Module: check_mk
Branch: master
Commit: 93d496716e524631975651cbebc5c58314df9d21
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=93d496716e5246…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Fri May 8 10:54:37 2015 +0200
Removed obsolete code comments
---
web/plugins/views/availability.py | 5 -----
1 file changed, 5 deletions(-)
diff --git a/web/plugins/views/availability.py b/web/plugins/views/availability.py
index 011f0be..e21f776 100644
--- a/web/plugins/views/availability.py
+++ b/web/plugins/views/availability.py
@@ -27,11 +27,6 @@
import availability, table
from valuespec import *
-# TODO: CSV-Export geht nicht mehr
-# --> A: hosts/services
-# --> B: bi
-# Export as PDF von timelineansicht
-
# Variable name conventions
# av_rawdata: a two tier dict: (site, host) -> service -> list(spans)
# In case of BI (site, host) is (None, aggr_group), service is aggr_name
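Review bot: The removed TODO block above the "Variable name conventions" comment recorded two open items (CSV export no longer working for hosts/services and for BI, and PDF export from the timeline view), while the commit message only calls the comments obsolete. If those exports were fixed, name the fixing commit or werk in the message; if not, move the items to the issue tracker before deleting them so the gap is not lost.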
Module: check_mk
Branch: master
Commit: 3a25e7a069256c4b2f8aad31b1a1d511117aa910
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3a25e7a069256c…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri May 8 10:44:06 2015 +0200
#2265 FIX db2_version: improved check output when version information is missing
The version information of a db2 instance is taken from one of its snapshots.
If the instance had no snapshots, the check raised an exception.
---
.werks/2265 | 11 +++++++++++
ChangeLog | 1 +
checks/db2_version | 11 ++++++++---
3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.werks/2265 b/.werks/2265
new file mode 100644
index 0000000..68a667b
--- /dev/null
+++ b/.werks/2265
@@ -0,0 +1,11 @@
+Title: db2_version: improved check output when version information is missing
+Level: 1
+Component: checks
+Compatible: compat
+Version: 1.2.7i1
+Date: 1431074580
+Class: fix
+
+The version information of a db2 instance is taken from on of its snapshots.
+If the instance had no snapshots, the check raised an exception.
+
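Review bot: The first description line reads "taken from on of its snapshots", which should be "one of". The werk also says what the check used to do (raise an exception) but not what it reports now; add a sentence that the service goes to UNKNOWN with "No version information found", since that is the change users will see.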
diff --git a/ChangeLog b/ChangeLog
index 2bc3f5b..cd75f38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -356,6 +356,7 @@
* 2077 FIX: Windows MSI Installer: fixed automatical install of agent plugins...
* 1244 FIX: windows_tasks: Fixed handling of tasks manually stopped by admin...
* 1245 FIX: printer_output: Now correctly detect a bin with unknown as name
+ * 2265 FIX: db2_version: improved check output when version information is missing...
Multisite:
* 1758 Improved exception hander: Shows details without additional debug request, added mailto link for error report...
diff --git a/checks/db2_version b/checks/db2_version
index b610a74..6e7fa33 100644
--- a/checks/db2_version
+++ b/checks/db2_version
@@ -33,9 +33,14 @@ def inventory_db2_version(info):
def check_db2_version(item, no_params, info):
for line in info:
- instance, version = line[0].split(" ", 1)
- if item == instance:
- return 0, version
+ tokens = line[0].split(" ", 1)
+ if len(tokens) < 2:
+ if item == tokens[0]:
+ return 3, "No version information found"
+ else:
+ instance, version = tokens
+ if item == instance:
+ return 0, version
check_info['db2_version'] = {
"service_description" : "DB2 Version %s",
Module: check_mk
Branch: master
Commit: eb391868f483f1b85777026cdf5ca1acede47e73
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=eb391868f483f1…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri May 8 10:14:25 2015 +0200
Updated werk
---
.werks/2252 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.werks/2252 b/.werks/2252
index be40dc8..6f451e8 100644
--- a/.werks/2252
+++ b/.werks/2252
@@ -22,6 +22,8 @@ If you have the situation where the agent is executed in <i>another</i> user con
than the configuration file <tt>logwatch.cfg</tt> can be written, you should update
to the fixed <tt>mk_logwatch</tt> plugin.
+Thanks to Adam Lis for finding and reporting this issue!
+
Short Q/As:
<b>What does the attacker need?</b>
Module: check_mk
Branch: master
Commit: 6336893400206a6a36e15ced52aff8043cf6488c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6336893400206a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri May 8 10:12:25 2015 +0200
#2252 SEC mk_logwatch: Fixed mostly uncritical command injection from config

This change fixes a security related issue in the <tt>mk_logwatch</tt> Linux agent
plugin. It was possible to inject commands to the agent plugin when having write access
to the logwatch.cfg configuration file. This might result in privilege
escalation issues in very rare conditions.

From our point of view this is a low impact issue for nearly all installations
out there. Most installations run the agent as root but also have the
<tt>logwatch.cfg</tt> only being writable by root. So if a user has write
access to this file the user doesn't need to do privilege escalation anymore
since he is already root.

If you have the situation where the agent is executed in <i>another</i> user context
than the configuration file <tt>logwatch.cfg</tt> can be written, you should update
to the fixed <tt>mk_logwatch</tt> plugin.

Short Q/As:

<b>What does the attacker need?</b>

He needs to have write access to the <tt>/etc/check_mk/logwatch.cfg</tt>, which is
normally only writable by root.

<b>What does the attacker get?</b>

He can execute commands in context of the Check_MK-Agent (often root).

<b>Do I need to update asap?</b>

Only if non-root users can edit the <tt>logwatch.cfg</tt>.

<b>I want to update, where can I get the fixed version?</b>

If we did not release an updated version yet, you can get it from the git:

http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/plu…
---
.werks/2252 | 44 ++++++++++++++++++++++++++++++++++++++++++++
ChangeLog | 1 +
agents/plugins/mk_logwatch | 11 +++++------
3 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/.werks/2252 b/.werks/2252
new file mode 100644
index 0000000..be40dc8
--- /dev/null
+++ b/.werks/2252
@@ -0,0 +1,44 @@
+Title: mk_logwatch: Fixed mostly uncritical command injection from config
+Level: 1
+Component: checks
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i1
+Date: 1431071697
+
+This change fixes a security related issue n the <tt>mk_logwatch</tt> linux agent
+plugin. It was possible to inject commands to the agent plugin when having write access
+to the logwatch.cfg configuration file. This might result in privilege
+escalation issues in very rare conditions.
+
+From our point of view this is a low impact issue for nearly all installations
+out there. Most installations run the agent as root but also have the
+<tt>logwatch.cfg</tt> only being writable by root. So if a user has write
+access to this file the user don't need to do privilege escalation anymore
+since he is already root.
+
+If you have the situation where the agent is executed in <i>another</i> user context
+than the configuration file <tt>logwatch.cfg</tt> can be written, you should update
+to the fixed <tt>mk_logwatch</tt> plugin.
+
+Short Q/As:
+
+<b>What does the attacker need?</b>
+
+He needs to have write access to the <tt>/etc/check_mk/logwatch.cfg</tt>, which is
+normally only writable by root.
+
+<b>What does the attacker get?</b>
+
+He can execute commands in context of the Check_MK-Agent (often root).
+
+<b>Do I need to update asap?</b>
+
+Only if non-root users can edit the <tt>logwatch.cfg</tt>.
+
+<b>I want to update, where can I get the fixed version?</b>
+
+If we did not release an updated version yet, you can get it from the git:
+
+http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/plugins/mk_logwatch;hb=refs/heads/1.2.6
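Review bot: The description names the precondition (a user other than the one running the agent can write <tt>logwatch.cfg</tt>) but gives no interim step for sites that cannot update right away; a sentence telling admins to check that <tt>/etc/check_mk/logwatch.cfg</tt> is owned by and writable only by the user the agent runs as would close that gap. Smaller points: "issue n the" should be "issue in the", "the user don't" should be "the user doesn't", the header still carries "State: unknown", and "Component: checks" does not match a change under agents/plugins.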
diff --git a/ChangeLog b/ChangeLog
index b4bfa8c..2bc3f5b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -173,6 +173,7 @@
* 2245 AIX-Agent: Added support for the uptime check
* 2076 fortigate_cpu_base, fortigate_sessions_base: supports wider range of models...
* 2227 isc_dhcpd: New agent plugin and check for checking IP address pools of ISC DHCP-Daemon
+ * 2252 SEC: mk_logwatch: Fixed mostly uncritical command injection from config...
* 1457 FIX: logins: new check renamed from "users" check...
NOTE: Please refer to the migration notes!
* 1762 FIX: lnx_thermal: Now ignoring trip points with level 0...
diff --git a/agents/plugins/mk_logwatch b/agents/plugins/mk_logwatch
index 921da63..afb334b 100755
--- a/agents/plugins/mk_logwatch
+++ b/agents/plugins/mk_logwatch
@@ -26,8 +26,7 @@
# Call with -d for debug mode: colored output, no saving of status
-import sys, os, re, time
-import glob
+import sys, os, re, time, glob
if '-d' in sys.argv[1:] or '--debug' in sys.argv[1:]:
tty_red = '\033[1;31m'
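Review bot: Folding `import glob` into the `import sys, os, re, time` line is a cosmetic change unrelated to the security fix and makes the patch harder to backport cleanly; leave the two import lines as they were or do the cleanup in a separate commit. What the fix does depend on is that the module name `glob` is no longer shadowed by the loop variable, which the second hunk takes care of.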
@@ -376,14 +375,14 @@ for filenames, patterns in config:
sys.exit(1)
- for glob in filenames:
- if '=' in glob:
+ for glob_pattern in filenames:
+ if '=' in glob_pattern:
continue
- logfiles = [ l.strip() for l in os.popen("ls %s 2>/dev/null" % glob).readlines() ]
+ logfiles = glob.glob(glob_pattern)
if opt_regex:
logfiles = [ f for f in logfiles if opt_regex.search(f) ]
if len(logfiles) == 0:
- print '[[[%s:missing]]]' % glob
+ print '[[[%s:missing]]]' % glob_pattern
else:
for logfile in logfiles:
process_logfile(logfile, patterns)
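Review bot: `glob.glob(glob_pattern)` on the `logfiles =` line is not a drop-in replacement for the removed `ls %s 2>/dev/null` call, and the werk does not mention the behaviour changes. `ls` returned names sorted and listed the contents of a matching directory, while `glob.glob()` returns matches in arbitrary order and returns the directory path itself, which is then passed to `process_logfile()`; shell-only syntax in existing configs (brace expansion, `~`, `$VAR`) now matches nothing and is reported as `[[[...:missing]]]`. Suggest `sorted(glob.glob(glob_pattern))`, a filter with `os.path.isfile()`, and a line in the werk about patterns that relied on shell expansion. The rename to `glob_pattern` is needed, since the old loop variable would have shadowed the module.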