WAPT Documentation

208452

WAPT Documentation

Release 2.4

Tranquil-IT

Jul 12, 2023

PRESENTING WAPT

i ii

WAPT Documentation, Release 2.4

Welcome to WAPT"s official documentation by Tranquil IT, last compiled on 2023-07-12. Click here f ora PDF v ersion of the complete documentation.

WAPT is a software and configuration deployment toolthat may be compared to MicrosoftSCCM(System Center Configuration

Management) (now calledMECM(Microsoft Endpoint Configuration Management)), IvantiUIM(Unified Endpoint Manager), IBM

Bigfix, Tanium, OPSI, PDQDeploy, or Matrix42. WAPT exists in two flavors,WAPT Discovery and WAPT Enterprise.

For System Administrators:

•Install software and configurations silently. •Maintain up to date an installed base of software and configurations. •Configure software at the system and user level to reduce the load on support teams. •Remove unwanted or out of cycle software and configurations silently.

•Reduce your need for support by your IT teams, whose reaction times are often long because of their workloads.

•Reduce as much as possible the consumption of bandwidth on remote sites to preserve it for productive uses.

For IT Security Officers

•Pilot the software installed base to converge to a security standard acceptable to the organization.

•Prepare your enterprise for the comingGDPR and help y ourDPO k eephis regis terof data processing, because y outw owill

become close colleagues. •No longer tolerate hosts operating inAdministratormode. •No longer tolerate users downloading and running software binaries from their home directory.

•Start applyingSRPs(Software Restriction Policies), also known asApplockerorWDAC(Windows Defender Application

Control) to improve application level IT security. •Reduce the level of exposure to software vulnerabilities andlateral mo vementattac ks.

•Bring up audit indicators for a better knowledge of the state of installed IT devices and their global security level.

•Be prompt to deploy updates to react to cyber attacks likeW annacryor notP etya.

For End-Users

•Have installed software configured to work well in the context of your Organization and trust that they will work correctly.PRESENTING WAPT1

WAPT Documentation, Release 2.4

•GiveUsersmore autonomy to install software safely and reliably.

•Have better working and more predictable professional systems because of standard software configurations.2PRESENTING WAPT

CHAPTER

ONEINTRODUCTION TO WAPT

1.1

F orwhat purpose is W APTuseful?

WAPTinstalls, updates and removes software and configurations on Windows, Linux and macOS devices. Software deployment

(Firefox, MS Office, etc.) can be carried out from a central server using a graphical console. WAPT is taking many ideas from Debian

Linux apt package management tool, hence its name.

Privatecompaniesofallsizes,Colleges,Schools,Universities,researchlabs,localandstategovernments,Hospitals,citygovernments,

state ministries around the world are successfully usingWAPT.

WAPTexists in two versions,DiscoveryandEnterprise, both proprietary, theCommunityversion having been friendly forked to

the Opensource Community.

WAPTis very efficient to addressrecurrent Firefox or Chrome update needsand it is often to cover that basic need that WAPT is

initially adopted; it then becomes a tool of choice for the sysadmin"s daily tasks. 1.2 Security Cer tificationfrom F renchCyberdef enseA gencyANSSI

Following its first level security certification obtained on 14 February 2018, WAPT has obtained on 15 march 2018 a

higher le vel certification from ANSSI. 1.3

The g enesisof W APT

1.3.1

Our assessment af ter15 y earsof IT manag ement

Managing large IT installed bases of Microsoft Windows computers is today a difficult task in a secured environment:

•Common ghosting methods (ClonezillaorGhost) are efficient on homogeneous IT infrastructures with roaming user profiles.

•Deployment tools (OCSInventoryorWPKG) can broadcast software but do not easily allow software level or user level cus-

tomizations that are useful to prevent or limit user support requests. •Software from smaller vendors often needLocal Administratorrights to run properly.

