More updates for your monitoring pleasure with OS addendum updates!
OS Addendum updates
Been busy in the monitoring ‘bat’ cave crafting up new ways to simplify things, automating recoveries, top process finds, STIG compliance, automatic services logic, and PowerShell transcription checks.
Seriously, dream on! End the STIGma is a good thing, but STIGs can be a burden. Hit the easy button, if you’re not already using it. Contact your SQL Data and AI Cloud Solutions Architect for the latest SQL STIG Monitor 2024 Q4 build!
Latest SQL STIG monitor 31 Oct 2024 release includes
DISA UPDATES – see link
MS SQL Server 2016 Instance STIG, V3R2:
(NOTE: DISA has been contacted to remove related CCI STIGID for AzureSQLDB that was overlooked: ASQL-00-010700)
POWERSHELL MODULE
Updated version to 1.23
Added STIGID parameter to Invoke-StigMonitor allowing granular control over STIGID scanning.
DATABASE CHANGES
Updated Checklist Templates for Q4 Revisions.
Updated Instance & Database STIG for Q4 benchmark date.
Script updates include:
CNTNMIXDB: Not A Finding if using Windows Auth
FORCENRYPT: NA if using Windows Auth
PWDCMPLX: Updated Finding to remove OS STIG reference
AZDBPERMISS: Revised script with new version.
DBPERMISS: Revised script with new version.
ENFCACCSS: Revised script with new version.
PSERRPERM: Revised script with new version.
UNQSVCACC: Removed code stripping out port number.
AZAUDITSTATE: Properly returns No Finding when audit setup is correct.
Fixed bug in vDocumentation view causing POAMs to not display custom comment in exported documentation.
Added usp_RemoveInstance stored procedure to easily clean up a specific Instance from StigMonitor that no longer exists.
DOCUMENTS
Updated checklist templates, Approvals scripts, and Documentation Templates for Q4 Revisions.
Removed Set-CEIPRegKeys.ps1, Set-FIPSCompliance.ps1, and Set-SqlRegKey.ps1 in favor of Module commands.
Updated InfoPage with new StigMonitor logo and text references.
Documentation updated with new examples of Invoke-StigMonitor STIGID parameter.
Updated documentation to add Azure DB Permission for MS_SecurityDefinitionReader.
Added DatabaseName to CSV Export of Export-StigDocumentation.
REPORTS
Updated Report banner to display new StigMonitor logo and latest report versions.
Removed Adhoc scanning to Policy Management Report in favor of Invoke-StigMonitor parameter.
Removed references to Sunset 2012 and 2014 STIGs.
Added AzureSQLMI for future use.
Combined NF and Approved in Total Findings summary
Reduced Recent Scans to latest 6.
Also please send us your feedback if you get a chance to check this out.
If you want to be added/removed from this, click here (Subscribe /Unsubscribe) or send us an email.
Depending on requirements, creating multiple subscriptions within SCOM to leverage subscriber/channels required. Selecting rules/monitors, and resolution state conditions to help Application teams get incidents for key issues requiring intervention. NOTE Depending on what was command channels were created for various AssignmentGroup(s) and Team(s) within the organization.
Configure channel to execute logAlert.ps1 command channel to verify SCOM outputs
SCOM Navigation steps:
Click on Administration Tab > Notifications > Channels
Click New
Name
TEST Holman’s Command Channel
Description
C:\MonAdmin\Scripts\LogAlert.ps1 Utilize LogAlert.ps1 example from Holman’s blog. Specific Subscription details: +CRITERIA = ALL Alerts +RESOLUTIONSTATE = NEW (0) +SUBSCRIBER = CHANNEL SCOM Command Channel Subscriber via POWERSHELL +CHANNEL Test LogAlert.ps1 SCOM Command Channel
Setup and use Holman’s script execution channel blog to test what account SCOM uses for notifications
NOTE Use these steps to create multiple command channels, as the AssignmentGroup and Team may differ depending on Application Owners
SCOM Navigation steps:
Click on Administration Tab > Notifications > Channels
Click New
Name
TEST SNOW Event Creation
Description
C:\MonAdmin\Scripts\New-SNowEvent.ps1 Outputs 711 Events into Operations Manager event log.
