Module: check_mk
Branch: master
Commit: 96aa316f0984b2c412e7558b6fc07209c0ce4250
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96aa316f0984b2…
Author: Bastian Kuhn <bk(a)mathias-kettner.de>
Date: Mon Mar 31 17:18:03 2014 +0200
fix in nagvis_icon.mk
---
doc/treasures/nagvis_icon/nagvis_icon.mk | 3 ++-
doc/treasures/nagvis_icon/nagvis_icon.py | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc/treasures/nagvis_icon/nagvis_icon.mk b/doc/treasures/nagvis_icon/nagvis_icon.mk
index 9ac6056..3d3dddd 100644
--- a/doc/treasures/nagvis_icon/nagvis_icon.mk
+++ b/doc/treasures/nagvis_icon/nagvis_icon.mk
@@ -10,7 +10,8 @@ for _nm in glob.glob(_path):
for _nhost in [ _l for _l in file(_nm).readlines() if _l.startswith('host_name')]:
_nhost = _nhost.split('=')[-1].strip()
_hosts.setdefault(_nhost, [])
- _hosts[_nhost].append(_mapname)
+ if _mapname not in _hosts[_nhost]:
+ _hosts[_nhost].append(_mapname)
extra_host_conf['_nagvismaps'] = []
for _nhost, _maps in _hosts.items():
diff --git a/doc/treasures/nagvis_icon/nagvis_icon.py b/doc/treasures/nagvis_icon/nagvis_icon.py
index 2d7dff2..bcc6356 100644
--- a/doc/treasures/nagvis_icon/nagvis_icon.py
+++ b/doc/treasures/nagvis_icon/nagvis_icon.py
@@ -1,6 +1,8 @@
#!/usr/bin/python
# Please refer to nagvis_icon.mk to see a way how to add the nagvismaps custom macro
+# copy me to ~/local/share/check_mk/web/pluins/icon and restart the site apache
+
def paint_nagvis_image(what, row, tags, custom_vars):
if what != 'host' or not custom_vars.get('NAGVISMAPS'):
return
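Review bot: The install path in the added comment reads `web/pluins/icon`, which looks like a typo for `web/plugins/icon`; a reader who copies the file to the literal path will presumably end up in a directory the site does not load icons from. Suggest `# copy me to ~/local/share/check_mk/web/plugins/icon and restart the site apache`. paint_nagvis_image continues outside the hunk.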
Module: check_mk
Branch: master
Commit: 913ca325c0c286aedad1e08e0172c7a7841b82d1
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=913ca325c0c286…
Author: Bastian Kuhn <bk(a)mathias-kettner.de>
Date: Mon Mar 31 16:53:53 2014 +0200
Added a simple icon to show links to navis maps. (located in treasures/nagvis_icon)
---
doc/treasures/nagvis_icon/nagvis_icon.mk | 18 ++++++++++++++++++
doc/treasures/nagvis_icon/nagvis_icon.py | 16 ++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/doc/treasures/nagvis_icon/nagvis_icon.mk b/doc/treasures/nagvis_icon/nagvis_icon.mk
new file mode 100644
index 0000000..9ac6056
--- /dev/null
+++ b/doc/treasures/nagvis_icon/nagvis_icon.mk
@@ -0,0 +1,18 @@
+#This config file adds the name of each nagvis map contaning a host as custom macro.
+#The information is used for the nagvis_icon.py to show a nagvis icon in the gui
+
+# Just place this file to check_mk/conf.d
+
+_path = '/omd/sites/%s/etc/nagvis/maps/*.cfg' % omd_site
+_hosts = {}
+for _nm in glob.glob(_path):
+ _mapname = _nm.split("/")[-1].split('.')[0]
+ for _nhost in [ _l for _l in file(_nm).readlines() if _l.startswith('host_name')]:
+ _nhost = _nhost.split('=')[-1].strip()
+ _hosts.setdefault(_nhost, [])
+ _hosts[_nhost].append(_mapname)
+
+extra_host_conf['_nagvismaps'] = []
+for _nhost, _maps in _hosts.items():
+ extra_host_conf['_nagvismaps'].append( ( ",".join(_maps), [_nhost] ) )
+
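Review bot: `file(_nm).readlines()` opens every map file without closing it, and reads the whole file only to filter on lines starting with `host_name`; `with open(_nm) as _f:` and iterating `_f` directly would close the handle and read lazily. The loop variable `_nhost` is rebound to the parsed host name on the next line, so the same name means two different things within three lines; `for _line in ...: _nhost = _line.split('=')[-1].strip()` keeps them apart. `glob` and `omd_site` are used without being imported or defined in this file, presumably because the config loader provides them — a one-line comment at the top stating that assumption would help the next reader.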
diff --git a/doc/treasures/nagvis_icon/nagvis_icon.py b/doc/treasures/nagvis_icon/nagvis_icon.py
new file mode 100644
index 0000000..2d7dff2
--- /dev/null
+++ b/doc/treasures/nagvis_icon/nagvis_icon.py
@@ -0,0 +1,16 @@
+#!/usr/bin/python
+# Please refer to nagvis_icon.mk to see a way how to add the nagvismaps custom macro
+
+def paint_nagvis_image(what, row, tags, custom_vars):
+ if what != 'host' or not custom_vars.get('NAGVISMAPS'):
+ return
+ h = ""
+ for nagvis_map in custom_vars['NAGVISMAPS'].split(','):
+ h += '<a href="../nagvis/frontend/nagvis-js/index.php?mod=Map&act=view&show=%s" title="%s"><img class=icon src="images/icon_nagvis.png"/></a>' \
+ % ( nagvis_map, nagvis_map )
+
+ return h
+
+multisite_icons.append({
+ 'paint': paint_nagvis_image,
+})
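Review bot: On the `h +=` line the map name is interpolated into the `href` and `title` attributes without any escaping, so a map name containing `"`, `&` or `<` breaks or alters the markup. The names come from file names under the NagVis maps directory (see nagvis_icon.mk in this commit), so they are not user input in the usual sense, but escaping at the HTML boundary is cheap: `% (urllib.quote(nagvis_map), cgi.escape(nagvis_map, True))` with `import cgi, urllib` at the top of the file. Building the result with `+=` in a loop is also the pattern `"".join(...)` over a list replaces.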
Module: check_mk
Branch: master
Commit: 3268a2ee4e447229d743d821274e9e09717bb607
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3268a2ee4e4472…
Author: Götz Golla <gg(a)mathias-kettner.de>
Date: Mon Mar 31 15:02:12 2014 +0200
nfsexports.solaris: new agent plugin for monitoring nfs exports on solaris systems
This agent plugin delivers information about nfs exports on Solaris systems in stand-alone
as well as clustered environments.
---
.werks/600 | 9 ++++++
ChangeLog | 1 +
agents/solaris/nfsexports.solaris | 57 +++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+)
diff --git a/.werks/600 b/.werks/600
new file mode 100644
index 0000000..89d8d4b
--- /dev/null
+++ b/.werks/600
@@ -0,0 +1,9 @@
+Title: nfsexports.solaris: new agent plugin for monitoring nfs exports on solaris systems
+Level: 1
+Component: checks
+Version: 1.2.5i2
+Date: 1396270818
+Class: feature
+
+This agent plugin delivers information about nfs exports on Solaris systems in stand-alone
+as well as clustered environments.
diff --git a/ChangeLog b/ChangeLog
index a32df95..a0cf1b1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
* 0775 ibm_svc_systemstats.diskio: new check for disk throughput in IBM SVC / V7000 devices in total
* 0764 lnx_quota: Added new check to monitor Linux File System Quota...
* 0776 ibm_svc_nodestats.cpu_util: new check for CPU Utilization per Node on IBM SVC / V7000 devices
+ * 0600 nfsexports.solaris: new agent plugin for monitoring nfs exports on solaris systems...
* 0740 FIX: winperf_if: now able to handle bandwidth > 4GBit...
Multisite:
diff --git a/agents/solaris/nfsexports.solaris b/agents/solaris/nfsexports.solaris
new file mode 100644
index 0000000..39c6443
--- /dev/null
+++ b/agents/solaris/nfsexports.solaris
@@ -0,0 +1,57 @@
+#!/usr/bin/bash
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2010 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+# Check_MK agent plugin for monitoring nfsexports on Solaris. This plugin
+# has been tested with solaris 10 in a standalone and cluster setting.
+
+clusterconfigdir="/etc/cluster/ccr/global/directory"
+if [ -r $clusterconfigdir ]; then
+ # is a clustered nfs server
+ nfsconfig=/etc/cluster/ccr/global/`grep rgm $clusterconfigdir | grep nfs | grep rg_`
+ if [ -r $nsconfig ]; then
+ Pathprefix=`grep Path $nfsconfig | awk {'print $2'}`/SUNW.nfs
+ dfstabfile=$Pathprefix/dfstab.`grep -v FilesystemMountPoints $nfsconfig | grep SUNW.nfs | \
+ awk {'print $1'} | sed -e 's/RS_//'`
+ if [ -r $dfstabfile ]; then
+ EXPORTS=`grep -v ^# $dfstabfile | grep -v ^$`
+ ps -aef | grep nfsd | grep $Pathprefix >/dev/null && DAEMONS="ok"
+ fi
+ fi
+else
+ # is a standalone nfs server
+ dfstabfile="/etc/dfs/dfstab"
+ if [ -r $dfstabfile ]; then
+ EXPORTS=`grep -v ^# $dfstabfile | grep -v ^$`
+ svcs -a | grep nfs/server | grep ^online >/dev/null && DAEMONS="ok"
+ fi
+fi
+
+# any exports or have running daemons? then look for registered exports
+if [ "$EXPORTS" ]; then
+ echo "<<<nfsexports>>>"
+ if [ "$DAEMONS" ]; then
+ showmount -e | grep ^/
+ fi
+fi
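Review bot: The guard `if [ -r $nsconfig ]` in the clustered branch tests a variable that is never assigned (the line before sets `nfsconfig`); with the name unset the test collapses to `[ -r ]`, which is true, so the branch runs its greps even when the config file is missing or unreadable. Change it to `if [ -r "$nfsconfig" ]; then`, and quote the other expansions (`"$clusterconfigdir"`, `"$dfstabfile"`, `"$Pathprefix"`) since these names are assembled from grep output and may contain whitespace. The `nfsconfig=` assignment appends whole matching line(s) of the ccr directory file rather than a field; if that file can list more than one `rgm`/`nfs`/`rg_` entry the path becomes unusable — presumably exactly one is expected, which deserves a comment. `EXPORTS` and `DAEMONS` are never initialised, so values inherited from the environment could reach the final tests; `EXPORTS=; DAEMONS=` near the top avoids that.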
Module: check_mk
Branch: master
Commit: afbee9905e18dd96e1bbb5a49bd85ba298a37b4e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=afbee9905e18dd…
Author: Bernd Stroessenreuther <bs(a)mathias-kettner.de>
Date: Mon Mar 31 14:51:36 2014 +0200
ibm_svc_mdisk: mode array is now also considered to be ok
---
checkman/ibm_svc_mdisk | 2 +-
checks/ibm_svc_mdisk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkman/ibm_svc_mdisk b/checkman/ibm_svc_mdisk
index 3226a22..39cc756 100644
--- a/checkman/ibm_svc_mdisk
+++ b/checkman/ibm_svc_mdisk
@@ -9,7 +9,7 @@ description:
Status {online} is {OK}, status {offline} and {excluded} are {CRIT} and
every other status is {WARN}.
- Mode {managed} is {OK} and every other mode is {WARN}.
+ Modes {managed} and {array} are {OK} and every other mode is {WARN}.
The worst of both is returned as check result.
diff --git a/checks/ibm_svc_mdisk b/checks/ibm_svc_mdisk
index 2422ae6..a88a6eb 100644
--- a/checks/ibm_svc_mdisk
+++ b/checks/ibm_svc_mdisk
@@ -62,7 +62,7 @@ def check_ibm_svc_mdisk(item, _no_params, info):
# check mdisk_mode
message += ", Mode %s" % mdisk_mode
- if mdisk_mode != "managed":
+ if mdisk_mode not in ( "managed", "array" ):
status = max(status, 1)
message += "(!)"
Module: check_mk
Branch: master
Commit: 50bb17166b31a46a53716f9d238d9b009906827f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=50bb17166b31a4…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Mar 31 12:09:30 2014 +0200
FIX Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)
This change fixes possible attacks against Check_MK Multisite users. In previous
versions a possible attacker could try to make the browsers of authenticated users
open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
knowledge of the attacked user.
To make such an attack possible, there are several things needed: The user must be
authenticated with multisite and have enough permission within multisite to execute
the actions the attacker wants to use, the attacker needs to know the exact URL to the
Multisite GUI. Then the attacker needs to make the user either click on a manipulated
link or open a manipulated webpage which makes the browser of the user, where the user
is authenticated with multisite, open the URL the attacker wants to make it open.
The multisite GUI makes use of transids (transaction ids) when processing form
submissions or actions. The transids were mainly used to prevent double execution
of actions when reloading the page which performed the action in the browser.
Now we changed internal handling of the transid to make it also prevent CSRF attacks.
The transid is now some kind of shared secret between the webserver and the browser
of the user. This ensures a form submission is intended by a previously requested page.
This change implies an incompatible change: In case you use a script which opens
multisite pages to perform an action, e.g. set a downtime and use this with a regular
user account which authenticates by username/password, the script won't work anymore
after this change.
The way to go is to adapt the script and change the user to authenticate with an
automation secret instead of a password. For this kind of authentication, you will
need to use other URL parameters (_username=... and _secret=...).
---
.werks/766 | 33 +++++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 69 +++++++++++++++++++++++++++++++++++--------------
web/htdocs/login.py | 2 ++
4 files changed, 86 insertions(+), 19 deletions(-)
diff --git a/.werks/766 b/.werks/766
new file mode 100644
index 0000000..21d8748
--- /dev/null
+++ b/.werks/766
@@ -0,0 +1,33 @@
+Title: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)
+Level: 3
+Component: multisite
+Version: 1.2.5i2
+Date: 1396259365
+Class: fix
+
+This change fixes possible attacks against Check_MK Multisite users. In previous
+versions a possible attacker could try to make the browsers of authenticated users
+open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
+knowledge of the attacked user.
+
+To make such an attack possible, there are several things needed: The user must be
+authenticated with multisite and have enough permission within multisite to execute
+the actions the attacker wants to use, the attacker needs to know the exact URL to the
+Multisite GUI. Then the attacker needs to make the user either click on a manipulated
+link or open a manipulated webpage which makes the browser of the user, where the user
+is authenticated with multisite, open the URL the attacker wants to make it open.
+
+The multisite GUI makes use of transids (transaction ids) when processing form
+submissions or actions. The transids were mainly used to prevent double execution
+of actions when reloading the page which performed the action in the browser.
+Now we changed internal handling of the transid to make it also prevent CSRF attacks.
+The transid is now some kind of shared secret between the webserver and the browser
+of the user. This ensures a form submission is intended by a previously requested page.
+
+This change impicates an incompatible change: In case you use a script which opens
+multisite pages to perform an action, e.g. set a downtime and use this with a regular
+user account which authenticates by username/password, the script won't work anymore
+after this change.
+The way to go is to adapt the script and change the user to authenticate with an
+automation secret instead of a password. For this kind of authentication, you will
+need to user other URL parameters (_username=... and _secret=...).
diff --git a/ChangeLog b/ChangeLog
index 5c95b6f..4c9d690 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@
Multisite:
* 0765 NagVis-Maps-Snapin: Now visualizes downtime / acknowledgment states of maps...
+ * 0766 FIX: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)...
1.2.5i1:
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index 8c31d42..6a9c84c 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -74,6 +74,8 @@ class html:
self.treestates = {}
self.treestates_for_id = None
self.caches = {}
+ self.new_transids = []
+ self.ignore_transids = False
RETURN = 13
SHIFT = 16
@@ -801,6 +803,9 @@ class html:
self.bottom_footer()
self.body_end()
+ # Hopefully this is the correct place to performe some "finalization" tasks.
+ self.store_new_transids()
+
def add_status_icon(self, img, tooltip, url = None):
if url:
self.status_icons[img] = tooltip, url
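Review bot: Transids generated while rendering are persisted only when `footer()` reaches the new `store_new_transids()` call, so a page that emits a form or action link and then ends without its footer (an exception or a redirect after rendering, if such paths exist) leaves ids the browser holds unknown to the server, and the later submit is rejected; if that can happen, calling the store from a `finally` on the rendering entry point or from request teardown would be safer — that entry point is not visible here. The call is also unconditional, so every page load rewrites the per-user file even when `self.new_transids` is empty; the expiry sweep it performs may justify that, but `if self.new_transids:` in front of it would remove most of the writes. Minor: the added comment says `performe`.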
@@ -938,35 +943,61 @@ class html:
if not self.has_var("_ajaxid"):
self.javascript("if(parent && parent.frames[0]) parent.frames[0].location.reload();");
- # Compute a (hopefully) unique transaction id
+ def set_ignore_transids(self):
+ self.ignore_transids = True
+
+ # Compute a (hopefully) unique transaction id. This is generated during rendering
+ # of a form or an action link, stored in a user specific file for later validation,
+ # sent to the users browser via HTML code, then submitted by the user together
+ # with the action (link / form) and then validated if it is a known transid. When
+ # it is a known transid, it will be used and invalidated. If the id is not known,
+ # the action will not be processed.
def fresh_transid(self):
- return "%d/%d" % (int(time.time()), random.getrandbits(32))
+ transid = "%d/%d" % (int(time.time()), random.getrandbits(32))
+ self.new_transids.append(transid)
+ return transid
# Marks a transaction ID as used. This is done by saving
# it in a user specific settings file "transids.mk". At this
# time we remove all entries from that list that are older
- # then one week.
- def invalidate_transid(self, id):
- used_ids = self.load_transids()
- new_ids = []
+ # than one week.
+ def store_new_transids(self):
+ valid_ids = self.load_transids()
+
+ cleared_ids = []
now = time.time()
- for used_id in used_ids:
- timestamp, rand = used_id.split("/")
+ for valid_id in valid_ids:
+ timestamp, rand = valid_id.split("/")
if now - int(timestamp) < 604800: # 7 * 24 hours
- new_ids.append(used_id)
- used_ids.append(id)
- self.save_transids(used_ids)
-
- # Checks, if the current transaction is valid, i.e. now
- # browser reload. The HTML variable _transid must be present.
- # If it is empty or -1, then it's always valid (this is used
- # for webservice calls).
+ cleared_ids.append(valid_id)
+
+ self.save_transids(cleared_ids + self.new_transids)
+
+ # Remove the used transid from the list of valid ones
+ def invalidate_transid(self, used_id):
+ valid_ids = self.load_transids()
+ try:
+ valid_ids.remove(used_id)
+ except ValueError:
+ return
+ self.save_transids(valid_ids)
+
+ # Checks, if the current transaction is valid, i.e. in case of
+ # browser reload a browser reload, the form submit should not
+ # be handled a second time.. The HTML variable _transid must be present.
+ #
+ # In case of automation users (authed by _secret in URL): If it is empty
+ # or -1, then it's always valid (this is used for webservice calls).
+ # This was also possible for normal users, but has been removed to preven
+ # security related issues.
def transaction_valid(self):
if not self.has_var("_transid"):
return False
id = self.var("_transid")
- if not id or id == "-1":
+ if not id or self.ignore_transids:
return True # automation
+
+ # Normal user/password auth user handling
timestamp, rand = id.split("/")
# If age is too old (one week), it is always
@@ -975,8 +1006,8 @@ class html:
if now - int(timestamp) >= 604800: # 7 * 24 hours
return False
- # Now check, if this id is not yet invalidated
- return id not in self.load_transids()
+ # Now check, if this id is a valid one
+ return id in self.load_transids()
# Checks, if the current page is a transation, i.e. something
# that is secured by a transid (such as a submitted form)
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index c3a06e0..55452c0 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -128,6 +128,8 @@ def check_auth_automation():
if secret and user and "/" not in user:
path = defaults.var_dir + "/web/" + user + "/automation.secret"
if os.path.isfile(path) and file(path).read().strip() == secret:
+ # Auth with automation secret succeeded - mark transid as unneeded in this case
+ html.set_ignore_transids()
return user
raise MKAuthException(_("Invalid automation secret for user %s") % user)