WAPT Documentation Release 2.1.0
Total Page:16
File Type:pdf, Size:1020Kb
WAPT Documentation Release 2.1.0 Tranquil-IT Systems Oct 07, 2021 PRESENTING WAPT i ii WAPT Documentation, Release 2.1.0 Welcome to WAPT’s official documentation by Tranquil IT, last compiled on 2021-10-07. Click here for a PDF version of the complete documentation. WAPT is a software and configuration deployment tool that may be compared to Microsoft SCCM (System Center Configuration Management) (now called MECM (Microsoft Endpoint Configuration Management)), Ivanti UIM (Unified Endpoint Manager), IBM Bigfix, Tanium, OPSI, PDQDeploy, or Matrix42. WAPT exists in two flavors, WAPT Discovery and WAPT Enterprise. For System Administrators: • Install software and configurations silently. • Maintain up to date an installed base of software and configurations. • Configure software at the system and user level to reduce the load on support teams. • Remove unwanted or out of cycle software and configurations silently. • Reduce your need for support by your IT teams, whose reaction times are often long because of their workloads. • Reduce as much as possible the consumption of bandwidth on remote sites to preserve it for productive uses. For IT Security Officers • Pilot the software installed base to converge to a security standard acceptable to the organization. • Prepare your enterprise for the coming GDPR and help your DPO keep his register of data processing, because you two will become close colleagues. • No longer tolerate machines operating in Administrator mode. • No longer tolerate users downloading and running software binaries from their home directory. • Start applying SRPs (Software Restriction Policies), also known as Applocker or WDAC (Windows Defender Application Control) to improve application level IT security. • Reduce the level of exposure to software vulnerabilities and lateral movement attacks. • Bring up audit indicators for a better knowledge of the state of installed IT devices and their global security level. • Be prompt to deploy updates to react to cyber attacks like Wannacry or notPetya. For End-Users PRESENTING WAPT 1 WAPT Documentation, Release 2.1.0 • Have installed software configured to work well in the context of your Organization and trust that they will work correctly. • Give Users more autonomy to install software safely and reliably. • Have better working and more predictable professional systems because of standard software configurations. 2 PRESENTING WAPT CHAPTER ONE INTRODUCTION TO WAPT 1.1 For what purpose is WAPT useful? WAPT installs, updates and removes software and configurations on Windows, Linux and macOS devices. Software deployment (Firefox, MS Office, etc.) can be carried out from a central server using a graphical console. WAPT is taking many ideas fromDebian Linux apt package management tool, hence its name. Private companies of all sizes, Colleges, Schools, Universities, research labs, local and state governments, Hospitals, city governments, state ministries around the world are successfully using WAPT. WAPT exists in two versions, Discovery and Enterprise, both proprietary, the Community version having been friendly forked to the Opensource Community. WAPT is very efficient to address recurrent Firefox or Chrome update needs and it is often to cover that basic need that WAPT is initially adopted; it then becomes a tool of choice for the sysadmin’s daily tasks. 1.2 Security Certification from French Cyberdefense Agency ANSSI Following its first level security certification obtained on 14 February 2018, WAPT has obtained on 15 march2018a higher level certification from ANSSI. 1.3 The genesis of WAPT 1.3.1 Our assessment after 15 years of IT management Managing large IT installed bases of Microsoft Windows computers is today a difficult task in a secured environment: • Common ghosting methods (Clonezilla or Ghost) are efficient on homogeneous IT infrastructures with roaming user profiles. • Deployment tools (OCSInventory or WPKG) can broadcast software but do not easily allow software level or user level cus- tomizations that are useful to prevent or limit user support requests. • Software from smaller vendors often need Local Administrator rights to run properly. • Currently available solutions to address theses problems are either too expensive or too inefficient, and they are in every case too complex. 