Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

NSClient in Icinga2 Agent installer tries to call home during the install #7256

Closed siklosipeter closed 5 years ago

siklosipeter commented 5 years ago

Describe the bug

When following the NSClient++ install instructions the NSCP.msi tries to open a network connection and gets killed by our endpoint security system.

Information: The application C:\Program Files\ICINGA2\sbin\NSCP.msi attempted to establish a TCP/80 connection to 151.139.128.14:80 from X.X.X.X:58860. The operation was blocked and the application terminated by Confer.

In my opinion the installer should:

To Reproduce

Provide a link to a live example, or an unambiguous set of steps to reproduce this bug. Include configuration, logs, etc. to reproduce, if relevant.

  1. Download Icinga2-v2.10.5-x86_64.msi from icinga.com
  2. Install the agent, run the configuration wizard
  3. Select Install/Update bundled NSClient++
  4. Proceed with the install
  5. Notice the disappearing act of the nsclient++ installer

Expected behavior

NSClient++ being installed correctly

Screenshots

Can't do a screenshot of a not happening thing

Your Environment

Include as many relevant details about the environment you experienced the problem in

Additional context

icinga2 --version

icinga2 - The Icinga 2 network monitoring daemon (version: v2.10.5)

Copyright (c) 2012-2019 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl2.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Windows
  Platform version: 8 (Server)
  Kernel: Windows
  Kernel version: 6.2
  Architecture: x86_64

Build information:
  Compiler: MSVC 19.0.24215.1
  Build host: ICINGA-BUILD-WI

Application information:

General paths:
  Config directory: C:\ProgramData\icinga2\etc\icinga2
  Data directory: C:\ProgramData\icinga2\var\lib\icinga2
  Log directory: C:\ProgramData\icinga2\var\log\icinga2
  Cache directory: C:\ProgramData\icinga2\var\cache\icinga2
  Spool directory: C:\ProgramData\icinga2\var\spool\icinga2
  Run directory: C:\ProgramData\icinga2\var\run\icinga2

Old paths (deprecated):
  Installation root: C:\Program Files\ICINGA2\
  Sysconf directory: C:\ProgramData\icinga2\etc
  Run directory (base): C:\ProgramData\icinga2\var\run
  Local state directory: C:\ProgramData\icinga2\var

Internal paths:
  Package data directory: C:\Program Files\ICINGA2\share\icinga2
  State path: C:\ProgramData\icinga2\var\lib\icinga2/icinga2.state
  Modified attributes path: C:\ProgramData\icinga2\var\lib\icinga2/modified-attributes.conf
  Objects path: C:\ProgramData\icinga2\var\cache\icinga2/icinga2.debug
  Vars path: C:\ProgramData\icinga2\var\cache\icinga2/icinga2.vars
  PID path: C:\ProgramData\icinga2\var\run\icinga2/icinga2.pid

icinga2 feature list

Disabled features: command compatlog debuglog elasticsearch gelf graphite ido-mysql ido-pgsql influxdb livestatus notification opentsdb perfdata statusdata
Enabled features: api checker mainlog

icinga2 daemon -C

[2019-06-24 13:44:44 +0200] information/cli: Icinga application loader (version: v2.10.5)
[2019-06-24 13:44:44 +0200] information/cli: Loading configuration file(s).
[2019-06-24 13:44:44 +0200] information/ConfigItem: Committing config item(s).
[2019-06-24 13:44:44 +0200] information/ApiListener: My API identity: HOSTNAME
[...]
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 2 ServiceGroups.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 5 TimePeriods.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 2 Endpoints.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 11 HostGroups.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 4 Zones.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 231 CheckCommands.
[2019-06-24 13:44:46 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2019-06-24 13:44:46 +0200] information/ScriptGlobal: Dumping variables to file 'C:\ProgramData\icinga2\var\cache\icinga2/icinga2.vars'
[2019-06-24 13:44:46 +0200] information/cli: Finished validating the configuration file(s).

siklosipeter commented 5 years ago

Manually starting the C:\Program Files\ICINGA2\sbin\NSCP.msi succeeded and it works with the previous config.

dnsmichi commented 5 years ago

Since NSClient is just bundled here, you'd want to open an NSClient upstream feature request/bug to disallow the connection attempt at first glance. Once such a thing exists, we may consider updating our docs/installer.

From a peek into the docs, no such thing exists yet: http://docs.nsclient.org/manual/windows_installer.html

I'd say this connection originates from an integrated update check from NSClient itself, and shouldn't harm anything - especially when blocked by a firewall.

dnsmichi commented 5 years ago

The IP address looks suspicious though, 151.139.128.14 belongs to Highwind Network Group seemingly not related to NSClient itself. Are you sure that you're using an icinga2 package downloaded from packages.icinga.com?

siklosipeter commented 5 years ago

> Are you sure that you're using an icinga2 package downloaded from packages.icinga.com?

Yes, I'm sure. I actually have two versions of the file, one downloaded on 4th of Jun, the second on 24th of Jun:

4th of Jun:

Name: Icinga2-v2.10.5-x86_64.msi
Size: 38069598 Bytes (36 MiB)
SHA256: D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8

24th of Jun:

Name: Icinga2-v2.10.5-x86_64.msi
Size: 38069598 Bytes (36 MiB)
SHA256: D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8

Control (under linux):

[user@host ~]$ wget https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi
--2019-06-24 15:55:50-- https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi
Resolving packages.icinga.com (packages.icinga.com)... 185.11.254.87
Connecting to packages.icinga.com (packages.icinga.com)|185.11.254.87|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 38069598 (36M) [application/x-msi]
Saving to: ‘Icinga2-v2.10.5-x86_64.msi’

100%[=========================================================================================================================================================================>] 38,069,598 2.11MB/s in 19s

2019-06-24 15:56:09 (1.91 MB/s) - ‘Icinga2-v2.10.5-x86_64.msi’ saved [38069598/38069598]

[user@host ~]$ sha256sum Icinga2-v2.10.5-x86_64.msi 2>&1 | tr '[:lower:]' '[:upper:]'
D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8 ICINGA2-V2.10.5-X86_64.MSI
[user@host ~]$

siklosipeter commented 5 years ago

While creating the bug report for NSClient++ I had to look up the version. Is there a reason why Icinga2 uses a more than two year old (0.5.0.62) version of the NSClient?

Please keep in mind that I based this question on the info I found in the installed nsclient's changelog.txt.

siklosipeter commented 5 years ago

This became much more interesting as the NSClient developer pointed me back to you, stating that the nscp.msi is not his installer.

siklosipeter commented 5 years ago

Summary

I received an answer from the NSClient++ developer stating that this installer is not his, and thus he closed my ticket.

So I dug a bit deeper:

  1. Downloaded Icinga2 Agent installer
  2. Extracted NSCP.msi from it
  3. Compared it to the one downloaded from mickem/nscp
  4. Compared to the one in the installed NSCP.msi in C:\Program Files\ICINGA2\sbin\NSCP.msi
  5. Realized that they are indeed the same: 1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f

Also I should mention this again, that

> Manually starting the C:\Program Files\ICINGA2\sbin\NSCP.msi succeeded and it works with the previous config.

I don't really know who should investigate this further, but I would like to gather all I know in order to help decide.

Details on the steps

Download Icinga2 Agent installer

I don't see any HASH information on this download site, so I can't confirm if what I downloaded is valid or not.

[user@host icinga2-agent-install-issue]$ wget -S https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi
--2019-06-25 08:36:51-- https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi
Resolving packages.icinga.com (packages.icinga.com)... 185.11.254.87
Connecting to packages.icinga.com (packages.icinga.com)|185.11.254.87|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 25 Jun 2019 06:36:51 GMT
  Server: Apache
  Last-Modified: Thu, 23 May 2019 12:10:55 GMT
  ETag: "244e55e-5898cf96152ea"
  Accept-Ranges: bytes
  Content-Length: 38069598
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msi
Length: 38069598 (36M) [application/x-msi]
Saving to: ‘Icinga2-v2.10.5-x86_64.msi’

100%[=========================================================================================================================================================================>] 38,069,598 1.90MB/s in 20s

2019-06-25 08:37:11 (1.85 MB/s) - ‘Icinga2-v2.10.5-x86_64.msi’ saved [38069598/38069598]

[user@host icinga2-agent-install-issue]$

Create SHA256 hash

For your reference here is the HASH of the file I downloaded:

[user@host icinga2-agent-install-issue]$ sha256sum Icinga2-v2.10.5-x86_64.msi
d9acde96643d699ea6871fc8e6d544b3c868a5a2e179950082f94046821b24e8 Icinga2-v2.10.5-x86_64.msi
[user@host icinga2-agent-install-issue]$

Get original NSCP

Found in icinga/icinga2 repository

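if(WIN32)
  if(CMAKE_VS_PLATFORM_NAME STREQUAL "x64")
    # Pinned download URL and expected SHA256 of the bundled NSClient++ installer
    set(NSCP_URL "https://github.com/mickem/nscp/releases/download/0.5.0.62/NSCP-0.5.0.62-x64.msi")
    set(NSCP_SHA256 "1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f")
  endif() # excerpt ends here; the rest of the original file is not shown
endif()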

Download NSCP installer:

[user@host icinga2-agent-install-issue]$ wget -S https://github.com/mickem/nscp/releases/download/0.5.0.62/NSCP-0.5.0.62-x64.msi
Length: 27426816 (26M) [application/octet-stream]
Saving to: ‘NSCP-0.5.0.62-x64.msi’

100%[=========================================================================================================================================================================>] 27,426,816 1.67MB/s in 21s

2019-06-25 09:29:36 (1.22 MB/s) - ‘NSCP-0.5.0.62-x64.msi’ saved [27426816/27426816]

Create SHA256 hash

[user@host icinga2-agent-install-issue]$ sha256sum NSCP-0.5.0.62-x64.msi
1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f NSCP-0.5.0.62-x64.msi
[user@host icinga2-agent-install-issue]$

Extract bundled installer from Icinga2 (failed)

[user@host icinga2-agent-install-issue]$ file Icinga2-v2.10.5-x86_64.msi
Icinga2-v2.10.5-x86_64.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Icinga 2, Author: Icinga Development Team, Keywords: Installer, Comments: This installer database contains the logic and data required to install Icinga 2., Template: x64;1033, Revision Number: {051070E4-7026-49CD-A433-CF32A02FE5E8}, Create Time/Date: Thu May 23 13:08:26 2019, Last Saved Time/Date: Thu May 23 13:08:26 2019, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
[user@host icinga2-agent-install-issue]$ 7za l Icinga2-v2.10.5-x86_64.msi

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Xeon(R) CPU E5506 @ 2.13GHz (106A5),ASM)

Scanning the drive for archives:
1 file, 38069598 bytes (37 MiB)

Listing archive: Icinga2-v2.10.5-x86_64.msi

ERROR: Icinga2-v2.10.5-x86_64.msi : Icinga2-v2.10.5-x86_64.msi
Open ERROR: Can not open the file as [Cab] archive

ERRORS:
Headers Error
WARNINGS:
There are data after the end of archive

Errors: 1
[user@host icinga2-agent-install-issue]$

Opening the file on Windows using 7-Zip still reports an error (see screenshot), but extracts this NSCP.msi file:

Screenshot - 6_25_2019 , 9_19_32 AM

The HASH of the extracted NSCP installer is the same as what's in the CMakeLists.txt file

[user@host icinga2-agent-install-issue]$ sha256sum CM_FP_sbin.NSCP.msi
1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f CM_FP_sbin.NSCP.msi
[user@host icinga2-agent-install-issue]$ sha256sum NSCP.msi
1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f NSCP.msi
[user@host icinga2-agent-install-issue]$
[user@host icinga2-agent-install-issue]$ ls -la
total 90752
drwxr-xr-x 2 user users 96 Jun 25 09:32 .
drwxr-xr-x 8 user users 4096 Jun 25 08:30 ..
-rw-r--r-- 1 user users 27426816 Jun 25 08:43 CM_FP_sbin.NSCP.msi
-rw-r--r-- 1 user users 38069598 May 23 14:10 Icinga2-v2.10.5-x86_64.msi
-rw-r--r-- 1 user users 27426816 May 24 2017 NSCP-0.5.0.62-x64.msi
-rw-r--r-- 1 user users 27426816 Jun 25 10:26 NSCP.msi
[user@host icinga2-agent-install-issue]$

dnsmichi commented 5 years ago

> Is there a reason why Icinga2 uses a more than two year old (0.5.0.62) version of the NSClient?

Mainly that NSClient++ did not provide a stable 0.5.2 or 0.5.3 or 0.6.0 release for quite a long time. 0.5.0.x was sufficient and stable. 2.11 will bump the bundled file to the latest stable 0.5.2.x branch, including some fixes but no new features (e.g. the permission based API is still missing).

See #7034 for the updated include file.

The only thing our packaging does here - cmake resp. cpack downloads the msi file from the given URL, and compares the hash. This is then bundled into the created msi file, whereas the setup routine of the icinga2 installer just copies the nscp.msi into the program files directory. The user can then either run this manually, or use the setup config wizard button to invoke the NSClient++ setup.

You cannot cab extract the setup package, msi is different. Fortunately there are some methods, one of them is to use msiexec itself.

msiexec /a Icinga2-v2.10.0-x86.msi /qb TARGETDIR=c:\users\michi\downloads\i2


There's no extra effort taken with configuring the NSClient++ msi beforehand, or anything else. So the connection towards that IP address is invoked with calling the nscp.msi. Maybe your system is infected and every msi/setup call does some extra checks. Since you're the first one detecting this and no-one else has seen this for years, I would check whether your system is ok, uses proxies, or msi itself is damaged or Windows is doing sort of update checks here.

I don't believe that this is related to Icinga though, and as such, I'm closing this issue.
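
The check carried out by hand in this thread (the `NSCP_SHA256` pin in the CMake file compared against the extracted `NSCP.msi`) can be scripted. This is an added example, not part of the original issue or of Icinga's build code; the function names, the file name `pin.cmake` and the stand-in payload are assumptions, and the demo data is constructed.

```shell
#!/bin/sh
# Added example: verify an extracted bundled installer against the SHA256
# pinned in a CMake fragment. Hashes are compared in lowercase, because
# Windows tools often print uppercase hex while sha256sum prints lowercase.

# Print every value of set(<VAR> "<64 hex chars>") in a CMake file, lowercased.
# A build file can pin one hash per architecture, so all matches are returned.
pinned_hashes() {  # $1 = cmake file, $2 = variable name
  sed -n "s/^[[:space:]]*set($2[[:space:]]*\"\([0-9A-Fa-f]\{64\}\)\").*/\1/p" "$1" \
    | tr '[:upper:]' '[:lower:]'
}

# Print the lowercase SHA256 of a file.
file_hash() {  # $1 = file
  sha256sum "$1" | awk '{print tolower($1)}'
}

# Return 0 if the artifact matches any pinned hash, 1 on mismatch,
# 2 if an input is unreadable or the variable is not pinned at all.
verify_bundled() {  # $1 = cmake file, $2 = variable name, $3 = artifact
  [ -r "$1" ] && [ -r "$3" ] || { echo "unreadable input" >&2; return 2; }
  vb_pins=$(pinned_hashes "$1" "$2")
  [ -n "$vb_pins" ] || { echo "no pin for $2 in $1" >&2; return 2; }
  vb_got=$(file_hash "$3")
  if printf '%s\n' "$vb_pins" | grep -qxF "$vb_got"; then
    echo "OK $vb_got $3"
    return 0
  fi
  echo "MISMATCH $vb_got $3" >&2
  return 1
}

# --- Constructed demo: a stand-in payload, not a real installer ---
demo_dir=$(mktemp -d)
printf 'constructed stand-in for NSCP.msi\n' > "$demo_dir/NSCP.msi"
demo_pin=$(file_hash "$demo_dir/NSCP.msi" | tr '[:lower:]' '[:upper:]')
printf 'if(WIN32)\n  set(NSCP_SHA256 "%s")\nendif()\n' "$demo_pin" > "$demo_dir/pin.cmake"

# Untouched copy: matches the pin even though the pin is uppercase.
verify_bundled "$demo_dir/pin.cmake" NSCP_SHA256 "$demo_dir/NSCP.msi" || echo "unexpected rc=$?"

# Modified copy: one appended byte is enough to fail the check.
printf 'x' >> "$demo_dir/NSCP.msi"
verify_bundled "$demo_dir/pin.cmake" NSCP_SHA256 "$demo_dir/NSCP.msi" || echo "rejected, rc=$?"
rm -rf "$demo_dir"
```

A match only shows that the bundled file is byte-identical to what the build pinned; it says nothing about what that installer does when it runs, which is the open question in this thread.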