icinga-powershell-plugin-bw-icinga.psm1
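# Icinga for Windows plugins that read the Security event log
# (provider "Microsoft-Windows-Security-Auditing"):
#   * Invoke-IcingaCheckFailedLoginEvents  - count of failed logons (event id 4625)
#   * Invoke-IcingaCheckSecurityAuditLogs  - one sub-check per security-relevant event id
#
# Both plugins go through Get-SecurityAuditingEvent so that "no events found"
# (a normal outcome) is separated from "the log could not be read" (a failure
# that must not be reported as a clean zero).

function Get-SecurityAuditingEvent() {
    # Returns the Security-Auditing events with the given id that were created
    # at or after $StartTime. Events come back in Get-WinEvent's default order,
    # newest first, so index 0 is the most recent record.
    #
    # Arguments:
    #   -Id         event id to query (e.g. 4625)
    #   -StartTime  lower bound for TimeCreated; filtered by the event log API,
    #               not in PowerShell, so the count is not capped by -MaxEvents
    #               being applied before the date filter
    #   -MaxEvents  upper bound on returned records; 0 means "no limit"
    #
    # Error handling: Get-WinEvent reports "no matching events" as an error.
    # That case is mapped to an empty result. Every other error (access denied,
    # event log service unavailable, ...) is rethrown on purpose: a monitoring
    # check that cannot read the Security log must fail visibly instead of
    # reporting 0 events and turning a detection gap into an OK state.
    param (
        [Parameter(Mandatory = $true)]
        [int]$Id,
        [Parameter(Mandatory = $true)]
        [datetime]$StartTime,
        [int]$MaxEvents = 0
    );

    $Filter = @{
        ProviderName = 'Microsoft-Windows-Security-Auditing';
        ID           = $Id;
        StartTime    = $StartTime;
    };

    try {
        if ($MaxEvents -gt 0) {
            return @(Get-WinEvent -FilterHashtable $Filter -MaxEvents $MaxEvents -ErrorAction Stop);
        }
        return @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop);
    } catch {
        # FullyQualifiedErrorId of the "No events were found that match the
        # specified selection criteria." error raised by Get-WinEvent.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            return @();
        }
        throw;
    }
}

function Invoke-IcingaCheckFailedLoginEvents() {
    <#
    .SYNOPSIS
        Checks the number of failed logon attempts (Security event id 4625)
        recorded during the last $LastXDays days.
    .DESCRIPTION
        Counts all 4625 events with TimeCreated within the window and compares
        the count against the Warning/Critical thresholds using the Icinga
        PowerShell Framework check objects. The Security log is read via
        Get-SecurityAuditingEvent; if the log cannot be read the plugin fails
        instead of reporting zero failed logons.
    .PARAMETER Warning
        Threshold (Icinga range syntax) for the WARNING state.
    .PARAMETER Critical
        Threshold (Icinga range syntax) for the CRITICAL state.
    .PARAMETER NoPerfData
        Suppress performance data in the plugin output.
    .PARAMETER LastXDays
        Size of the time window in days, counted back from now. Default 7.
    .EXAMPLE
        Invoke-IcingaCheckFailedLoginEvents -Warning 10 -Critical 30
    .OUTPUTS
        The Icinga exit code (0 Ok, 1 Warning, 2 Critical, 3 Unknown); the
        plugin output itself is written by New-IcingaCheckResult -Compile.
    #>
    param (
        $Warning = $null,
        $Critical = $null,
        [switch]$NoPerfData = $FALSE,
        [int]$LastXDays = 7
    );

    $Since  = (Get-Date).AddDays(-$LastXDays);
    # @() so that a single matching event still yields a Count of 1.
    $Events = @(Get-SecurityAuditingEvent -Id 4625 -StartTime $Since);

    $Check = New-IcingaCheck -Name 'FailedLoginEvents' -Value $Events.Count;

    # Each compare method returns the check object itself; the last call is
    # sent to Out-Null so the object does not end up in the plugin output.
    $Check.WarnOutOfRange($Warning).CritOutOfRange($Critical) | Out-Null;

    # New-IcingaCheckResult -Compile writes the plugin output and returns the
    # exit code for Icinga.
    return (New-IcingaCheckResult -Check $Check -NoPerfData $NoPerfData -Compile);
}

function Invoke-IcingaCheckSecurityAuditLogs() {
    <#
    .SYNOPSIS
        Checks a list of security-relevant Security-Auditing event ids and
        reports one sub-check per id that occurred within the last $LastXDays
        days.
    .DESCRIPTION
        For every event id in the built-in list (derived from Microsoft's
        "events to monitor" table; see the inline comments for the legacy id,
        criticality and summary) the plugin queries the Security log for
        events within the window, limited to the newest $MaxEvents records.
        Each id with at least one event becomes an Icinga check named
        "EventID <id> Details: <time> - <message>" whose value is the event
        count, compared against the Warning/Critical thresholds. Ids that did
        not occur are omitted. If the Security log cannot be read the plugin
        fails instead of reporting "no events".
    .PARAMETER Warning
        Threshold (Icinga range syntax) for the WARNING state of each sub-check.
    .PARAMETER Critical
        Threshold (Icinga range syntax) for the CRITICAL state of each sub-check.
    .PARAMETER NoPerfData
        Suppress performance data in the plugin output.
    .PARAMETER LastXDays
        Size of the time window in days, counted back from now. Default 7.
    .PARAMETER Verbosity
        Verbosity of the check package output (0, 1 or 2).
    .PARAMETER MaxEvents
        Maximum number of records fetched per event id; the reported count is
        capped at this value. Default 100.
    .EXAMPLE
        Invoke-IcingaCheckSecurityAuditLogs -Warning 10 -Critical 30 -LastXDays 1
    .OUTPUTS
        The Icinga exit code; the plugin output is written by
        New-IcingaCheckResult -Compile.
    #>
    param (
        $Warning = $null,
        $Critical = $null,
        [switch]$NoPerfData = $FALSE,
        [int]$LastXDays = 7,
        [ValidateSet(0, 1, 2)]
        [int]$Verbosity = 0,
        [int]$MaxEvents = 100
    );

    # Columns of the comments: legacy (pre-Vista) event id, potential
    # criticality, event summary. Kept as strings to match the source table;
    # they are cast to [int] when queried.
    $EventIDs = @(
        "4618",  # N/A  High            A monitored security event pattern has occurred.
        "4649",  # N/A  High            A replay attack was detected. May be a harmless false positive due to misconfiguration error.
        "4719",  # 612  High            System audit policy was changed.
        "4765",  # N/A  High            SID History was added to an account.
        "4766",  # N/A  High            An attempt to add SID History to an account failed.
        "4794",  # N/A  High            An attempt was made to set the Directory Services Restore Mode.
        "4897",  # 801  High            Role separation enabled.
        "4964",  # N/A  High            Special groups have been assigned to a new logon.
        "5124",  # N/A  High            A security setting was updated on the OCSP Responder Service.
        "1102",  # 517  Medium to High  The audit log was cleared.
        "4621",  # N/A  Medium          Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
        "4675",  # N/A  Medium          SIDs were filtered.
        "4692",  # N/A  Medium          Backup of data protection master key was attempted.
        "4693",  # N/A  Medium          Recovery of data protection master key was attempted.
        "4706",  # 610  Medium          A new trust was created to a domain.
        "4713",  # 617  Medium          Kerberos policy was changed.
        "4714",  # 618  Medium          Encrypted data recovery policy was changed.
        "4715",  # N/A  Medium          The audit policy (SACL) on an object was changed.
        "4716",  # 620  Medium          Trusted domain information was modified.
        "4724",  # 628  Medium          An attempt was made to reset an account's password.
        "4727",  # 631  Medium          A security-enabled global group was created.
        "4735",  # 639  Medium          A security-enabled local group was changed.
        "4737",  # 641  Medium          A security-enabled global group was changed.
        "4739",  # 643  Medium          Domain Policy was changed.
        "4754",  # 658  Medium          A security-enabled universal group was created.
        "4755",  # 659  Medium          A security-enabled universal group was changed.
        "4764",  # 667  Medium          A security-disabled group was deleted.
        "4764",  # 668  Medium          A group's type was changed. NOTE(review): same id as the previous row in the source table; deduplicated before querying.
        "4780",  # 684  Medium          The ACL was set on accounts which are members of administrators groups.
        "4816",  # N/A  Medium          RPC detected an integrity violation while decrypting an incoming message.
        "4865",  # N/A  Medium          A trusted forest information entry was added.
        "4866",  # N/A  Medium          A trusted forest information entry was removed.
        "4867",  # N/A  Medium          A trusted forest information entry was modified.
        "4868",  # 772  Medium          The certificate manager denied a pending certificate request.
        "4870",  # 774  Medium          Certificate Services revoked a certificate.
        "4882",  # 786  Medium          The security permissions for Certificate Services changed.
        "4885",  # 789  Medium          The audit filter for Certificate Services changed.
        "4890",  # 794  Medium          The certificate manager settings for Certificate Services changed.
        "4892",  # 796  Medium          A property of Certificate Services changed.
        "4896",  # 800  Medium          One or more rows have been deleted from the certificate database.
        "4906",  # N/A  Medium          The CrashOnAuditFail value has changed.
        "4907",  # N/A  Medium          Auditing settings on object were changed.
        "4908",  # N/A  Medium          Special Groups Logon table modified.
        "4912",  # 807  Medium          Per User Audit Policy was changed.
        "4960",  # N/A  Medium          IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
        "4961",  # N/A  Medium          IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
        "4962",  # N/A  Medium          IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
        "4963",  # N/A  Medium          IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
        "4965",  # N/A  Medium          IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
        "4976",  # N/A  Medium          During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
        "4977",  # N/A  Medium          During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
        "4978",  # N/A  Medium          During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
        "4983",  # N/A  Medium          An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
        "4984",  # N/A  Medium          An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
        "5027",  # N/A  Medium          The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
        "5028",  # N/A  Medium          The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
        "5029",  # N/A  Medium          The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
        "5030",  # N/A  Medium          The Windows Firewall Service failed to start.
        "5035",  # N/A  Medium          The Windows Firewall Driver failed to start.
        "5037",  # N/A  Medium          The Windows Firewall Driver detected critical runtime error. Terminating.
        "5038",  # N/A  Medium          Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
        "5120",  # N/A  Medium          OCSP Responder Service Started.
        "5121",  # N/A  Medium          OCSP Responder Service Stopped.
        "5122",  # N/A  Medium          A configuration entry changed in OCSP Responder Service.
        "5123",  # N/A  Medium          A configuration entry changed in OCSP Responder Service.
        "5376",  # N/A  Medium          Credential Manager credentials were backed up.
        "5377",  # N/A  Medium          Credential Manager credentials were restored from a backup.
        "5453",  # N/A  Medium          An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
        "5480",  # N/A  Medium          IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
        "5483",  # N/A  Medium          IPsec Services failed to initialize RPC server. IPsec Services could not be started.
        "5484",  # N/A  Medium          IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
        "5485",  # N/A  Medium          IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
        "5827",  # N/A  Medium          The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
        "5828",  # N/A  Medium          The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.
        "6145",  # N/A  Medium          One or more errors occurred while processing security policy in the Group Policy objects.
        "6273",  # N/A  Medium          Network Policy Server denied access to a user.
        "6274",  # N/A  Medium          Network Policy Server discarded the request for a user.
        "6275",  # N/A  Medium          Network Policy Server discarded the accounting request for a user.
        "6276",  # N/A  Medium          Network Policy Server quarantined a user.
        "6277",  # N/A  Medium          Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
        "6278",  # N/A  Medium          Network Policy Server granted full access to a user because the host met the defined health policy.
        "6279",  # N/A  Medium          Network Policy Server locked the user account due to repeated failed authentication attempts.
        "6280",  # N/A  Medium          Network Policy Server unlocked the user account.
        "24586", # N/A  Medium          An error was encountered converting volume.
        "24592", # N/A  Medium          An attempt to automatically restart conversion on volume %2 failed.
        "24593", # N/A  Medium          Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume.
        "24594"  # N/A  Medium          Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume.
    );

    $Since        = (Get-Date).AddDays(-$LastXDays);
    $CheckPackage = New-IcingaCheckPackage -Name 'SecurityAuditLogs' -OperatorAnd -Verbose $Verbosity;

    # Select-Object -Unique: the table above lists one id twice; without this
    # the id would be queried twice and produce two identically named checks.
    foreach ($id in ($EventIDs | Select-Object -Unique)) {
        Write-Verbose "getting event $id";

        $Events = @(Get-SecurityAuditingEvent -Id ([int]$id) -StartTime $Since -MaxEvents $MaxEvents);
        if ($Events.Count -eq 0) {
            continue;
        }

        # Get-WinEvent returns newest first, so the first record is the latest
        # event (the previous Select-Object -Last 1 picked the oldest one).
        $Latest  = $Events[0];
        $Details = '';
        if ($null -ne $Latest.Message) {
            # Event messages carry content taken from the logged activity
            # (account names, paths, ...) and span several lines; collapse all
            # whitespace so the check name stays on one line of plugin output.
            $Details = ("$($Latest.TimeCreated) - $($Latest.Message)") -replace '\s+', ' ';
        }

        $Check = New-IcingaCheck -Name "EventID $id Details: $Details" -Value $Events.Count;
        $Check.WarnOutOfRange($Warning).CritOutOfRange($Critical) | Out-Null;
        $CheckPackage.AddCheck($Check);
    }

    # New-IcingaCheckResult -Compile writes the plugin output and returns the
    # exit code for Icinga.
    return (New-IcingaCheckResult -Check $CheckPackage -NoPerfData $NoPerfData -Compile);
}

# Get-SecurityAuditingEvent is intentionally not exported (module-private).
Export-ModuleMember -Function Invoke-IcingaCheckFailedLoginEvents
Export-ModuleMember -Function Invoke-IcingaCheckSecurityAuditLogs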