upstream/icinga-powershell-framework
1
0
Fork 0
mirror of https://github.com/Icinga/icinga-powershell-framework.git synced 2025-12-21 07:10:15 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added Icinga Service and Service permission management

Browse source
This commit is contained in:
Lord Hepipud 2019-10-17 22:51:12 +02:00
parent 317c42daef
commit 90f61052da
6 changed files with 170 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
lib/core/icingaagent/getters/Get-IcingaAgentServicePermission.psm1 Normal file
View file

@ -0,0 +1,16 @@
function Get-IcingaAgentServicePermission()
{
$SystemPermissions = New-TemporaryFile;
$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/export /cfg "{0}.inf"', $SystemPermissions));
if ($SystemOutput.ExitCode -ne 0) {
throw ([string]::Format('Unable to fetch system permission information: {0}', $SystemOutput.Message));
return $null;
}
$SystemContent = Get-Content "$SystemPermissions.inf";
Remove-Item $SystemPermissions*;
return $SystemContent;
}

46
lib/core/icingaagent/setters/Set-IcingaAgentServicePermission.psm1 Normal file
View file

@ -0,0 +1,46 @@
function Set-IcingaAgentServicePermission()
{
if (Test-IcingaAgentServicePermission -Silent) {
Write-Host 'The Icinga Service User already has permission to run as service';
return;
}
$SystemPermissions = New-TemporaryFile;
$ServiceUser = Get-IcingaServiceUser;
$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
$SystemContent = Get-IcingaAgentServicePermission;
$NewSystemContent = @();
if ([string]::IsNullOrEmpty($ServiceUser)) {
Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
return $FALSE;
}
foreach ($line in $SystemContent) {
if ($line -like '*SeServiceLogonRight*') {
$line = [string]::Format('{0},*{1}', $line, $ServiceUserSID);
}
$NewSystemContent += $line;
}
Set-Content -Path "$SystemPermissions.inf" -Value $NewSystemContent;
$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/import /cfg "{0}.inf" /db "{0}.sdb"', $SystemPermissions));
if ($SystemOutput.ExitCode -ne 0) {
throw ([string]::Format('Unable to import system permission information: {0}', $SystemOutput.Message));
return $null;
}
$SystemOutput = Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/configure /cfg "{0}.inf" /db "{0}.sdb"', $SystemPermissions));
if ($SystemOutput.ExitCode -ne 0) {
throw ([string]::Format('Unable to configure system permission information: {0}', $SystemOutput.Message));
return $null;
}
Remove-Item $SystemPermissions*;
Test-IcingaAgentServicePermission | Out-Null;
}

30
lib/core/icingaagent/setters/Set-IcingaAgentServiceUser.psm1 Normal file
View file

@ -0,0 +1,30 @@
function Set-IcingaAgentServiceUser()
{
param(
[string]$User,
[securestring]$Password
);
if ([string]::IsNullOrEmpty($User)) {
throw 'Please specify a username to modify the service user';
return $FALSE;
}
$ArgString = 'config icinga2 obj= "{0}" password="{1}"';
if($null -eq $Password) {
$ArgString = 'config icinga2 obj= "{0}"{1}';
}
$Output = Start-IcingaProcess `
-Executable 'sc.exe' `
-Arguments ([string]::Format($ArgString, $User, (ConvertFrom-IcingaSecureString $Password))) `
-FlushNewLines $TRUE;
if ($Output.ExitCode -eq 0) {
Write-Host 'Service User successfully updated'
return $TRUE;
} else {
Write-Host ([string]::Format('Failed to update the service user: {0}', $Output.Message));
return $FALSE;
}
}

1
lib/core/icingaagent/tests/Test-IcingaAgent.psm1
View file

@ -2,6 +2,7 @@ function Test-IcingaAgent()
{
if (Get-Service 'icinga2' -ErrorAction SilentlyContinue) {
Write-IcingaTestOutput -Severity 'PASSED' -Message 'Icinga Agent Service is installed';
Test-IcingaAgentServicePermission | Out-Null;
Test-IcingaAcl "$Env:ProgramData\icinga2\etc" -WriteOutput | Out-Null;
Test-IcingaAcl "$Env:ProgramData\icinga2\var" -WriteOutput | Out-Null;
Test-IcingaAcl (Get-IcingaCacheDir) -WriteOutput | Out-Null;

46
lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1 Normal file
View file

@ -0,0 +1,46 @@
function Test-IcingaAgentServicePermission()
{
param(
[switch]$Silent = $FALSE
);
$ServiceUser = Get-IcingaServiceUser;
$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
$SystemContent = Get-IcingaAgentServicePermission;
[bool]$FoundSID = $FALSE;
if ([string]::IsNullOrEmpty($ServiceUser)) {
if (-Not $Silent) {
Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
}
return $FALSE;
}
foreach ($line in $SystemContent) {
if ($line -like '*SeServiceLogonRight*') {
$Index = $line.IndexOf('= ') + 2;
[string]$SIDs = $line.Substring($Index, $line.Length - $Index);
[array]$SIDArray = $SIDs.Split(',');
foreach ($sid in $SIDArray) {
if ($sid -like "*$ServiceUserSID" -Or $sid -eq $ServiceUser) {
$FoundSID = $TRUE;
break;
}
}
}
if ($FoundSID) {
break;
}
}
if (-Not $Silent) {
if ($FoundSID) {
Write-IcingaTestOutput -Severity 'PASSED' -Message ([string]::Format('The specified user "{0}" is allowed to run as service.', $ServiceUser));
} else {
Write-IcingaTestOutput -Severity 'FAILED' -Message ([string]::Format('The specified user "{0}" is not allowed to run as service.', $ServiceUser));
}
}
return $FoundSID;
}

31
lib/core/tools/Get-IcingaUserSID.psm1 Normal file
View file

@ -0,0 +1,31 @@
function Get-IcingaUserSID()
{
param(
[string]$User
);
[string]$Username = '';
[string]$Domain = '';
if ($User.Contains('\')) {
$TmpArray = $User.Split('\');
$Domain = $TmpArray[0];
$Username = $TmpArray[1];
} else {
$Domain = Get-IcingaHostname;
$Username = $User;
}
try {
$NTUser = [System.Security.Principal.NTAccount]::New($Domain, $Username);
$SecurityData = $NTUser.Translate([System.Security.Principal.SecurityIdentifier]);
} catch {
throw $_.Exception;
}
if ($null -eq $SecurityData) {
throw 'Failed to fetch user information from system';
}
return $SecurityData.Value;
}