Icinga / icinga-powershell-framework

This PowerShell module will allow to fetch data from Windows hosts and use them for inventory and monitoring solutions. Together with the Icinga Web 2 module, a detailed overview of your Windows infrastructure will be drawn.
MIT License

Set-IcingaAgentServiceUser.psm1 - will always return $FALSE #749

Open Cr4x opened 3 months ago

Cr4x commented 3 months ago

Hello

I am using Ansible to automate the installation and came across "Set-IcingaServiceUser" to update the user in some cases. When using a new PowerShell window (as Ansible does by default for every task) without calling "Set-IcingaServiceEnvironment" first, the necessary environment variables aren't loaded, so "Set-IcingaServiceUser" will always return $FALSE.

PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
False
PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
False
PS C:\Users\Administrator> Set-IcingaServiceEnvironment
PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT AUTHORITY\NetworkService" for service "icingapowershell" successfully updated
True
PS C:\Users\Administrator>

Hope that helps.

log1-c commented 1 week ago

Can confirm:

PS C:\Windows\system32> Set-IcingaServiceUser -User 'NT AUTHORITY\System'
False
PS C:\Windows\system32> Set-IcingaServiceEnvironment
PS C:\Windows\system32> Set-IcingaServiceUser -User 'NT AUTHORITY\System'
[Notice]: Service User "NT AUTHORITY\System" for service "icinga2" successfully updated
True

We mostly switch the user to NT AUTHORITY\System, except on a few systems. Installation is also done via a PowerShell script called by Ansible. Excerpt from the script:

function agent-installation {
    write-Host "Start Icinga Agent installation"
    # Downloading icinga agent installer
    $agent_installer = "C:\tools\icinga-agent-installation\Icinga2-v$agentversion-x86_64.msi"
    if (-not (Test-Path $agent_installer)) {
        # set security protocols for webrequests
        [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
        Invoke-WebRequest -UseBasicParsing -Uri "https://$repourl/monitoring/icingaforwindows/stable/agent/Icinga2-v$agentversion-x86_64.msi" -outfile $agent_installer
        Start-Sleep -Seconds 10
    }

    # run icinga agent installer
    msiexec /i $agent_installer /qn /norestart
    Start-Sleep -Seconds 30

    # configure agent
    & 'C:\Program Files\ICINGA2\sbin\icinga2.exe' pki save-cert --host $endpointConnections --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt"
    if($secondsatellite -eq "yes"){
        & 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --cn ($env:COMPUTERNAME).ToLower() --zone ($env:COMPUTERNAME).ToLower() --parent_zone $parentZone --parent_host $endpointConnections --endpoint $endpoints,$endpointConnections,$caport --endpoint $secondsatendpoint,$secondendpointConnection,$caport --global_zones "global-windows" --ticket $ticket --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt" --accept-commands --accept-config --disable-confd
    }
    else{
        & 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --cn ($env:COMPUTERNAME).ToLower() --zone ($env:COMPUTERNAME).ToLower() --parent_zone $parentZone --parent_host $endpointConnections --endpoint $endpoints,$endpointConnections,$caport --global_zones "global-windows" --ticket $ticket --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt" --accept-commands --accept-config --disable-confd
    }
    # change logging severity of the Icinga2 agent
    if(Test-Path "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf"){
        write-Host "Set logging severity to critical to avoid EventLog spam"
        (Get-Content "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf") -Replace '"information"', '"critical"' | Set-Content "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf"
    }
    # set the service user and restart the service
    Set-IcingaAgentServiceUser -user $serviceuser
    Start-Sleep -Seconds 5
    Restart-Service -name "icinga2"
}

This used to work when Framework v1.11.1 was installed (though I'm not 100% sure). Maybe this got introduced with one of the v1.12.x releases? We have v1.12.3 installed now.

log1-c commented 1 week ago

Running

Set-IcingaServiceEnvironment
Set-IcingaAgentServiceUser -user 'NT Authority\SYSTEM'
Restart-Service -name "icinga2"

does not work reliably via the script called by Ansible. Not sure why. Maybe because Set-IcingaServiceEnvironment takes some time to complete.

Update: this works:

if (whatever){
    $serviceuser = 'NT AUTHORITY\NetworkService'
}else {
    $serviceuser = 'NT Authority\SYSTEM'
}

Start-Process -FilePath "sc.exe" -ArgumentList "config icinga2 obj= `"$serviceuser`"" -Wait
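Both observations in this thread (the cmdlet returns $FALSE in a fresh process until Set-IcingaServiceEnvironment has run, and the sc.exe workaround) come down to the same practical need: a single script step that loads the environment, changes the account, and then checks what the Service Control Manager actually stored rather than trusting a boolean. The following function is an added example written for this issue, not code from the icinga-powershell-framework or from either commenter. It assumes the framework module is installed so that Set-IcingaServiceEnvironment and Set-IcingaServiceUser are available as shown above; the function name, the allow-list and the parameter names are this example's own.

```powershell
# Added example: wrapper for changing the Icinga service account from an
# Ansible-spawned PowerShell process. Not part of the framework or the thread.
function Set-AgentServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Service,     # e.g. 'icinga2' or 'icingapowershell'
        [Parameter(Mandatory)] [string] $User,        # e.g. 'NT AUTHORITY\NetworkService'
        [switch] $SetPermission,                      # passed through to Set-IcingaServiceUser
        [switch] $UseScFallback                       # use sc.exe if the cmdlet reports False
    )

    # Only accept the built-in service accounts (comparison is case-insensitive).
    # A typo here would otherwise hand the service to an arbitrary account.
    $allowed = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\SYSTEM')
    if ($allowed -notcontains $User) {
        throw "Refusing to set service account '$User': not in allow-list ($($allowed -join ', '))"
    }

    # Every Ansible task runs in a new PowerShell process with none of the
    # framework's environment loaded, so load it in this same process first.
    Set-IcingaServiceEnvironment

    $ok = Set-IcingaServiceUser -User $User -Service $Service -SetPermission:$SetPermission
    if (-not $ok) {
        if (-not $UseScFallback) {
            throw "Set-IcingaServiceUser returned False for service '$Service'"
        }
        # Fallback from the thread. sc.exe expects 'obj=' and the value as
        # separate arguments, which is why the space after '=' matters.
        & sc.exe config $Service obj= "$User"
        if ($LASTEXITCODE -ne 0) {
            throw "sc.exe config failed with exit code $LASTEXITCODE"
        }
    }

    # Never trust the return value alone: read back the account the SCM stored.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
    if ($null -eq $svc) { throw "Service '$Service' not found" }

    # The SCM reports the system account as 'LocalSystem', not 'NT AUTHORITY\SYSTEM'.
    $expected = if ($User -eq 'NT AUTHORITY\SYSTEM') { 'LocalSystem' } else { $User }
    if ($svc.StartName -ne $expected) {
        throw "Service '$Service' runs as '$($svc.StartName)', expected '$expected'"
    }

    Restart-Service -Name $Service
    return $true
}

# Usage (as one Ansible task / one script step):
# Set-AgentServiceAccount -Service 'icinga2' -User 'NT AUTHORITY\NetworkService' -UseScFallback
```

The read-back through Win32_Service is the part worth keeping even if the cmdlet bug is fixed: Set-IcingaServiceUser returning $TRUE and the service actually starting under the intended account are two different facts, and a provisioning run that only checks the first can leave a host running as the wrong principal without anyone noticing. Note also the security trade-off the thread glosses over: a service running as NT AUTHORITY\SYSTEM executes every check plugin, and every plugin argument that arrives from the Icinga master, with full local privileges, so NetworkService (as used in the first comment) is the least-privilege choice unless a specific check needs more.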