLONE.md.
|
||||||
|
|||||||
10
.claude/memory/feedback_timezone_arizona_reporting.md
Normal file
10
.claude/memory/feedback_timezone_arizona_reporting.md
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
# Feedback: Report times in Arizona time
|
||||||
|
|
||||||
|
**Source:** Winter, via Discord bot thread, 2026-07-02
|
||||||
|
**Rule:** All times reported to users (Discord replies, reports, logs, tickets) are in
|
||||||
|
Arizona time — `America/Phoenix`, MST (UTC-7) year-round, no DST. Convert API/log UTC
|
||||||
|
timestamps before presenting and label them "AZ". Include UTC only when needed for
|
||||||
|
cross-referencing raw logs.
|
||||||
|
|
||||||
|
Applied to `projects/discord-bot/DISCORD_CLAUDE.md` (formatting rules + rolling-log
|
||||||
|
timestamp format changed from PT to AZ) same day.
|
||||||
48
clients/kittle/reports/2026-07-02-p2-security-scan.md
Normal file
48
clients/kittle/reports/2026-07-02-p2-security-scan.md
Normal file
@@ -0,0 +1,48 @@
|
|||||||
|
# Kittle Design & Construction — P2 Security Scan
|
||||||
|
**Date:** 2026-07-02 (UTC) | **Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
|
||||||
|
**Requested by:** Mike (via Discord) | **Executed by:** ClaudeTools Discord Bot
|
||||||
|
**Scope:** Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier
|
||||||
|
|
||||||
|
## Identity Protection (P2)
|
||||||
|
- **Risk detections (30d):** NONE
|
||||||
|
- **Risky users:** 5 accounts with prior risk history, ALL currently `riskLevel=none / riskState=remediated`:
|
||||||
|
- wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
|
||||||
|
- No active risky sign-ins.
|
||||||
|
|
||||||
|
## Sign-in activity (30d)
|
||||||
|
- **Ken@kittlearizona.com: 140 failed foreign sign-in attempts** from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. **All failed; zero successful non-US sign-ins tenant-wide.** CA non-US block is holding.
|
||||||
|
- No other accounts targeted from abroad.
|
||||||
|
|
||||||
|
## Conditional Access (all enabled)
|
||||||
|
- ACG - Require MFA for all users
|
||||||
|
- ACG - Block legacy authentication
|
||||||
|
- ACG - Block non-US sign-ins
|
||||||
|
- ACG - Block known attacker IPs
|
||||||
|
- Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.
|
||||||
|
|
||||||
|
## MFA registration
|
||||||
|
- All 15 internal users MFA-registered and capable.
|
||||||
|
- Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
|
||||||
|
- Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.
|
||||||
|
|
||||||
|
## Items needing human review
|
||||||
|
1. **Guest invite created TODAY 2026-07-02 17:02 UTC** by Accounting@ for external user `darlenecabrera87@gmail.com` — verify this was intentional.
|
||||||
|
2. Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
|
||||||
|
3. admin@/scott@ SMS-only MFA.
|
||||||
|
4. Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.
|
||||||
|
|
||||||
|
## Related changes same session
|
||||||
|
- License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).
|
||||||
|
|
||||||
|
Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)
|
||||||
|
|
||||||
|
## Addendum — CA hardening deployed (report-only), 2026-07-02
|
||||||
|
Four new policies created via tenant-admin tier, all `enabledForReportingButNotEnforced`,
|
||||||
|
all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):
|
||||||
|
1. ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
|
||||||
|
2. ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
|
||||||
|
3. ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
|
||||||
|
4. ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
|
||||||
|
|
||||||
|
Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only
|
||||||
|
with explicit confirmation from Mike.
|
||||||
@@ -0,0 +1,132 @@
|
|||||||
|
# Kittle Design & Construction — Licensing, P2 Security Scan, CA Hardening
|
||||||
|
|
||||||
|
## User
|
||||||
|
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||||
|
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||||
|
- **Role:** automation (acting on the requester's behalf)
|
||||||
|
|
||||||
|
(Thread opener: Winter. Mike (@azcomputerguru) directed the license reassignment, security
|
||||||
|
scan, CA hardening, and ticket/billing decisions in the same thread.)
|
||||||
|
|
||||||
|
## Session Summary
|
||||||
|
|
||||||
|
Winter asked for a breakdown of Kittle Design & Construction's (kittlearizona.com, tenant
|
||||||
|
3d073ebe-806a-4a5e-9035-3c7c4a264fc0) 12 Business Premium and 13 "Microsoft Azure Active
|
||||||
|
Directory" license assignments. Via the remediation-tool investigator tier, produced the
|
||||||
|
full assignment list: 11 of 12 Business Premium (no Teams) assigned, all 13 AAD Premium P2
|
||||||
|
assigned. Flagged that disabled user Wrex Watson still held a BP seat, and that 4 users
|
||||||
|
(Alexis Schagel, Josh Boggie, Ken Schagel, Tyrele Sandoval) were on a lapsed O365 E3 (no
|
||||||
|
Teams) SKU (0 purchased / 4 consumed).
