Group managed service account (MSA) for Windows check_mk agent

For piggyback monitoring of e.g. storage systems we use signed PowerShell scripts and store credentials using PSCredential objects. As long as the check_mk service runs in the SYSTEM context, it is easy for an attacker with local administrator rights to gain access to these credentials.
The idea is to use a group managed service account; in this case the stored credentials would be secure in the context of the AD account and could not be decrypted by SYSTEM or any other admin account.

In my manual setup, this is already working as expected, but since we update the agents automatically, the service account always reverts to SYSTEM after a change.

Best would be to have a rule to specify the service account for installation, or to tell the installation procedure not to change an existing service. Or did I miss an existing way to achieve this?

@sonusandeep already had this idea in 2019
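A workaround for the revert described above, as an added example that is not from the original post or from the Checkmk project: a script that checks which account the agent service runs under after an update and puts the gMSA back if the installer reset it to LocalSystem. It assumes the service is named `CheckMkService` (the default name of the Checkmk Windows agent service) and uses the hypothetical gMSA `CONTOSO\cmkagent$`.

```powershell
# Added example: verify the Checkmk agent service still runs under the gMSA
# and restore it if an automatic agent update reset it to LocalSystem.
# Assumptions: service name 'CheckMkService' and gMSA 'CONTOSO\cmkagent$'
# (hypothetical). Run elevated on the monitored host, e.g. from a scheduled
# task that fires after the agent update window.

$ServiceName = 'CheckMkService'
$Gmsa        = 'CONTOSO\cmkagent$'   # gMSA names always end with '$'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# StartName is the logon account the service control manager will use,
# e.g. 'LocalSystem' after a fresh install or 'CONTOSO\cmkagent$' when correct.
if ($svc.StartName -eq $Gmsa) {
    Write-Output "OK: $ServiceName already runs as $Gmsa"
    return
}

Write-Warning "$ServiceName runs as '$($svc.StartName)', expected '$Gmsa'; resetting"

# The gMSA password is managed by AD, so an empty password is supplied.
# sc.exe requires the space after 'obj=' and 'password=' exactly as written.
& sc.exe config $ServiceName obj= $Gmsa password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# The gMSA must already hold the 'Log on as a service' right on this host and
# the host must be allowed to retrieve the gMSA password; the agent installer
# grants neither, so the restart fails if either is missing.
Restart-Service -Name $ServiceName -ErrorAction Stop

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
Write-Output "Now running as $($svc.StartName) (state: $($svc.State))"
```

Credentials exported with Export-Clixml while running as the gMSA are DPAPI-bound to that account, so they stay unreadable to SYSTEM and to local administrators as long as the service keeps running under it.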
