Nagios Windows Updates check

Following on from my post last night about the Windows Updates check on MonitoringExchange, a colleague reminded me that we actually modified the script from there: we weren't looking for the names of the outstanding updates to be listed, but simply for the total number of updates that are outstanding. The modified version of the script is listed below for reference, and the original it is based on is at the following URL: https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/Check-Windows-Updates

<job>
  <script language="VBScript">
    ' Parse command line switches for pending updates
    If Wscript.Arguments.Named.Exists("h") Then
      Wscript.Echo "Usage: check_win_updates.wsf /w:1 /c:2"
      Wscript.Echo "/w: - number of updates before warning status "
      Wscript.Echo "/c: - number of updates before critical status "
      Wscript.Quit(3)
    End If
    If Wscript.Arguments.Named.Exists("w") Then
      intWarning = CInt(Wscript.Arguments.Named("w"))
    Else
      intWarning = 0
    End If
    If Wscript.Arguments.Named.Exists("c") Then
      intCritical = CInt(Wscript.Arguments.Named("c"))
    Else
      intCritical = 0
    End If
    Set objShell = CreateObject("WScript.Shell")
    Dim sysroot
    sysroot = objShell.ExpandEnvironmentStrings("%systemroot%")
    ' Check if the server is pending a reboot and quit with warning
    Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
    If objSysInfo.RebootRequired Then
      Wscript.Echo "Warning: Reboot required | updates=-1"
      Wscript.Quit(1)
    End If
    ' Dump the Windows Update agent log (ReportingEvents.log) to a variable for parsing
    Set objExec = objShell.Exec("cmd.exe /c type " & sysroot & "\SoftwareDistribution\ReportingEvents.log")
    results = LCase(objExec.StdOut.ReadAll)
    res_split = Split(results, vbCrLf)
    ' The log is tab separated: $1 = first character of the line, $2 = event ID,
    ' $3 = the free-text message in the last column
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "(.)\S*\s*\S*\s*\S*\s*\d\s*(\d*)\s*\S*\s*\S*[0-9\s]*\S*\s*\S*\s*.*\t(.*)"
    regEx.IgnoreCase = True
    ' Collect the message of every event 147 ("successfully detected N updates");
    ' the last one collected is the most recent detection run
    count = 1
    ReDim arrDyn(1)
    For Each zeile In res_split
      firstsign = regEx.Replace(zeile, "$1")
      If (firstsign = "{") Then
        number = regEx.Replace(zeile, "$2")
        finish = regEx.Replace(zeile, "$3")
        ' Replace returns a string, so compare against a string
        If (number = "147") Then
          count = count + 1
          ReDim Preserve arrDyn(count + 1)
          arrDyn(count + 1) = finish
        End If
      End If
    Next
    ' The update count is the second-to-last word of the latest message
    ' ("... detected 6 updates."); -1 means no detection event was found
    mount_updates = -1
    end_array = Split(arrDyn(UBound(arrDyn)), " ")
    If UBound(end_array) >= 1 Then
      If IsNumeric(end_array(UBound(end_array) - 1)) Then
        mount_updates = CInt(end_array(UBound(end_array) - 1))
      End If
    End If
    ' Quit the script with the appropriate status and performance data
    If mount_updates < 0 Then
      Wscript.Echo "Unknown: Could not find an update detection event in the log"
      Wscript.Quit(3)
    ElseIf mount_updates = 0 Then
      Wscript.Echo "OK: There are no pending updates | updates=0"
      Wscript.Quit(0)
    ElseIf mount_updates >= intCritical Then
      Wscript.Echo "Critical: There are " & mount_updates & " updates pending | updates=" & mount_updates
      Wscript.Quit(2)
    ElseIf mount_updates >= intWarning Then
      Wscript.Echo "Warning: There are " & mount_updates & " updates pending | updates=" & mount_updates
      Wscript.Quit(1)
    Else
      Wscript.Echo "OK: There are " & mount_updates & " updates pending | updates=" & mount_updates
      Wscript.Quit(0)
    End If
    Wscript.Echo "Unknown: There has been an error"
    Wscript.Quit(3)
  </script>
</job>
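The same parsing and threshold logic as an added Python example (not the plugin's code, and not part of the original post), so the ReportingEvents.log handling can be tried offline. The log lines are constructed to follow the tab-separated layout the VBScript regex expects, with event ID in the fourth column and the message in the last; the GUIDs and KB number in them are placeholders.

```python
"""Nagios-style Windows Update check: count pending updates from ReportingEvents.log."""
import re

# Constructed sample of %SystemRoot%\SoftwareDistribution\ReportingEvents.log.
# Column layout approximated from the VBScript regex; GUIDs and KB are placeholders.
SAMPLE_LOG = "\n".join([
    "{A1}\t2011-07-04 09:00:00:000+0100\t1\t147\t101\t{B1}\t0\t0\tAutomaticUpdates\tSuccess\tSoftware Synchronization\tWindows Update Client successfully detected 9 updates.",
    "{A2}\t2011-07-04 09:05:00:000+0100\t1\t183\t101\t{B2}\t0\t0\tAutomaticUpdates\tSuccess\tContent Install\tInstallation Successful: Windows successfully installed the following update: KB0000000",
    "{A3}\t2011-07-05 09:00:00:000+0100\t1\t147\t101\t{B3}\t0\t0\tAutomaticUpdates\tSuccess\tSoftware Synchronization\tWindows Update Client successfully detected 3 updates.",
])

DETECTED = re.compile(r"detected (\d+) updates?", re.IGNORECASE)


def pending_updates(log_text):
    """Return the update count from the most recent event-ID 147 line, or -1 if none."""
    latest = -1
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 12 or fields[3] != "147":
            continue
        match = DETECTED.search(fields[-1])
        if match:
            latest = int(match.group(1))  # later lines overwrite earlier detection runs
    return latest


def nagios_status(count, warning, critical, reboot_required=False):
    """Map a count to (exit_code, plugin output) using the Nagios conventions above."""
    if reboot_required:
        return 1, "Warning: Reboot required | updates=-1"
    if count < 0:
        return 3, "Unknown: no update detection event found in log"
    perf = f"updates={count}"
    if count == 0:
        return 0, f"OK: There are no pending updates | {perf}"
    if count >= critical:
        return 2, f"Critical: There are {count} updates pending | {perf}"
    if count >= warning:
        return 1, f"Warning: There are {count} updates pending | {perf}"
    return 0, f"OK: There are {count} updates pending | {perf}"


if __name__ == "__main__":
    code, text = nagios_status(pending_updates(SAMPLE_LOG), warning=1, critical=5)
    print(text)
    raise SystemExit(code)
```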

NSClient 0.3.9 released

NSClient 0.3.9 was released earlier this month and, from the looks of the change log, should be a good replacement for 0.3.8 (http://www.nsclient.org/nscp/blog/Blog-2011-07-05). As with previous releases there are both 32-bit and 64-bit variants, and the option of an MSI package or a ZIP download.

Some things I have noticed in the new release (these may have been in 0.3.8 but I never noticed them) are two new external scripts to check printer status and check Windows Updates. I have been using my own Windows Update script (https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/Check-Windows-Updates) as I found that the ones that query WMI take longer than the default 10 seconds to run without timing out. Giving the bundled script a go, it did a good job of outputting some useful information about the Windows Updates; however, it still took too long to run, so I doubt that I will be using this in its current form. The output when running it on my workstation is as follows:

OK: Number of critical updates not installed: 1 <br />Number of software updates not installed: 6 <br /> Critical updates name: Service Pack 1 for Microsoft Office 2010 (KB2510690) 32-bit Edition+

The printer check also ran through my list of installed printers and came out with an "Unknown" status, and the details listed didn't match what Windows was saying, so again I probably won't be using this in its current format and will more likely monitor the printers individually with SNMP-based checks directly against the printers.

There are some good additions to the list of modules. CheckTaskSched looks to be a good addition to make sure that the scheduled tasks you have left to run on your server are running as expected and not left stuck in a running state (or didn't exit with error code 0). CheckFile and CheckFile2 have been amalgamated into the CheckFiles module, which allows you to check a single file, but also multiple files, for certain criteria. The link above gives examples of checking file versions, line counts, file sizes, etc.

For a full list of changes the change log can be found here: http://www.nsclient.org/nscp/blog/Blog-2011-07-05

RSA Authentication Manager SQL bug

As part of a planned reboot of our client's infrastructure last month we had an issue with the RSA server taking a *LONG* time to come back up (we're talking hours, not minutes). After logging a call with RSA they pointed out that Authentication Manager 7.1 has an issue with cleaning up the .sql files it creates as part of its standard operation, and that this has been resolved in SP4.

The .sql files that are generated are all saved in C:\Windows\Temp and are named in the format DbMgmtSqlScript*.sql, with one or two generated per minute on the server. The content of the files is as follows:

select to_char(count(*)) from dba_tablespaces;

QUIT;

Whilst waiting for approval to install SP4 on the server I was looking for a fix, as the RSA server had generated over 64,000 files this month, and I stumbled across the following article (http://microsoftplatform.blogspot.com/2011/04/rsa-authentication-manager-71-bug.html), which describes a simple batch file that can be scheduled to clear out the .sql files on a daily basis:

del C:\Windows\Temp\dbmgmt*.sql

That should serve as a workaround for the short term. Long term I would recommend that you install SP4 and Patch 4, which can be downloaded from the RSA website.

CheckPoint Full Disk Encryption and RSA SecurID800

I have spent the past week looking at a peculiar issue with CheckPoint Full Disk Encryption for a client. As a bit of background, all laptops are encrypted with Full Disk Encryption and, to provide two-factor authentication, we are using the RSA SecurID800, which acts as a smart card as well as a one-time-password authenticator.

Whilst provisioning a laptop for a new starter we re-used an existing token, issued the smart card certificate from our internal Certification Authority, and it was added to the token successfully. After updating Full Disk Encryption from the MI Console we rebooted and tested login. Everything worked fine.

The issues came when we removed the old certificates from the token: suddenly Full Disk Encryption was showing "Invalid Logon – No certificates were found on this token", yet within Windows the RSA software showed the certificate was there and the fingerprint matched what the MI Console had picked up from Active Directory. I rebooted the laptop and still got the same "no certificates" error.

Speaking with CheckPoint about the issue didn't turn up much, so I decided to issue a new certificate and try again. I went through the same process and upon reboot it worked fine, so I put the original error down to a glitch and went and removed the old certificate from the SID800. Rebooted, and it was broken again with the same error message.

To fix the issue I removed *all* certificates from the token, revoked all the issued ones in the CA, and then issued one more for the user. All works fine and the user can now work on the laptop without issue.

Moral of the story… Remove all certificates first and then add only the one that you need. It's easier in the long run.