
Add Windows alert handler example to doc/treasures

Change-Id: I1b2254953aa786bf4859059958c668520ea4c0fa
Gulaschcowboy authored and si-23 committed Dec 13, 2018
1 parent 30fb2e5 commit 8c991b98ecc54dc8f87c8a4897cc2c4603fc546e
@@ -0,0 +1,52 @@
#.
# .--Security Warning----------------------------------------------------.
# | ____ _ _ |
# | / ___| ___ ___ _ _ _ __(_) |_ _ _ |
# | \___ \ / _ \/ __| | | | '__| | __| | | | |
# | ___) | __/ (__| |_| | | | | |_| |_| | |
# | |____/ \___|\___|\__,_|_| |_|\__|\__, | |
# | |___/ |
# | __ __ _ |
# | \ \ / /_ _ _ __ _ __ (_)_ __ __ _ |
# | \ \ /\ / / _` | '__| '_ \| | '_ \ / _` | |
# | \ V V / (_| | | | | | | | | | | (_| | |
# | \_/\_/ \__,_|_| |_| |_|_|_| |_|\__, | |
# | |___/ |
# +----------------------------------------------------------------------+
# | Use this alert handler at your own risk! |
# | It can execute arbritrary code with permissions |
# | of the configured windows user! |
# '----------------------------------------------------------------------'



#.
# .--Installation--------------------------------------------------------.
# | ___ _ _ _ _ _ |
# | |_ _|_ __ ___| |_ __ _| | | __ _| |_(_) ___ _ __ |
# | | || '_ \/ __| __/ _` | | |/ _` | __| |/ _ \| '_ \ |
# | | || | | \__ \ || (_| | | | (_| | |_| | (_) | | | | |
# | |___|_| |_|___/\__\__,_|_|_|\__,_|\__|_|\___/|_| |_| |
# | |
# +----------------------------------------------------------------------+
# | |
# '----------------------------------------------------------------------'
Check_MK
1. Copy windows_remote to /opt/omd/sites/<mysite>/local/share/check_mk/alert_handlers
2. Copy windows_remote_alert_handler.py to /opt/omd/sites/<mysite>/local/share/check_mk/web/plugins/wato/
3. Install pypsrp into <mysite>: su - mystite; pip install pypsrp
4. Configure the alert handler rule in WATO/Alert Handlers, supply User, Password and command to execute

Windows
As user credentials are transferred via network, this alert handler is designed to use HTTPS as transport mode.
Therefore you have to enable the WinRM HTTPS listener on windows, at least with a self signed certificate.
For simplicity the certificate validation is set to false. To increase security you may enable validation and use
valid public certificate chains instead

1. Create a self-signed certificate using administrative powershell:
New-SelfSignedCertificate -DnsName <myhostname> -CertStoreLocation Cert:\LocalMachine\My
2. Create HTTPS listener and bind certificate to it using administrative cmd:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<myhostname>"; CertificateThumbprint="<thumbprint from step 1>"}
3. You may need to open the firewall. Also this will work in the NLA profiles "Domain" and "Private" only!


@@ -0,0 +1,51 @@
#!/usr/bin/env python
# PowerShell Remoting Protocol Client

import os
import sys

from pypsrp.client import Client

import cmk.password_store


def from_environment(env):
user = os.environ.get("PARAMETER_RUNAS")
password = os.environ.get("PARAMETER_PASSWORD")
command = os.environ.get("PARAMETER_COMMAND")
address = os.environ.get("ALERT_HOSTADDRESS")

if not user or not command or not password:
sys.stdout.write("Need user, password and command as arguments")
sys.exit(3)

if not address:
sys.stdout.write("Environment ALERT_HOSTADDRESS is missing\n")
sys.exit(3)

return user, password, command, address


def main(argv=None):
if argv is None:
argv = sys.argv

user, password, command, address = from_environment(os.environ)

if password.startswith("store\t"):
password_id = password.split("\t", 1)[1]
try:
password = cmk.password_store.load().get(password_id)
except KeyError:
raise Exception("pwstore: Password '%s' does not exist" % password_id)
elif password.startswith("password\t"):
password = password.split("\t", 1)[1]

client = Client(address, username=user, password=password, cert_validation=False)
stdout, stderr, rc = client.execute_cmd(command)

return rc


if __name__ == '__main__':
sys.exit(main())
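Review bot: `cert_validation=False` in the `Client(...)` call disables TLS certificate checking, so the HTTPS transport this handler is built around no longer protects the credentials it sends — an on-path attacker who can present any certificate on the WinRM port sees whatever authentication exchange pypsrp negotiates by default. The flag should be configurable rather than hard-wired, e.g. read an optional CA bundle path from the environment and pass `cert_validation=ca_path if ca_path else False` (pypsrp accepts a bundle path there, if I recall its WSMan options correctly), with the opt-out documented as the insecure default. Separately, `cmk.password_store.load().get(password_id)` returns `None` for an unknown id, so the `except KeyError` branch is dead and the handler proceeds with `password=None`; use `cmk.password_store.load()[password_id]` so the intended error actually fires. The result of `execute_cmd` is discarded apart from `rc`, so a failing command surfaces with no text at all; writing `sys.stdout.write(stdout)` and `sys.stderr.write(stderr)` before the `return rc` would make the alert-handler log useful. `from_environment` also ignores its `env` argument and reads `os.environ` directly, which makes the function untestable and the parameter misleading.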
@@ -0,0 +1,63 @@
#!/usr/bin/env python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# .------------------------------------------------------------------------.
# | ____ _ _ __ __ _ __ |
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
# | | |___| | | | __/ (__| < | | | | . \ |
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
# | |_____| |
# | _____ _ _ |
# | | ____|_ __ | |_ ___ _ __ _ __ _ __(_)___ ___ |
# | | _| | '_ \| __/ _ \ '__| '_ \| '__| / __|/ _ \ |
# | | |___| | | | || __/ | | |_) | | | \__ \ __/ |
# | |_____|_| |_|\__\___|_| | .__/|_| |_|___/\___| |
# | |_| |
# | _____ _ _ _ _ |
# | | ____|__| (_) |_(_) ___ _ __ |
# | | _| / _` | | __| |/ _ \| '_ \ |
# | | |__| (_| | | |_| | (_) | | | | |
# | |_____\__,_|_|\__|_|\___/|_| |_| |
# | |
# | mathias-kettner.com mathias-kettner.de |
# '------------------------------------------------------------------------'
# This file is part of the Check_MK Enterprise Edition (CEE).
# Copyright by Mathias Kettner and Mathias Kettner GmbH. All rights reserved.
#
# Distributed under the Check_MK Enterprise License.
#
# You should have received a copy of the Check_MK Enterprise License
# along with Check_MK. If not, email to mk@mathias-kettner.de
# or write to the postal address provided at www.mathias-kettner.de


register_alert_handler_parameters(
"windows_remote",
Dictionary(
title = _("Remote execution on Windows via WMI"),
help = _("This alert handler allows the remote execution of scripts and programs "
"on Windows systems via WMI. Please note that this configuration is saved "
"in clear text (including the password!). We have not made any influence on "
"the security settings of the target Window hosts. If you don't secure the "
"WMI access, the credentials might be used to execute arbitrary commands on "
"the remote system. Use with caution!"),
elements = [
("runas", TextAscii(
title = _("User to run handler as"),
allow_empty = False,
regex = re.compile('^[a-zA-Z_][-/a-zA-Z0-9_\\\\]*$'),
regex_error = _("Your input does not match the required format.") \
+ " " + _("Expected syntax: [domain/]username")
)),
("password", PasswordFromStore(
title = _("Password of the user"),
allow_empty = False,
)),
("command", TextAscii(
title = _("Command to execute"),
allow_empty = False,
)),
],
optional_keys = False,
)
)
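Review bot: The title and help text describe the handler as working "via WMI" and tell the operator to secure "WMI access", but the companion script connects with pypsrp, i.e. WinRM/PowerShell Remoting, so an operator hardening the wrong service would gain nothing; change to `title = _("Remote execution on Windows via WinRM (PowerShell Remoting)")` and reword the help sentence to refer to securing WinRM access (HTTPS listener, firewall, permitted users). The help also states the configuration is saved in clear text including the password, yet the `password` element is a `PasswordFromStore`, so that warning should say it applies only when a literal password is entered rather than a store reference. Minor: "target Window hosts" should read "target Windows hosts", and the `runas` regex rejects `user@domain` UPNs and dotted names, which is worth stating in `regex_error` if intentional. The file calls `re.compile` without an `import re`; presumably the WATO plugin loader provides it, but that is worth confirming.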
