New OMI vulnerabilities for SCOM/LogAnalytics Agents
Thank you Aris for reaching out with questions on these new vulnerabilities!
New OMI vulnerabilities for SCOM/Log Analytics Agents posted. The vulnerabilities apply to OMI component on non-windows servers with SCOM2019, SCOM2022, or Log Analytics agents. The vulnerabilities apply to non-windows server operating systems. See hotfix details below to resolve.
OMI vulnerabilities for SCOM/LogAnalytics CVE details
The vulnerability exists due to a use-after-free error in the Open Management Infrastructure (OMI). A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to application does not properly impose security restrictions in the Open Management Infrastructure (OMI), which leads to security restrictions bypass and privilege escalation.
Leverage Holman’s Monitoring UNIX quick start guide(s) if you need a ‘how to’ or refresher to update your SCOM management groups with the latest packs, and how to update the agent on non-windows/UNIX servers.
Whether you’re building a new SCOM2019, SCOM2022 environment or not, you might be missing these event details, and NOT even know!
It’s been a while for me, and I came across these, so posting for a fresh heads up!
Leverage Holman’s TXT files to keep your logging up to maximum potential! Use the information below to resolve SCOM2016+ SQL SysMessages and 18054 events.
— Source entity of the relationship doesn’t exist.
EXECUTE sp_addmessage @msgnum = 777980002, @msgtext = N’The specified relationship doesn”t have a valid source.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
— Target entity of the relationship doesn’t exist.
EXECUTE sp_addmessage @msgnum = 777980003, @msgtext = N’The specified relationship doesn”t have a valid target.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
— Discovery data from invalid managed entity is dropped.
EXECUTE sp_addmessage @msgnum = 777980004, @msgtext = N’Discovery data has been received from a rule targeted to a non-existent entity. The discovery data will be dropped.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
— Invalid relationship rejected by cycle detection.
EXECUTE sp_addmessage @msgnum = 777980005, @msgtext = N’Relationship {%s} was rejected because it would cause a containment cycle; relationship source = ”%s” and target = ”%s”.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
— Discovery data generated by invalid connector.
EXECUTE sp_addmessage @msgnum = 777980006, @msgtext = N’Discovery data generated by invalid connector:%s.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
— Discovery data generated by invalid rule, task, discovery.
EXECUTE sp_addmessage @msgnum = 777980007, @msgtext = N’Discovery data generated by invalid discovery source. Id:%s.’, @severity = 16, @lang = ‘us_english’, @with_log = false, @replace = ‘REPLACE’
GO
If no account information is returned, this is not a finding.
If account information is returned, this is a finding.
Tab delimited view –
Remove Computer Accounts DB SQL6-D0-000400 V-213902 CAT II Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
Remove Computer AccountsSQL6-D0-004200V-213935CAT IINon-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
Can provide one work-around to mitigate.
Awaiting CSS engagement for official mitigation from support and SCOM PG.
Second, another change with the repo’s was a ‘whitespace audit’ encoded characters, or ‘data concealment’. See AT&T link CyberSecurity Link
Third, after whitespace we focused on script/workflow efficiencies seen in large enterprise environments. While Efforts began in December, the workflow efficiencies sprint resulted in two sets of improvements.
Fast and Efficient
1) Added ‘Reset Monitors Script base code’ $Age variable
What does this mean?
Simply put $Age allows admins to define monitor age before resetting.
The default is 1 (day), but can be specified in the script to tailor to requirements.
Example
$Age = [DateTime](Get-Date).AddDays(-1)
2) Beyond incorporating $Age into the reset monitor logic, the packs utilize logic for a much faster runtime (~90%+).
What does this mean?
Updated logic quickly gathers unhealthy monitor objects, by leveraging ‘Get-SCOMManagementPack‘ and then ‘Get-SCOMClass‘, before passing to ‘Get-SCOMClassInstance‘.
Example PowerShell
## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules
$SCOMCoreMP = Get-SCOMManagementPack -DisplayName “Microsoft Windows Server DNS Monitoring”
Use the Tangible SCOM management pack to monitor logins and ProV application registration issues. First, the management pack configures Seed class discovery. Second, the pack includes rules/monitors for Tangible ProV software. Third, rules and monitors for 2802 ‘Could not validate product key’ and 4402 ‘Could not validate the contents of user logon request context: AS-REQ contains an invalid or unknown username type’ events. Fourth, the service monitor, which uses Kevin Holman’s fragment library for service recovery scripts/rules. Fifth, scheduled and on-demand daily reports for audit and record keeping purposes. Lastly, alert cleanup logic, to reduce admin burden and overhead.
Reference the Tangible vendor’s website – Tangible ProV application website
NOTE: This may not apply for everyone, as the ProV application ‘Auto-provisions Active Directory user accounts for visitors or new employees whenever they want to work from one of your PCs.’
The Daily report piece of the pack makes things easier answering ‘what happened in the last 24-72 hours’ question. Gathers open/closed insights and organizes alerts.
Screenshot of the daily report
Zero Alert example of daily report
Report example of insights (in text)
Open ProV alerts = 13
Since last report run: #———————– Total ProV alerts = 23 Auto-closed monitors = 22 Auto-closed rules = 0
Ever have a need to configure a SCOM agent outside the SCOM Console GUI using SCOM.Management pack? Tyson’s ‘SCOM Helper PowerShell module’ on monitoringguys.com may assist if you can update PowerShell and SnapIn’s. If Tyson’s solution may not be an applicable solution in a locked down environment, the blog is a PowerShell script to manage agent configuration.
A shout out to Aris for his watchful eye testing and playing with this!
