check_wmi_plus.pl

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
delboy1966
Posts: 94
Joined: Thu Oct 22, 2015 5:26 am

check_wmi_plus.pl

Post by delboy1966 »

This might be a long shot, but here goes.

We use check_wmi_plus.pl to do checks on our Windows estate, which has worked well up until now.
After a Windows update we are seeing lots of event log messages relating to DCOM account permissions.

We opened a case with Microsoft, and the upshot is we need to change the authentication method for the check, however, I don't see an option to do this in check_wmi_plus.pl.
Wondering if anyone else has seen this issue and if they found a way of changing the authentication method?

Here is what we got back from Microsoft.

> KB5005568 (for WS2019) introduced new event logging, with event ID 10036, to allow customers to easily identify if they have any applications/components encountering issues because of the authentication level in their environments during testing, without having to live debug the said applications.

> As the error message that is being logged (subject of the case) suggests, you have Nagios client application trying to activate the DCOM server on this machine with a lower authentication level.

> This is all due to the hardening behavior that will be changed in Q1 2022 so that, by default, any calls with the authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY will be rejected by the OS (not the application).

> Some applications may have implemented a mechanism (on the client-side) which detects if a call with a lower authentication level fails and then initiates a new one with a higher level. This means that you will see some 10036 events logged, but the application itself is actually working fine, without causing any problems.

> The idea of this event error is to track down the applications that are not using the more secure authentication levels and to reach out to your internal teams or 3rd party vendor/developer maintaining them.

> P.S: There are 7 authentication levels in total, from 0 to 6 and the only one that should still be used to avoid any issues is level 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).
Authentication-Level Constants (Rpcdce.h) - Win32 apps | Microsoft Docs


Thanks in advance
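
A way to act on the event ID 10036 guidance in the Microsoft reply quoted above, as an added example that is not part of the original thread: it groups exported 10036 events by calling address and account, so the clients still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (such as a monitoring host) can be listed. The message wording, the row layout, and every host, account and address are assumptions constructed for the example.

```python
import re

# Assumed wording of the event ID 10036 message; adjust the pattern to the
# text your own System log export contains.
MSG = ("The server-side authentication level policy does not allow the user "
       "{user} SID ({sid}) from address {addr} to activate DCOM server. Please "
       "raise the activation authentication level at least to "
       "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.")
PATTERN = re.compile(r"allow the user (?P<user>\S+) SID \((?P<sid>[^)]+)\) "
                     r"from address (?P<addr>\S+) to activate DCOM server")

def _row(server, user, rid, addr):
    return ("2021-10-01T09:00:00", server, "10036",
            MSG.format(user=user, sid="S-1-5-21-1-2-3-" + rid, addr=addr))

# Constructed sample rows: (timestamp, logging server, event id, message).
SAMPLE_ROWS = [
    _row("WEB01", r"EXAMPLE\svc_nagios", "1105", "192.0.2.10"),
    _row("DB01", r"EXAMPLE\svc_nagios", "1105", "192.0.2.10"),
    _row("WEB01", r"EXAMPLE\svc_nagios", "1105", "192.0.2.10"),
    _row("WEB01", r"EXAMPLE\svc_backup", "1130", "192.0.2.44"),
    ("2021-10-01T09:05:00", "WEB01", "10016", "unrelated DCOM event"),
    ("2021-10-01T09:06:00", "DB01", "10036", "message truncated by the export"),
]

def summarize_10036(rows):
    """Group event 10036 rows by (client address, account)."""
    clients, unparsed = {}, 0
    for _ts, server, event_id, message in rows:
        if str(event_id) != "10036":
            continue                      # other event IDs are out of scope
        m = PATTERN.search(message)
        if m is None:
            unparsed += 1                 # surface rows the pattern missed
            continue
        entry = clients.setdefault((m["addr"], m["user"]),
                                   {"count": 0, "servers": set()})
        entry["count"] += 1
        entry["servers"].add(server)
    return clients, unparsed

def ranked(clients):
    """Noisiest clients first: these are the callers to fix or replace."""
    return sorted(clients.items(), key=lambda kv: -kv[1]["count"])

if __name__ == "__main__":
    clients, unparsed = summarize_10036(SAMPLE_ROWS)
    for (addr, user), info in ranked(clients):
        print(addr, user, info["count"], sorted(info["servers"]))
    print("unparsed 10036 rows:", unparsed)
```

A non-zero unparsed count means the pattern no longer matches the exported message text and the per-client totals are incomplete.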
meni2029
Posts: 1
Joined: Thu Sep 30, 2021 7:21 am

Re: check_wmi_plus.pl

Post by meni2029 »

Hi, not found a solution. But for your information the issue is also reported here: https://edcint.co.nz/checkwmiplus/forum ... integrity/
alienone
Posts: 11
Joined: Tue May 06, 2014 9:05 am

Re: check_wmi_plus.pl

Post by alienone »

Hi
We got the same issue with this but have not yet found any solution.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: check_wmi_plus.pl

Post by mcapra »

I don't have a lab machine to crack open wmic and see what it does or does not support, though this definitely seems like it would be a wmic limitation.

impacket definitely supports this, and I'd started on a Python based WMI checks plugin a while ago but never finished it:
https://github.com/mcapra/nagios-check_ ... eck_wmi.py
Former Nagios employee
https://www.mcapra.com/
delboy1966
Posts: 94
Joined: Thu Oct 22, 2015 5:26 am

Re: check_wmi_plus.pl

Post by delboy1966 »

Hi Guys

Sorry for the late reply, I've been away.

I did find that check_wmi_plus.pl allows you to include additional arguments to pass to wmic, by using --extrawmicargs.
One option you can pass is --use-security-mechanisms, where you can specify the level to use.
So, I added:

--extrawmicargs "--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"

To the commands in commands.cfg.

Running the check_wmi_plus.pl command from command line with the debug option shows it being sent.

QUERY: /usr/local/bin/wmic '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '-U' 'USER%PASS' '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '--namespace' 'root/cimv2' '//10.48.86.34' 'select Name,CommandLine,ExecutablePath from Win32_Process'

But doesn't seem to work as the eventlogs are still full of the errors.

Tony
rudi.lotze
Posts: 3
Joined: Fri Oct 08, 2021 9:17 am

Re: check_wmi_plus.pl

Post by rudi.lotze »

Bump - anyone had any luck getting this issue resolved?
ebinjast
Posts: 1
Joined: Wed Apr 08, 2020 3:07 am

Re: check_wmi_plus.pl

Post by ebinjast »

I found a wmic on github (not the original) and it looks like it uses code from the samba project. https://github.com/astbss/wmic
Someone who understands a little of Python might be able to find something that can be changed in here to raise the rpc auth level and then recompile it.

Should the rpc implementation in samba not support raising the auth level, it would probably break some other linux -> windows stuff as well.
amoss24
Posts: 14
Joined: Thu Dec 17, 2020 1:19 pm

Re: check_wmi_plus.pl

Post by amoss24 »

I'll add my two cents - we've also started noticing this issue on Windows servers as we update them.

Seems like there is some time to figure out a solution based on the timeline from Microsoft.

https://support.microsoft.com/en-us/top ... ed901c769c

May have to consider switching to NCPA perhaps - there goes my agentless monitoring!
stuartbeckasg
Posts: 3
Joined: Mon Sep 02, 2019 9:11 pm

Re: check_wmi_plus.pl

Post by stuartbeckasg »

Hi All,

Just wondering what the consensus is for WMI based Nagios checks going forward?
Is this still an option or will we need to migrate the checks over to something else?

Stuart.