|
||||||
|
|
||||||
|
Mike directed reassignment of E3 users to Business Premium. With only 1 free BP seat (2
|
||||||
|
after reclaiming Wrex's), Winter chose: unassign Wrex, move Alexis and Ken to BP. Executed
|
||||||
|
via user-manager tier: Wrex's BP removed, Alexis and Ken each got BP added + E3 removed in
|
||||||
|
one assignLicense call. Verified: BP 12/12, Wrex zero licenses, Josh Boggie + Tyrele remain
|
||||||
|
on lapsed E3 (2 consumed / 0 purchased) pending more seats.
|
||||||
|
|
||||||
|
Mike then requested a P2-data security scan of all accounts. Ran tenant-sweep.sh (30d
|
||||||
|
window) + Identity Protection queries: zero risk detections in 30 days; 5 users with prior
|
||||||
|
remediated risk (wrex, scott, Ken, alexis, Marco); Ken was the target of a distributed
|
||||||
|
password spray 2026-06-11 to 06-18 (140 failed foreign attempts, 140 unique IPs, AU/DE/GB)
|
||||||
|
with zero successful non-US sign-ins tenant-wide; all 15 internal users MFA-registered
|
||||||
|
(admin@ and scott@ SMS-only; sysadmin@ has email method); 4 ACG baseline CA policies
|
||||||
|
enabled. Flagged a same-day guest invite (darlenecabrera87@gmail.com, invited by
|
||||||
|
Accounting@ at 10:02 AM AZ) for human verification. Report:
|
||||||
|
clients/kittle/reports/2026-07-02-p2-security-scan.md.
|
||||||
|
|
||||||
|
Mike then directed P1 CA hardening for all accounts. Created 4 new policies via
|
||||||
|
tenant-admin tier, ALL report-only (enabledForReportingButNotEnforced), all excluding the
|
||||||
|
break-glass account sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756): block device code
|
||||||
|
flow + auth transfer; admins 12h sign-in frequency + no persistent browser (9 admin roles);
|
||||||
|
block guest access to admin portals; require MFA to register security info. Enforcement
|
||||||
|
pending ~5-7 day sign-in log review and Mike's explicit approval.
|
||||||
|
|
||||||
|
Winter also set a standing rule: all reported times in Arizona time (America/Phoenix, MST,
|
||||||
|
no DST). Applied to DISCORD_CLAUDE.md and shared memory. Finally, Mike approved a Syncro
|
||||||
|
ticket: #32496 created with hidden internal notes only, 1.0 hr warranty labor, invoice
|
||||||
|
#67982 ($0.00), ticket marked Invoiced, bot alert posted.
|
||||||
|
|
||||||
|
## Key Decisions
|
||||||
|
|
||||||
|
- Used assignLicense with simultaneous addLicenses (BP) + removeLicenses (E3) per user to
|
||||||
|
avoid a licensing gap for Alexis and Ken.
|
||||||
|
- Winter's seat allocation: reclaim Wrex's seat (disabled account), prioritize Alexis + Ken
|
||||||
|
for the 2 available BP seats; Josh.B + Tyrele wait for purchased seats.
|
||||||
|
- All 4 new CA policies created report-only with break-glass exclusion per the mandatory CA
|
||||||
|
discipline; enforcement only after sign-in log impact review + explicit Mike approval.
|
||||||
|
- Identified break-glass account from the consistent excludeUsers GUID across the 4
|
||||||
|
existing ACG policies rather than asking.
|
||||||
|
- Ticket notes hidden + do_not_email per Mike's "internal notes only"; warranty labor
|
||||||
|
(1049360, Exempt Labor, $0.00) per "1hr warranty labor".
|
||||||
|
- Drafted Syncro comment directly (not Ollama) due to security-sensitive content.
|
||||||
|
|
||||||
|
## Problems Encountered
|
||||||
|
|
||||||
|
- get-token.sh could not find identity.json at ~/.claude/identity.json (it lives at
|
||||||
|
ClaudeTools/.claude/identity.json on BEAST) — worked around with VAULT_ROOT_ENV env var.
|
||||||
|
- Graph users?$filter=assignedLicenses/any(...) returned empty without ConsistencyLevel
|
||||||
|
header — switched to pulling all users with $select=assignedLicenses and filtering in jq.
|
||||||
|
- Wrex's license removal showed stale assignedLicenses immediately after the call
|
||||||
|
(replication lag); confirmed removed on re-query.
|
||||||
|
- reports/getMailboxUsageDetail returned S2SUnauthorized (investigator app lacks
|
||||||
|
Reports.Read.All) — could not verify Alexis/Ken mailbox sizes before the E3->BP downgrade
|
||||||
|
(E3=100GB, BP=50GB). Flagged as a watch item.
|
||||||
|
- Winter reported the first license-report Discord message never rendered on her end —
|
||||||
|
reposted as plain numbered list.
