NagiosXI WMI Monitoring

[BanditBBS]

He replied...he wants to clean it up just a tad and document, so hopefully very soon. I will keep you all posted.

[tgelzaines]

Thanks for the response!

Do any of you know if Nagios has any form of asset inventory management built in?

[sreinhardt]

Nope, that is out of the scope of core and XI. You might be able to write a plugin to check various items from other interfaces, but it is not standard.

[BanditBBS]

Updating once again...script should be given to me tomorrow. Also, fyi, this script makes is possible to do this without using a domain admin account. I'll share as soon as I get it.

[WillemDH]

+1

[sreinhardt]

Awesome, thanks bandit! Looking forward to seeing what I missed before with wmi permissions..

[BanditBBS]

Ok, here is the script:

This should be pretty sanitized… give it out and see what people think.. .naturally I don’t care, but I can assist if people have problems lol! Purposely absent of error handling or advanced environments… my next revision will be, but this will get those guys going. I attached as a flat file as well, to preserve white spacing. Written by a technical guy for technical guys!!!

Code: Select all

##***************************************************************************
##*************** ENABLE NAGIOS - POWERSHELL - AD Integrated **************##
## Lets enable a domain account on a server with WMI cimv2 rights for nagios*
## monitoring, some SDDL permission string creation / modification ......****
## some performance monitoring rights as well.  This is intended to use a ***
## domain account as listed below.  Script can be modified with for loops to*
## support additoinal domains and accounts.  This is simply written to     **
## execute with variables below, sorry I don't write like a coder!         **
##  Thanks, best of luck, and naturally no warranty expressed or implied,  **
## use with precaution and don't hold me responsible at all! *             **
##***************************************************************************
## THIS VERSION IS WRITTEN WITH NO ERROR HANDLING!!! DOES REQUIRE WMI ACCESS*
##***************************************************************************

Function Set-UserLocalGroup
{
    [cmdletBinding()]
    Param(
    [Parameter(Mandatory=$True)]
    [string]$Computer,
    [Parameter(Mandatory=$True)]
    [string]$Group,
    [Parameter(Mandatory=$True)]
    [string]$Domain,
    [Parameter(Mandatory=$True)]
    [string]$User,
    [switch]$add,
    [switch]$remove
    )
    $de = [ADSI]"WinNT://$Computer/$Group,group"
    if($add){
        $de.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$User").path)
    } elseif ($remove){
        $de.psbase.Invoke("Remove",([ADSI]"WinNT://$Domain/$User").path)
    }
}

Function get-sid
{
Param (
 $DSIdentity
)
 $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
 return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

#SID from AD for nagiosXI to apply perms to DCOM level
  write-host "`tCapturing SID information for Nagios!"
#use the get-sid command and the netbios domain account to be used... standard domain user permissions.
#function above for get-sid, returns AD sid
#yes this account should be varibalized as it is called below but in the command for group membership you need netbios domain and user seperate. 
$sid = get-sid "subdomain\nagiosxi"
$SDDL = "A;;CCWP;;;$sid"
#sets remote launch and activate and local launch.  this is where you modify the perms you would like to provide
$DCOMSDDL = “A;;CCDCLCSWRP;;;$sid”
#local computer name to reference... remote calls do not always work. 
#$strcomputer = $env:COMPUTERNAME
# remote call it, easily wrapped into a foreach for a list of server names, depending on deployment, add a domain based lookup for multiple domains.
##### VARIABLE TO BE SET #####
$strcomputer = "hostmachine1.subdomain.domain.com"
#Where am I? 
write-host "`nWorking on $strcomputer..."
#Modify Launch permissions... all through registry... 
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
		write-host "`tConverting current permissions to SDDL format..."
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    $newSDDL = $outsddl.SDDL += "(" + $SDDL + ")"
		write-host "`tBuilding the new permissions..."
    $newDCOMSDDL = $outDCOMSDDL.SDDL += "(" + $DCOMSDDL + ")"
    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
		write-host "`tApplying changes..."
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)

# add WMI perms  Add nagiosXI Account to the CIMV2 perms
#WMI Permission - Enable Account, Remote Enable for This namespace and subnamespaces 
	write-host "`tLets modify the WMI permissions to CIMV2 for Nagios!"
$WMISDDL = "A;CI;CCWP;;;$sid" 

#PartialMatch
$WMISDDLPartialMatch = "A;\w*;\w+;;;$sid"
  $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
  $binarySD = @($null)
  $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
  # Convert the current permissions to SDDL 
	write-host "`tConverting current permissions to SDDL format..."
  $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
  $CurrentWMISDDL = $converter.BinarySDToSDDL($binarySD[0])
  
  # Build the new permissions 
	write-host "`tBuilding the new permissions..."
  if (($CurrentWMISDDL.SDDL -match $WMISDDLPartialMatch) -and ($CurrentWMISDDL.SDDL -notmatch $WMISDDL))
  {
   $NewWMISDDL = $CurrentWMISDDL.SDDL -replace $WMISDDLPartialMatch, $WMISDDL
  }
  else
  {
   $NewWMISDDL = $CurrentWMISDDL.SDDL += "(" + $WMISDDL + ")"
  }
  # Convert SDDL back to Binary 
	write-host `t"Converting SDDL back to binary"
  $WMIbinarySD = $converter.SDDLToBinarySD($NewWMISDDL)
  $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
 
	write-host "`tApplying changes..."
  if ($CurrentWMISDDL.SDDL -match $WMISDDL)
  {
    write-host "`t`tCurrent WMI Permissions match desired values."
  }
  else
  {
   $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions) 
   if($result='0'){write-host "`t`tApplied WMI Security complete."}
  }

# add perf counter group membership in local users of the domain account  
$LocalGroups = "Performance Monitor Users"
# Simply add groups to the above string comma-seperated and you are legit. 
# Again you are using the netbios domain name here... and the domain account for the rights on teh local group for perf mon rights
$LocalGroups | %{Set-UserLocalGroup -Computer $strcomputer -Group $_ -Domain "SUBDOMAIN" -User "NagiosXI" -add} # insert netbios DOMAIN name and user account.

#EOF
##
# Sonny McManigle - [email protected] 
# 
##

WARNING: This does not give the user access to monitor services. That is a separate piece of code I'll get for you all later.

I'll get this up on the exchange sooner or later, maybe wait a bit for feedback from any of you.

[sreinhardt]

Fantastic, thank you and sonny! I'm going to take a look, and give it a spin!