/readme.md

https://github.com/atomia/atomia-nagios-plugins
This is a set of simple Nagios plugins written in Perl, Python, shell script and PowerShell,
for testing, for example, that [Atomia Hosting Control Panel](http://www.atomia.com/) logins
work.
# Usage
## check_hcp_login.pl:
```sh
./check_hcp_login.pl --uri https://some.uri.of.hcp/ --user somelowprivuser --pass 'somepass' --timeout 5 --match somestring-only-found-after-successful-login
```
The `--match` string should be something that appears only after a successful login, so that an error page served with HTTP 200 is not counted as success. Since `--pass` puts the password on the command line (visible in the process list on the monitoring host), use a dedicated low-privilege account for the check.
## check_stats_report.sh
Place the following in nrpe.conf on the awstats host:
```sh
command[check_stats_lin]=/home/atomia/nagios/check_stats_report.sh some.linux.site 50 3
command[check_stats_win]=/home/atomia/nagios/check_stats_report.sh some.windows.site 50 3
```
## check_login.py
```sh
python3 check_login.py --url <login_form_url> --username <username> --password <password> [--timeout 5] [--match <matchstring>]
python check_login.py --url <login_form_url> --username <username> --password <password> [--timeout 5] [--match <matchstring>]
```
Dependencies:
* **WWW::Mechanize** for check_hcp_login.pl (on Ubuntu, just `apt-get install libwww-mechanize-perl`)
* **BeautifulSoup4** for check_login.py (Ubuntu: `apt-get install python-bs4 python3-bs4`)
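The following is an added example of what a form-login check like check_login.py does, written for this page and not taken from the repository. It uses only the Python standard library instead of BeautifulSoup4, assumes the login page has a single form whose credential fields are called `username` and `password` (both are parameters, since real applications differ), keeps the session cookie between the GET and the POST so that a hidden CSRF token stays valid, and treats the `--match` string as the only proof of a successful login. The sample login page is constructed.

```python
"""Added example (not check_login.py from atomia-nagios-plugins): the parts of a
form-login Nagios check, with the network step separated from the parsing and
verdict logic so the latter can be run on constructed HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode
import urllib.request

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


class _FormParser(HTMLParser):
    """Collect the first form's action/method and all of its named <input> fields."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "get"
        self.fields = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes have value None
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""  # hidden fields such as CSRF tokens included

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_login_form(page_url, html):
    """Return (absolute action URL, method, field dict) for the first form, or None."""
    p = _FormParser()
    p.feed(html)
    if p.action is None:
        return None
    return urljoin(page_url, p.action), p.method, p.fields


def build_payload(fields, username, password, user_field="username", pass_field="password"):
    """Fill the credentials into the form fields, keeping everything else (e.g. the CSRF token)."""
    payload = dict(fields)
    payload[user_field] = username
    payload[pass_field] = password
    return payload


def verdict(status_code, body, match):
    """Nagios status for the post-login page: a 200 is not enough, the match string must be present."""
    if status_code != 200:
        return CRITICAL, f"CRITICAL - login POST returned HTTP {status_code}"
    if match and match not in body:
        return CRITICAL, f"CRITICAL - '{match}' not found after login"
    return OK, "OK - login successful"


def check_login(url, username, password, match=None, timeout=5,
                user_field="username", pass_field="password"):
    """Fetch the form, submit it with a session cookie jar, and return (exit_code, message)."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    try:
        with opener.open(url, timeout=timeout) as r:
            form = parse_login_form(r.geturl(), r.read().decode("utf-8", "replace"))
        if form is None:
            return UNKNOWN, "UNKNOWN - no login form found at " + url
        action, method, fields = form
        if method != "post":
            return UNKNOWN, f"UNKNOWN - form uses {method.upper()}, expected POST"
        data = urlencode(build_payload(fields, username, password, user_field, pass_field)).encode()
        with opener.open(action, data=data, timeout=timeout) as r:  # redirects after login are followed
            return verdict(r.status, r.read().decode("utf-8", "replace"), match)
    except Exception as e:  # timeouts, connection errors, HTTP 4xx/5xx
        return CRITICAL, f"CRITICAL - {e}"


# Constructed sample login page (not an Atomia HCP page)
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/account/login" method="POST">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""
```

`check_login("https://some.uri.of.hcp/", "somelowprivuser", "somepass", match="Logout")` returns the exit code and message a Nagios plugin would print; the parser and `verdict` can be exercised on `SAMPLE_LOGIN_PAGE` without network access.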
## check_admins.ps1
This script checks the members of an administrative group on the Windows server. The group can be either a local group or a domain group. The script compares the group's members against the list of accounts provided, and if the group contains accounts that are not on the list it outputs CRITICAL and lists them.
### Parameters
```
check_admins.ps1
-domain "Domain group name"
-local "Local group name"
-usernames "COMPUTER\User1,DOMAIN\User2"
```
### Exit codes
```
0 - OK
2 - CRITICAL
3 - UNKNOWN
```
### Examples
Example call when all users are on the list and there are no additional members in the group **Domain Admins**:
```
./check_admins.ps1 -domain "Domain Admins" -usernames "ATOMIA\Administrator,ATOMIA\apppooluser,ATOMIA\WindowsAdmin"
```
Returns:
```
OK - No additional users found
```
Example call when the group contains an additional user that is not on the list:
```
./check_admins.ps1 -domain "Domain Admins" -usernames "ATOMIA\Administrator,ATOMIA\WindowsAdmin"
```
Returns:
```
CRITICAL - 1 additional users
ATOMIA\apppooluser
```
Here **apppooluser** was left out of the `-usernames` list, so it is reported as an additional member.
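The comparison the script performs, as an added example written for this page in Python rather than taken from check_admins.ps1. It assumes the group membership is handed in as a list of `DOMAIN\User` strings (on a real host this would come from `Get-LocalGroupMember` or `Get-ADGroupMember`), compares names case-insensitively as Windows does, accepts both of the `-usernames` quoting forms shown in the Nagios server setup below, and reproduces the output format of the README examples. Note that, following the rule "more users in the group than on the list", an account that is on the list but missing from the group is not an alert.

```python
"""Added example (not check_admins.ps1 from atomia-nagios-plugins): allowlist
comparison of an admin group's members with Nagios-style output."""

OK, CRITICAL, UNKNOWN = 0, 2, 3


def parse_usernames(arg):
    """Split the -usernames argument into a set of names.
    Accepts "COMPUTER\\User1,DOMAIN\\User2" as well as the quoted forms that
    check_nrpe passes through, "A\\x","B\\y" and "A\\x,B\\y"."""
    return {u.strip().strip('"') for u in arg.split(",") if u.strip().strip('"')}


def check_admins(group_name, members, allowed):
    """Return (exit_code, output) for the members of `group_name` against `allowed`.
    Members not on the list are reported; names on the list that are absent from the
    group are deliberately not reported, mirroring the README's rule."""
    if members is None:
        return UNKNOWN, f"UNKNOWN - could not read members of {group_name}"
    allowed_ci = {a.lower() for a in allowed}  # Windows account names are case-insensitive
    extra = sorted(m for m in members if m.lower() not in allowed_ci)
    if not extra:
        return OK, "OK - No additional users found"
    return CRITICAL, "\n".join([f"CRITICAL - {len(extra)} additional users", *extra])


# Constructed sample: the Domain Admins membership implied by the README examples
DOMAIN_ADMINS = ["ATOMIA\\Administrator", "ATOMIA\\apppooluser", "ATOMIA\\WindowsAdmin"]

if __name__ == "__main__":
    import sys
    code, out = check_admins("Domain Admins", DOMAIN_ADMINS,
                             parse_usernames("ATOMIA\\Administrator,ATOMIA\\WindowsAdmin"))
    print(out)
    sys.exit(code)
```

Run as-is, the block prints the CRITICAL output from the second README example and exits with code 2.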
### Nagios client setup
Assuming you are using NSClient++ on Windows, the check script needs to be put into: `C:\Program Files\NSClient++\scripts`.
#### nsclient.ini
Configuration should be as follows:
```
[/settings/NRPE/server]
...
allow arguments = true
allow nasty characters = true
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
[/settings/external scripts/scripts]
check_domain_admins = cmd /c echo scripts\check_admins.ps1 -domain "Domain Admins" -usernames $ARG1$; exit($lastexitcode) | powershell.exe -command -
check_enterprise_admins = cmd /c echo scripts\check_admins.ps1 -domain "Enterprise Admins" -usernames $ARG1$; exit($lastexitcode) | powershell.exe -command -
check_local_admins = cmd /c echo scripts\check_admins.ps1 -local "Administrators" -usernames $ARG1$; exit($lastexitcode) | powershell.exe -command -
```
Here we define the three most common commands: checking the **Domain Admins** and **Enterprise Admins** domain groups and the **Administrators** local group.

Note that each command echoes a command line containing `$ARG1$` into `powershell.exe -command -`, so whatever text arrives as the NRPE argument is executed as PowerShell, and `allow nasty characters = true` permits characters such as `;` and `|` in that argument. Only accept NRPE connections from trusted monitoring hosts (restrict `allowed hosts` in nsclient.ini) when using this configuration.
### Nagios server setup
The check is triggered from the Nagios server with `check_nrpe`; an example call for domain admins would be:
```
/usr/local/nagios/libexec/check_nrpe -H 192.168.33.20 -t 30 -c check_domain_admins -a "ATOMIA\Administrator,ATOMIA\WindowsAdmin"
```
This calls the **check_domain_admins** command on the client, which passes the argument on to the script.
The command in Nagios would be set up like this:
Command: `$USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ -a $ARG2$`
$ARG1$: `check_domain_admins`
$ARG2$: `'"ATOMIA\Administrator","ATOMIA\WindowsAdmin"'`
or
$ARG2$: `'"ATOMIA\Administrator,ATOMIA\WindowsAdmin"'`
> **Important:** Wrap the whole argument in single quotes `'` and the user list itself in double quotes `"`, as shown above.
> **Important:**
> Use `check_nrpe_1arg` instead of `check_nrpe` as the _Check command_ in the Nagios UI.
>
> `check_nrpe_1arg` passes `$ARG2$` via `-a` as required, whereas `check_nrpe` passes `$ARG2$` via `-c` and it is not properly substituted: the PowerShell script receives `$` as the parameter value instead of the contents of `$ARG2$`.
## check_logons.ps1
Nagios plugin that alerts on successful logons (Event ID 4624) in the Security event log of the system that do not match the configured lists of known users and source IPs.
If unknown users are found, a CRITICAL message is shown and the exit code is 2. The unknown users, with computer name or NetBIOS domain, are listed on new lines after the CRITICAL message. Unknown source IPs are reported as CRITICAL in the same way.
The plugin stores the timestamp of the last processed event in the TEMP folder and on the next run processes only events newer than that timestamp, so each event is examined once.
Once a CRITICAL has been raised, every following check returns CRITICAL until the lock file is deleted; the path of the file to delete is shown in the CRITICAL Nagios message.
The script can be run in two ways via Nagios:
1. Normally, with all options, via the NSClient++ configuration.
2. As a separate Windows scheduled task, with one instance using the `-checkOnly` option in the NSClient++ configuration.
Option 2 is preferred because this check may take longer, since it parses the event log. Option 1 is still possible but would require increasing the NRPE timeout, which is not covered by this guide.
### Parameters
```
check_logons.ps1
-logonTypes '10','3'
-ignoreUsers 'VAGRANT\WINMASTER$','VAGRANT\Administrator'
-ignoreIPs '127.0.0.1','192.168.33.10','192.168.33.22'
-debug
-id
```
All parameters are optional. The ignore parameters are essentially whitelists: users or IPs in the list are ignored, and events that match them are OK and will not result in a CRITICAL.
#### logonTypes
This parameter tells the script which 4624 logon types to check in the Security log, as a list of logon type ids. For example, 10 is RemoteInteractive (Terminal Services), meaning RDP connections to the server are checked. The available types are shown in the table below:
<table class="table">
<thead>
<tr class="header">
<th>Logon type</th>
<th>Logon title</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>2</p></td>
<td><p>Interactive</p></td>
<td><p>A user logged on to this computer.</p></td>
</tr>
<tr class="even">
<td><p>3</p></td>
<td><p>Network</p></td>
<td><p>A user or computer logged on to this computer from the network.</p></td>
</tr>
<tr class="odd">
<td><p>4</p></td>
<td><p>Batch</p></td>
<td><p>Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.</p></td>
</tr>
<tr class="even">
<td><p>5</p></td>
<td><p>Service</p></td>
<td><p>A service was started by the Service Control Manager.</p></td>
</tr>
<tr class="odd">
<td><p>7</p></td>
<td><p>Unlock</p></td>
<td><p>This workstation was unlocked.</p></td>
</tr>
<tr class="even">
<td><p>8</p></td>
<td><p>NetworkCleartext</p></td>
<td><p>A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).</p></td>
</tr>
<tr class="odd">
<td><p>9</p></td>
<td><p>NewCredentials</p></td>
<td><p>A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.</p></td>
</tr>
<tr class="even">
<td><p>10</p></td>
<td><p>RemoteInteractive</p></td>
<td><p>A user logged on to this computer remotely using Terminal Services or Remote Desktop.</p></td>
</tr>
<tr class="odd">
<td><p>11</p></td>
<td><p>CachedInteractive</p></td>
<td><p>A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.</p></td>
</tr>
</tbody>
</table>
Detailed information can be found at: https://bit.ly/2ULjexx
#### ignoreUsers
This parameter takes a list of users that are ignored, i.e. allowed, by the script. The idea is to list all users that require access to the server where the check is running.
If you don't specify `-ignoreUsers`, any username is treated as unknown. Usernames need to be specified in the format "DOMAIN\Username" or "COMPUTER\Username", using the NetBIOS short name. Computer accounts end in `$`, as in `VAGRANT\WINMASTER$` above.
#### ignoreIPs
If you don't specify `-ignoreIPs`, any IP is treated as suspicious. You can specify one IP or several. Any event whose source IP is not in the list is reported as suspicious, so make sure that all expected IPs are specified.
#### disableIPCheck
Disables checking of the source IPs from the Security log. By default you need to specify a list of IPs that will be whitelisted, or you will get a CRITICAL alert as soon as any IP shows up.
If you specify `-disableIPCheck`, IPs from the logon events are not checked and the `-ignoreIPs` parameter has no effect.
#### debug
This parameter prints more information about the run of the script: all events that are processed and various other details such as the locations of the lock files and the temp directory. It should only be used while debugging the output of the script, for example when some events are not parsed correctly.
#### id
If you specify `-id`, a folder with that name is created in the temp directory and the log and lock files are created there.
#### testOnly
If you specify `-testOnly`, the script only checks whether a lock file from the last run is still present. If it exists, the message from that run is written; otherwise the OK message is written. The examples and the NSClient++ configuration below refer to this option as `-checkOnly`; check which spelling your copy of the script accepts.
No options other than `-id` need to be specified together with `-testOnly`, since they are not evaluated; only the lock file is checked.
#### logLocation
If you specify `-logLocation`, the script creates and checks the lock files in that location. Specify an absolute path. By default the temp location from the environment variable is used.
### Exit codes
```
0 - OK
2 - CRITICAL
3 - UNKNOWN
```
### Examples
Example call using the common options:
```
./check_logons.ps1 -logonTypes 10 -ignoreIPs '127.0.0.1','192.168.33.10','192.168.33.22' -ignoreUsers 'VAGRANT\WINMASTER$'
```
Response:
```
OK - Processed 3883 logs
```
This means that everything was OK and no suspicious activity was detected.
If you specified the `-checkOnly` option and are running the actual check from the task scheduler, then if everything was OK you would get the following response:
```
OK - No suspicious activity in the last scan
```
The next example runs only the user check (IP check disabled) and shows how the unknown user `vitanovic` logging into the server is reported. Had `VAGRANT\Administrator` logged on instead, no alert would have been raised, because that account is on the ignore list.
Call:
```
./check_logons.ps1 -logonTypes 10 -disableIPCheck -ignoreUsers 'VAGRANT\WINMASTER$','VAGRANT\Administrator'
```
Response:
```
CRITICAL - There are 2 unauthorised logins
Suspicious user - User: VAGRANT\vitanovic IP: 192.168.33.1 EventIndex: 148446 LogonType: 10
Suspicious user - User: VAGRANT\vitanovic IP: 192.168.33.1 EventIndex: 148445 LogonType: 10
```
Example call that only checks for the existence of the lock file. This is useful when you are running the script as a Nagios check. It assumes that you have already run the script as above with the parameters you want, and only checks whether the lock file exists.
```
./check_logons.ps1 -id SOME_ID -checkOnly
```
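The filtering that the parameters and examples above describe, as an added example written for this page in Python over constructed event XML, so that it runs offline; it is not check_logons.ps1 itself. It assumes the events come in the Windows event XML layout (on a real host from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` and `.ToXml()`), matches user names case-insensitively in `DOMAIN\User` form, and keeps the "last processed" timestamp as an in-memory watermark instead of the file in TEMP. The `Suspicious user` line and the OK line follow the README; the `Suspicious IP` line format and the watermark handling are this example's own, and the lock file that keeps CRITICAL sticky is not modelled.

```python
"""Added example (not check_logons.ps1 from atomia-nagios-plugins): the
-logonTypes / -ignoreUsers / -ignoreIPs / -disableIPCheck filtering of 4624
events, run over constructed event XML."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

OK, CRITICAL = 0, 2
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _parse_time(system_time):
    """TimeCreated/@SystemTime looks like 2019-03-04T10:15:02.1234567Z; trim the
    fraction to microseconds so datetime.fromisoformat accepts it on older Pythons."""
    trimmed = re.sub(r"(\.\d{6})\d+", r"\1", system_time).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed)


def parse_4624(xml_text):
    """Pull the fields the check needs out of one 4624 event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "record_id": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
        "time": _parse_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "user": f"{data['TargetDomainName']}\\{data['TargetUserName']}",  # NetBIOS form
        "logon_type": int(data["LogonType"]),
        "ip": data.get("IpAddress", "-"),  # "-" for local logons; treated like any other value here
    }


def scan(events, logon_types, ignore_users=(), ignore_ips=(), disable_ip_check=False, since=None):
    """Apply the ignore lists to parsed events newer than `since` and return
    (exit_code, output, new_watermark). The watermark stands in for the timestamp
    file the script keeps in TEMP (assumption of this example)."""
    users = {u.lower() for u in ignore_users}  # Windows account names are case-insensitive
    ips = set(ignore_ips)
    suspicious, processed, watermark = [], 0, since
    for ev in sorted(events, key=lambda e: e["record_id"], reverse=True):  # newest first
        if since is not None and ev["time"] <= since:
            continue  # already examined on an earlier run
        processed += 1
        if watermark is None or ev["time"] > watermark:
            watermark = ev["time"]
        if ev["logon_type"] not in logon_types:
            continue
        detail = (f"User: {ev['user']} IP: {ev['ip']} "
                  f"EventIndex: {ev['record_id']} LogonType: {ev['logon_type']}")
        if ev["user"].lower() not in users:
            suspicious.append("Suspicious user - " + detail)
        elif not disable_ip_check and ev["ip"] not in ips:
            suspicious.append("Suspicious IP - " + detail)  # line format assumed, not from the README
    if suspicious:
        header = f"CRITICAL - There are {len(suspicious)} unauthorised logins"
        return CRITICAL, "\n".join([header, *suspicious]), watermark
    return OK, f"OK - Processed {processed} logs", watermark


def _event(record_id, time, domain, user, logon_type, ip):
    """Constructed 4624 event XML in the layout Windows uses (System + EventData)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><EventRecordID>{record_id}</EventRecordID>
    <TimeCreated SystemTime="{time}"/></System>
  <EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data></EventData>
</Event>"""


# Constructed sample log: one machine-account network logon, the two RDP logons by
# vitanovic from the README example, and one RDP logon by Administrator.
SAMPLE_EVENTS = [parse_4624(_event(*e)) for e in [
    (148440, "2019-03-04T10:00:00.1234567Z", "VAGRANT", "WINMASTER$", 3, "192.168.33.10"),
    (148445, "2019-03-04T10:15:01Z", "VAGRANT", "vitanovic", 10, "192.168.33.1"),
    (148446, "2019-03-04T10:15:02Z", "VAGRANT", "vitanovic", 10, "192.168.33.1"),
    (148447, "2019-03-04T10:20:00Z", "VAGRANT", "Administrator", 10, "192.168.33.22"),
]]

if __name__ == "__main__":
    import sys
    code, out, _ = scan(SAMPLE_EVENTS, {10}, ["VAGRANT\\WINMASTER$", "VAGRANT\\Administrator"],
                        disable_ip_check=True)
    print(out)
    sys.exit(code)
```

Run as-is, the block reproduces the two `Suspicious user` lines of the README example (newest event first) and exits with code 2. Passing the returned watermark back as `since` on the next call yields `OK - Processed 0 logs`, which is the behaviour the timestamp file in TEMP provides for the real script.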
### Task scheduler setup
In order for the script not to time out, it needs to be set up as a scheduled task in Windows. You need to set this up on each and every server on which you want to run the script.
Let's say that we want to run the script with the following arguments:
```
./check_logons.ps1 -logonTypes 10 -disableIPCheck -ignoreUsers 'VAGRANT\WINMASTER$','VAGRANT\Administrator' -id LOGON
```
You should first try to run this manually and see if the desired output is generated:
```
powershell.exe -executionPolicy bypass -file "C:\Program Files (x86)\Atomia\Security\check_logons.ps1" "-disableIPCheck" "-id" "LOGON" "-ignoreUsers" "VAGRANT\Administrator,VAGRANT\WINMASTER$"
```
Make sure that you put the full path to the location of the script that you are trying to run.
If your folder and files are generated as expected, proceed with creating the task in Task Scheduler.
1. Create a new Task (not a Basic Task).
2. Select the options as shown in the image:
![](https://i.imgur.com/np49eVP.png)
3. Go to the Triggers tab and set a Daily trigger that repeats every 5 minutes:
![](https://i.imgur.com/Y4dJV6n.png)
4. On the Actions tab, fill in the action as in the PowerShell call above:
![](https://i.imgur.com/RVkRd4c.png)
5. You can trigger the task manually to run it for the first time; afterwards it repeats on the schedule.
### Nagios client setup
Assuming you are using NSClient++ on Windows, the check script needs to be put into: `C:\Program Files\NSClient++\scripts`.
#### nsclient.ini
Configuration should be as follows:
```
[/settings/NRPE/server]
...
allow arguments = true
allow nasty characters = true
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
[/settings/external scripts/scripts]
check_logons = cmd /c echo scripts\check_logons.ps1 -id $ARG1$ -checkOnly ; exit($lastexitcode) | powershell.exe -command -
```
Here we define the `check_logons` command, which runs the script with `-checkOnly` and the `-id` passed from Nagios, so the NRPE call only reads the lock file left by the scheduled task instead of parsing the event log. As with the check_admins commands, the argument text is echoed into `powershell.exe -command -` and executed as PowerShell, so NRPE arguments must only be accepted from trusted monitoring hosts.
### Nagios server setup
The check is triggered from the Nagios server with `check_nrpe`; an example call would be:
```
/usr/local/nagios/libexec/check_nrpe -H 192.168.177.26 -t 30 -c check_logons -a SOME_ID
```
This calls the **check_logons** command on the client, which passes the argument on to the script.
The command in Nagios would be set up like this:
Command: `$USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ -a $ARG2$ $ARG3$ $ARG4$ $ARG5$`
$ARG1$: `check_logons`
$ARG2$: `SOME_ID`