Specific Subscription details: +CRITERIA = ALL Alerts +SUBSCRIBER = CHANNEL New-SNowEvent.ps1 via POWERSHELL +CHANNEL ServiceNow SNOW Event Creation Channel
New-SNOWEvent.ps1 command channel creates ServiceNow SNOW events for alerts and incidents.
This channel will also update the SCOM alert TicketID, Owner, ResolutionState to modify SCOM alert with SNOW information, or information passed in SNOW event.
NOTE Use these steps to create multiple command channels, as the AssignmentGroup and Team may differ depending on Application Owners
SCOM Navigation steps:
Click on Administration Tab > Notifications > Channels
Click New
Name
TEST SNOW Event Creation
Description
C:\MonAdmin\Scripts\New-SNowEvent.ps1 Outputs 711 Events into Operations Manager event log.
Specific Subscription details: +CRITERIA = ALL Alerts +SUBSCRIBER = CHANNEL New-SNowEvent.ps1 via POWERSHELL +CHANNEL ServiceNow SNOW Event Creation Channel
New-SNOWEvent.ps1 command channel creates ServiceNow SNOW events for alerts and incidents.
This channel will also update the SCOM alert TicketID, Owner, ResolutionState to modify SCOM alert with SNOW information, or information passed in SNOW event.
Read the ‘Configure SCOM Subscribers’ blog to build out the SNOW subscribers for multiple PowerShell command channels. Create subscribers according to design requirements.
CHANNEL New-SNowEvent.ps1 via POWERSHELL
Follow the screenshots and fill in the wizard per the steps below.
Time to update SCOM, specifically to ‘create SCOM Command Channels’, then subscribers, and subscriptions. Depending on requirements, create multiple channels within SCOM.
Save .ps1 file(s) to SCOM MS
LogAlert.ps1 to verify SCOM notification account
New-SNowEvent.ps1 to inject events into ServiceNow
New-SNowIncident.ps1 to inject incidents into ServiceNow
Save LogAlert.ps1
Create Command channel script and save to SCOM MS(s)
SNOW Event command channel injects ServiceNow SNOW events, with logic to check for alert, incident, then update the SCOM alert TicketID, Owner, ResolutionState based on runtime.
SCOM Navigation steps:
Click on Administration Tab > Notifications > Channels
Click New
Name
ServiceNow SNOW Event Creation Channel
Use New-SNowEvent.ps1 to create SCOM subscription that creates SNOW incidents, then updates SCOM alert with TicketID, Owner, Resolution State for SCOM alert.
This command channel helps admins determine variables possible to pass to PowerShell script(s).
SCOM Navigation steps:
Click on Administration Tab > Notifications > Channels
Click New
Name
ServiceNow SNOW Incident creation channel
Use New-SNowIncident.ps1 to create SCOM subscription that creates SNOW incidents, then updates SCOM alert with TicketID, Owner, Resolution State for SCOM alert.
Time to ‘Test SNOW script’ for event or incident injection. As long as the prerequisites are verified, to include network connectivity, URL, ID, Password, etc., we’re ready to go!
Once the CredentialManager piece has been completed, by the same token you can begin testing the script. Testing can begin, whether to the SCOM Admin SA account, or to the SCOM Notifications account, or even hard coding the values into your PowerShell session.
Begin script testing
The testing leverages that you’ve downloaded various integration scripts first, then being saved on SCOM MS (management servers). The following blog posts, GitHub repo’s will set up multiple methods to test from PowerShell (command line) as SA or SVC accounts.
New-SNOWEventPowerSHellOutput for REST Event injection.
