check_wmi_plus.pl

Posted: Thu Sep 30, 2021 8:09 am
by delboy1966
This might be a longshot, but here goes.

We use check_wmi_plus.pl to do checks on our Windows estate, which has worked well up until now.
After a Windows update we are seeing lots of eventlog messages relating to DCOM account permissions.

We opened a case with Microsoft, and the upshot is we need to change the authentication method for the check, however, I don't see an option to do this in check_wmi_plus.pl.
Wondering if anyone else has seen this issue and if they found a way of changing the authentication method?

Here is what we got back from Microsoft.

> KB5005568 (for WS2019) introduced new event logging, with event ID 10036, to allow customers to easily identify if they have any applications/components encountering issues because of the authentication level in their environments during testing, without having to live debug the said applications.

> As the error message that is being logged (subject of the case) suggests, you have Nagios client application trying to activate the DCOM server on this machine with a lower authentication level.

> This is all due to the hardening behavior that will be changed in Q1 2022 so that, by default, any calls with the authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY will be rejected by the OS (not the application).

> Some applications may have implemented a mechanism (on the client-side) which detects if a call with a lower authentication level fails and then initiates a new one with a higher level. This means that you will see some 10036 events logged, but the application itself is actually working fine, without causing any problems.

> The idea of this event error is to track down the applications that are not using the more secure authentication levels and to reach out to your internal teams or 3rd party vendor/developer maintaining them.

> P.S: There are 7 authentication levels in total, from 0 to 6, and the only one that should still be used to avoid any issues is level 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).
> Authentication-Level Constants (Rpcdce.h) - Win32 apps | Microsoft Docs


Thanks in advance
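To make the Microsoft note above actionable, here is a small triage script added to this thread (not part of any post, and not check_wmi_plus code). It maps the seven Rpcdce.h levels to the level-5 minimum and counts event 10036 entries per client address and user, so you can see which pollers are still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. It assumes an export in the form "EventID|Message"; the sample events and the SID/user in them are constructed for the example.

```python
import re
from collections import Counter

# DCOM/RPC authentication levels from Rpcdce.h. After the hardening the
# thread discusses, the server rejects activation calls below level 5.
AUTHN_LEVELS = {
    0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
    2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
    4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
    6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY",
}
MIN_ACCEPTED_LEVEL = 5  # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY

def level_meets_policy(level):
    """True if a level (number or Rpcdce.h constant name) is still accepted.
    Level 0 (DEFAULT) leaves the choice to the runtime and so does not count."""
    if isinstance(level, str):
        level = {name: num for num, name in AUTHN_LEVELS.items()}.get(level, -1)
    if level not in AUTHN_LEVELS:
        raise ValueError(f"unknown authentication level: {level}")
    return level >= MIN_ACCEPTED_LEVEL

# Modelled on the message text of event 10036 (Microsoft-Windows-DistributedCOM).
EVENT_10036_RE = re.compile(
    r"user (?P<user>\S+) SID \((?P<sid>S-[\d-]+)\) from address (?P<addr>\S+) "
    r"to activate DCOM server")

def triage_10036(export):
    """Count 10036 events per (client address, user) in an 'EventID|Message'
    export, to find which pollers still activate DCOM below level 5."""
    hits = Counter()
    for line in export.splitlines():
        event_id, _, message = line.partition("|")
        if event_id.strip() != "10036":
            continue
        m = EVENT_10036_RE.search(message)
        if m:
            hits[(m["addr"], m["user"])] += 1
    return hits

# Constructed sample export (not real log data): three 10036 events from two
# poller addresses, plus an unrelated 10016 event that must be ignored.
_MSG = ("The server-side authentication level policy does not allow the user "
        "{user} SID ({sid}) from address {addr} to activate DCOM server. Please raise "
        "the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.")
_SID = "S-1-5-21-1-2-3-1105"
SAMPLE_EVENTS = "\n".join([
    "10036|" + _MSG.format(user="CORP\\svc_nagios", sid=_SID, addr="10.48.86.34"),
    "10016|The application-specific permission settings do not grant Local Activation permission.",
    "10036|" + _MSG.format(user="CORP\\svc_nagios", sid=_SID, addr="10.48.86.35"),
    "10036|" + _MSG.format(user="CORP\\svc_nagios", sid=_SID, addr="10.48.86.34"),
])
```

`level_meets_policy` can also be used to sanity-check the value handed to wmic via --use-security-mechanisms before rolling a config change out to every poller.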

Re: check_wmi_plus.pl

Posted: Fri Oct 01, 2021 11:46 am
by meni2029
Hi, not found a solution. But for your information the issue is also reported here: https://edcint.co.nz/checkwmiplus/forum ... integrity/

Re: check_wmi_plus.pl

Posted: Thu Oct 07, 2021 4:44 am
by alienone
Hi
We got the same issue with this but have not yet found any solution.

Re: check_wmi_plus.pl

Posted: Thu Oct 07, 2021 8:24 am
by mcapra
I don't have a lab machine to crack open wmic and see what it does or does not support, though this definitely seems like it would be a wmic limitation.

impacket definitely supports this, and I'd started on a Python based WMI checks plugin a while ago but never finished it:
https://github.com/mcapra/nagios-check_ ... eck_wmi.py

Re: check_wmi_plus.pl

Posted: Wed Oct 13, 2021 3:35 am
by delboy1966
Hi guys,

Sorry for the late reply, I've been away.

I did find that check_wmi_plus.pl allows you to include additional arguments to pass to wmic, by using -extrawmicargs.
One option you can pass is --use-security-mechanisms, where you can specify the level to use.
So, I added:

--extrawmicargs "--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"

To the commands in commands.cfg.

Running the check_wmi_plus.pl command from command line with the debug option shows it being sent.

QUERY: /usr/local/bin/wmic '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '-U' 'USER%PASS' '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '--namespace' 'root/cimv2' '//10.48.86.34' 'select Name,CommandLine,ExecutablePath from Win32_Process'

But it doesn't seem to work, as the eventlogs are still full of the errors.

Tony

Re: check_wmi_plus.pl

Posted: Mon Oct 18, 2021 4:47 am
by rudi.lotze
Bump - anyone had any luck getting this issue resolved?

Re: check_wmi_plus.pl

Posted: Fri Oct 22, 2021 3:12 am
by ebinjast
I found a wmic on github (not the original) and it looks like it uses code from the samba project. https://github.com/astbss/wmic
Someone who understands a little Python might be able to find something that can be changed in here to raise the RPC auth level and then recompile it.

Should the RPC implementation in Samba not support raising the auth level, it would probably break some other Linux -> Windows stuff as well.

Re: check_wmi_plus.pl

Posted: Tue Nov 23, 2021 5:56 pm
by amoss24
I'll add my two cents - we've also started noticing this issue on Windows servers as we update them.

Seems like there is some time to figure out a solution based on the timeline from Microsoft.

https://support.microsoft.com/en-us/top ... ed901c769c

May have to consider switching to NCPA perhaps - there goes my agentless monitoring!

Re: check_wmi_plus.pl

Posted: Sun Jan 16, 2022 10:46 pm
by stuartbeckasg
Hi All,

Just wondering what the consensus is for WMI based Nagios checks going forward?
Is this still an option or will we need to migrate the checks over to something else?

Stuart.