mnagel

windows certificate store scan


I have written a DS that uses PowerShell to discover any SSL Certificate within the Windows certificate stores and generates alerts for those expiring soon and for those that have already expired.  The alert messages are still generic as I am fighting a weird timeout issue with the data collection code against remote devices.  The AD code works fine and the data collection code is virtually identical, simpler in fact as we have the serial number on hand.  If I run it from the collector itself in a PS console, it also works fine.  Just seems to go to lunch when run from within LM itself.  If anyone wants to take a look and see if they can find the problem, that would be much appreciated -- my intent is to polish it up and release it publicly.  It is in code review, not clear how long that will take with the new LMExchange feature.

2YPMLN


Thanks!  And, we shall see :).  I stepped away for now on the whole data collection timeout thing to clear my head.  Feels like it is LM causing it, but can't see how.  I based the general structure on the "_Windows patches needed" DS Mike Suding wrote.  Also tried the PSSession avenue other DSes use, but made no difference.  Same exact code run from the collector PS shell returns data quickly.  Hopefully we can figure it out -- this information is otherwise hard to get from external tests.


Hey @mnagel, I think I found the issue. Your if statement in the collection script checks to see if $TargetUser matches "wmi.user". Unfortunately, tokens behave differently in collection than AD. In AD, a nonexistent property will return the token name. In a collection script, a nonexistent property will return a blank string. I think if you change your collection script to match on "" for user and pass, it will work.

I'll talk to the collector team about how we might be able to fix this and make things consistent.
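An added example (not mnagel's DataSource code and not anything from LogicMonitor) of the certificate scan this thread describes, with the credential check written so it behaves the same whether the token comes back blank (collection) or as the unexpanded token name (Active Discovery). The `##wmi.user##`, `##wmi.pass##` and `##system.hostname##` tokens and the `##`-separated discovery output layout are assumptions.

```powershell
# Added example, not the DataSource from this thread. Assumes LogicMonitor substitutes
# the ##wmi.user## / ##wmi.pass## / ##system.hostname## tokens before the script runs.
$TargetHost = "##system.hostname##"
$TargetUser = "##wmi.user##"
$TargetPass = "##wmi.pass##"

# A credential property may be absent. In an AD script the unexpanded token comes back
# ("wmi.user" or "##wmi.user##"); in a collection script it comes back as "".
# Treat every one of those forms as "no credential supplied".
function Test-TokenUnset {
    param([string]$Value, [string]$TokenName)
    return ([string]::IsNullOrWhiteSpace($Value) -or
            $Value -eq $TokenName -or
            $Value -eq "##$TokenName##")
}

# Walk every store under Cert:\ and report days remaining until NotAfter
# (negative once the certificate has already expired).
$ScanBlock = {
    $now = Get-Date
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Serial     = $_.SerialNumber
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [math]::Floor(($_.NotAfter - $now).TotalDays)
            }
        }
}

# Run locally when no hostname token was expanded, otherwise remote via WinRM,
# passing a credential only when both user and password tokens were actually set.
$params = @{ ScriptBlock = $ScanBlock }
if ($TargetHost -and $TargetHost -ne "##system.hostname##") {
    $params.ComputerName = $TargetHost
    if (-not (Test-TokenUnset $TargetUser 'wmi.user') -and -not (Test-TokenUnset $TargetPass 'wmi.pass')) {
        $secure = ConvertTo-SecureString $TargetPass -AsPlainText -Force
        $params.Credential = New-Object System.Management.Automation.PSCredential($TargetUser, $secure)
    }
}
$certs = Invoke-Command @params

# One line per certificate: serial as the wildvalue, store/subject as description,
# DaysLeft as the value a collection script would read back for that serial.
foreach ($c in $certs) {
    "{0}##{1}\{2}##{3}" -f $c.Serial, $c.Store, $c.Subject, $c.DaysLeft
}
```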


Got it -- that is subtle!  New version posted -- P3GXE7


Thanks! I need to make one more pass on it to enable custom alert messages. I added two different virtual datapoints so messages can say "expired XX ago" versus "will expire in XX". Looking forward to one day being able to just check stuff when alert messages are actually handled by template processors :).


Posted new version with datapoint messages and revised out of the box thresholds. Did not change AD or collection code, but it still shows pending review.

PE9KPD


@mnagel it's through review.

Our system isn't smart enough to notice that we've reviewed an identical script. It just flags anything with code for review (including Groovy CDPs). It would be nice to check them against a list of previously reviewed code and possibly bypass SR in that case.
