Binary Nature where the analog and digital bits of nature connect

Sunday, 12 June 2011

Configure a Windows device for Zenoss

Posted on 19:52 by Unknown
Zenoss Core is an enterprise-level systems and network monitoring solution. This post will show you how to configure Windows Server 2008 R2 to be properly monitored by Zenoss.

There are two primary channels for Zenoss to collect information from a Windows device. Zenoss can retrieve data via SNMP and WMI. SNMP gives us the most flexibility and the best device support, but WMI allows Zenoss to retrieve Windows-specific information like services and the event logs.


Simple Network Management Protocol (SNMP)
Zenoss Core uses SNMP to model attributes about a device (CPU, memory, disk, network, etc.). We need to make sure the Windows SNMP agent/service is properly installed and configured before the communication between our Windows device and the Zenoss Network Management Station (NMS) can happen.

# Install SNMP Services
We will first install the SNMP service. Run the following commands from an elevated PowerShell prompt:
PS> Import-Module -Name ServerManager
PS> Add-WindowsFeature -Name SNMP-Services

Verify the SNMP installation. Run the following command from an elevated PowerShell prompt:
PS> Get-WindowsFeature -Name snmp*

Display Name Name
------------ ----
[X] SNMP Services SNMP-Services
[X] SNMP Service SNMP-Service
[X] SNMP WMI Provider SNMP-WMI-Provider

# Configure the SNMP Service
We will now configure the SNMP service to link to our Zenoss server. Since we still have a PowerShell session open, enter the following command to open the Services MMC:
PS> services.msc
  1. Double-click SNMP Service to open the properties window.
  2. Select the Agent tab.
  3. Enter your information in the Contact and Location fields.
  4. Enable the Physical, Applications, End-to-end and optionally the Internet service-based options.
  5. Click the Apply button.
  6. Select the Security tab.
  7. Add your Community Name and the Community rights. The Community Name will need to match what has been configured on the Zenoss server; READ ONLY rights are sufficient for monitoring.
  8. Add the Zenoss server hostname (or IP address) to the Accept SNMP packets from these hosts list.
  9. Click the Apply button, then click the OK button to close the window.

# Install SNMP Informant
The base Windows SNMP agent does not return information about the host’s CPU, memory, or file system. The installation of the free SNMP Informant extension agent will “beef up” the native agent by exposing these essential components.
  1. Browse to http://www.snmp-informant.com and download the free SNMP Informant-STD package.
  2. Unzip the package and step thru the standard GUI Wizard-based install.
Restart the SNMP service to establish the changes. Run the following command from an elevated PowerShell prompt:
PS> Restart-Service -Name snmp

Windows Management Instrumentation (WMI)
We will implement the security principle of least privilege by creating and using a non-privileged AD domain user for remote WMI access. I will use an account named zenwmiq in my examples. We will need to set permissions in a few different areas to allow the zenwmiq user to query and return the required data.

# Local Security Groups
We will need to add our user to a few local security groups. Run these commands from an elevated PowerShell prompt:
PS> net localgroup "Distributed COM Users" zenwmiq /ADD
PS> net localgroup "Performance Monitor Users" zenwmiq /ADD
PS> net localgroup "Event Log Readers" zenwmiq /ADD

# WMI Namespace Security
Steve Lee (Microsoft Senior Test Manager) created a pair of PowerShell WMI namespace security scripts. The Get-WmiNamespaceSecurity.ps1 and Set-WmiNamespaceSecurity.ps1 scripts allow us to get/set the WMI namespace permissions on the local computer as well as a remote one. We will need to add the Enable Account and Remote Enable permissions for our zenwmiq user to the Root/CIMV2 namespace.

List the current security settings for the Root/CIMV2 namespace. Run this command from an elevated PowerShell prompt:
PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2

Add our access control entry (ACE) to the Root/CIMV2 access control list (ACL). Run this command from an elevated PowerShell prompt:
PS> Set-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 -Operation add -Account tendocalc\zenwmiq -Permissions Enable,RemoteAccess

Let’s verify our ACE was correctly added to the namespace ACL. Run this command from an elevated PowerShell prompt:
PS> Get-WmiNamespaceSecurity.ps1 -Namespace root/cimv2 | ? {$_.Name -like '*zen*'} | fl

Name : TENDOCALC\zenwmiq
Permission : {Enable, RemoteAccess}
Inherited : False

# Service Control Manager
The Service Control Manager ACL will also need to be modified to allow our zenwmiq user to enumerate and list the status of the services on our host.

We first need to get the security identifier (SID) of our domain user. Run these commands from an elevated PowerShell prompt:

PS> $account = New-Object Security.Principal.NTAccount "tendocalc\zenwmiq"
PS> $account.Translate([Security.Principal.SecurityIdentifier]).Value
S-1-5-21-4215953012-3604629762-2942499649-1497

We will use the service control (sc) command-line tool to get/set the security descriptor for the Service Control Manager (SCM). The sc command-line tool lets system administrators query and change the system privileges assigned to services. Let’s first display the current security descriptor for SCM. Run this command from an elevated PowerShell prompt:
PS> sc.exe sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

We now need to add our user (and linked rights) to the current ACL in the SDDL format. The following table shows the required rights we will need for our user:

String  Access Right                  Description
------  ----------------------------  -----------
CC      SC_MANAGER_CONNECT            Required to connect to the service control manager.
LC      SC_MANAGER_ENUMERATE_SERVICE  Required to call the EnumServicesStatusEx function to list the services that are in the database.
RP      SC_MANAGER_QUERY_LOCK_STATUS  Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.
RC      READ_CONTROL                  Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.

“Inject” the ACE as the last entry of the Discretionary Access Control List (DACL). Run this command from an elevated PowerShell prompt:
PS> sc.exe sdset scmanager 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-4215953012-3604629762-2942499649-1497)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
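The same DACL change can be made as an object operation instead of hand-assembling the SDDL string. The following PowerShell function is an added example, not code from the original post; it assumes an elevated prompt, sc.exe on the path, and an account name that resolves in your domain. It grants only the four rights from the table, refuses to add a second ACE for the same SID, and flags any existing rights beyond the read-only set.

```powershell
# Added example (not from the original post): grant a monitoring account the
# read-only SCM rights CC, LC, RP and RC by editing the security descriptor as
# an object, then optionally apply it with sc.exe sdset.
# Assumes an elevated prompt and sc.exe on the path.
function Grant-ScmReadAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Account,  # e.g. 'tendocalc\zenwmiq'
        [switch]$Apply                                   # without -Apply only the proposed SDDL is shown
    )

    # SC_MANAGER_CONNECT (CC) | SC_MANAGER_ENUMERATE_SERVICE (LC) |
    # SC_MANAGER_QUERY_LOCK_STATUS (RP) | READ_CONTROL (RC)
    $readMask = 0x0001 -bor 0x0004 -bor 0x0010 -bor 0x20000

    # Resolve the account to its SID; SDDL uses the SID for non-well-known accounts.
    $nt  = New-Object System.Security.Principal.NTAccount $Account
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # 'sc sdshow' prints a blank line followed by the SDDL string.
    $line = & sc.exe sdshow scmanager | Where-Object { $_.Trim() -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw 'Could not read the SCM security descriptor.' }
    $current = $line.Trim()

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $current

    # Idempotency and least-privilege check: if the SID is already in the DACL,
    # report any rights beyond the read-only set and leave the descriptor alone.
    foreach ($existing in $sd.DiscretionaryAcl) {
        if ($existing.SecurityIdentifier -eq $sid) {
            $extra = $existing.AccessMask -band (-bnot $readMask)
            if ($extra -ne 0) {
                Write-Warning ("{0} already holds SCM rights beyond the read-only set (mask 0x{1:X})." -f $Account, $existing.AccessMask)
            } else {
                Write-Host "$Account already has the required SCM rights; nothing to do."
            }
            return $current
        }
    }

    # Build an access-allowed ACE with no inheritance flags and append it to the
    # DACL, which yields the '(A;;CCLCRPRC;;;<SID>)' entry injected by hand above.
    $ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $readMask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Write-Host "Proposed SCM security descriptor:`n$new"

    if ($Apply) {
        & sc.exe sdset scmanager $new
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
    }
    return $new
}

# Dry run first; re-run with -Apply once the proposed descriptor looks right.
Grant-ScmReadAccess -Account 'tendocalc\zenwmiq'
# Grant-ScmReadAccess -Account 'tendocalc\zenwmiq' -Apply
```

Run sc.exe sdshow scmanager again after applying to confirm the new entry is the last ACE in the DACL and that the SACL is unchanged.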

Firewall
If the host firewall is enabled, we need to verify the proper inbound ports are open for connectivity with Zenoss. You can enable the rule (and rule groups) with the Windows Firewall with Advanced Security console, but I will use the netsh utility in my examples.

# SNMP
The installation of the SNMP components should enable the required firewall rule. You can verify this by running this command from an elevated PowerShell prompt:
PS> netsh advfirewall firewall show rule name="SNMP Service (UDP In)"

# WMI
WMI traffic is blocked by default, so we will need to enable the WMI rule group to open the ports. Run this command from an elevated PowerShell prompt:
PS> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

# ICMP
The ICMPv4 echo request packet type will need to be allowed for Zenoss to verify availability thru ping. Run this command from an elevated PowerShell prompt:
PS> netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
Posted in PowerShell, Windows, Zenoss

Friday, 13 May 2011

Compile and install Wireshark on Fedora and Ubuntu Linux

Posted on 23:17 by Unknown
Wireshark is the world’s most popular network analyzer. Almost every computer professional comes to a point when a network protocol analyzer is required to get the deepest visibility in determining what is causing network performance issues.

Grabbing the latest Wireshark release for Windows and Mac OS X is easy enough. You just point your web browser to http://www.wireshark.org to grab it. If you happen to use Linux as your OS of choice, things can be a little trickier.

The Wireshark package listed with most Linux distribution repositories is usually a version or two behind the current stable release. Even if the repositories have the latest stable release, what do you do if you want to try out the bleeding edge features of the latest development release? You may have no other choice except to do a source-based installation. This post will show you how to do just that.

Get Wireshark
Navigate your web browser to http://www.wireshark.org/download.html. In my example, I click the Development Release | Source Code link to download the wireshark-1.5.1.tar.bz2 compressed tarball file. Most will choose the Stable Release | Source Code.

Compile and Install Wireshark
Fedora and Ubuntu/Mint differ slightly; I will detail each in its own section.

# Fedora
You may need to download and install the Development Tools package group. This package group is similar to build-essential on Debian-based Linux distributions. Run the following commands from the terminal:

$ su -c 'yum clean all'
$ su -c 'yum update'
$ su -c 'yum groupinstall "Development Tools"'

We need to fetch some dependency packages to ensure a successful source-based installation of Wireshark. Run this command from the terminal:
$ su -c 'yum install bison flex gtk2-devel libpcap-devel c-ares-devel libsmi-devel gnutls-devel libgcrypt-devel krb5-devel GeoIP-devel ortp-devel portaudio-devel'

Change to the directory where you saved the Wireshark compressed tarball file. I saved the file in my $HOME/Downloads directory. Run this command from the terminal:
$ cd ~/Downloads

We will now unpack the Wireshark compressed tarball file to the /tmp directory. Run this command from the terminal:
$ tar xf wireshark-1.5.1.tar.bz2 -C /tmp

Change to the /tmp/wireshark-1.5.1 directory. Run this command from the terminal:
$ cd /tmp/wireshark-1.5.1

Run the autogen.sh script to configure your build directory:
$ ./autogen.sh

Run the configure script. This checks your Linux system to ensure it has the proper library dependencies, in addition to the proper compiler to compile the source code. Run this command from the terminal:
$ ./configure --enable-setcap-install

If everything has checked out, we will see a summary output of the compile-time options for the Wireshark package.
The Wireshark package has been configured with the following options.
Build wireshark : yes
Build tshark : yes
Build capinfos : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build text2pcap : yes
Build idl2wrs : yes
Build randpkt : yes
Build dftest : yes
Build rawshark : yes

Install dumpcap with capabilities : yes
Install dumpcap setuid : no
Use dumpcap group : (none)
Use plugins : yes
Use lua library : no
Use python binding : no
Build rtp_player : yes
Use threads : no
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use pcre library : no (using GRegex instead)
Use kerberos library : yes (MIT)
Use c-ares library : yes
Use GNU ADNS library : no (using c-ares instead)
Use SMI MIB library : yes
Use GNU crypto library : yes
Use SSL crypto library : no
Use IPv6 name resolution : yes
Use gnutls library : yes
Use POSIX capabilities library : no
Use GeoIP library : yes

Let’s now build Wireshark. The make command compiles the source code and then invokes the linker to create the final executable files for the package. Run this command from the terminal:
$ make

It’s finally time to install Wireshark. Run this command from the terminal:
$ su -c 'make install'

# Ubuntu/Mint
Let’s start off by updating the local package index with the latest changes made in our defined repositories. Run this command from the terminal:
$ sudo apt-get update

We need to fetch some dependency packages to ensure a successful source-based installation of Wireshark. Run this command from the terminal:
$ sudo apt-get install autoconf bison flex libtool libgtk2.0-dev libpcap-dev libc-ares-dev libsmi2-dev libgnutls-dev libgcrypt11-dev libkrb5-dev libcap2-bin libgeoip-dev libortp-dev libportaudio-dev

Change to the directory where you saved the Wireshark compressed tarball file. I saved the file in my $HOME/Downloads directory. Run this command from the terminal:
$ cd ~/Downloads

We will now unpack the Wireshark compressed tarball file to the /tmp directory. Run this command from the terminal:
$ tar xf wireshark-1.5.1.tar.bz2 -C /tmp

Change to the /tmp/wireshark-1.5.1 directory. Run this command from the terminal:
$ cd /tmp/wireshark-1.5.1

Run the autogen.sh script to configure your build directory:
$ ./autogen.sh

Run the configure script. This checks your Linux system to ensure it has the proper library dependencies, in addition to the proper compiler to compile the source code. Run this command from the terminal:
$ ./configure --enable-setcap-install

If everything has checked out, we will see a summary output of the compile-time options for the Wireshark package.

The Wireshark package has been configured with the following options.
Build wireshark : yes (with GTK+ 2)
Build tshark : yes
Build capinfos : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build reordercap : yes
Build text2pcap : yes
Build randpkt : yes
Build dftest : yes
Build rawshark : yes

Save files as pcap-ng by default : yes
Install dumpcap with capabilities : yes
Install dumpcap setuid : no
Use dumpcap group : (none)
Use plugins : yes
Use Lua library : no
Use Python binding : no
Build rtp_player : yes
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use kerberos library : yes (MIT)
Use c-ares library : yes
Use GNU ADNS library : no (using c-ares instead)
Use SMI MIB library : yes
Use GNU crypto library : yes
Use SSL crypto library : no
Use IPv6 name resolution : yes
Use gnutls library : yes
Use POSIX capabilities library : no
Use GeoIP library : yes
Use nl library : no

Let’s now build Wireshark. The make command compiles the source code and then invokes the linker to create the final executable files for the package. Run this command from the terminal:
$ make

It’s finally time to install Wireshark. Run this command from the terminal:
$ sudo make install

Run Wireshark
We have come to the easiest step of the process. Run Wireshark with this command from the terminal:
$ wireshark &



Troubleshooting
If you get an error that states wireshark: error while loading shared libraries: libwireshark.so.0: cannot open shared object file: No such file or directory, then just run ldconfig to properly update the shared library symbolic links. Run this command from the terminal:

# Fedora
$ su -c '/sbin/ldconfig'

# Ubuntu/Mint
$ sudo ldconfig
Posted in Linux

Sunday, 8 May 2011

Cisco Security Device Manager on the Mac

Posted on 14:47 by Unknown
Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool that enables you to deploy and manage the services on a Cisco IOS router. Even if you decide to do your initial configuration with the CLI, the Monitoring mode of the SDM is a great way to get a graphical real-time "pulse" on the state of your router.

The SDM application can run either as an application installed on your Windows PC or from the router’s flash thru your web browser. This post will show you how to install, and run, the SDM application in Mac OS X. This should go without saying, but don't expect official support from Cisco regarding this configuration.

My main use case for this was to use Mac OS X, with the Cisco SDM, for the CCNA Security lab exercises with GNS3. You could also use these directions to install the Cisco SDM on Linux, albeit with a different method of grabbing the Wine package.

Get and Install the Software
We will now obtain and install the required software in this section. It is very important to download the exact versions of Mozilla Firefox for Windows and the Java Runtime Environment for Windows given below. If you do a search around the web, you will notice a pattern of issues with SDM when you don't have a compatible Firefox/JRE version pair. I had to do some "trial and error" to find a stable version pair.

#MacPorts
MacPorts will give your Mac OS X operating system access to ~8000 ports (open-source software). Our X server and Wine installations will require the MacPorts infrastructure to be installed and configured correctly. If you don’t have MacPorts already installed, visit http://www.macports.org for the full details of the installation process.

If you have MacPorts already installed, synchronize your installation with the MacPorts rsync server. Open Terminal.app and run this command:
$ sudo port -d selfupdate

#XQuartz X Server
The XQuartz project is an open-source effort to develop a version of the X.org X Window System that runs on Mac OS X. Run this command from Terminal.app to install the latest X11 server on your system thru MacPorts:
$ sudo port -v install xorg-server

#Wine
Wine is a compatibility layer that allows you to run Windows software on your Mac without the requirement of a virtualization hypervisor. We will use Wine for the Windows version of Firefox, Java Runtime Environment (JRE), and the Cisco SDM software. Run this command from Terminal.app to install the latest version of Wine thru MacPorts:
$ sudo port -v install wine

We can verify a successful installation by running this command from Terminal.app:
$ wine notepad &

You should see the Wine Notepad application launch.


#Mozilla Firefox for Windows
Download Mozilla Firefox 3.0.19 for Windows. A simple Google query of “windows firefox 3.0.19 download” should return a list of at least a few sites still hosting this older version. I saved the file to my /Users/marc/Downloads/Windows directory.

We will now install the Firefox application thru Wine. Run this command from Terminal.app (Note: Remember Bash tab completion is your friend):
$ wine "~/Downloads/Windows/Firefox Setup 3.0.19.exe" &

Select the defaults for the Mozilla Firefox Setup Wizard. Uncheck Launch Firefox now at the end of the setup and click Finish.

#Java Runtime Environment for Windows
The Cisco SDM leverages the JRE. Download Java Platform Standard Edition (Java SE) 6 Update 6 from Oracle. I found this file version in the archive section of their site. I saved the file to my /Users/marc/Downloads/Windows directory.

Install the Java Runtime Environment (JRE) thru Wine. Run this command from Terminal.app:
$ wine ~/Downloads/Windows/jre-6u6-windows-i586-p.exe &
  • Click the Accept button to install the JRE.
  • Click the Finish button to end the setup wizard.

#Cisco Security Device Manager
We have finally come to the installation of the Cisco SDM with all the prerequisite installations complete. You will need to download the Cisco SDM 2.5 from http://www.cisco.com. I’ve unpacked the SDM package to my /Users/marc/Downloads/Windows/SDMv25 directory.

Launch the SDM setup with following command in Terminal.app:
$ wine ~/Downloads/Windows/SDMv25/setup.exe &
  • Click the Next button to start the wizard.
  • Select I accept the terms of the license agreement and click the Next button.
  • Select This Computer on the Install Options screen then click the Next button.

  • Click the Next button to accept the default install location.
  • Click the Install button on the following screen.
  • Click the Finish button to close the Installation Wizard Complete screen.

Configuration
We still have a few configuration steps left for Firefox and the Cisco IOS.

#Firefox
In this step, we will force Firefox to be the default browser when launching the SDM. Run this command from Terminal.app:
$ wine ~/.wine/drive_c/Program\ Files/Mozilla\ Firefox/firefox.exe -silent -setDefaultBrowser

We also need to disable the pop-up blocker in Firefox (requirement for SDM). Run this command from Terminal.app to open Firefox:
$ wine ~/.wine/drive_c/Program\ Files/Mozilla\ Firefox/firefox.exe &
  • Click Tools -> Options from the top toolbar menu.
  • Click the Content tab.
  • Uncheck Block pop-up windows and click the OK button.

Close the Firefox application.

#Configure IOS for SDM Access
Best practice would dictate you enable the secure web server in a production environment, but I will be using the basic HTTP web server for testing purposes in our example.

Create a user and enable the HTTP server.
R1> enable
R1# conf t
R1(config)# username marc privilege 15 secret cisco
R1(config)# ip http server
R1(config)# ip http authentication local
R1(config)# ip http timeout-policy idle 600 life 86400 requests 1000
R1(config)# exit

Set the IP address for the network interface (re-enter global configuration mode first).
R1# conf t
R1(config)# int fa0/0
R1(config-if)# ip address 10.11.1.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# end

Launch Security Device Manager
We are almost there. Let’s open the SDM Launcher by running this command from Terminal.app:
$ wine ~/.wine/drive_c/Program\ Files/Cisco\ Systems/Cisco\ SDM/SDMLauncher.exe &
  • Enter your router IP address/Hostname into the Device IP Address or Hostname field.
  • Enable the This device has HTTPS enabled and I want to use it. checkbox if you have configured the ip http secure-server option in the router IOS configuration.
  • Click the Launch button to open the SDM Java applet.


A Firefox window should now appear with a login dialog box in the foreground.
  • Enter your credentials in the Authentication Required dialog box.
  • Click the OK button to login.
Authentication Required

We should now be presented with the Cisco Router and Security Device Manager (SDM) window.

Cisco Router and Security Device Manager

Troubleshooting
This section will give you a workaround if you are having graphical issues with SDM. Wine does a pretty good job of translating Windows DirectX, but it is still a little rough around the edges. We can disable DirectX acceleration for Java with a registry setting. This will allow you to launch the SDM in software rendering mode.

Open the Wine Configuration Editor. Run this command from Terminal.app:
$ winecfg &

On the Graphics tab, enable the Emulate a virtual desktop checkbox and create a desktop size of 1024 x 768. Click the OK button to save the settings.


Now open the Wine Control Panel. Run this command from Terminal.app:
$ wine control &



Double-click the Java icon. The Java configuration panel may not launch, and you may also notice a Java exception access violation error in the output of Terminal.app. This step is still necessary because the event creates the proper Java registry data which we will modify in the next step.

Open the Registry Editor. Run this command from Terminal.app:
$ regedit &
  • Navigate thru the registry with the path of \HKEY_CURRENT_USER\Software\JavaSoft\Java2D\1.6.0_3.
  • Double-click the DXAcceleration key.
  • Enter 0 for the hexadecimal value and click the OK button.
Registry Editor

Close the Registry Editor.

The next time you launch the Cisco SDM you should be able to run the Java applet without graphical glitches.
Posted in Cisco, GNS3, Mac