First, let’s begin the conversation. Leverage the PowerShell script to configure SCOM/MOM agent per domain(s). Whether DMZ forest(s), or multiple forests with SCOM gateways, the script will enable configuration management. Alternatively, add script as a compliance check to the Configuration Management tool, or as a post install step to configure SCOM Agent (MomAgent.MSI) via application or package. Third, utilize the PowerShell script where agent upgrade is a pre-req to resolve ‘a really old SCOM agent version’. Lastly, the script also tests network connectivity, and verifies if configuration is requested/loaded.
Install SCOM agent MSI via command line and roll into a ‘SCOM agent’ MECM application package.
Why an application/package? Many times, servers are built, and the IT Enterprise doesn’t find out device is NOT monitored until it’s involved in an outage. Proceed to add to your Configuration management tool will provide a consistent configuration to avoid the ‘NOT monitored’ configuration.
While there are a few options to build out a MCM/MEM/MECM/SCCM application/package to install the SCOM agent on managed windows machines. In August, I posted Neal’s updates to install/configure the SCOM agent. Neal’s scenario works great for a new environment, and it’s simple PowerShell. Also, if Neal’s scenario with PowerShell is NOT your preference, try the batch file below. Another key point, the script has logic for multiple forests and SCOM gateways (to connect said forests). Basically test the command line script, then roll into a MCM/MEM/MECM/SCCM application/package. Have the SCOM agent added to task sequence which consequently includes the SCOM agent in the default build.
Install SCOM agent command line script
First – NOTE each line has no hidden line feed/carriage returns
Second – go through the variables before testing
Variables to review/replace:
##SCOMManagementGroup## # SCOM Management group, seen in SCOM console on top left corner
SCOMManagementServer## # SCOM management Server in primary domain
##SCOMManagementServerGW## # SCOM first gateway
##SCOMManagementServerGW2## # Second gateway
##Domain## as forest FQDN
##Domain2## as forest FQDN
Third – Find/Replace ##hashtagged## variables and test away!
@echo off
cls
REM This script command line is for NEW installs of the agent (nothing prior)
REM Replace ##SCOMManagementGroup## SCOM Management group, seen in SCOM console on top left corner
My thanks to Aris Somatis for his deep dive reviewing the packs with me, particularly new use cases. The PowerShell below builds on Scott Murr’s initial TechNet published logic from years back. Consequently, the reset logic provides a ‘manual intervention required’ alerting/monitoring system.
Improving SCOM monitor reset logic
Calling the reset method has been a game changer for my customers – including operators, system and application owners!
Background
Scott’s reset logic, from SCOM2012, helped administrators reset unhealthy monitors where alerts may have been closed. Because Scott leveraged the ResetMonitoringState method, the community gained a way to keep true health. Additionally, many administrators and engineers built custom management packs to provide solutions. Second, the addendum packs blog brought in more options – best practices, lessons from the field (and customers), and health model accurate alerting for what was really broken in the environment. Third, addressing ‘gaps’ or ‘blind spots’ from product teams. As a result of NEW monitoring, the packs may include: rules/monitors, datasource/writeAction (DS/WA) workflows, recovery tasks and automation, count logic monitors, overrides, discoveries, and groups. Thirdly, to take monitoring to the next level. To top that off, with very little/NO cost compared to competitors!
PowerShell code
Aris’s Age use case takes this even further. Using monitor age allows further analysis to dial down ‘monitor reset’ to object is X days old. Comparatively, the 24-72 hour setup default is used in the addendums, so Age provides a second option. Third option can rely on SCOM’s built-in cleanup, but that’s typically 14-30 days. Overall, flexibility is a good thing.
# Specify age variable for your environment
$Age = [DateTime](Get-Date).AddDays(-7)
PowerShell code snippet
First, the reset logic can pivot on the age requirement. Then, adjust the Age variable per requirements. Third, figure out which method applies to gather a unique list of classes, whether by partial string(s), or by management pack name(s).
Set age variable (how long ‘OLD’ monitors might be stale and need reset)
# Example sets $Age variable to 7 days ago (-7)
$Age = [DateTime](Get-Date).AddDays(-7)
Unpack two different ways to gather classes for monitors to reset
# When common string name exists in all classes
Example DFS/FileServices packs all have one of the three strings:
0
Found 0 unhealthy monitors for class Microsoft.SystemCenter.HealthServicesGroup
1
Found 1 unhealthy monitors for class Microsoft.SystemCenter.HealthServiceWatcher
Resetting Health State on ' + Microsoft.SystemCenter.HealthServiceWatcher:Microsoft.SystemCenter.AgentWatchersGroup;5e0
4f804-8b71-6eb6-0101-dcbb58022498 + '
Guid
----
0218d239-3d37-f9b1-75d2-6d52c2c7c0c1
Hear ye hear ye – see the nice warm toasty updated packs
See the nice warm toasty updated packs
Fresh off the press, right to your door, just in time for that gift for your special someone! Time for new updates to keep you ever-green’d, up to date, fixes, etc. ;-P
Holman updated his SCOM.Management pack for SCOM2022 UR2
Multiple packs with multiple updates. Removed debug detail for DS/WA (Data Source/Write Action workflows) Health Explorer outputs, simplified mgmt pack recovery tasks for single WA script.
Ah – ‘Setting up PowerBI Report Server SPN’s for PowerBI and SQL to help securely communicate and authenticate.
‘Setting up PowerBI Report Server SPN’ in hybrid environments when the PowerBI cloud service is not <yet> an option in an organization. This article will go through SPN commands, to secure via Kerberos authentication and/or smart card usage for Security requirements (i.e. STIG, CCRI, SOX, HIPAA, PCI, Security Scans, <insert other regulatory requirements here>). Lastly, PowerBI Report Server can be setup to run parallel to SSRS SQL instance. Refer to SPN commands below which helped me setup SmartCards authentication based on SPN setup.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