•Currently available solutions to address theses problems are either too expensive or too inefficient, and they are in every case

too complex.3

WAPT Documentation, Release 2.4

Fig. 1: Security Visa from ANSSI dated 14th of February 2018 for WAPT Enterprise Edition 1.5.0.13

4Chapter 1. Introduction to WAPT

WAPT Documentation, Release 2.4

1.3.2

W APTde velopmenth ypothesesand mo tivations

The development of WAPT is motivated by these two principles: •What iscomplicatedshould be madesimple. •What issimpleshould be madetrivial. WAPT relies on a small set of fundamental hypotheses:

•Sysadmins should know a scripting language and WAPT has chosen Python for the depth and breadth of its libraries.

•Sysadmins who have little experience with scripting languagesMUSTfind inspiration in simple and efficient examples that

they will adapt to fit their needs.

•SysadminsMUSTbe ableto communicate onthe efficiency of theiractions to theirsuperiors and reportprocess gaps tointernal

or external auditors.

•SysadminsMUSTbe able to collaborate with their IT team; thereby WAPT local repositories provide signed packages that

they can trust to be deployed on their network. Alternatively, they can choose external public repositories providing them the

security guarantees that they consider sufficient.

•Sysadmins are aware that user workstations serve business purposes and some customizationsMUSTbe possible. The adapta-

tion of the infrastructure to the business needs is facilitated by the notion of groups andOU(Organizational Units); it allows to

select a large number of hosts to customize their configuration.1.3. The genesis of WAPT5

WAPT Documentation, Release 2.4

6Chapter 1. Introduction to WAPT

CHAPTER

TWOFUNDAMENTAL PRINCIPLES

2.1

Reposit oryprinciple

Packages are stored in a web repository. They are not stored in a database.Note:Transport protocol used for deploying packages isHTTPS.WAPT packages are served by theNginxweb server, available with Linux and Windows.

ThePackagesindex file is the only thing necessary. It lists the packages available on allowed repositories and some basic information

on each package. That mechanism allows to easily set up a replication process between multiple repositories.

Large organizations with remote sites and subsidiaries sometimes require services to be replicated locally to avoid bandwidth conges-

tion (Edge Computing). 2.2

Replicat edr epositoryWAPT Enterprise offers the possibility to upgrade remote WAPT Agents to serve as remote repositories that can be managed

directlyfromtheWAPTConsole. AllWAPTAgentscanthenbecentrallyconfiguredtoautomaticallyselectthebestrepository

based on a set of rules.

When WAPT is used on bandwidth limited remote sites, it makes sense to have a local device that will replicate the main WAPT

repository to reduce the network bandwidth consumed when deploying updates on remote devices.

With remote repositories, WAPT remains a solution with a low operating cost because high bandwidthfiber links are not required

to take advantage of WAPT.

It works as follows:

•A small form factor and no maintenance appliance with the role of secondary repository is deployed on the local network of

each remote site; a workstation can also be used, although it may not be up and running if you want to connect to it.

•The remote repository replicates the packages from the main repository.

•The WAPT clients connect in priority with the repository that is the closest to them, the local repository.

To learn more about the replicated repositories, visit the documentation on thereplicating a repository.7

WAPT Documentation, Release 2.4

Fig. 1: Replication and multiple repositories

2.3

P ackagesprinciple

A WAPT package structure is similar to Debian Linux.debpackages. Each WAPT package includes the binaries to be executed and

the other files it needs.

A package is easily transportable.

Here is how a WAPT package looks:

To learn more about the composition of a WAPT package, visit the documentation on thestructure of a WAPT package.

2.3.1

T ypesof W APTpac kages

There are 8 types of WAPT packages:8Chapter 2. Fundamental principles

WAPT Documentation, Release 2.4

Fig. 2: Replicating WAPT repositories

2.3. Packages principle9

WAPT Documentation, Release 2.4

Fig. 3: WAPT package structure shown in Windows Explorer

Fig. 4: Anatomy of a simple WAPT package

10Chapter 2. Fundamental principles

WAPT Documentation, Release 2.4

basepackages

They are classic software packages.

They are stored in the web directory

https:// srvwapt.mydomain.lan/wapt/ grouppackages

They are groups of packages.

Each group often correspond to:

•a service in an organization (ex:accounting).

•a room, building, etc.Hint:A host can be a member of several groups.They are stored in the web directoryhttps:// srvwapt.mydomain.lan/wapt/.

hostpackages Hostpackages are named after theUUIDof the computer BIOS or theFQDNof the host.

