Author: WordPress Administrator
SCOM MS TLS1.2 drivers
Courtesy of Brook Hudson, who provided clarification for encrypting SCOM data –
Question – Can we update the OLE DB Driver from 18.6.5 to 18.6.7 and the ODBC driver from 17.10.3 to 17.10.5.1 without breaking anything?
This configuration applies to SCOM2016 forward –
MS OLE DB Driver 18.6.7: https://go.microsoft.com/fwlink/?linkid=2242656
ODBC Driver 17.10.5.1: https://go.microsoft.com/fwlink/?linkid=2249004
I did NOT have success with this for SCOM2019 and SCOM2022 –
If the SQL endpoint is secured with encryption, then the following drivers can be used.
MS OLE DB Driver 19.3.2: https://aka.ms/downloadmsoledbsql
ODBC Driver 18.3.2.1: https://aka.ms/downloadmsodbcsql
If you want to use these newer drivers, SQL encryption is required. More information about enabling SQL encryption: Configure SQL Server Database Engine for encryption – SQL Server | Microsoft Learn – https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver15
The SQL team noted that the newer driver versions default Encrypt to Yes/Mandatory. That is why the new drivers were failing to connect. Setting up a certificate on the SQL endpoint would have allowed the connection to work:
Enable encrypted connections – SQL Server | Microsoft Docs
Certificate Management (SQL Server Configuration Manager) – SQL Server | Microsoft Docs
OLE DB Driver 19.0 for SQL Server Released – Microsoft Tech Community
ODBC Driver 18.0 for SQL Server Released – Microsoft Tech Community
IMPORTANT:
Update: Hotfixes released for ODBC and OLE DB drivers for SQL Server – Microsoft Community Hub
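An added example (not from the post or from Microsoft) that tests what the newer drivers will do before you upgrade SCOM: it opens an ODBC Driver 18 connection with the driver default Encrypt=yes and TrustServerCertificate=no against the OperationsManager database, then confirms from sys.dm_exec_connections that the session is actually encrypted. The server name is a placeholder.

```powershell
# Added example: verify the SQL endpoint accepts an encrypted, certificate-validated connection
# with ODBC Driver 18 defaults (Encrypt=yes). '##SQLSERVER##' is a placeholder for your instance.
function Test-SqlEncryptedConnection {
    param(
        [Parameter(Mandatory)][string]$Server,            # e.g. 'SQL01.contoso.local,1433' (placeholder)
        [string]$Database = 'OperationsManager',
        [string]$Driver   = 'ODBC Driver 18 for SQL Server'
    )
    # TrustServerCertificate=no forces real certificate validation, which is the condition
    # the post describes SCOM failing on when the endpoint has no trusted certificate.
    $cs = "Driver={$Driver};Server=$Server;Database=$Database;Trusted_Connection=yes;Encrypt=yes;TrustServerCertificate=no"
    $conn = New-Object System.Data.Odbc.OdbcConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # encrypt_option is TRUE when the TDS session is encrypted; auth_scheme shows KERBEROS/NTLM/SQL
        $cmd.CommandText = "SELECT encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        [pscustomobject]@{
            Server     = $Server
            Connected  = $true
            Encrypted  = ($rdr['encrypt_option'] -eq 'TRUE')
            AuthScheme = $rdr['auth_scheme']
            Error      = $null
        }
    } catch {
        # Without a trusted certificate the driver reports
        # "SSL Provider: The certificate chain was issued by an authority that is not trusted."
        [pscustomobject]@{ Server = $Server; Connected = $false; Encrypted = $false; AuthScheme = $null; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage from a SCOM management server, under the account the SDK/Data Access service runs as:
# Test-SqlEncryptedConnection -Server '##SQLSERVER##'
```

A Connected=$false result with the certificate-chain error is the same failure the post saw with OLE DB 19.x / ODBC 18.x; a Connected=$true, Encrypted=$true result means the endpoint certificate is trusted and the driver upgrade is safe from that angle.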
ServiceNow Event integration
SNOW prerequisites
Update incident script and begin testing.
$ServiceNowURL="https://##SERVICENOWURL##/api/now/table/em_event"
# Test New-SNOWEvent.ps1
ServiceNow Incident Integration
SNOW prerequisites
Update incident script and begin testing.
$ServiceNowURL="https://##ServiceNowURL##/api/now/table/incident"
#$Proxy = "##CustomerProxyURL##"
$CallerID = "##GUID##"
# Test New-SNOWIncident.ps1
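As an added example covering both the event and the incident integration above (it is not the post's New-SNOWEvent.ps1 or New-SNOWIncident.ps1), this posts a SCOM alert to either the em_event or the incident table over TLS 1.2, using a PSCredential instead of an embedded password. The ##PLACEHOLDER## values, the severity mapping and the em_event/incident field names are assumptions to verify against your ServiceNow instance.

```powershell
# Added example, not the post's New-SNOWEvent.ps1 / New-SNOWIncident.ps1. ##PLACEHOLDER## values
# and the em_event/incident field names are assumptions to verify against your ServiceNow instance.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Send-SNOWRecord {
    param(
        [Parameter(Mandatory)][string]$Url,                   # .../api/now/table/em_event or .../incident
        [Parameter(Mandatory)][hashtable]$Body,
        [Parameter(Mandatory)][pscredential]$Credential,      # from Get-Credential, never a literal password
        [string]$Proxy                                        # optional, e.g. ##CustomerProxyURL##
    )
    # Basic auth header built from the PSCredential; works on Windows PowerShell 5.1 and PowerShell 7
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $params = @{
        Uri         = $Url
        Method      = 'Post'
        ContentType = 'application/json'
        Headers     = @{ Authorization = "Basic $token"; Accept = 'application/json' }
        Body        = ($Body | ConvertTo-Json -Depth 5)
    }
    if ($Proxy) { $params.Proxy = $Proxy }
    (Invoke-RestMethod @params).result        # ServiceNow wraps the created record in 'result'
}

# Map a SCOM alert to em_event fields. SCOM severity: Error=2, Warning=1, Information=0.
# ServiceNow event severity: 1=Critical ... 4=Warning, 5=Info (mapping assumed; adjust to your event rules).
function ConvertTo-SNOWEvent {
    param([Parameter(Mandatory)]$Alert)
    $sevMap = @{ 2 = 1; 1 = 4; 0 = 5 }
    @{
        source          = 'SCOM'
        node            = $Alert.NetbiosComputerName
        type            = $Alert.Name
        resource        = $Alert.MonitoringObjectDisplayName
        severity        = $sevMap[[int]$Alert.Severity]
        description     = $Alert.Description
        message_key     = "SCOM:$($Alert.Id)"                 # lets ServiceNow de-duplicate repeats of one alert
        additional_info = (@{ AlertId = "$($Alert.Id)"; MonitoringObjectId = "$($Alert.MonitoringObjectId)" } | ConvertTo-Json -Compress)
    }
}

# Usage on a SCOM management server (OperationsManager module loaded):
# $cred = Get-Credential   # ServiceNow integration account
# Get-SCOMAlert -ResolutionState 0 -Severity Error | ForEach-Object {
#     Send-SNOWRecord -Url 'https://##ServiceNowURL##/api/now/table/em_event' -Body (ConvertTo-SNOWEvent $_) -Credential $cred
# }
# Incident instead of event (caller_id is the ##GUID## from the post):
# Send-SNOWRecord -Url 'https://##ServiceNowURL##/api/now/table/incident' -Credential $cred `
#     -Body @{ caller_id = '##GUID##'; short_description = $alert.Name; description = $alert.Description }
```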
SCOM maintenance schedules
From PowerShell on SCOM MS
Example Output
OMI vulnerabilities for SCOM/LogAnalytics
Thank you Aris for reaching out with questions on these new vulnerabilities!
New OMI vulnerabilities for the SCOM/Log Analytics agents have been posted. They apply to the OMI component of the SCOM2019, SCOM2022, and Log Analytics agents on non-Windows (UNIX/Linux) server operating systems. See the hotfix details below to resolve.
OMI vulnerabilities for SCOM/LogAnalytics CVE details
CVE-2024-21334 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21334
The vulnerability is a use-after-free error in the Open Management Infrastructure (OMI). A remote attacker can execute arbitrary code on the target system.
CVE-2024-21330 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21330
The vulnerability exists because the application does not properly impose security restrictions in the Open Management Infrastructure (OMI), which leads to a security restrictions bypass and privilege escalation.
SCOM Download links
2019 https://www.microsoft.com/en-us/download/details.aspx?id=58208
2022 https://www.microsoft.com/en-in/download/details.aspx?id=104213
Update OMI for SCOM/Log Analytics agents
Leverage Holman's Monitoring UNIX quick start guide(s) if you need a 'how to' or refresher on updating your SCOM management groups with the latest packs and on updating the agent on non-Windows/UNIX servers.
SCOM2022 https://kevinholman.com/2022/12/12/monitoring-unix-linux-with-scom-2022/
SCOM2016,2019 https://kevinholman.com/2016/11/11/monitoring-unix-linux-with-opsmgr-2016/
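An added example (not from the post or from Kevin Holman's guides) for finding which UNIX/Linux agents still need the OMI update: it compares each agent's version reported to SCOM against a minimum build. The minimum build is a placeholder to take from the hotfix notes linked above; Get-SCXAgent is an OperationsManager cmdlet, and the AgentVersion property name is an assumption.

```powershell
# Added example, not from the post. ##FIXED_OMI_VERSION## is a placeholder for the hotfixed build
# from the Microsoft links above. Get-SCXAgent is an OperationsManager cmdlet; AgentVersion is assumed.
function Test-ScxAgentVersion {
    param(
        [Parameter(Mandatory)][string]$AgentVersion,    # e.g. '1.6.9-1' (SCX/OMI versions carry a -<release> suffix)
        [Parameter(Mandatory)][string]$MinimumVersion
    )
    # [version] cannot parse the '-<release>' suffix, so split it off and compare it separately.
    $a = $AgentVersion.Split('-'); $m = $MinimumVersion.Split('-')
    $av = [version]$a[0]; $mv = [version]$m[0]
    if ($av -ne $mv) { return ($av -gt $mv) }
    $ar = if ($a.Count -gt 1) { [int]$a[1] } else { 0 }
    $mr = if ($m.Count -gt 1) { [int]$m[1] } else { 0 }
    return ($ar -ge $mr)
}

function Get-OutdatedScxAgent {
    param([Parameter(Mandatory)][string]$MinimumVersion)
    # Agents below the minimum are the ones still exposed; feed this list to the agent upgrade task.
    Get-SCXAgent |
        Where-Object { -not (Test-ScxAgentVersion -AgentVersion $_.AgentVersion -MinimumVersion $MinimumVersion) } |
        Select-Object Name, AgentVersion
}

# Usage on a SCOM management server:
# Get-OutdatedScxAgent -MinimumVersion '##FIXED_OMI_VERSION##'
```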
SQL STIG vulnerabilities V-213902, V-213935
DISA DOD SQL STIG vulnerabilities V-213902, V-213935
SCOM SECURITY Documentation
SCOM2019 https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/
Both V-213902 and V-213935 state the same identification action.
V-213935 has a different identifier:
Tab delimited view –
January addendum updates
January addendum updates for multiple management packs
First, the biggest change for large enterprise environments was a change in syntax for Get-SCOMAlert.
Second, the repo's went through a 'whitespace audit' for encoded characters, also known as 'data concealment'. See the AT&T CyberSecurity link.
Third, after the whitespace audit we focused on script/workflow efficiencies seen in large enterprise environments. While efforts began in December, the workflow efficiencies sprint resulted in two sets of improvements.
Repo’s updated in January
Links below to GitHub repositories (repo’s)
Tangible ProV application monitoring
Use the Tangible SCOM management pack to monitor logins and ProV application registration issues. First, the management pack configures seed class discovery. Second, the pack includes rules/monitors for the Tangible ProV software. Third, it includes rules and monitors for the 2802 'Could not validate product key' and 4402 'Could not validate the contents of user logon request context: AS-REQ contains an invalid or unknown username type' events. Fourth, the service monitor uses Kevin Holman's fragment library for service recovery scripts/rules. Fifth, scheduled and on-demand daily reports are included for audit and record keeping purposes. Lastly, alert cleanup logic reduces admin burden and overhead.
Reference the Tangible vendor’s website – Tangible ProV application website
NOTE: This may not apply for everyone, as the ProV application ‘Auto-provisions Active Directory user accounts for visitors or new employees whenever they want to work from one of your PCs.’
The daily report piece of the pack makes it easier to answer the 'what happened in the last 24-72 hours' question. It gathers open/closed insights and organizes the alerts.
Screenshot of the daily report
Report example of insights (in text)
Open ProV alerts = 13
Total ProV alerts = 23
Auto-closed monitors = 22
Auto-closed rules = 0
Total automation closures:
#---------------------------
Auto-closed monitors = 262
Auto-closed rules = 0
# Unhealthy Tangible ProV service alert details
#==============================================
NetbiosComputerName TimeRaised           RepeatCount Name
------------------- ----------           ----------- ----
DC01                8/11/2023 5:18:14 AM 0           Tangible ProV ProVService...
Since last report run:
#-----------------------
All in all, the daily report utilizes Get-SCOMAlert and Set-SCOMAlert to accommodate large enterprise environments.
# Look-back window for the report (24 hours here; the report covers the last 24-72 hours)
$Time = (Get-Date).AddHours(-24)
# Open alerts (resolution states 0-254) raised inside the window
$OpenAlerts = Get-SCOMAlert -ResolutionState (0..254) -Name "Tangible ProV ProVService Service*"
$OpenAlerts = $OpenAlerts | Where-Object { $_.TimeRaised -ge $Time }
# $OpenAlerts.Count
# Closed alerts (resolution state 255) raised inside the window
$ClosedAlerts = Get-SCOMAlert -ResolutionState 255 -Name "Tangible ProV ProVService Service*" | Where-Object { $_.TimeRaised -ge $Time }
# $ClosedAlerts.Count
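An added example (not the management pack's own report script) that turns Get-SCOMAlert output into the counts and the unhealthy-service table the daily report prints. The pack's auto-close logic is not reproduced, so closed alerts are counted as closed, not as auto-closed; the sample alerts are constructed so the function can be exercised without a SCOM connection.

```powershell
# Added example, not the pack's report script. Counts Tangible ProV alerts in the categories the
# daily report prints. Closed alerts are counted as closed (the pack's auto-close logic is not reproduced).
function Get-ProVAlertSummary {
    param(
        [Parameter(Mandatory)][object[]]$Alerts,
        [datetime]$Since = (Get-Date).AddHours(-24)      # report window; the post covers 24-72 hours
    )
    $window = $Alerts | Where-Object { $_.TimeRaised -ge $Since }
    $open   = $window | Where-Object { $_.ResolutionState -ne 255 }
    $closed = $window | Where-Object { $_.ResolutionState -eq 255 }
    [pscustomobject]@{
        Since              = $Since
        OpenProVAlerts     = @($open).Count
        TotalProVAlerts    = @($window).Count
        ClosedMonitors     = @($closed | Where-Object { $_.IsMonitorAlert }).Count
        ClosedRules        = @($closed | Where-Object { -not $_.IsMonitorAlert }).Count
        # Same columns as the "Unhealthy Tangible ProV service alert details" table in the report
        UnhealthyServices  = @($open | Where-Object { $_.Name -like 'Tangible ProV ProVService Service*' } |
                               Select-Object NetbiosComputerName, TimeRaised, RepeatCount, Name)
    }
}

# Constructed sample alerts standing in for Get-SCOMAlert output (IsMonitorAlert and ResolutionState
# are real MonitoringAlert properties; the values here are made up for the demonstration)
$sample = @(
    [pscustomobject]@{ Name = 'Tangible ProV ProVService Service Stopped'; NetbiosComputerName = 'DC01'
                       TimeRaised = (Get-Date).AddHours(-2); RepeatCount = 0; ResolutionState = 0;   IsMonitorAlert = $true  },
    [pscustomobject]@{ Name = 'Tangible ProV 2802 Could not validate product key'; NetbiosComputerName = 'DC02'
                       TimeRaised = (Get-Date).AddHours(-5); RepeatCount = 3; ResolutionState = 255; IsMonitorAlert = $false },
    [pscustomobject]@{ Name = 'Tangible ProV ProVService Service Stopped'; NetbiosComputerName = 'DC03'
                       TimeRaised = (Get-Date).AddDays(-3);  RepeatCount = 0; ResolutionState = 255; IsMonitorAlert = $true  }
)
# Expected with the sample: Open=1, Total=2 (DC03 is outside the 24-hour window), ClosedMonitors=0, ClosedRules=1
Get-ProVAlertSummary -Alerts $sample | Format-List

# Live, on a SCOM management server:
# Get-ProVAlertSummary -Alerts (Get-SCOMAlert -ResolutionState (0..255) -Name 'Tangible ProV*') -Since (Get-Date).AddHours(-72)
```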
Tangible ProV application monitoring details and download
GitHub https://github.com/theKevinJustin/TangibleProV
Download here