Closed K0nne closed 4 years ago
LordHepipud
commented
4 years ago Thank you very much for the feedback. I honestly never expected WMI/CIM instances to be used without a default permission set to be honest ๐
But you are right, this should be addressed and fixed. I will have a look on this on how to make this work properly.
Thank you a lot !
K0nne
commented
4 years ago My company is very security-aware. I have to go step by step in sense of access rights until it works ๐
During my journey so far I also found out, that the automatic unit detection in this check does not work, if there's no access to the CIM class Win32_LocalMemory. I think I'm the only one ever with this problem ๐
But when I think about it, maybe it whould be good to return the not accessible class(es) in the plug-in output to give a hint where to search.
LordHepipud
commented
4 years ago Yeah, I fully agree on this. Just have to figure out a way to do this the most easiest way ๐
LordHepipud
commented
4 years ago I'm currently about to have a look on this issue and would require one additional input: When you run
try {
Get-CimInstance -ClassName Win32_PhysicalMemory -ErrorAction Stop;
} catch {
$_.Exception.StatusCode;
$_.Exception.NativeErrorCode;
}what do you get as output in PowerShell? With this I can add a proper error handling for this. In addition, what happens if you run the same command as WMI:
try {
Get-WmiObject -Class Win32_PhysicalMemory -ErrorAction Stop;
} catch {
$_.Exception.HResult;
}Thank you in advance!
LordHepipud
commented
4 years ago I have updated the Framework master now and created a new branch for the plugins, implementing the new wrapper function for WMI/CIM calls.
I would apprecicate if you could test them if everything still works as expected and if you would provide me with the error id for the permission error. Once this is done I can merge everything into the master.
The plan would be to support this entirely with 1.2.0
K0nne
commented
4 years ago I reproduced it by removing rights:
try { Get-CimInstance -ClassName Win32_PhysicalMemory -ErrorAction Stop; } catch { $_.Exception.StatusCode; $_.Exception.NativeErrorCode; }
2
PSComputerName RunspaceID Value
-------------- ---------- -----
fqdn id AccessDeniedtry { Get-WmiObject -Class Win32_PhysicalMemory -ErrorAction Stop; } catch { $_.Exception.HResult; }
-2146233087
The following steps were done to make it work again:
LordHepipud
commented
4 years ago Thank you very much. Does this step by adding the permissions and the group resolve it for both - CIM and WMI or are different steps required in addition?
K0nne
commented
4 years ago I made a mistake before. Instead of Get-WmiObject -Class Win32_PhysicalMemory -ErrorAction Stop; I had executed Get-CimInstance -Class Win32_PhysicalMemory -ErrorAction Stop; I corrected the errorcode accordingly.
Yes, by adding the permissions both are working. Its reproduceable. WMI & CIM seems to be connected.
I will test both packages in the next few days.
LordHepipud
commented
4 years ago Allright - thank you a lot! Would it be possible for you to test the new Framework Master and the Plugin test-branch Icinga Plugins WMI/CIM Wrapper?
LordHepipud
commented
4 years ago In addition: Could you please test this part as well?
try {
Get-WmiObject -Class Win32_PhysicalMemory -ErrorAction Stop;
} catch {
$_.CategoryInfo.Category;
}The error id seems to be not unique, so I might have to take to error category for identification
K0nne
commented
4 years ago try { Get-WmiObject -Class Win32_PhysicalMemory -ErrorAction Stop; } catch { $_.CategoryInfo.Category; }
The returned value is InvalidOperation
LordHepipud
commented
4 years ago Thank you very much! The master of the Framework is up-to-date with the latest code part and the plugins within the dev branch should also cover the occured issue. I also updated the developer guide for the new functionality.
Would you be able to test the Framework and the Plugin Test-Branch on your machines without having permissions to execute CIM/WMI calls and report back if this works properly now with the new exception handling? Plugin Test-Branch
Thank you in advance!
K0nne
commented
4 years ago Its looking way better now ๐
[UNKNOWN]: Icinga Permission Error was thrown: CimInstance: Win32_ComputerSystem
The user you are running this command as does not have permission to access the requested Cim-Object. To fix this, please add the user the Agent is running with to the "Remote Management Users" groups and grant access to the WMI branch "root/cimv2" and add the permission "Remote enable".On a sidenote:
Yesterday in the evening I stumbled upon a new permission problem, which affects all of my perfcounter checks, which I wanted to rollout today for MSSQL :~ I don't know where its coming from, because the confguration worked before. Something has changed.
I placed the new packages here and the output is as following:
Service: Disk Avg. sec/Read
Exception calling "SourceExists" with "1" argument(s): "The source was not found, but some or all event logs could not
be searched. Inaccessible logs: Security."
At C:\Program
Files\WindowsPowerShell\Modules\icinga-powershell-framework\lib\core\logging\Register-IcingaEventLog.psm1:3 char:5
+ $Registered = [System.Diagnostics.EventLog]::SourceExists(
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SecurityException
New-EventLog : Access is denied. Try running the command again in a session that has been opened with elevated user
rights (that is, Run as Administrator).
At C:\Program
Files\WindowsPowerShell\Modules\icinga-powershell-framework\lib\core\logging\Register-IcingaEventLog.psm1:11 char:5
+ New-EventLog -LogName Application -Source 'Icinga for Windows';
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-EventLog], Exception
+ FullyQualifiedErrorId : AccessIsDenied,โMicrosoft.PowerShell.Commands.NewEventLogCommand[OK] Check package "Performance Counter""
Its the same with the check package "CPU Load".
The strange thing is: the checks are working. I'm getting graphs and perfdata. I'm not sure what's up with the eventlog here, because I want to monitor perfcounter. Should I open a new issue for this?
K0nne
commented
4 years ago When I change the packages back to the versions when I first configured the checks (framework: 1.0.2, plugins: 1.0.0), the permission errors are gone.
LordHepipud
commented
4 years ago This could occur because the EventLog Writer was enabled with 1.1.0. Could you please open a new issue for this error? I will look into it right away.
Thank you a lot !
LordHepipud
commented
4 years ago Thank you for all the support!
Hello,
I'm about to test the powershell plugins via powershell remoting against a test system. My user has currently no access to read perf counters on the target host.
When I tested Invoke-IcingaCheckMemory and Invoke-IcingaCheckCPU and stumbled upon this problem I was surprised that both checks showed a different plugin result:
Invoke-IcingaCheckMemory
returns OK but shows internal errors
Invoke-IcingaCheckCPU returns UNKNOWN and an helpful advice about the problem
I think Invoke-IcingaCheckMemory should behave like Invoke-IcingaCheckCPU and also point to the permission problem. Those hints are very helpful, btw ๐
Thank you!
PS: I tested all available checks in this repo against this "access denied" scenario. Half of them return UNKOWN, but the other half returns OK.