3 WAPT Documentation, Release 2.1.0 Fig. 1: Security Visa from ANSSI dated 14th of February 2018 for WAPT Enterprise Edition 1.5.0.13 4 Chapter 1. Introduction to WAPT WAPT Documentation, Release 2.1.0 1.3.2 WAPT development hypotheses and motivations The development of WAPT is motivated by these two principles: • What is complicated should be made simple. • What is simple should be made trivial. WAPT relies on a small set of fundamental hypotheses: • Sysadmins should know a scripting language and WAPT has chosen Python for the depth and breadth of its libraries. • Sysadmins who have little experience with scripting languages must find inspiration in simple and efficient examples that they’ll adapt to fit their needs. • Sysadmins must be able to communicate on the efficiency of their actions to their superiors and report process gaps to internal or external auditors. • Sysadmins must be able to collaborate with their IT team; thereby WAPT local repositories provide signed packages that they can trust to be deployed on their network. Alternatively, they can choose external public repositories providing them the security guarantees that they consider sufficient. • Sysadmins are aware that user workstations serve business purposes and some customizations must be possible. The adaptation of the infrastructure to the business needs is facilitated by the notion of groups and OU (Organizational Units); it allows to select a large number of machines to customize their configuration. 1.3. The genesis of WAPT 5 WAPT Documentation, Release 2.1.0 6 Chapter 1. Introduction to WAPT CHAPTER TWO FUNDAMENTAL PRINCIPLES 2.1 Repository principle Packages are stored in a web repository. They are not stored in a database. Note: Transport protocol used for deploying packages is HTTPS. WAPT packages are served by the Nginx web server, available with Linux and Windows. The Packages index file is the only thing necessary. It lists the packages available on allowed repositories and some basic information on each package. That mechanism allows to easily set up a replication process between multiple repositories. Large organizations with remote sites and subsidiaries sometimes require services to be replicated locally to avoid bandwidth conges- tion (Edge Computing). 2.2 Replicated repository WAPT Enterprise offers the possibility to upgrade remote agents to serve as remote repositories that can be managed directly from the WAPT Console. All WAPT agents can then be centrally configured to automatically select the best repository based on a set of rules. When WAPT is used on bandwidth limited remote sites, it makes sense to have a local device that will replicate the main WAPT repository to reduce the network bandwidth consumed when deploying updates on remote devices. With remote repositories, WAPT remains a solution with a low operating cost because high bandwidth fiber links are not required to take advantage of WAPT. It works as follows: • A small form factor and no maintenance appliance with the role of secondary repository is deployed on the local network of each remote site; a workstation can also be used, although it may not be up and running if you want to connect to it. • The remote repository replicates the packages from the main repository. • The WAPT clients connect in priority with the repository that is the closest to them, the local repository. To learn more about the replicated repositories, visit the documentation on the replicating a repository. 7 WAPT Documentation, Release 2.1.0 Fig. 1: Replication and multiple repositories 2.3 Packages principle A WAPT package structure is similar to Debian Linux .deb packages. Each WAPT package includes the binaries to be executed and the other files it needs. A package is easily transportable. Here is how a WAPT package looks: To learn more about the composition of a WAPT package, visit the documentation on the structure of a WAPT package. 2.3.1 Types of WAPT packages There are 7 types of WAPT packages: 8 Chapter 2. Fundamental principles WAPT Documentation, Release 2.1.0 Fig. 2: Replicating WAPT repositories 2.3. Packages principle 9 WAPT Documentation, Release 2.1.0 Fig. 3: WAPT package structure Fig. 4: Anatomy of a simple WAPT package 10 Chapter 2. Fundamental principles WAPT Documentation, Release 2.1.0 base packages They are classic software packages. They are stored in the web directory https://srvwapt.mydomain.lan/wapt/. group packages They are groups of packages. Each group often correspond to: • a service in an organization (ex: accounting). • a room, building, etc. Hint: A host can be a member of several groups. They are stored in the web directory https://srvwapt.mydomain.lan/wapt/. host packages Host packages are named after the UUID of the computer BIOS or the FQDN of the host. Each host will look for its host package to know the packages that it must install (i.e. dependencies). Host packages are stored in the web directory https://srvwapt.mydomain.lan/wapt-host/. unit packages Unit packages bear the complete name of OU, example: OU=room1,OU=prod,OU=computers,DC=mydomain,DC=lan. By default, each computer looks for the unit packages and then installs the list of associated dependencies. Unit packages are stored in the web directory https://srvwapt.mydomain.lan/wapt/. wsus packages Wsus packages contain the list of authorized or prohibited Windows Updates. When this package is installed on the endpoints, the next update scan performed by WAPT will choose Windows updates based on this filtering. Wsus packages are stored in the web directory https://srvwapt.mydomain.lan/wapt/. 2.3. Packages principle 11 WAPT Documentation, Release 2.1.0 self-service packages Self-service packages contain a list of groups or users (Active Directory or local) and their associated lists of authorized packages that Users are allowed to install by themselves.