Module: check_mk
Branch: master
Commit: cab5a661eec2f4b97da18e382704330debecb854
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cab5a661eec2f4…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Fri Jun 16 15:20:03 2017 +0200
4868 FIX oracle_tablespace: Restrict data for check from primary
There is a chance for wrong check results in Data-Guard Environments
with READ ONLY Standby-Databases, when a delay for redo apply has
been configured.
Change-Id: Ifdf81e10cc03d8be39e4845ce2cdee208b62e971
---
.werks/4868 | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.werks/4868 b/.werks/4868
new file mode 100644
index 0000000..6c32cd6
--- /dev/null
+++ b/.werks/4868
@@ -0,0 +1,13 @@
+Title: oracle_tablespace: Restrict data for check from primary
+Level: 1
+Component: checks
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1497619176
+
+Thwew is a chance for wrong check results in Data-Guard Environments
+with READ ONLY Standby-Databases, when a delay for redo apply has
+been configured.
Module: check_mk
Branch: master
Commit: 03fe5ba2c19f5e1c52d66a061d6b556efb322c96
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=03fe5ba2c19f5e…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Fri Jun 16 15:15:34 2017 +0200
4785 FIX oracle_locks: New SQL for check
The behavior of this check has been changed. There is no output
for object_owner and object_name anymore. This has been removed
for performance reasons. The check is moved from ASYNC to SYNC, because
the SQL for getting the data is now very simple. The problem with many false
alarms has been solved as well.
The old SQL still exists for users who want the object_owner
and object_name in the check result. Please be aware that the old problems
are still there. Please make sure that the old check is configured
as ASYNC-Check. Otherwise you risk serious performance problems in mk_oracle!
Please define the following lines in mk_oracle.cfg to get the old
behavior:
SYNC_SECTIONS="instance sessions logswitches undostat recovery_area processes recovery_status longactivesessions dataguard_stats performance"
ASYNC_SECTIONS="tablespaces rman jobs ts_quotas resumable locks_old"
Change-Id: Ia3a4df0459f895e521f96668f69e79f97f4ff5fb
---
.werks/4785 | 25 +++++++++++++++++++++++++
agents/plugins/mk_oracle | 40 ++++++++++++++++++++++++++++++++++++++--
checks/oracle_locks | 22 +++++++++++++++++++---
3 files changed, 82 insertions(+), 5 deletions(-)
diff --git a/.werks/4785 b/.werks/4785
new file mode 100644
index 0000000..b804fdf
--- /dev/null
+++ b/.werks/4785
@@ -0,0 +1,25 @@
+Title: oracle_locks: New SQL for check
+Level: 1
+Component: checks
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1497618876
+
+The behavior of this check has been changed. There is no output
+for object_owner and object_name anymore. This has been removed
+for performance reasons. The check is moved from ASYNC to SYNC, due
+to very easy SQL for getting the data. The problem with lot of wrong
+alarms has been solved as well.
+
+The old SQL is still existing for users who wants the object_owner
+and object_name in check result. Please be aware that the old problems
+are still there. Please make sure that the old check is configured
+as ASYNC-Check. Otherwise you risk high performance issues in mk_oracle!
+
+Please define the following lines in mk_oracle.cfg to get the old
+behavior:
+SYNC_SECTIONS="instance sessions logswitches undostat recovery_area processes recovery_status longactivesessions dataguard_stats performance"
+ASYNC_SECTIONS="tablespaces rman jobs ts_quotas resumable locks_old"
diff --git a/agents/plugins/mk_oracle b/agents/plugins/mk_oracle
index edcd2c0..b199eea 100755
--- a/agents/plugins/mk_oracle
+++ b/agents/plugins/mk_oracle
@@ -72,12 +72,12 @@ fi
# '----------------------------------------------------------------------'
# Sections that run fast and do no caching
-SYNC_SECTIONS="instance sessions logswitches undostat recovery_area processes recovery_status longactivesessions dataguard_stats performance"
+SYNC_SECTIONS="instance sessions logswitches undostat recovery_area processes recovery_status longactivesessions dataguard_stats performance locks"
# Sections that are run in the background and at a larger interval.
# Note: sections not listed in SYNC_SECTIONS or ASYNC_SECTIONS will not be
# executed at all!
-ASYNC_SECTIONS="tablespaces rman jobs ts_quotas resumable locks"
+ASYNC_SECTIONS="tablespaces rman jobs ts_quotas resumable"
# Sections that are run in the background and at a larger interval.
# Note: _ASM_ sections are only executed when SID starts with '+'
@@ -577,6 +577,42 @@ sql_logswitches()
sql_locks()
{
+ if [ "$AT_LEAST_ORACLE_102" = 'yes' ] ; then
+ echo 'prompt <<<oracle_locks:sep(124)>>>'
+ echo "select upper(i.instance_name)
+ || '|' || b.sid
+ || '|' || b.serial#
+ || '|' || b.machine
+ || '|' || b.program
+ || '|' || b.process
+ || '|' || b.osuser
+ || '|' || b.username
+ || '|' || b.SECONDS_IN_WAIT
+ || '|' || b.BLOCKING_SESSION_STATUS
+ || '|' || bs.inst_id
+ || '|' || bs.sid
+ || '|' || bs.serial#
+ || '|' || bs.machine
+ || '|' || bs.program
+ || '|' || bs.process
+ || '|' || bs.osuser
+ || '|' || bs.username
+ from v\$session b
+ join v\$instance i on 1=1
+ join gv\$session bs on bs.inst_id = b.BLOCKING_INSTANCE
+ and bs.sid = b.BLOCKING_SESSION
+ where b.BLOCKING_SESSION is not null
+;
+ select upper(i.instance_name)
+ || '|||||||||||||||||'
+ from v\$instance i
+;
+ "
+ fi
+}
+
+sql_locks_old()
+{
if [ "$AT_LEAST_ORACLE_101" = 'yes' ] ; then
echo 'prompt <<<oracle_locks:sep(124)>>>'
echo "SET SERVEROUTPUT ON feedback off
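Review bot: The new query in sql_locks joins client-supplied session attributes (`b.machine`, `b.program`, `b.osuser` and their `bs.` counterparts) with `|` as the separator, while the check side accepts only rows of exactly 10 or 18 fields. A value that itself contains `|` would shift the columns or push the row into the unknown-length branch, so lock reporting for that instance could be disturbed by whatever a database client reports as its program or machine name. Consider neutralising the separator in the free-text columns, e.g. `|| '|' || replace(b.program, '|', '_')`, and likewise for machine and osuser on both sessions. The body of sql_locks_old continues outside the hunk.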
diff --git a/checks/oracle_locks b/checks/oracle_locks
index 5c67f74..549f2dc 100644
--- a/checks/oracle_locks
+++ b/checks/oracle_locks
@@ -26,8 +26,8 @@
# <<<oracle_locks>>>
# TUX12C|273|2985|ora12c.local|sqlplus(a)ora12c.local (TNS V1-V3)|46148|oracle|633|NULL|NULL
+# newdb|25|15231|ol6131|sqlplus@ol6131 (TNS V1-V3)|13275|oracle|SYS|3782|VALID|1|407|1463|ol6131|sqlplus@ol6131 (TNS V1-V3)|13018|oracle|SYS
-# oracle_sid, sid#, serial#, machine, program, process, osuser, ctime object_owner object_name
factory_settings["oracle_locks_defaults"] = {
"levels" : (1800, 3600),
@@ -51,8 +51,24 @@ def check_oracle_locks(item, params, info):
elif isinstance(err, tuple):
return err
- sid, sidnr, serial, machine, program, process, osuser, ctime, \
- object_owner, object_name = line
+ if len(line) == 10:
+
+ # old format from locks_old in current plugin
+ sid, sidnr, serial, machine, program, process, osuser, ctime, \
+ object_owner, object_name = line
+
+ elif len(line) == 18:
+
+ sid, sidnr, serial, machine, program, process, osuser, dbusername, ctime, \
+ block_status, blk_inst_id, blk_sid, blk_serial, blk_machine, blk_program, \
+ blk_process, blk_osuser, blk_dbusername = line
+
+ object_owner = ''
+ object_name = ''
+
+ else:
+
+ raise MKCounterWrapped("Unknow number of items in agent output")
ctime = int(ctime)
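Review bot: The `else` branch reports an unexpected field count through `MKCounterWrapped`, which by its name is meant for counter wraps, so malformed agent output would presumably not show up as a visible state; the message also reads "Unknow". The function already returns state tuples (`return err` above), so something like `return 3, "Unknown number of items in agent output (%d)" % len(line)` would surface the problem to the operator. The 18-field layout also has no legend now that the first hunk of this file removed the old field comment; a comment above the unpacking such as `# new format: sid, sidnr, serial, machine, program, process, osuser, dbusername, ctime, block_status, then the blocking session's inst_id, sid, serial, machine, program, process, osuser, dbusername` would document it. check_oracle_locks starts before and continues after the hunk.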
Module: check_mk
Branch: master
Commit: 3586a4d65fb0e0e8b221815b46ba6e7dc147a7a1
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3586a4d65fb0e0…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Fri Jun 16 15:09:28 2017 +0200
4784 FIX oracle_rman: wrong detection of level 1 backup
The behavior of some v$-Views in 12.1 has been changed.
This could lead to problems when a new Level 0 backup
was done after a Level 1. The calculation for the last Level
1 was wrong and has been fixed.
Change-Id: Ie15956de7ee19ae59d2e8cf97cbf195331de4a51
---
.werks/4784 | 14 ++++++++++++++
checks/oracle_rman | 18 +++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/.werks/4784 b/.werks/4784
new file mode 100644
index 0000000..dc6e401
--- /dev/null
+++ b/.werks/4784
@@ -0,0 +1,14 @@
+Title: oracle_rman: wrong detection of level 1 backup
+Level: 1
+Component: checks
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1497618545
+
+The behavior of some v$-Views in 12.1 has been changed.
+This could lead to problems when a new Level 0 backup
+was done after a Level 1. The calculation for the last Level
+1 was wrong and has been fixed.
diff --git a/checks/oracle_rman b/checks/oracle_rman
index 6a44d23..eb5192b 100644
--- a/checks/oracle_rman
+++ b/checks/oracle_rman
@@ -118,12 +118,24 @@ def check_oracle_rman(item, params, info):
else:
if item == "%s.%s_%s" % (sid, backuptype, backuplevel):
# we got a line from agent
- # => use the data from agent
- used_incr_0 = False
+ # is last level 0 younger then current?
+
+ # 12.1 has a change behavior in v$-views for RMAN...
+ if int(backupage_level0) <= int(backupage):
+
+ # use the level instead of current
+ used_incr_0 = True
+ backupage = backupage_level0
+
+ else:
+
+ # => use the data from agent
+ used_incr_0 = False
else:
# use the DB_INCR_0 from agent
used_incr_0 = True
- sid, end, backupage = sid_level0, end_level0, backupage_level0
+ if sid_level0 and end_level0 and backupage_level0:
+ sid, end, backupage = sid_level0, end_level0, backupage_level0
perfdata = []
state = 2
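Review bot: The new comparison `int(backupage_level0) <= int(backupage)` runs without the emptiness guard that this same hunk adds further down (`if sid_level0 and end_level0 and backupage_level0:`), so a missing level-0 record would presumably raise here instead of falling back to the agent line. Guarding it as `if backupage_level0 and int(backupage_level0) <= int(backupage):` keeps the two branches consistent. In the lower branch `used_incr_0 = True` is still set when the level-0 values are empty, which looks unintended and deserves either an explicit fallback or a comment explaining it. check_oracle_rman starts and ends outside the hunk.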
Module: check_mk
Branch: master
Commit: 5591fa45b855012937dec22a4232bc0dd3da28ff
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5591fa45b85501…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri Jun 16 12:54:03 2017 +0200
4831 FIX HW/SW inventory: fixed missing inventory data from slave sites for new hosts
The liveproxyd had problems transferring inventory data for new hosts to the master site, due to an incorrect cached timestamp.
The data was only updated when either the liveproxyd restarted or the hw/sw inventory data of this host changed.
Change-Id: Idaeaaf43a3ae876aca09bf2b50cd0cd287f03f90
---
.werks/4831 | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.werks/4831 b/.werks/4831
new file mode 100644
index 0000000..e40ebd5
--- /dev/null
+++ b/.werks/4831
@@ -0,0 +1,13 @@
+Title: HW/SW inventory: fixed missing inventory data from slave sites for new hosts
+Level: 1
+Component: inv
+Compatible: compat
+Edition: cee
+Version: 1.5.0i1
+Date: 1497606655
+Class: fix
+
+The liveproxyd had problems to transfer inventory data for new hosts to the master site, due to an incorrect cached timestamp.
+
+The data was only updated when either the liveproxd restarted or the hw/sw inventory data of this host changed.
+
Module: check_mk
Branch: master
Commit: 14a5b79c6f549502244a60146ed6831dc3473f2a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f5495…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 14 19:57:33 2017 +0200
4757 SEC Fixed possible reflected XSS in webapi.py
In the Check_MK 1.4 branch URLs like this could be used for a
reflected XSS attack:
<tt>http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a
plain text error message. This has been fixed now.
Change-Id: Id4f61d6739d1846666031faad00505b22ba45d1f
---
.werks/4757 | 17 +++++++++++++++++
web/htdocs/index.py | 6 ++++--
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.werks/4757 b/.werks/4757
new file mode 100644
index 0000000..a9e561b
--- /dev/null
+++ b/.werks/4757
@@ -0,0 +1,17 @@
+Title: Fixed possible reflected XSS in webapi.py
+Level: 2
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1497462847
+
+In the Check_MK 1.4 branch URLs like this could be used for a
+reflected XSS attack:
+
+<tt>http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
+
+The error message was interpreted as HTML while it should be a
+plain text error message. This has been fixed now.
diff --git a/web/htdocs/index.py b/web/htdocs/index.py
index 2c84a6a..a0f29dd 100644
--- a/web/htdocs/index.py
+++ b/web/htdocs/index.py
@@ -71,7 +71,7 @@ def handler(mod_python_req, fields = None, is_profiling = False):
try:
handler()
except Exception, e:
- html.write("%s" % e)
+ html.write_text("%s" % e)
if config.debug:
html.write_text(traceback.format_exc())
raise FinalizeRequest()
@@ -117,6 +117,7 @@ def handler(mod_python_req, fields = None, is_profiling = False):
plain_title = e.plain_title()
if plain_error():
+ html.set_output_format("text")
html.write("%s: %s\n" % (plain_title, e))
elif not fail_silently():
html.header(title)
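Review bot: In the `plain_error()` branch the exception text is still emitted with the unescaped `html.write`, so the protection rests entirely on `html.set_output_format("text")` producing a non-HTML Content-Type; the hunk at `@@ -142,7 +143,8` goes further and replaces the escaping `html.write_text` with `html.write`. If the response headers have already been sent at that point, or a client sniffs the body as HTML, the reflected value would be interpreted as markup again. It is worth confirming that `set_output_format` still takes effect at both places and stating the dependency in a comment such as `# output format must be "text" before exception text is written unescaped`; sending `X-Content-Type-Options: nosniff` with the plain-text response would add defence in depth. handler() starts and ends outside these hunks.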
@@ -142,7 +143,8 @@ def handler(mod_python_req, fields = None, is_profiling = False):
html.unplug_all()
log_exception()
if plain_error():
- html.write_text(_("Internal error") + ": %s\n" % e)
+ html.set_output_format("text")
+ html.write(_("Internal error") + ": %s\n" % e)
elif not fail_silently():
modules.get_handler("gui_crash")()
response_code = apache.OK
Module: check_mk
Branch: master
Commit: 36cef0036e7d65d89ad17c098ceb25826de2a4d6
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=36cef0036e7d65…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 14 17:07:37 2017 +0200
Moved trusted CA management code to cmk git
Change-Id: I248e144454ae1f52234410b098e8df6208bd9814
---
web/htdocs/watolib.py | 62 ++++++++++++++++++++++++++++++
web/plugins/wato/check_mk_configuration.py | 36 +++++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index 599e1e2..c5e9cd3 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -395,6 +395,68 @@ class ConfigDomainEventConsole(ConfigDomain):
call_hook_mkeventd_activate_changes()
+
+class ConfigDomainCACertificates(ConfigDomain):
+ needs_sync = True
+ needs_activation = True
+ ident = "ca-certificates"
+
+ trusted_cas_file = "%s/var/ssl/ca-certificates.crt" % cmk.paths.omd_root
+
+ # This is a list of directories that may contain .pem files of trusted CAs.
+ # The contents of all .pem files will be contantenated together and written
+ # to "trusted_cas_file". This is done by the function update_trusted_cas().
+ # On a system only a single directory, the first existing one is processed.
+ system_wide_trusted_ca_search_paths = [
+ "/etc/ssl/certs", # Ubuntu/Debian/SLES
+ "/etc/pki/tls/certs", # CentOS/RedHat
+ ]
+
+ def config_dir(self):
+ return multisite_dir
+
+
+ def config_file(self, site_specific=False):
+ return os.path.join(self.config_dir(), "ca-certificates.mk")
+
+
+ def activate(self):
+ try:
+ self._update_trusted_cas()
+ except Exception, e:
+ log_exception()
+ return ["Failed to create trusted CA file '%s': %s" %
+ (self.trusted_cas_file, traceback.format_exc())]
+
+
+ def _update_trusted_cas(self):
+ trusted_cas = []
+
+ if config.trusted_certificate_authorities["use_system_wide_cas"]:
+ trusted_cas += self._get_system_wide_trusted_ca_certificates()
+
+ trusted_cas += config.trusted_certificate_authorities["trusted_cas"]
+
+ store.save_file(self.trusted_cas_file, "\n".join(trusted_cas))
+
+
+ def _get_system_wide_trusted_ca_certificates(self):
+ trusted_cas = []
+ for cert_path in self.system_wide_trusted_ca_search_paths:
+ if not os.path.isdir(cert_path):
+ continue
+
+ for entry in os.listdir(cert_path):
+ ext = os.path.splitext(entry)[-1]
+ if ext != ".pem":
+ continue
+
+ trusted_cas.append(file(os.path.join(cert_path, entry)).read())
+
+ break
+
+ return trusted_cas
+
#.
# .--Hosts & Folders-----------------------------------------------------.
# | _ _ _ ___ _____ _ _ |
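Review bot: `_get_system_wide_trusted_ca_certificates` reads every `.pem` entry with `file(...).read()` and no error handling, so one dangling symlink or unreadable file in the system directory raises out of `_update_trusted_cas` and the trust bundle is not rewritten at all; the file handles are also never closed explicitly. Reading each file in a `with` block and skipping (and logging) entries that cannot be read would keep the bundle current for the remaining CAs. Separately, `activate` returns `traceback.format_exc()` in its result; if that list is shown in the GUI, the exception message alone would expose less internal detail. The sketch below covers only the read loop.

```python
def _get_system_wide_trusted_ca_certificates(self):
    # … unchanged: search path loop, isdir check and ".pem" filter …
            cert_file_path = os.path.join(cert_path, entry)
            try:
                with open(cert_file_path) as cert_file:
                    trusted_cas.append(cert_file.read())
            except IOError:
                # A dangling link or unreadable file must not block the
                # whole bundle update; record it and keep going.
                log_exception()
                continue
    # … unchanged: break after the first existing directory, return …
```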
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index 9637b20..1cb61fb 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -903,6 +903,42 @@ register_configvar(group,
)
+register_configvar(_("Site Management"),
+ "trusted_certificate_authorities",
+ Dictionary(
+ title = _("Trusted certificate authorities for SSL"),
+ help = _("Whenever a server component of Check_MK opens a SSL connection it uses the "
+ "certificate authorities configured here for verifying the SSL certificate of "
+ "the destination server. This is used for example when performing WATO "
+ "replication to slave sites or when special agents are communicating via HTTPS. "
+ "The CA certificates configured here will be written to the CA bundle %s.") %
+ site_neutral_path(ConfigDomainCACertificates.trusted_cas_file),
+ elements = [
+ ("use_system_wide_cas", Checkbox(
+ title = _("Use system wide CAs"),
+ help = _("All supported linux distributions provide a mechanism of managing "
+ "trusted CAs. Depending on your linux distributions the paths where "
+ "these CAs are stored and the commands to manage the CAs differ. "
+ "Please checko out the documentation of your linux distribution "
+ "in case you want to customize trusted CAs system wide. You can "
+ "choose here to trust the system wide CAs here. Check_MK will search "
+ "these directories for system wide CAs: %s") %
+ ", ".join(ConfigDomainCACertificates.system_wide_trusted_ca_search_paths),
+ label = _("Trust system wide configured CAs"),
+ default_value = True,
+ )),
+ ("trusted_cas", ListOfCAs(
+ title = _("Check_MK specific"),
+ allow_empty = True,
+ default_value = [],
+ )),
+ ],
+ optional_keys = False,
+ ),
+ domain = ConfigDomainCACertificates,
+ need_restart = True,
+)
+
#.
# .--WATO----------------------------------------------------------------.
# | __ ___ _____ ___ |
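Review bot: The help text of `use_system_wide_cas` has a typo and a doubled word that will reach users and translators as written: "Please checko out the documentation" and "You can choose here to trust the system wide CAs here". Suggested wording: `"Please check out the documentation of your linux distribution "` and `"choose here to trust the system wide CAs. Check_MK will search "`. Fixing this before the strings are picked up for translation avoids a second round of changes to the message catalogue.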
Module: check_mk
Branch: master
Commit: 244aa980e35b899626f7833476abd175c8aa9afe
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=244aa980e35b89…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 14 15:15:59 2017 +0200
Moved CA valuespec to common Check_MK code
Change-Id: I4191d8cdd2e24299ac6ce0430ff6946494858323
---
web/htdocs/valuespec.py | 80 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index b7886e8..344e365 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -4347,3 +4347,83 @@ class SchedulePeriod(CascadingDropdown):
Integer(minvalue=1, maxvalue=28)),
] + from_end_choice
)
+
+
+
+class CAorCAChain(UploadOrPasteTextFile):
+ def __init__(self, **args):
+ args.setdefault("title", _("Certificate Chain (Root / Intermediate Certificate)"))
+ args.setdefault("file_title", _("CRT/PEM File"))
+ UploadOrPasteTextFile.__init__(self, **args)
+
+
+ def from_html_vars(self, varprefix):
+ value = Alternative.from_html_vars(self, varprefix)
+ if type(value) == tuple:
+ value = value[2] # FileUpload sends (filename, mime-type, content)
+ return value
+
+
+ def validate_value(self, value, varprefix):
+ try:
+ self.analyse_cert(value)
+ except Exception, e:
+ # FIXME TODO: Cleanup this general exception catcher
+ raise MKUserError(varprefix, _("Invalid certificate file"))
+
+
+ def analyse_cert(self, value):
+ from OpenSSL import crypto
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, value)
+ titles = {
+ "C" : _("Country"),
+ "ST" : _("State or Province Name"),
+ "L" : _("Locality Name"),
+ "O" : _("Organization Name"),
+ "CN" : _("Common Name"),
+ }
+ cert_info = {}
+ for what, x509, title in [
+ ( "issuer", cert.get_issuer(), _("Issuer") ),
+ ( "subject", cert.get_subject(), _("Subject") ),
+ ]:
+ cert_info[what] = {}
+ for key, val in x509.get_components():
+ if key in titles:
+ cert_info[what][titles[key]] = val.decode("utf8")
+ return cert_info
+
+
+ def value_to_text(self, value):
+ cert_info = self.analyse_cert(value)
+ text = "<table>"
+ for what, title in [
+ ( "issuer", _("Issuer") ),
+ ( "subject", _("Subject") ),
+ ]:
+ text += "<tr><td>%s:</td><td>" % title
+ for title, value in sorted(cert_info[what].items()):
+ text += "%s: %s<br>" % (title, value)
+ text += "</tr>"
+ text += "</table>"
+ return text
+
+
+
+# Move this to wato.py or valuespec.py as soon as we need this at least
+# once again somewhere
+def ListOfCAs(**args):
+ args.setdefault("title", _("CAs to accept"))
+ args.setdefault("help", _("Only accepting HTTPS connections with a server which certificate "
+ "is signed with one of the CAs that are listed here. That way it is guaranteed "
+ "that it is communicating only with the authentic update server. "
+ "If you use self signed certificates for you server then enter that certificate "
+ "here."))
+ args.setdefault("add_label", _("Add new CA certificate or chain"))
+ args.setdefault("empty_text", _("You need to enter at least one CA. Otherwise no SSL connection can be made."))
+ args.setdefault("allow_empty", False)
+ return ListOf(
+ CAorCAChain(),
+ movable = False,
+ **args
+ )