
Groovy Tag Rule Creation Assistance

Question asked by Mark Heneghan on May 21, 2018

The Qualys cloud agent has given me a bit of heartache because I haven't found a good way to manage the automatic updating of clients within our standard change windows. I think I've come up with a good methodology thus far and would like your input on how to expand this to one more complexity.  I apologize for the length but wanted to give as much background as possible.

 

Existing Setup

Established Asset Tags

The following are asset tags that I've created to assist in my setup:

 

CloudAgent-Auto - This tag allows me to grab all of our testing machines and ensure that they always have the latest version of the cloud agent to ensure there are no issues.
This is a groovy based tag with the tag rule:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.hasTag("TestGroup1-Endpoint") || asset.hasTag("TestGroup2-IT") || asset.hasTag("TestGroup3-Security") || asset.hasTag("TestGroup4-EndUsers") || asset.hasTag("TestGroup5-Linux") || asset.hasTag("TestGroup6-WinServer");

 

CloudAgent-Manual - This captures all other machines with the exception of cloud agents that are newly installed. As you will see with my configuration profiles below, this means that machines that do not get tagged as CloudAgent-Auto or CloudAgent-Manual will fall into the default configuration profile, which will update their binaries.
This is a groovy based tag with the tag rule:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
if(asset.hasTag("CloudAgent-Auto")) return false;
if (new Date().minus(asset.getCreated().toDate()) < 2) return false;
return asset.hasTag("Cloud Agent");

 

Configuration Profiles

Now, at present, I have three configuration profiles in this order:
1 - Acme Generic - Auto Update
2 - Acme Generic - Manual Update
3 - Acme - Newly Installed

 

The configuration profile "Acme Generic - Auto Update" has the standard parameters of a default config profile with the exception that under "Assign Hosts" it is set to include hosts that are part of the tag "CloudAgent-Auto".

 

The configuration profile "Acme Generic - Manual Update" has the standard parameters of a default config profile with the exceptions of: "Prevent auto updating of the agent binaries" is checked as well as under "Assign Hosts" it is set to include hosts that are part of the tag "CloudAgent-Manual".

 

The configuration profile "Acme - Newly Installed" has the standard parameters of a default config profile with the exception that it is set up as the "Default" configuration profile. It has nothing under "Assign Hosts".

 

Usage

When I have an approved change window, I go into the "Acme Generic - Manual Update" configuration profile and modify it to uncheck the "Prevent auto updating...".  I then go back in and add the check back when the change window is complete in case a new version rolls out.  This is cumbersome and if a new version rolls out during the change window, I can have the agents that should be manually getting their agent update, roll to the latest and greatest.

 

Next Steps / Expansion
What I would like to do at this point is create another tag called CloudAgent-Targeted. Instead of modifying the configuration profile for the manual configuration profile each time I'm ready to upgrade, I would utilize a new tag and permanently update the configuration profile of "Acme Generic - Auto Update" to target the tags "CloudAgent-Auto" OR "CloudAgent-Targeted". When I'm ready to push changes to the clients, I would update the language in the tag below and be done. What I need assistance from the community on is how to write my theory in Groovy, if it is possible:

 

Here is a logical view of what I'm looking for:

 

Primer Statements:
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
if(asset.hasTag("CloudAgent-Auto")) return false;
if(asset.hasTag("CloudAgent-Manual")) return true;

 

Additional Parameters:
if
   {
      Agent Operating System like "Windows" or "Microsoft"
      Agent Version is not "1.6.3.8"
   }
return true;
if
   {
      Agent Operating System like "linux" or "Cent"
      Agent Version is not "1.7.1.37"
   }
return true;
if
   {
      Agent Operating System like "Mac" or "Darwin"
      Agent Version is not "1.6.0.61"
   }
return true;

 

then end with the standard:
return asset.hasTag("Cloud Agent");

 

I thought the following might work and tested it but I get "An Error Occurred". Here is what I tried:

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
if(asset.hasTag("CloudAgent-Auto")) return false;
if((asset.hasTag("CloudAgent-Manual")) && ((asset.getOperatingSystem.startsWith("Microsoft")) || (asset.getOperatingSystem.contains("Windows"))) && (asset.getAgentVersion()!="1.6.3.8")) return true;
if((asset.hasTag("CloudAgent-Manual")) && ((asset.getOperatingSystem.startsWith("Cent")) || (asset.getOperatingSystem.contains("Linux"))) && (asset.getAgentVersion()!="1.7.1.37")) return true;
if((asset.hasTag("CloudAgent-Manual")) && ((asset.getOperatingSystem.startsWith("Mac")) || (asset.getOperatingSystem.startsWith("Darwin"))) && (asset.getAgentVersion()!="1.6.0.61")) return true;
return asset.hasTag("Cloud Agent");

 

I struggle to know where to find a full listing of the getAsset tags available to Groovy programming specific to Qualys and how to do nested "if" and "or" statements. If you could help, it would be greatly appreciated.

 

Thanks,

Mark
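
The per-OS targeting logic from the post's "logical view", written as a self-contained Groovy script with a table of OS keywords and approved versions instead of one long `if` per platform (an added example, not part of the original post and not Qualys code). `StubAsset` is a hypothetical stand-in; the accessors `getOperatingSystem()` and `getAgentVersion()` are named as in the post's attempt and are assumed, not confirmed, to exist on the Qualys `asset` object. It also assumes that agents already on the approved version, or reporting an unrecognized OS, should not be tagged.

```groovy
// Hypothetical stand-in for the Qualys `asset` object so the logic runs offline.
// Accessor names are copied from the post; their existence in Qualys is assumed.
class StubAsset {
    String operatingSystem
    String agentVersion
    List<String> tags = []
    boolean hasTag(String name) { tags.contains(name) }
}

// Approved agent version per OS family (values from the post); keywords are
// matched case-insensitively anywhere in the OS string.
def targets = [
    [keywords: ['windows', 'microsoft'], version: '1.6.3.8'],
    [keywords: ['linux', 'cent'],        version: '1.7.1.37'],
    [keywords: ['mac', 'darwin'],        version: '1.6.0.61'],
]

// True only for a manually managed agent that is not on its approved version.
def needsTargetedUpdate = { asset ->
    if (asset.hasTag('CloudAgent-Auto')) return false
    if (!asset.hasTag('CloudAgent-Manual')) return false
    // Null-safe: an asset may not have reported an OS yet.
    def os = (asset.getOperatingSystem() ?: '').toLowerCase()
    def family = targets.find { t -> t.keywords.any { k -> os.contains(k) } }
    if (family == null) return false          // unknown OS: leave untouched
    // Groovy's != on Strings compares by value, so this is a real version check.
    return asset.getAgentVersion() != family.version
}

// Constructed sample assets and version strings, not real inventory data.
def manual = ['Cloud Agent', 'CloudAgent-Manual']
def oldWindows = new StubAsset(operatingSystem: 'Microsoft Windows Server 2016',
                               agentVersion: '1.6.2.5', tags: manual)
def currentLinux = new StubAsset(operatingSystem: 'CentOS Linux 7.4',
                                 agentVersion: '1.7.1.37', tags: manual)
def oldMac = new StubAsset(operatingSystem: 'Darwin 17.5.0',
                           agentVersion: '1.5.0.1', tags: manual)
def autoHost = new StubAsset(operatingSystem: 'Windows 10',
                             agentVersion: '1.0.0.0', tags: ['CloudAgent-Auto'])
def noOsYet = new StubAsset(operatingSystem: null, agentVersion: null, tags: manual)

assert needsTargetedUpdate(oldWindows)
assert !needsTargetedUpdate(currentLinux)
assert needsTargetedUpdate(oldMac)
assert !needsTargetedUpdate(autoHost)
assert !needsTargetedUpdate(noOsYet)
```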
