test adding sysmon on windows

threatstack · Oct 21, 2019 · 5d0f7fe · 5d0f7fe
1 parent c29b691
commit 5d0f7fe
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 2 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -21,7 +21,7 @@
 #   type: string
 #
 # [*enable_sysmon*]
-#   Windows: optionally enable sysmon (not used yet)
+#   Windows: optionally enable sysmon
 #   type: bool
 #
 # [*extra_args*]
@@ -128,6 +128,7 @@
   $disable_auditd_cmd      = $::threatstack::params::disable_auditd_cmd,
   $binpath                 = $::threatstack::params::binpath,
   $setup_unless            = $::threatstack::params::setup_unless,
+  $enable_sysmon           = $::threatstack::params::enable_sysmon,
   $windows_download_url    = $::threatstack::params::download_url,
   $windows_tmp_path        = $::threatstack::params::tmp_path,
   $windows_install_options = concat(["TSDEPLOYKEY=${deploy_key}"],$::threatstack::params::windows_install_options)

diff --git a/manifests/package.pp b/manifests/package.pp
@@ -47,11 +47,15 @@
       source => $::threatstack::windows_download_url
     }
 
+    if $::threatstack::enable_sysmon {
+        include threatstack::sysmon
+    }
+
     package { $::threatstack::ts_package:
       ensure          => installed,
       source          => $::threatstack::windows_tmp_path,
       install_options => $::threatstack::windows_install_options,
-      require => Remote_file['agent msi download']
+      require         => Remote_file['agent msi download']
     }
   }
   default: {

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -48,6 +48,11 @@
     default   => '/opt/threatstack/etc'
   }
 
+  $enable_sysmon = $facts['os']['family'] ? {
+    'Windows' => true
+    default   => false
+  }
+
   $rulesets = $facts['os']['family'] ? {
     'Windows' => ['Windows Rule Set'],
     default   => ['Base Rule Set']

diff --git a/manifests/sysmon.pp b/manifests/sysmon.pp
@@ -0,0 +1,37 @@
+# == Class: threatstack::sysmon
+#
+# Install Sysmon for Windows
+#
+# === Authors
+#
+# Nate St. Germain <[email protected]>
+#
+# === Copyright
+#
+# Copyright 2019 Threat Stack, Inc.
+#
+class threatstack::sysmon {
+
+  archive { "C:\\Windows\\Temp\\sysmon.zip":
+    ensure       => present,
+    extract      => true,
+    cleanup      => true,
+    extract_path => "C:\\Windows\\Temp\\",
+    source       => 'https://download.sysinternals.com/files/Sysmon.zip'
+  }
+
+  file { 'C:\Windows\Temp\sysmonconfig-export.xml':
+    ensure => present,
+    source => 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
+  }
+
+  exec { 'Install sysmon':
+    command     => "C:\\Windows\\Temp\\Sysmon64.exe –accepteula –i sysmonconfig-export.xml",
+    subscribe   => File['C:\Windows\Temp\sysmonconfig-export.xml'],
+    refreshonly => true,
+    require     => [
+      Archive["C:\\Windows\\Temp\\sysmon.zip"],
+      File['C:\Windows\Temp\sysmonconfig-export.xml']
+    ]
+  }
+}