[checkmk-commits] Add Windows alert handler example to doc/treasures

Module: check_mk Branch: master Commit: 8c991b98ecc54dc8f87c8a4897cc2c4603fc546e URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8c991b98ecc54d… Author: Alexander Wilms &lt;aw(a)mathias-kettner.de&gt; Date: Thu Dec 13 13:34:55 2018 +0100 Add Windows alert handler example to doc/treasures Change-Id: I1b2254953aa786bf4859059958c668520ea4c0fa --- doc/treasures/alert_handler/windows/README | 52 ++++++++++++++++++ doc/treasures/alert_handler/windows/windows_remote | 51 ++++++++++++++++++ .../windows/windows_remote_alert_handler.py | 63 ++++++++++++++++++++++ 3 files changed, 166 insertions(+) diff --git a/doc/treasures/alert_handler/windows/README b/doc/treasures/alert_handler/windows/README new file mode 100644 index 0000000..076654b --- /dev/null +++ b/doc/treasures/alert_handler/windows/README @@ -0,0 +1,52 @@ +#. +# .--Security Warning----------------------------------------------------. +# | ____ _ _ | +# | / ___| ___ ___ _ _ _ __(_) |_ _ _ | +# | \___ \ / _ \/ __| | | | '__| | __| | | | | +# | ___) | __/ (__| |_| | | | | |_| |_| | | +# | |____/ \___|\___|\__,_|_| |_|\__|\__, | | +# | |___/ | +# | __ __ _ | +# | \ \ / /_ _ _ __ _ __ (_)_ __ __ _ | +# | \ \ /\ / / _` | '__| '_ \| | '_ \ / _` | | +# | \ V V / (_| | | | | | | | | | | (_| | | +# | \_/\_/ \__,_|_| |_| |_|_|_| |_|\__, | | +# | |___/ | +# +----------------------------------------------------------------------+ +# | Use this alert handler at your own risk! | +# | It can execute arbritrary code with permissions | +# | of the configured windows user! | +# '----------------------------------------------------------------------' + + + +#. +# .--Installation--------------------------------------------------------. +# | ___ _ _ _ _ _ | +# | |_ _|_ __ ___| |_ __ _| | | __ _| |_(_) ___ _ __ | +# | | || '_ \/ __| __/ _` | | |/ _` | __| |/ _ \| '_ \ | +# | | || | | \__ \ || (_| | | | (_| | |_| | (_) | | | | | +# | |___|_| |_|___/\__\__,_|_|_|\__,_|\__|_|\___/|_| |_| | +# | | +# +----------------------------------------------------------------------+ +# | | +# '----------------------------------------------------------------------' +Check_MK +1. Copy windows_remote to /opt/omd/sites/<mysite>/local/share/check_mk/alert_handlers +2. Copy windows_remote_alert_handler.py to /opt/omd/sites/<mysite>/local/share/check_mk/web/plugins/wato/ +3. Install pypsrp into <mysite>: su - mystite; pip install pypsrp +4. Configure the alert handler rule in WATO/Alert Handlers, supply User, Password and command to execute + +Windows +As user credentials are transferred via network, this alert handler is designed to use HTTPS as transport mode. +Therefore you have to enable the WinRM HTTPS listener on windows, at least with a self signed certificate. +For simplicity the certificate validation is set to false. To increase security you may enable validation and use +valid public certificate chains instead + +1. Create a self-signed certificate using administrative powershell: + New-SelfSignedCertificate -DnsName <myhostname> -CertStoreLocation Cert:\LocalMachine\My +2. Create HTTPS listener and bind certificate to it using administrative cmd: + winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<myhostname>"; CertificateThumbprint="<thumbprint from step 1>"} +3. You may need to open the firewall. Also this will work in the NLA profiles "Domain" and "Private" only! + + diff --git a/doc/treasures/alert_handler/windows/windows_remote b/doc/treasures/alert_handler/windows/windows_remote new file mode 100755 index 0000000..c283b85 --- /dev/null +++ b/doc/treasures/alert_handler/windows/windows_remote @@ -0,0 +1,51 @@ +#!