WAPT Documentation

Release 2.4

Tranquil-IT

Jul 12, 2023

PRESENTING WAPT

i ii

WAPT Documentation, Release 2.4

Welcome to WAPT"s official documentation by Tranquil IT, last compiled on 2023-07-12. Click here f ora PDF v ersion of the complete documentation.

WAPT is a software and configuration deployment toolthat may be compared to MicrosoftSCCM(System Center Configuration

Management) (now calledMECM(Microsoft Endpoint Configuration Management)), IvantiUIM(Unified Endpoint Manager), IBM

Bigfix, Tanium, OPSI, PDQDeploy, or Matrix42. WAPT exists in two flavors,WAPT Discovery and WAPT Enterprise.

For System Administrators:

•Install software and configurations silently. •Maintain up to date an installed base of software and configurations. •Configure software at the system and user level to reduce the load on support teams. •Remove unwanted or out of cycle software and configurations silently.

•Reduce your need for support by your IT teams, whose reaction times are often long because of their workloads.

•Reduce as much as possible the consumption of bandwidth on remote sites to preserve it for productive uses.

For IT Security Officers

•Pilot the software installed base to converge to a security standard acceptable to the organization.

•Prepare your enterprise for the comingGDPR and help y ourDPO k eephis regis terof data processing, because y outw owill

become close colleagues. •No longer tolerate hosts operating inAdministratormode. •No longer tolerate users downloading and running software binaries from their home directory.

•Start applyingSRPs(Software Restriction Policies), also known asApplockerorWDAC(Windows Defender Application

Control) to improve application level IT security. •Reduce the level of exposure to software vulnerabilities andlateral mo vementattac ks.

•Bring up audit indicators for a better knowledge of the state of installed IT devices and their global security level.

•Be prompt to deploy updates to react to cyber attacks likeW annacryor notP etya.

For End-Users

•Have installed software configured to work well in the context of your Organization and trust that they will work correctly.PRESENTING WAPT1

WAPT Documentation, Release 2.4

•GiveUsersmore autonomy to install software safely and reliably.

•Have better working and more predictable professional systems because of standard software configurations.2PRESENTING WAPT

CHAPTER

ONEINTRODUCTION TO WAPT

1.1

F orwhat purpose is W APTuseful?

WAPTinstalls, updates and removes software and configurations on Windows, Linux and macOS devices. Software deployment

(Firefox, MS Office, etc.) can be carried out from a central server using a graphical console. WAPT is taking many ideas from Debian

Linux apt package management tool, hence its name.

Privatecompaniesofallsizes,Colleges,Schools,Universities,researchlabs,localandstategovernments,Hospitals,citygovernments,

state ministries around the world are successfully usingWAPT.

WAPTexists in two versions,DiscoveryandEnterprise, both proprietary, theCommunityversion having been friendly forked to

the Opensource Community.

WAPTis very efficient to addressrecurrent Firefox or Chrome update needsand it is often to cover that basic need that WAPT is

initially adopted; it then becomes a tool of choice for the sysadmin"s daily tasks. 1.2 Security Cer tificationfrom F renchCyberdef enseA gencyANSSI

Following its first level security certification obtained on 14 February 2018, WAPT has obtained on 15 march 2018 a

higher le vel certification from ANSSI. 1.3

The g enesisof W APT

1.3.1

Our assessment af ter15 y earsof IT manag ement

Managing large IT installed bases of Microsoft Windows computers is today a difficult task in a secured environment:

•Common ghosting methods (ClonezillaorGhost) are efficient on homogeneous IT infrastructures with roaming user profiles.

•Deployment tools (OCSInventoryorWPKG) can broadcast software but do not easily allow software level or user level cus-

tomizations that are useful to prevent or limit user support requests. •Software from smaller vendors often needLocal Administratorrights to run properly.

•Currently available solutions to address theses problems are either too expensive or too inefficient, and they are in every case

too complex.3

WAPT Documentation, Release 2.4

Fig. 1: Security Visa from ANSSI dated 14th of February 2018 for WAPT Enterprise Edition 1.5.0.13

4Chapter 1. Introduction to WAPT

WAPT Documentation, Release 2.4

1.3.2

W APTde velopmenth ypothesesand mo tivations

The development of WAPT is motivated by these two principles: •What iscomplicatedshould be madesimple. •What issimpleshould be madetrivial. WAPT relies on a small set of fundamental hypotheses:

•Sysadmins should know a scripting language and WAPT has chosen Python for the depth and breadth of its libraries.

