Module: check_mk
Branch: master
Commit: bd07f94ea7c38ebe3193fe20937653a9fd5b181f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bd07f94ea7c38e…
Author: Tom Baerwinkel <tb(a)mathias-kettner.de>
Date: Fri Sep 28 13:58:56 2018 +0200
6410 FIX Determine the parent process more reliably
Previously, the parent process was determined by parsing
/proc/{PID}/stat and columns were assumed to be separated by space.
This was unreliable because the filename in the second
column may contain a space as well. If omd was issued e.g. from tmux
the process name "tmux: server" was used. This resulted in a traceback
during e.g. omd rm. Now the psutil module is used to determine the
parent process.
Change-Id: If0a52723a2d95f961973912a4ee3418de90fbef2
---
.werks/6410 | 16 ++++++++++++++++
omd/packages/omd/omd | 9 +++++----
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/.werks/6410 b/.werks/6410
new file mode 100644
index 0000000..367276c
--- /dev/null
+++ b/.werks/6410
@@ -0,0 +1,16 @@
+Title: Determine the parent process more reliably
+Level: 1
+Component: omd
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1538138123
+Class: fix
+
+Previously, the parent process was determined by parsing
+/proc/{PID}/stat and columns where assumed to be separated by space.
+This was unreliable because the filename in the second
+column may contain a space as well. If omd was issued e.g. from tmux
+the process name "tmux: server" was used. This resulted in a traceback
+during e.g. omd rm. Now the psutil module is used to determine the
+parent process.
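Review bot: in the werk text, "columns where assumed to be separated by space" should read "were assumed", and "the filename in the second column" is imprecise: the second field of /proc/PID/stat is the command name in parentheses, and a name containing a space ("tmux: server") pushes the ppid out of index 3, so `int()` is applied to the state letter and raises. Saying that makes the traceback reproducible for readers; the werk should also mention that psutil is now required by the omd command.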
diff --git a/omd/packages/omd/omd b/omd/packages/omd/omd
index 280a4f6..56c68b2 100644
--- a/omd/packages/omd/omd
+++ b/omd/packages/omd/omd
@@ -66,6 +66,7 @@ import errno
import fcntl
import shlex
import pprint
+import psutil
import random
import shutil
import socket
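Review bot: `import psutil` makes the omd command depend on a third-party module at import time, whereas the /proc parsing it replaces needed nothing beyond the standard library; an ImportError here would break every omd subcommand, not only `omd rm`. Confirm psutil ships with the site Python and state the new requirement in the werk.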
@@ -3967,10 +3968,10 @@ def kill_site_user_processes(exclude_current_and_parents=False):
def get_current_and_parent_pids():
"""Return list of PIDs of the current process and parent process tree till pid 0"""
pids = []
- pid = os.getpid()
- while pid != 0:
- pids.append(pid)
- pid = int(file("/proc/%d/stat" % pid).read().split(" ")[3])
+ process = psutil.Process()
+ while process and process.pid != 0:
+ pids.append(process.pid)
+ process = process.parent()
return pids
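Review bot: the loop still has an unhandled failure path: `process.parent()` raises `psutil.NoSuchProcess` when the process it is called on has exited between iterations (a short-lived wrapper shell in the ancestry, for instance), so the traceback this werk fixes is traded for a rarer one. Catching `psutil.NoSuchProcess` and returning the PIDs collected so far is the safe behaviour here, since the caller in `kill_site_user_processes` only uses the list to exclude processes from being killed and a vanished process's former parents are no longer ancestors of the current one. Note also that `parent()` returns None when it detects PID reuse, which the `while process` guard already handles by ending the walk.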
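The /proc/PID/stat column-shift bug described in the commit message, as an added worked example (this is not check_mk code and not a suggestion to avoid psutil): the sample stat lines and the process table are constructed, `naive_ppid` is the pre-fix split-on-space logic, and `parse_stat` shows the robust cut at the last `)`.

```python
"""Parse /proc/<pid>/stat without tripping over spaces in the process name.

Added illustration for the bug described in the commit message above; this is
not Check_MK code. The layout of a stat line is

    <pid> (<comm>) <state> <ppid> ...

and <comm> may contain spaces and even ')' ("tmux: server", "(sd-pam)"), so
splitting the whole line on spaces shifts every later column. The robust cut
is at the LAST ')', which is what parse_stat() does.
"""


def naive_ppid(stat_line):
    """The pre-fix approach: assume single-space separation, take column 4."""
    return int(stat_line.split(" ")[3])


def naive_ppid_fails(stat_line):
    """True if the naive parser raises the ValueError the werk describes."""
    try:
        naive_ppid(stat_line)
    except ValueError:
        return True
    return False


def parse_stat(stat_line):
    """Return (pid, comm, state, ppid) from a /proc/<pid>/stat line.

    comm is bounded by the first '(' and the LAST ')', so it may contain any
    character other than newline without disturbing the remaining columns.
    """
    open_idx = stat_line.index("(")
    close_idx = stat_line.rindex(")")
    pid = int(stat_line[:open_idx])
    comm = stat_line[open_idx + 1:close_idx]
    rest = stat_line[close_idx + 1:].split()
    return pid, comm, rest[0], int(rest[1])


def ancestor_pids(pid, read_stat):
    """Walk pid -> ppid until pid 0, like get_current_and_parent_pids(), with
    the stat reader injected so the walk can run on constructed data (on a
    real system pass lambda p: open("/proc/%d/stat" % p).read())."""
    pids = []
    while pid != 0:
        pids.append(pid)
        pid = parse_stat(read_stat(pid))[3]
    return pids


# Constructed process table (not captured from a real host): a shell started
# under a tmux server, the situation in which `omd rm` produced the traceback.
# Only the leading columns matter here; the trailing ones are filler.
FAKE_PROC = {
    1: "1 (systemd) S 0 1 1 0 -1 4194560 100 0 0 0 1 1 0 0 20 0 1 0 1 0 0",
    4001: "4001 ((sd-pam)) S 4000 4000 4000 0 -1 1077936448 10 0 0 0 0 0 0 0 20 0 1 0 9 0 0",
    4100: "4100 (tmux: server) S 1 4100 4100 0 -1 4194560 300 0 0 0 9 4 0 0 20 0 1 0 8 0 0",
    4242: "4242 (bash) S 4100 4242 4242 34816 4242 4194304 200 0 0 0 5 3 0 0 20 0 1 0 7 0 0",
}


if __name__ == "__main__":
    for pid, line in sorted(FAKE_PROC.items()):
        verdict = "naive breaks" if naive_ppid_fails(line) else "naive ok"
        print(pid, parse_stat(line), verdict)
    print("ancestors of 4242:", ancestor_pids(4242, FAKE_PROC.__getitem__))
```

Running it shows the naive parser handling `bash` and even `(sd-pam)` (no space inside the name), but failing on `tmux: server` because column 4 becomes the state letter `S`; the robust parser walks 4242 -> 4100 -> 1 and stops at ppid 0.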
Module: check_mk
Branch: master
Commit: 7a2d7fe3696d8aae394660cb0d3767f8c8c1556c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7a2d7fe3696d8a…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Fri Sep 28 14:51:35 2018 +0200
6733 FIX veeam_backup_status: Plugin is bakeable
Change-Id: I2ab4de22a0d7d18225124e07b836536da2dbe98a
---
.werks/6733 | 18 ++++++++++++++++++
agents/windows/plugins/veeam_backup_status.bat | 8 --------
...eeam_backup_status.ps1_ => veeam_backup_status.ps1} | 0
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/.werks/6733 b/.werks/6733
new file mode 100644
index 0000000..2ebd3bb
--- /dev/null
+++ b/.werks/6733
@@ -0,0 +1,18 @@
+Title: veeam_backup_status: Plugin is bakeable
+Level: 1
+Component: agents
+Class: fix
+Compatible: compat
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1538042010
+
+If no 64-bit Windows agent is used you have to create a wrapper batch script,
+eg. {{veeam_backup_status.bat}} which calls the {{veeam_backup_status.ps1}}.
+In this case the powershell script needs to be put somewhere else (see example
+here) and is called from this .bat script with the 64 bit powershell:
+<code>
+@ECHO OFF
+%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted " & ""C:\scripts\veeam_backup_status.ps1"""
+</code>
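Review bot: the werk body never says what makes the plugin bakeable: per the diff, veeam_backup_status.ps1_ is renamed to veeam_backup_status.ps1 so the agent runs it directly and the bakery can deploy it, and the .bat wrapper is removed from the plugins directory; the text only covers the 32-bit fallback. Two smaller points in that fallback: "(see example here)" points at nothing in the werk, and the wrapper runs a script from a fixed path outside the agent's plugin directory with `-ExecutionPolicy Unrestricted` under the agent service account, so the text should tell users to keep C:\scripts writable by administrators only.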
diff --git a/agents/windows/plugins/veeam_backup_status.bat b/agents/windows/plugins/veeam_backup_status.bat
deleted file mode 100644
index 1e21286..0000000
--- a/agents/windows/plugins/veeam_backup_status.bat
+++ /dev/null
@@ -1,8 +0,0 @@
-@ECHO OFF
-REM version 0.9
-REM Put this file in cmk Plugins-Folder *only* if you need to run
-REM the veeam_backup_status.ps1 powershell script and you
-REM have no 64 bit check_mk agent available
-REM In this case the powershell script needs to be put somewhere else
-REM (see example here) and is called from this .bat script with the 64 bit powershell
-%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted " & ""C:\skripte\veeam_backup_status.ps1"""
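Review bot: removing the wrapper from the repository does not remove it from hosts where it was installed; since the agent executes both .bat and .ps1 files in the plugins directory, a host that keeps the old veeam_backup_status.bat and receives the new veeam_backup_status.ps1 will run the check twice. The werk should instruct users to delete the old wrapper (and note that the example path changed from C:\skripte to C:\scripts).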
diff --git a/agents/windows/plugins/veeam_backup_status.ps1_ b/agents/windows/plugins/veeam_backup_status.ps1
similarity index 100%
rename from agents/windows/plugins/veeam_backup_status.ps1_
rename to agents/windows/plugins/veeam_backup_status.ps1
Module: check_mk
Branch: master
Commit: 5fa1e4bd28bc12bc64d4ec601e551d0f29319242
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5fa1e4bd28bc12…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 27 16:08:45 2018 +0200
6770 Showing graph metric values at mouse position now
When moving the mouse pointer on Check_MK graphs a hover popup will be shown at
the mouse position that contains the date and time of the current mouse
position together with the values of the single metrics.
Change-Id: Ib0b6089b9e6a64253066d00af2b89deaa5d36cf7
---
.werks/6770 | 12 +++
tests/integration/web/test_webapi.py | 177 +++++++++++++++++++++++++++--------
web/htdocs/js/checkmk.js | 73 ++++++++++-----
web/htdocs/themes/facelift/theme.css | 20 ++++
4 files changed, 220 insertions(+), 62 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=5fa1e4bd28…
Module: check_mk
Branch: master
Commit: 9f6161580aa9b5d68da9cce082078f0683dcb933
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9f6161580aa9b5…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 28 09:49:24 2018 +0200
6774 SEC Add Content-Security-Policy header to prevent some cross site scripting and injection attacks
When requesting pages from the GUI a <tt>Content-Security-Policy</tt> is now set in the HTTP
response. Using this mechanism the application can tell the browser which things are allowed to
be done by the web page in the context of the browser.
We are now, for example, limiting the URLs where AJAX calls can be made to or the URLs which can
be used as form targets. This helps to prevent some XSS and other injection attacks.
The configuration of this policy is made in the apache configuration file
<tt>etc/apache/conf.d/security.conf</tt>. In case you want to have a look at the details or
want to extend the policy somehow you may edit the file in the context of your site configuration.
To apply the changes you need to restart your site apache using <tt>omd restart apache</tt>.
In case of trouble please let us know. We can probably adapt the default configuration to solve
common issues with this policy for all users.
One thing that may affect users that include Check_MK pages on other web pages using frames or
iframes: We set the <tt>frame-ancestors</tt> option to <tt>'self'</tt> which means that only pages
with the same protocol, url and port as the Check_MK page may refer to Check_MK pages. You can
extend this statement with the URLs you want to allow.
CMK-973
Change-Id: I27cab62a9bcee3cce05b6bef15d4ff4be6e752d9
---
.werks/6774 | 28 ++++++++++++++++
.../skel/etc/apache/conf.d/security.conf | 38 ++++++++++++++++++++++
2 files changed, 66 insertions(+)
diff --git a/.werks/6774 b/.werks/6774
new file mode 100644
index 0000000..e79ac4d
--- /dev/null
+++ b/.werks/6774
@@ -0,0 +1,28 @@
+Title: Add Content-Security-Policy header to prevent some cross site scripting and injection attacks
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1538120513
+Class: security
+
+When requesting pages from the GUI a <tt>Content-Security-Policy</tt> is now been set in the HTTP
+response. Using this mechanism the application can tell the browser which things are allowed to
+be done by the web page in the context of the browser.
+
+We are now, for example limiting the URLs where AJAX calls can be made to or the URLs which can
+be used as form targets. This helps to prevent some XSS and other injection attacks.
+
+The configuration of this policy is made in the apache configuration file
+<tt>etc/apache/conf.d/security.conf</tt>. In case you want to have a look at the details or
+want to extend the policy somehow you may edit the file in the context of your site configuration.
+To apply the changes you need to restart your site apache using <tt>omd restart apache</tt>.
+
+In case of trouble please let us know. We can probably adapt the default configuration to solve
+common issues with this policy for all users.
+
+One thing that may affect users that include Check_MK pages on other web pages using frames or
+iframes: We set the <tt>frame-ancestors</tt> option to <tt>'self'</tt> which means that only pages
+with the same protocol, url and port as the Check_MK page may refer to Check_MK pages. You can
+extend this statement with the URLs you want to allow.
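Review bot: two corrections to the werk text. "is now been set" should be "is now set", and "only pages with the same protocol, url and port" describes `'self'` wrongly: it means the same origin, i.e. scheme, host and port, so any path on the same host may frame the GUI. More important for readers judging the security gain: the default policy keeps `'unsafe-inline'` and `'unsafe-eval'`, so an injected inline script still executes; what the policy restricts is where such a script may connect, post forms or set a <base>, who may frame the GUI, and plugin content. The werk should say so rather than describe the header as preventing XSS in general.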
diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
new file mode 100644
index 0000000..7122129
--- /dev/null
+++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
@@ -0,0 +1,38 @@
+# This file contains some common security settings we apply to the site apache
+# and the requests to it. Please let us know in case these settings limit you
+# in valid use cases.
+
+# Mitigate the risk of cross-site scripting and other injection attacks.
+#
+# To make things easier, you can use an online CSP header generator
+# such as: https://www.cspisawesome.com/.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-…
+# https://www.w3.org/TR/CSP3/
+# https://content-security-policy.com/
+# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+#
+<IfModule mod_headers.c>
+ # Default policy for all not configured ones
+ Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
+
+ # Allow AJAX calls to current scheme/url/port and the crash report API
+ Header always append Content-Security-Policy "connect-src 'self' https://mathias-kettner.de/crash_report.php"
+
+ # Only allow to include the pages served by this site in frames of same URLs
+ Header always append Content-Security-Policy "frame-ancestors 'self'"
+
+ # <base>-Tag is limited to current scheme/url/port
+ Header always append Content-Security-Policy "base-uri 'self'"
+
+ # Form submissions are limited to current scheme/url/port
+ Header always append Content-Security-Policy "form-action 'self'"
+
+ # Disallow plugins like flash or java
+ Header always append Content-Security-Policy "object-src 'none'"
+
+ # Only set Content-Security-Policy for web pages and not other resources
+ <FilesMatch "\.(js|css|png|ico|wav|jpg)$">
+ Header always unset Content-Security-Policy
+ </FilesMatch>
+</IfModule>
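Review bot: the five `Header always append Content-Security-Policy` lines do not extend the first policy; mod_headers joins appended values with a comma, and in a Content-Security-Policy value a comma separates independent policies that the browser enforces all at once. The first policy's `default-src 'self' 'unsafe-inline' 'unsafe-eval'` therefore still governs connect-src, so the `https://mathias-kettner.de/crash_report.php` exception in the second policy never takes effect and the crash-report AJAX call is blocked. Deliver one policy instead, with the directives joined by `;`, e.g. `Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://mathias-kettner.de/crash_report.php; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"`. Separately, the header comment "Mitigate the risk of cross-site scripting" overstates what `'unsafe-inline'` and `'unsafe-eval'` leave in place: injected inline script still runs, and the benefit is limited to what connect-src, form-action, base-uri, frame-ancestors and object-src restrict. Finally, `<IfModule mod_headers.c>` silently drops the whole policy when the module is not loaded; failing loudly would be preferable for a security setting.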
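An added example (not Check_MK or browser code) that evaluates the header value security.conf produces the way a CSP-conforming browser does, so the effect of `Header append` versus a single `Header set` can be checked offline. The site origin `https://monitoring.example.com` is an assumption, and the matcher is simplified to the source expressions this policy actually uses:

```python
"""How a browser reads the Content-Security-Policy header that security.conf
emits.

Added illustration, not Check_MK or browser code. It implements only the CSP
rules that matter for the file above: a header value is a comma-separated
LIST of policies, each policy is ';'-separated directives, every policy in the
list is enforced independently, fetch directives fall back to default-src,
and 'self' means same scheme, host and port. The site origin is an assumption.
"""
from urllib.parse import urlsplit

# Directives that inherit from default-src when absent. frame-ancestors,
# form-action and base-uri deliberately do not.
FETCH_DIRECTIVES = {
    "connect-src", "script-src", "style-src", "img-src", "font-src",
    "frame-src", "object-src", "media-src", "child-src", "worker-src",
}

SITE_ORIGIN = ("https", "monitoring.example.com", 443)  # assumed Check_MK site
CRASH_REPORT_URL = "https://mathias-kettner.de/crash_report.php"

# Value produced by one "Header set" followed by five "Header append"s:
# mod_headers joins appended values with ", ".
APPENDED_HEADER = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval', "
    "connect-src 'self' https://mathias-kettner.de/crash_report.php, "
    "frame-ancestors 'self', base-uri 'self', form-action 'self', "
    "object-src 'none'"
)
# The same directives delivered as ONE policy, which is what the comments in
# security.conf describe.
SINGLE_HEADER = APPENDED_HEADER.replace(", ", "; ")


def parse_header(value):
    """Return a list of policies; each is {directive: [source, ...]}.
    Within one policy the first occurrence of a directive wins."""
    policies = []
    for policy_text in value.split(","):
        policy = {}
        for directive in policy_text.split(";"):
            tokens = directive.split()
            if tokens:
                policy.setdefault(tokens[0].lower(), tokens[1:])
        policies.append(policy)
    return policies


def origin_of(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port or default_port)


def source_matches(expr, url):
    """Match one source expression against an absolute URL. Simplified:
    keyword sources other than 'self' never match a URL, and a host-source
    that carries a path requires an exact path match."""
    if expr == "'self'":
        return origin_of(url) == SITE_ORIGIN
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval'
        return False
    if origin_of(expr) != origin_of(url):
        return False
    expr_path = urlsplit(expr).path
    return not expr_path or expr_path == urlsplit(url).path


def policy_allows(policy, directive, url):
    """One policy: find the governing directive (falling back to default-src
    for fetch directives); a policy that is silent on it allows everything."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url) for s in sources)


def header_allows(header_value, directive, url):
    """The browser enforces every policy in the list; all must allow it."""
    return all(policy_allows(p, directive, url)
               for p in parse_header(header_value))


if __name__ == "__main__":
    for label, header in (("appended", APPENDED_HEADER), ("single", SINGLE_HEADER)):
        print(label, "policies:", len(parse_header(header)),
              "crash report allowed:",
              header_allows(header, "connect-src", CRASH_REPORT_URL))
```

Run it and the appended form reports six policies and a blocked crash-report connection, while the single-policy form reports one policy and allows it. Same-origin AJAX calls pass under both, `object-src 'none'` rejects plugin content, and `frame-ancestors 'self'` rejects an http:// parent even on the same host, which is the scheme component of 'self' the werk text refers to.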