/usr/bin/env python +# PowerShell Remoting Protocol Client + +import os +import sys + +from pypsrp.client import Client + +import cmk.password_store + + +def from_environment(env): + user = os.environ.get("PARAMETER_RUNAS") + password = os.environ.get("PARAMETER_PASSWORD") + command = os.environ.get("PARAMETER_COMMAND") + address = os.environ.get("ALERT_HOSTADDRESS") + + if not user or not command or not password: + sys.stdout.write("Need user, password and command as arguments") + sys.exit(3) + + if not address: + sys.stdout.write("Environment ALERT_HOSTADDRESS is missing\n") + sys.exit(3) + + return user, password, command, address + + +def main(argv=None): + if argv is None: + argv = sys.argv + + user, password, command, address = from_environment(os.environ) + + if password.startswith("store\t"): + password_id = password.split("\t", 1)[1] + try: + password = cmk.password_store.load().get(password_id) + except KeyError: + raise Exception("pwstore: Password '%s' does not exist" % password_id) + elif password.startswith("password\t"): + password = password.split("\t", 1)[1] + + client = Client(address, username=user, password=password, cert_validation=False) + stdout, stderr, rc = client.execute_cmd(command) + + return rc + + +if __name__ == '__main__': + sys.exit(main()) diff --git a/doc/treasures/alert_handler/windows/windows_remote_alert_handler.py b/doc/treasures/alert_handler/windows/windows_remote_alert_handler.py new file mode 100644 index 0000000..45adc69 --- /dev/null +++ b/doc/treasures/alert_handler/windows/windows_remote_alert_handler.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python +# -*- encoding: utf-8; py-indent-offset: 4 -*- +# .------------------------------------------------------------------------. +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | |_____| | +# | _____ _ _ | +# | | ____|_ __ | |_ ___ _ __ _ __ _ __(_)___ ___ | +# | | _| | '_ \| __/ _ \ '__| '_ \| '__| / __|/ _ \ | +# | | |___| | | | || __/ | | |_) | | | \__ \ __/ | +# | |_____|_| |_|\__\___|_| | .__/|_| |_|___/\___| | +# | |_| | +# | _____ _ _ _ _ | +# | | ____|__| (_) |_(_) ___ _ __ | +# | | _| / _` | | __| |/ _ \| '_ \ | +# | | |__| (_| | | |_| | (_) | | | | | +# | |_____\__,_|_|\__|_|\___/|_| |_| | +# | | +# | mathias-kettner.com mathias-kettner.de | +# '------------------------------------------------------------------------' +# This file is part of the Check_MK Enterprise Edition (CEE). +# Copyright by Mathias Kettner and Mathias Kettner GmbH. All rights reserved. +# +# Distributed under the Check_MK Enterprise License. +# +# You should have received a copy of the Check_MK Enterprise License +# along with Check_MK. If not, email to mk(a)mathias-kettner.de +# or write to the postal address provided at www.mathias-kettner.de + + +register_alert_handler_parameters( + "windows_remote", + Dictionary( + title = _("Remote execution on Windows via WMI"), + help = _("This alert handler allows the remote execution of scripts and programs " + "on Windows systems via WMI. Please note that this configuration is saved " + "in clear text (including the password!). We have not made any influence on " + "the security settings of the target Window hosts. If you don't secure the " + "WMI access, the credentials might be used to execute arbitrary commands on " + "the remote system. Use with caution!"), + elements = [ + ("runas", TextAscii( + title = _("User to run handler as"), + allow_empty = False, + regex = re.compile('^[a-zA-Z_][-/a-zA-Z0-9_\\\\]*$'), + regex_error = _("Your input does not match the required format.") \ + + " " + _("Expected syntax: [domain/]username") + )), + ("password", PasswordFromStore( + title = _("Password of the user"), + allow_empty = False, + )), + ("command", TextAscii( + title = _("Command to execute"), + allow_empty = False, + )), + ], + optional_keys = False, + ) +)