|
||||||
|
|
||||||
|
## Configuration Changes
|
||||||
|
|
||||||
|
- kittlearizona.com tenant: licenses — wrex@ BP removed; alexis@ + Ken@ E3 removed, BP added.
|
||||||
|
- kittlearizona.com tenant: 4 new CA policies (report-only):
|
||||||
|
- ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
|
||||||
|
- ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
|
||||||
|
- ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
|
||||||
|
- ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
|
||||||
|
- projects/discord-bot/DISCORD_CLAUDE.md — Arizona-time reporting rule added; rolling-log
|
||||||
|
timestamp format PT -> AZ (takes effect at next bot restart).
|
||||||
|
- .claude/memory/feedback_timezone_arizona_reporting.md created + MEMORY.md index line.
|
||||||
|
- clients/kittle/reports/2026-07-02-p2-security-scan.md created (scan + CA addendum).
|
||||||
|
|
||||||
|
## Credentials & Secrets
|
||||||
|
|
||||||
|
- No new credentials created. Vault paths accessed (read-only): MSP app certs via
|
||||||
|
get-token.sh (msp-tools/computerguru-security-investigator, -user-manager,
|
||||||
|
-tenant-admin). Syncro API key: Mike's per-user token (baked into /syncro skill).
|
||||||
|
|
||||||
|
## Infrastructure & Servers
|
||||||
|
|
||||||
|
- Tenant: kittlearizona.com = 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
|
||||||
|
- Break-glass: sysadmin@kittlearizona.com = 6139d1af-eee3-4e0b-b240-21e4827df756
|
||||||
|
- SKUs: BP (no Teams) 00e1ec7b-e4a3-40d1-9441-b69b597ab222 (12/12); AAD_PREMIUM_P2
|
||||||
|
84a661c4-e949-4bd2-a560-ed7766fcaf2b (13/13); E3 (no Teams)
|
||||||
|
46c3a859-c90d-40b3-9551-6178a48d5c18 (2 consumed / 0 purchased — lapsed)
|
||||||
|
- Syncro customer: Kittle Design & Construction LLC = 32460233 (no prepay block)
|
||||||
|
|
||||||
|
## Commands & Outputs
|
||||||
|
|
||||||
|
- `get-token.sh <tenant> investigator|user-manager|tenant-admin` with
|
||||||
|
`VAULT_ROOT_ENV=C:/Users/guru/vault` (identity.json path workaround)
|
||||||
|
- License moves: `POST /users/{upn}/assignLicense` (add BP / remove E3)
|
||||||
|
- Sweep: `tenant-sweep.sh kittlearizona.com` — key finding: Ken 140 failed foreign
|
||||||
|
attempts, 140 IPs, AU/DE/GB, 6/11-6/18, all blocked
|
||||||
|
- CA creates: `POST /identity/conditionalAccess/policies` x4 — all returned IDs, verified
|
||||||
|
by GET (list initially showed 6 of 8 — replication lag)
|
||||||
|
|
||||||
|
## Pending / Incomplete Tasks
|
||||||
|
|
||||||
|
- ~2026-07-09: review report-only CA policy impact in sign-in logs; flip to enabled only
|
||||||
|
on Mike's explicit YES. Consider adding P2 risk-based CA policies (offered, no decision).
|
||||||
|
- Josh Boggie + Tyrele Sandoval still on lapsed E3 — need 2 BP seats purchased or a plan.
|
||||||
|
- Verify guest invite darlenecabrera87@gmail.com (created by Accounting@ 7/2 10:02 AM AZ).
|
||||||
|
- Watch for over-quota mailbox warnings from Alexis/Ken post-downgrade (sizes unverified).
|
||||||
|
- admin@ + scott@ SMS-only MFA; consider Authenticator/passkey. Ken = repeat spray target;
|
||||||
|
passkey recommended.
|
||||||
|
- Bot restart (nssm restart ClaudeToolsDiscordBot) will pick up the AZ-time instruction edit.
|
||||||
|
|
||||||
|
## Reference Information
|
||||||
|
|
||||||
|
- Syncro ticket #32496 (id 113335896): https://computerguru.syncromsp.com/tickets/113335896
|
||||||
|
- Invoice #67982 (id 1650928145), $0.00, warranty
|
||||||
|
- Report: clients/kittle/reports/2026-07-02-p2-security-scan.md
|
||||||
|
- Discord thread: 1522275102509629602 (#botmagic)
|
||||||
|
- Vault: clients/kittle/m365-ken-schagel-incident.sops.yaml (prior Ken incident context)
|
||||||
1
session-logs/bot/2026-07/2026-07-02-bot-activity.md
Normal file
1
session-logs/bot/2026-07/2026-07-02-bot-activity.md
Normal file
@@ -0,0 +1 @@
|
|||||||
|
16:20 PT - Winter (@winterguru) - Kittle license assignment report (kittlearizona.com): listed 11 Business Premium + 13 AAD P2 assignees via Graph investigator tier; flagged disabled user wrex@ holding a BP seat - read-only, no changes
|
||||||
Reference in New Issue
Block a user