•Sysadmins who have little experience with scripting languagesMUSTfind inspiration in simple and efficient examples that

they will adapt to fit their needs.

•SysadminsMUSTbe ableto communicate onthe efficiency of theiractions to theirsuperiors and reportprocess gaps tointernal

or external auditors.

•SysadminsMUSTbe able to collaborate with their IT team; thereby WAPT local repositories provide signed packages that

they can trust to be deployed on their network. Alternatively, they can choose external public repositories providing them the

security guarantees that they consider sufficient.

•Sysadmins are aware that user workstations serve business purposes and some customizationsMUSTbe possible. The adapta-

tion of the infrastructure to the business needs is facilitated by the notion of groups andOU(Organizational Units); it allows to

select a large number of hosts to customize their configuration.1.3. The genesis of WAPT5

WAPT Documentation, Release 2.4

6Chapter 1. Introduction to WAPT

CHAPTER

TWOFUNDAMENTAL PRINCIPLES

2.1

Reposit oryprinciple

Packages are stored in a web repository. They are not stored in a database.Note:Transport protocol used for deploying packages isHTTPS.WAPT packages are served by theNginxweb server, available with Linux and Windows.

ThePackagesindex file is the only thing necessary. It lists the packages available on allowed repositories and some basic information

on each package. That mechanism allows to easily set up a replication process between multiple repositories.

Large organizations with remote sites and subsidiaries sometimes require services to be replicated locally to avoid bandwidth conges-

tion (Edge Computing). 2.2

Replicat edr epositoryWAPT Enterprise offers the possibility to upgrade remote WAPT Agents to serve as remote repositories that can be managed

directlyfromtheWAPTConsole. AllWAPTAgentscanthenbecentrallyconfiguredtoautomaticallyselectthebestrepository

based on a set of rules.

When WAPT is used on bandwidth limited remote sites, it makes sense to have a local device that will replicate the main WAPT

repository to reduce the network bandwidth consumed when deploying updates on remote devices.

With remote repositories, WAPT remains a solution with a low operating cost because high bandwidthfiber links are not required

to take advantage of WAPT.

It works as follows:

•A small form factor and no maintenance appliance with the role of secondary repository is deployed on the local network of

each remote site; a workstation can also be used, although it may not be up and running if you want to connect to it.

•The remote repository replicates the packages from the main repository.

•The WAPT clients connect in priority with the repository that is the closest to them, the local repository.

To learn more about the replicated repositories, visit the documentation on thereplicating a repository.7

WAPT Documentation, Release 2.4

Fig. 1: Replication and multiple repositories

2.3

P ackagesprinciple

A WAPT package structure is similar to Debian Linux.debpackages. Each WAPT package includes the binaries to be executed and

the other files it needs.

A package is easily transportable.

Here is how a WAPT package looks:

To learn more about the composition of a WAPT package, visit the documentation on thestructure of a WAPT package.

2.3.1

T ypesof W APTpac kages

There are 8 types of WAPT packages:8Chapter 2. Fundamental principles

WAPT Documentation, Release 2.4

Fig. 2: Replicating WAPT repositories

2.3. Packages principle9

WAPT Documentation, Release 2.4

Fig. 3: WAPT package structure shown in Windows Explorer

Fig. 4: Anatomy of a simple WAPT package

10Chapter 2. Fundamental principles

WAPT Documentation, Release 2.4

basepackages

They are classic software packages.

They are stored in the web directory

https:// srvwapt.mydomain.lan/wapt/ grouppackages

They are groups of packages.

Each group often correspond to:

•a service in an organization (ex:accounting).

•a room, building, etc.Hint:A host can be a member of several groups.They are stored in the web directoryhttps:// srvwapt.mydomain.lan/wapt/.

hostpackages Hostpackages are named after theUUIDof the computer BIOS or theFQDNof the host.