Added Icinga Service and Service permission management
This commit is contained in:
parent
317c42daef
commit
90f61052da
6 changed files with 170 additions and 0 deletions
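--- a/PATH_NOT_ON_PAGE/Get-IcingaAgentServicePermission.psm1
+++ b/PATH_NOT_ON_PAGE/Get-IcingaAgentServicePermission.psm1
@@ -0,0 +1,16 @@
+function Get-IcingaAgentServicePermission()
+{
+$SystemPermissions = New-TemporaryFile;
+$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/export /cfg "{0}.inf"', $SystemPermissions));
+
+if ($SystemOutput.ExitCode -ne 0) {
+throw ([string]::Format('Unable to fetch system permission information: {0}', $SystemOutput.Message));
+return $null;
+}
+
+$SystemContent = Get-Content "$SystemPermissions.inf";
+
+Remove-Item $SystemPermissions*;
+
+return $SystemContent;
+}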
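Review bot: The temporary files are only removed on the success path; when `secedit.exe /export` fails, the `throw` on line 7 of the hunk leaves whatever was written to `<tmp>.inf` in the user's temp directory, and the `return $null;` after it is unreachable. The exported template holds the machine's user-rights assignments, so it should be deleted on the failure path as well. A `try { … } finally { Remove-Item $SystemPermissions*; }` around the export covers both paths and lets the dead `return` go.
```powershell
$SystemPermissions = New-TemporaryFile;
try {
    # … unchanged: secedit /export call and its ExitCode check …
    $SystemContent = Get-Content "$SystemPermissions.inf";
} finally {
    # runs on the throw path too, so the exported template never lingers in the temp directory
    Remove-Item $SystemPermissions*;
}

return $SystemContent;
```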
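--- a/PATH_NOT_ON_PAGE/Set-IcingaAgentServicePermission.psm1
+++ b/PATH_NOT_ON_PAGE/Set-IcingaAgentServicePermission.psm1
@@ -0,0 +1,46 @@
+function Set-IcingaAgentServicePermission()
+{
+if (Test-IcingaAgentServicePermission -Silent) {
+Write-Host 'The Icinga Service User already has permission to run as service';
+return;
+}
+
+$SystemPermissions = New-TemporaryFile;
+$ServiceUser = Get-IcingaServiceUser;
+$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
+$SystemContent = Get-IcingaAgentServicePermission;
+$NewSystemContent = @();
+
+if ([string]::IsNullOrEmpty($ServiceUser)) {
+Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
+return $FALSE;
+}
+
+foreach ($line in $SystemContent) {
+if ($line -like '*SeServiceLogonRight*') {
+$line = [string]::Format('{0},*{1}', $line, $ServiceUserSID);
+}
+
+$NewSystemContent += $line;
+}
+
+Set-Content -Path "$SystemPermissions.inf" -Value $NewSystemContent;
+
+$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/import /cfg "{0}.inf" /db "{0}.sdb"', $SystemPermissions));
+
+if ($SystemOutput.ExitCode -ne 0) {
+throw ([string]::Format('Unable to import system permission information: {0}', $SystemOutput.Message));
+return $null;
+}
+
+$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/configure /cfg "{0}.inf" /db "{0}.sdb"', $SystemPermissions));
+
+if ($SystemOutput.ExitCode -ne 0) {
+throw ([string]::Format('Unable to configure system permission information: {0}', $SystemOutput.Message));
+return $null;
+}
+
+Remove-Item $SystemPermissions*;
+
+Test-IcingaAgentServicePermission | Out-Null;
+}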
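Review bot: `Get-IcingaUserSID $ServiceUser` on line 10 of the hunk runs before the empty-user guard on line 14, and Get-IcingaUserSID (added in this commit) throws when the account cannot be translated, so the guard and its FAILED message are never reached for an empty user; Test-IcingaAgentServicePermission in this commit has the same order. Moving the guard above the SID lookup fixes both. Separately, both `throw` branches leave `<tmp>.inf` and `<tmp>.sdb` behind because `Remove-Item $SystemPermissions*` sits only on the success path, and the `return $null;` after each `throw` is unreachable; a `try { … } finally { Remove-Item $SystemPermissions*; }` around the secedit calls handles that. Also worth confirming: secedit templates are normally Unicode-encoded, while `Set-Content` without `-Encoding` writes the platform default, which may not be what `/import` expects.
```powershell
$ServiceUser = Get-IcingaServiceUser;
if ([string]::IsNullOrEmpty($ServiceUser)) {
    Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
    return $FALSE;
}
$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
$SystemPermissions = New-TemporaryFile;
try {
    # … unchanged: build $NewSystemContent, Set-Content, secedit /import and /configure with their ExitCode checks …
} finally {
    # cleanup on both the success and the throw path
    Remove-Item $SystemPermissions*;
}
Test-IcingaAgentServicePermission | Out-Null;
```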
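--- a/lib/core/icingaagent/setters/Set-IcingaAgentServiceUser.psm1
+++ b/lib/core/icingaagent/setters/Set-IcingaAgentServiceUser.psm1
@@ -0,0 +1,30 @@
+function Set-IcingaAgentServiceUser()
+{
+param(
+[string]$User,
+[securestring]$Password
+);
+
+if ([string]::IsNullOrEmpty($User)) {
+throw 'Please specify a username to modify the service user';
+return $FALSE;
+}
+
+$ArgString = 'config icinga2 obj= "{0}" password="{1}"';
+if($null -eq $Password) {
+$ArgString = 'config icinga2 obj= "{0}"{1}';
+}
+
+$Output = Start-IcingaProcess `
+-Executable 'sc.exe' `
+-Arguments ([string]::Format($ArgString, $User, (ConvertFrom-IcingaSecureString $Password))) `
+-FlushNewLines $TRUE;
+
+if ($Output.ExitCode -eq 0) {
+Write-Host 'Service User successfully updated'
+return $TRUE;
+} else {
+Write-Host ([string]::Format('Failed to update the service user: {0}', $Output.Message));
+return $FALSE;
+}
+}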
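Review bot: The service account password is converted back to plaintext and placed on the `sc.exe` command line on lines 18–21 of the hunk, so it is readable by any local process that enumerates command lines and is captured by process-creation auditing (Security event 4688 with command-line logging, Sysmon event 1) wherever that is enabled. Nothing in the function documents this and callers cannot avoid it. The `Win32_Service.Change` method accepts `StartName`/`StartPassword` through the CIM API instead of the process arguments, which removes the exposure; if `sc.exe` is kept, a header comment such as `# NOTE: the password is passed as a plain sc.exe argument and is visible in process/command-line auditing` at least makes the trade-off explicit. The `return $FALSE;` after the `throw` on line 9 is unreachable.
```powershell
# Credential travels through the CIM call rather than the process command line
$Service = Get-CimInstance -ClassName Win32_Service -Filter "Name='icinga2'";
$Result  = Invoke-CimMethod -InputObject $Service -MethodName Change -Arguments @{
    StartName     = $User;
    StartPassword = (ConvertFrom-IcingaSecureString $Password);
};
# … unchanged: success / failure reporting, keyed on $Result.ReturnValue -eq 0 instead of $Output.ExitCode …
```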
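--- a/PATH_NOT_ON_PAGE/Test-IcingaAgent.psm1
+++ b/PATH_NOT_ON_PAGE/Test-IcingaAgent.psm1
@@ -2,6 +2,7 @@ function Test-IcingaAgent()
 {
 if (Get-Service 'icinga2' -ErrorAction SilentlyContinue) {
 Write-IcingaTestOutput -Severity 'PASSED' -Message 'Icinga Agent Service is installed';
+Test-IcingaAgentServicePermission | Out-Null;
 Test-IcingaAcl "$Env:ProgramData\icinga2\etc" -WriteOutput | Out-Null;
 Test-IcingaAcl "$Env:ProgramData\icinga2\var" -WriteOutput | Out-Null;
 Test-IcingaAcl (Get-IcingaCacheDir) -WriteOutput | Out-Null;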
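Review bot: The added `Test-IcingaAgentServicePermission | Out-Null;` can abort Test-IcingaAgent with an unhandled exception, because Test-IcingaAgentServicePermission calls Get-IcingaUserSID and Get-IcingaAgentServicePermission, both of which `throw` in this commit (untranslatable account, failed secedit export), while the neighbouring Test-IcingaAcl lines only report. If this is meant to be one more report line, wrap it: `try { Test-IcingaAgentServicePermission | Out-Null; } catch { Write-IcingaTestOutput -Severity 'FAILED' -Message $_.Exception.Message; }`. Test-IcingaAgent starts and ends outside the hunk.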
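--- a/PATH_NOT_ON_PAGE/Test-IcingaAgentServicePermission.psm1
+++ b/PATH_NOT_ON_PAGE/Test-IcingaAgentServicePermission.psm1
@@ -0,0 +1,46 @@
+function Test-IcingaAgentServicePermission()
+{
+param(
+[switch]$Silent = $FALSE
+);
+
+$ServiceUser = Get-IcingaServiceUser;
+$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
+$SystemContent = Get-IcingaAgentServicePermission;
+[bool]$FoundSID = $FALSE;
+
+if ([string]::IsNullOrEmpty($ServiceUser)) {
+if (-Not $Silent) {
+Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
+}
+return $FALSE;
+}
+
+foreach ($line in $SystemContent) {
+if ($line -like '*SeServiceLogonRight*') {
+$Index = $line.IndexOf('= ') + 2;
+[string]$SIDs = $line.Substring($Index, $line.Length - $Index);
+[array]$SIDArray = $SIDs.Split(',');
+
+foreach ($sid in $SIDArray) {
+if ($sid -like "*$ServiceUserSID" -Or $sid -eq $ServiceUser) {
+$FoundSID = $TRUE;
+break;
+}
+}
+}
+if ($FoundSID) {
+break;
+}
+}
+
+if (-Not $Silent) {
+if ($FoundSID) {
+Write-IcingaTestOutput -Severity 'PASSED' -Message ([string]::Format('The specified user "{0}" is allowed to run as service.', $ServiceUser));
+} else {
+Write-IcingaTestOutput -Severity 'FAILED' -Message ([string]::Format('The specified user "{0}" is not allowed to run as service.', $ServiceUser));
+}
+}
+
+return $FoundSID;
+}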
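Review bot: The SID extraction on lines 21–23 of the hunk depends on the literal separator `'= '`; when `IndexOf` finds no match it returns -1, `$Index` becomes 1, and the loop then silently compares a substring of the wrong text instead of failing. `[string]$SIDs = ($line -split '=', 2)[1].Trim();` tolerates the spacing and fails loudly when there is no `=` at all. The `-like "*$ServiceUserSID"` test also interpolates the SID into a wildcard pattern; since Set-IcingaAgentServicePermission writes the entries in `*<SID>` form, `$sid.Trim() -eq "*$ServiceUserSID"` states the intended exact match and avoids suffix matching against unrelated entries.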
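--- a/lib/core/tools/Get-IcingaUserSID.psm1
+++ b/lib/core/tools/Get-IcingaUserSID.psm1
@@ -0,0 +1,31 @@
+function Get-IcingaUserSID()
+{
+param(
+[string]$User
+);
+
+[string]$Username = '';
+[string]$Domain = '';
+
+if ($User.Contains('\')) {
+$TmpArray = $User.Split('\');
+$Domain = $TmpArray[0];
+$Username = $TmpArray[1];
+} else {
+$Domain = Get-IcingaHostname;
+$Username = $User;
+}
+
+try {
+$NTUser = [System.Security.Principal.NTAccount]::New($Domain, $Username);
+$SecurityData = $NTUser.Translate([System.Security.Principal.SecurityIdentifier]);
+} catch {
+throw $_.Exception;
+}
+
+if ($null -eq $SecurityData) {
+throw 'Failed to fetch user information from system';
+}
+
+return $SecurityData.Value;
+}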
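Review bot: The `try { … } catch { throw $_.Exception; }` on lines 19–24 of the hunk adds nothing: it rethrows the same exception while dropping the original error record's script position, and the `$null -eq $SecurityData` check after it cannot trigger because `Translate` normally either returns a SecurityIdentifier or throws. A plain `$SecurityData = [System.Security.Principal.NTAccount]::New($Domain, $Username).Translate([System.Security.Principal.SecurityIdentifier]);` keeps the behaviour with a more useful error. Also, any `$User` without a backslash is resolved against `Get-IcingaHostname`, so a UPN such as `user@domain` would be looked up as a local account — presumably fine for the accounts the framework assigns, but worth stating on the parameter, e.g. `# $User is expected as DOMAIN\name or a local account name; UPN form is not handled`.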