Werk #10677: Windows plugins and local checks can be called using non-system account
| Component | Checks & agents |
| Title | Windows plugins and local checks can be called using non-system account |
| Date | Jan 9, 2020 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.0.0i1 |
| Level | Prominent Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
Previously the plugins and local check were always called using Windows System account. Such approach could restrict access to some resources, for example, network shares. Now this problem has been resolved.
The new ruleset in Bakery Run plugins and local checks using non-system account gives the possibility to run any Windows script using a given user account.
There are two modes of the rule:
group mode, in this case Windows Agent provides its own internal user in the requested group to run a script.
user mode, in this case the credentials for the given user account must be fully specified.
The group mode is more secure, because no credentials need to be stored anywhere, except in the agent internally. When using the user mode, the provided credentials are stored on all Checkmk servers to which the configuration is applied. Also, the credentials will be baked into the distributed to target systems agent bakery packages(MSI files).
The same functionality in Raw Edition can be achieved using Agent configuration file.
To set group mode for desired plugin pattern you should assign the name of the local group to the key group. To set user mode for desired plugin pattern you should assign string with user name and password separated with one space to the key user. Detailed example you may found in the provided configuration file.
We highly recommend using the group mode whenever possible.
