Linuxfabrik / monitoring-plugins

220+ check plugins for Icinga and other Nagios-compatible monitoring applications. Each plugin is a standalone command line tool (written in Python) that provides a specific type of check.
https://linuxfabrik.ch
The Unlicense

Windows Updates: 0x80070005 (E_ACCESSDENIED) #695

Closed mmartinello closed 1 year ago

mmartinello commented 1 year ago

This issue respects the following points:

Which variant of the Monitoring Plugins do you use?

Bug description

Disclaimer: this is not a bug, but I think that this could be documented to avoid misunderstandings.

I am running the Windows Icinga Agent on Windows Server 2019, which runs as Network Service:

[Screenshot 2023-07-20 at 15 15 45]

The Windows Updates updates.exe plugin is getting me an Access denied error:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:4 char:5
+     $Pending = $SearchIndex.Search('IsInstalled=0');
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException

I think this could be due to the fact that Network Service cannot access the Microsoft.Update.Session PowerShell object.

Is it correct to run Icinga with Network Service or is it better to run it as a local or domain user?

Steps to reproduce - Plugin call

..\uupdates.exe

Steps to reproduce - Data

No response

Environment

Windows Server 2019

Plugin Version

updates.exe: v2023051201 by Linuxfabrik GmbH, Zurich/Switzerland

Python version

No response

List of Python modules

No response

Additional Information

No response

0x446 commented 1 year ago

According to Icinga's documentation, it runs under the network user by default. Check the setting descriptions under icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#agent-setup-on-windows-configuration-wizard

That being said, I would recommend that you run it under the local system account, as a lot of Linuxfabrik's plugins need additional permissions to perform certain lookups.
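A diagnostic sketch for the situation discussed in this thread, added here as an example and not part of the issue or of the Linuxfabrik plugin: it reports which account the agent service logs on as and repeats the `Search('IsInstalled=0')` call from the error output under the current identity. The service name `icinga2` and all variable names are assumptions.

```powershell
# Added example, not the plugin's own code.
# Assumption: the agent's Windows service is named 'icinga2'; adjust if yours differs.
$ServiceName = 'icinga2'

# 1. Which account does the agent service log on as?
$Service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $Service) {
    Write-Output "Service '$ServiceName' not found on this host."
} else {
    Write-Output ("Service '{0}' logs on as: {1}" -f $Service.Name, $Service.StartName)
}

# 2. Which identity is this script itself running as?
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Current identity: $Identity"

# 3. Repeat the Windows Update search that failed in the issue.
#    0x80070005 (E_ACCESSDENIED) as a signed 32-bit integer is -2147024891.
$AccessDenied = -2147024891
try {
    $Session  = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $Pending  = $Searcher.Search('IsInstalled=0')
    Write-Output ("Search succeeded as {0}: {1} update(s) not installed." -f `
        $Identity, $Pending.Updates.Count)
} catch {
    # Unwrap to the innermost exception to read the original HRESULT.
    $Base = $_.Exception.GetBaseException()
    if ($Base.HResult -eq $AccessDenied) {
        Write-Output "Search denied for ${Identity}: 0x80070005 (E_ACCESSDENIED)."
    } else {
        Write-Output ("Search failed for {0}: 0x{1:X8} {2}" -f `
            $Identity, $Base.HResult, $Base.Message)
    }
}
```

Step 3 only tests the identity the script runs as, so to test the service account the script has to be executed by the agent itself rather than from an interactive administrator session.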

mmartinello commented 1 year ago

Thank you @0x446!

markuslf commented 1 year ago

Thank you @0x446!