Verify SCOM alert updated for ServiceNow REST injection
Check SCOM console/web console for SCOM alert updates to ResolutionState, TicketID, Owner fields, where TEAM = SYM, and Assignment Group = JustinTime Infra specified
SCOM Monitoring tab Active Alerts output view showing Owner, ResolutionState, and TicketId fields updated.
Be aware of issues
Indicator of Certificate/trust issue
Invoke-RestMethod error seen when organization cert not installed, making server sending REST injection NOT trusted.
Indicator when SNOW alert rule not configured or matching – excessive retry’s. Also note output shows summary of tests, ServiceNow SNOW detail, and SCOM alert updates.
New-SNOWEvent.ps1 failures when SNOW Alert rule not matching or created.
Logging to Operations Manager Event Log for addtional troubleshooting or debug. Unless otherwise updated, the script logs to the ‘Operations Manager’ event log, EventID = 710-712
Single Starting event indicates failed pre-requisite (pre-req NOT met)
SCOM OperationsManager events logging integration script status, as well as whoami and additional debug.
With domain joined machine, use a separate notification services svc account for notifications. SCOM is typically leverages MSAA, or even local system, depending on the accounts used when building out SCOM. Kevin Holman did an excellent job blogging this here
Verify SCOM notification account
Verify and ‘Setup SCOM Notifications account’ to separate notifications outside typical SCOM service SVC account functionality. Also, separating allows CredentialManager to secure, encrypt, and store credentials used by the notification account. Time to verify!
RDP to SCOM MS using notification account.
Open SCOM Console
Click on Administration tab
Expand Run As Configuration
Click on Accounts
Search for notification
Double click on Notifications account
Click on Credentials tab
Verify account being used, in light of CredentialManager piece storing SNOW ID and account.
NOTE Account should be part of SCOM Admins AD group
SCOM console view of Notifications SVC Account
SCOM Notifications Event Log troubleshooting
Knowing the notifications account will aid with SNOW integration scripts, as well as help log whoami, ‘run as’ logging to the ‘Operations Manager’ event log. The specific test and event or incident scripts leverage EventID’s 710-712. 710 for LogAlert.ps1, 711 for New-SNowEvent.ps1, and 712 for New-SNowIncident.ps1.
Single Starting event indicates failed pre-requisite (pre-req NOT met)
SCOM OperationsManager events logging integration script status, as well as whoami and additional debug.
The SQL team noted that the newer versions are defaulting Encrypt to be Yes/Mandatory. That is why the new drivers were having an issue. Setting up a certificate in the SQL endpoint would have allowed the connection to work:
New OMI vulnerabilities for SCOM/LogAnalytics Agents
Thank you Aris for reaching out with questions on these new vulnerabilities!
New OMI vulnerabilities for SCOM/Log Analytics Agents posted. The vulnerabilities apply to OMI component on non-windows servers with SCOM2019, SCOM2022, or Log Analytics agents. The vulnerabilities apply to non-windows server operating systems. See hotfix details below to resolve.
OMI vulnerabilities for SCOM/LogAnalytics CVE details
The vulnerability exists due to a use-after-free error in the Open Management Infrastructure (OMI). A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to application does not properly impose security restrictions in the Open Management Infrastructure (OMI), which leads to security restrictions bypass and privilege escalation.
Leverage Holman’s Monitoring UNIX quick start guide(s) if you need a ‘how to’ or refresher to update your SCOM management groups with the latest packs, and how to update the agent on non-windows/UNIX servers.
If no account information is returned, this is not a finding.
If account information is returned, this is a finding.
Tab delimited view –
Remove Computer Accounts DB SQL6-D0-000400 V-213902 CAT II Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
Remove Computer AccountsSQL6-D0-004200V-213935CAT IINon-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
Can provide one work-around to mitigate.
Awaiting CSS engagement for official mitigation from support and SCOM PG.
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
![dir gci New-SNow[ie]*.ps1](https://kevinjustin.com/blog/wp-content/uploads/2024/05/New-SNOWie.png)
