Module: check_mk
Branch: master
Commit: ab88f7a4712416e2569eb60819164b69269423d4
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ab88f7a4712416…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon May 15 15:20:20 2017 +0200
4682 SEC Add permission "Can add or modify executables" to be able to fine tune access rights
It is now possible to explicitly allow/deny users of WATO to add or modify executables.
This is done with the new permission <i>Can add or modify executables</i>. By default
only users with the role <i>Administrator</i> have this permission.
There are different places in Check_MK where an admin, the user of the configuration
GUI, can use the GUI to add executable code to Check_MK.
For example when configuring datasource programs, the user inserts a command line for
gathering monitoring data. This command line is then executed during monitoring by
Check_MK.
Another example is the upload of extension packages (MKPs).
These functions have in common that the user provides data that is executed by Check_MK
later in the context of Check_MK.
If you want to ensure that your WATO users can not "inject" arbitrary executables
into your Check_MK installation, you only need to revoke this permission.
This permission is needed in addition to the other component related permissions.
For example you need the <tt>wato.rulesets</tt> permission together with the new
permission to be able to configure rulesets where bare command lines are configured.
These things are protected by the new permission at the moment:
<ul>
<li>Ruleset: Classical active and passive monitoring checks</li>
<li>Ruleset: Datasource programs</li>
<li>Ruleset: Configuring custom host check command</li>
<li>Host diagnostic page: Setting arbitrary command line as datasource program</li>
<li>Configure event console actions</li>
<li>
<strong>Incompatible</strong>: Users with the role <i>Users</i> are allowed to edit rulesets
for the WATO folders they are permitted on. In previous versions they were also able to
insert arbitrary commands into the rulesets mentioned above. This has now been removed
(by default) for security reasons. If you still need this functionality, you need to
set the new permission to <i>yes</i> for this role.</li>
</ul>
CMK-963
Change-Id: Ic52c52e53b8cbd10c8f2af064559ff0bed9b41c7
---
cmk/gui/wato/__init__.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index 86b72d0..4413e06 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -15178,13 +15178,13 @@ def load_plugins(force):
config.declare_permission("wato.add_or_modify_executables",
_("Can add or modify executables"),
- _("There are different places in Check_MK where an admin, the user of the configuration "
- "GUI, can use the GUI to add executable code to Check_MK. For example when configuring "
+ _("There are different places in Check_MK where an admin can use the GUI to add "
+ "executable code to Check_MK. For example when configuring "
"datasource programs, the user inserts a command line for gathering monitoring data. "
"This command line is then executed during monitoring by Check_MK. Another example is "
"the upload of extension packages (MKPs). All these functions have in "
- "common that the user provides data that is executed by Check_MK later. "
- "If you want to ensure that your WATO users can not \"inject\" arbitrary executables "
+ "common that the user provides data that is executed by Check_MK. "
+ "If you want to ensure that your WATO users cannot \"inject\" arbitrary executables "
"into your Check_MK installation, you only need to remove this permission for them. "
"This permission is needed in addition to the other component related permissions. "
"For example you need the <tt>wato.rulesets</tt> permission together with this "
Module: check_mk
Branch: master
Commit: 0179cfcbf53f595b9703f632958dd0f7e28d5b52
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0179cfcbf53f59…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 14 08:42:47 2018 +0200
6614 SEC Fixed reflected XSS affecting agent updater AJAX calls
When the hostname of a monitored agent is known, this could be used to exploit
a reflected XSS vulnerability. Every unauthenticated or authenticated user can
issue a request like this. The victim does not have to be authorized on the
Check_MK application.
Change-Id: If81ea745bfd042b647f24f34bf7e90c1dff93a5d
---
.werks/6614 | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.werks/6614 b/.werks/6614
new file mode 100644
index 0000000..8a8dd43
--- /dev/null
+++ b/.werks/6614
@@ -0,0 +1,13 @@
+Title: Fixed reflected XSS affecting agent updater AJAX calls
+Level: 1
+Component: agents
+Compatible: compat
+Edition: cee
+Version: 1.6.0i1
+Date: 1536907287
+Class: security
+
+When the hostname of a monitored agent is known, this could be used to exploit
+a reflected XSS vulnerability. Every unauthenticated or authenticated user can
+issue a request like this. The victim does not have to be authorized on the
+Check_MK application
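Review bot: this commit adds only `.werks/6614`; the diffstat contains no code, so the escaping fix for the agent updater AJAX call cannot be reviewed here (Edition is `cee`, so it presumably lives in the enterprise tree), and the werk should reference that change. The description also conflates attacker and victim: "Every unauthenticated or authenticated user can issue a request like this" describes the attacker building the URL, while "The victim does not have to be authorized" describes who is hit; say explicitly that the attacker needs only a valid hostname and that the victim needs to open the crafted link in a browser. The last sentence is missing its full stop.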
Module: check_mk
Branch: master
Commit: 3e586750d45011fca465255518aa90a97935aa0a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3e586750d45011…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 14 09:05:09 2018 +0200
6615 SEC Fixed unauthorized access to master control actions
As an authenticated guest user it was possible to gain unauthorized access to
the master control snapin actions even if it is not possible to open the
master control snapin. The vulnerability could be used to disable the complete
monitoring or trigger other actions like disabling notifications.
Change-Id: Ibc5c9f8b2183cee7444548a3f2e0c7392351dcaa
---
.werks/6615 | 13 +++++++++++++
cmk/gui/plugins/sidebar/master_control.py | 5 +++++
2 files changed, 18 insertions(+)
diff --git a/.werks/6615 b/.werks/6615
new file mode 100644
index 0000000..44c6098
--- /dev/null
+++ b/.werks/6615
@@ -0,0 +1,13 @@
+Title: Fixed unauthorized access to master control actions
+Level: 2
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536908316
+Class: security
+
+As an authenticated guest user it was possible to gain unauthorized access to
+the master control snapin actions event if it is not possible to open the
+master control snapin. The vulnerability could be used to disable the complete
+monitoring or trigger other actions like disabling notifications.
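Review bot: "event if it is not possible" in the werk text should read "even if it is not possible"; the same typo is in the commit message. Since the werk is what ends up in the release notes, fix it here before merging.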
diff --git a/cmk/gui/plugins/sidebar/master_control.py b/cmk/gui/plugins/sidebar/master_control.py
index c360f47..319c573 100644
--- a/cmk/gui/plugins/sidebar/master_control.py
+++ b/cmk/gui/plugins/sidebar/master_control.py
@@ -175,6 +175,11 @@ div.snapin table.master_control td img.iconbutton {
def _ajax_switch_masterstate(self):
+ html.set_output_format("json")
+
+ if not config.user.may("sidesnap.master_control"):
+ return
+
site = html.var("site")
column = html.var("switch")
state = int(html.var("state"))
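Review bot: the new guard returns silently after `html.set_output_format("json")`, so an unauthorized caller gets an HTTP 200 with an empty body that is indistinguishable from "nothing to do"; raise the GUI's authorization exception (or emit an explicit error object) so the client, the access log and the audit trail record a denial. The lines that follow still do `int(html.var("state"))` and use `site`/`column` unvalidated, so a missing or non-numeric `state` turns into a traceback rather than a clean error; validate both after the permission check.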
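The two access-control changes on this page, werk 4682 (a second permission gating rulesets that carry bare command lines, required in addition to `wato.rulesets`) and werk 6615 (an AJAX action handler that checks its own permission instead of relying on the snapin being hidden), follow the same deny-by-default pattern. The example below is added here to illustrate both; it is not Check_MK code. The permission names are the ones the werks use; the role table, the ruleset identifiers, the `User`/`Forbidden` classes, the `CORE_STATE` switches and the handler signature are assumptions made for the example.

```python
"""Deny-by-default permission checks for a configuration GUI.

Added example, not Check_MK code. Models two points from the werks above:
  * werk 4682: a ruleset whose value is executed later needs the component
    permission (wato.rulesets) AND wato.add_or_modify_executables.
  * werk 6615: an AJAX action handler (the master control switch) checks
    its own permission instead of relying on the snapin being hidden.
Permission names come from the werks; the role table, the ruleset
identifiers, User/Forbidden, CORE_STATE and the handler signature are assumed.
"""
from dataclasses import dataclass
from functools import wraps

# Assumed role -> permission table (Check_MK's real defaults are configurable
# and broader); only "admin" may add executables or use master control.
ROLE_PERMISSIONS = {
    "admin": {"wato.rulesets", "wato.add_or_modify_executables",
              "sidesnap.master_control"},
    "user": {"wato.rulesets"},
    "guest": set(),
}

# Rulesets whose values the monitoring core executes later: the three
# rulesets werk 4682 lists. The identifiers are assumed for this example.
EXECUTABLE_RULESETS = {"custom_checks", "datasource_programs", "host_check_commands"}


@dataclass(frozen=True)
class User:
    name: str
    role: str

    def may(self, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS.get(self.role, set())


class Forbidden(Exception):
    """Raised instead of returning an empty 200, so callers and audit logs
    can tell "denied" from "done"."""


def require_permission(permission: str):
    """Guard an action endpoint: the check lives at the endpoint itself, so a
    hidden UI element is not the only barrier (werk 6615)."""
    def decorate(handler):
        @wraps(handler)
        def guarded(user: User, *args, **kwargs):
            if not user.may(permission):
                raise Forbidden(f"{user.name} ({user.role}) lacks {permission}")
            return handler(user, *args, **kwargs)
        return guarded
    return decorate


def may_edit_ruleset(user: User, ruleset: str) -> bool:
    """werk 4682: the executable permission is required *in addition to*
    wato.rulesets, never instead of it."""
    if not user.may("wato.rulesets"):
        return False
    if ruleset in EXECUTABLE_RULESETS:
        return user.may("wato.add_or_modify_executables")
    return True


# Constructed core switches that master control toggles (assumed names).
CORE_STATE = {"execute_service_checks": 1, "enable_notifications": 1}


@require_permission("sidesnap.master_control")
def ajax_switch_masterstate(user: User, column: str, state) -> dict:
    """Handler shape of werk 6615 (site argument omitted): input is validated
    only after the permission check, then one core switch is flipped."""
    if column not in CORE_STATE:
        raise ValueError(f"unknown switch {column!r}")
    if state not in (0, 1, "0", "1"):
        raise ValueError(f"state must be 0 or 1, got {state!r}")
    CORE_STATE[column] = int(state)
    return dict(CORE_STATE)


def demo() -> dict:
    """Run the scenarios from both werks and report each outcome."""
    admin, editor, guest = User("alice", "admin"), User("bob", "user"), User("eve", "guest")
    results = {
        "user_edits_plain_ruleset": may_edit_ruleset(editor, "notification_parameters"),
        "user_edits_datasource_programs": may_edit_ruleset(editor, "datasource_programs"),
        "admin_edits_datasource_programs": may_edit_ruleset(admin, "datasource_programs"),
    }
    try:  # the guest never sees the snapin, and the endpoint refuses anyway
        ajax_switch_masterstate(guest, "enable_notifications", 0)
        results["guest_disabled_notifications"] = True
    except Forbidden:
        results["guest_disabled_notifications"] = False
    results["admin_disabled_notifications"] = (
        ajax_switch_masterstate(admin, "enable_notifications", 0)["enable_notifications"] == 0
    )
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

`may_edit_ruleset` keeps the two permissions separate on purpose: revoking `wato.add_or_modify_executables` from the `user` role leaves ordinary rulesets editable and only closes the command-line ones, which is the behaviour werk 4682 describes. `require_permission` raises rather than returning, which is the one thing the hunk above does differently.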
Module: check_mk
Branch: master
Commit: 17fd31635b3ecb418ca25a4153c5abfaaa93495a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=17fd31635b3ecb…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Tue Sep 18 14:25:26 2018 +0200
6598 FIX HW/SW Inventory: Do not list plugins on commandline for which the related section is empty
Change-Id: I0333452af31c77eefb8c58d4bf51636ead4d4197
---
.werks/6598 | 10 ++++++++++
cmk_base/inventory.py | 6 ++++++
2 files changed, 16 insertions(+)
diff --git a/.werks/6598 b/.werks/6598
new file mode 100644
index 0000000..023fce1
--- /dev/null
+++ b/.werks/6598
@@ -0,0 +1,10 @@
+Title: HW/SW Inventory: Do not list plugins on commandline for which the related section is empty
+Level: 1
+Component: inv
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1537273423
+Class: fix
+
+
diff --git a/cmk_base/inventory.py b/cmk_base/inventory.py
index 6363a17..2c37116 100644
--- a/cmk_base/inventory.py
+++ b/cmk_base/inventory.py
@@ -249,6 +249,12 @@ def _do_inv_for_realhost(sources, multi_host_sections, hostname, ipaddress,
# Note: this also excludes existing sections without info..
continue
+ if all([x in [[], {}, None] for x in section_content]):
+ # Inventory plugins which get parsed info from related
+ # check plugin may have more than one return value, eg
+ # parse function of oracle_tablespaces returns ({}, {})
+ continue
+
console.verbose(" %s%s%s%s" % (tty.green, tty.bold, section_name, tty.normal))
# Inventory functions can optionally have a second argument: parameters.
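Review bot: `all([x in [[], {}, None] for x in section_content])` assumes `section_content` is iterable; a parse function that returns a scalar (the comment itself says return values vary per plugin) would raise `TypeError` here rather than being skipped. Guard with `isinstance(section_content, (list, tuple))` before the comprehension, and drop the list around the generator so `all()` can short-circuit. Note also that an empty list yields `all([]) == True` and is skipped, which is the intended behaviour and worth stating in the comment.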
Module: check_mk
Branch: master
Commit: e2ff95cf65ce2088ced8b6b47f481276cb25b743
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e2ff95cf65ce20…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Tue Sep 18 13:38:06 2018 +0200
6596 FIX Do status data inventory: Check "HW/SW Inventory" and shell commands behave the same way
If <tt>Status data inventory</tt> is enabled in the ruleset
<tt>Do hardware/software Inventory</tt> the active check
<tt>Check_MK HW/SW Inventory</tt> and the shell commands
<tt>cmk -vii</tt> and <tt>cmk -v</tt> behave the same way.
Change-Id: I41016a6491549d166b77991c7fc3ae01f4608994
---
.werks/6596 | 16 ++++++++++++++++
cmk_base/inventory.py | 25 ++++++++++++++-----------
2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/.werks/6596 b/.werks/6596
new file mode 100644
index 0000000..08846d5
--- /dev/null
+++ b/.werks/6596
@@ -0,0 +1,16 @@
+Title: Do status data inventory: Check "HW/SW Inventory" and shell commands behave the same way
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1537270279
+Class: fix
+
+If <tt>Status data inventory</tt> is enabled in the ruleset
+<tt>Do hardware/software Inventory</tt> the active check
+<tt>Check_MK HW/SW Inventory</tt> and the shell commands
+<tt>cmk -vii</tt> and <tt>cmk -vi</tt> behave the same way.
+
+The same result should also be displayed if <tt>cmk -v</tt>
+is executed if <tt>Status data inventory</tt> is enabled.
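Review bot: the werk and the commit message disagree on the second command: the werk says `cmk -vii` and `cmk -vi`, the message says `cmk -vii` and `cmk -v`, and the werk's last paragraph then mentions `cmk -v` separately as "should also" behave the same. State once which invocations are covered and whether `cmk -v` is in scope.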
diff --git a/cmk_base/inventory.py b/cmk_base/inventory.py
index a368510..f58fe0d 100644
--- a/cmk_base/inventory.py
+++ b/cmk_base/inventory.py
@@ -83,7 +83,8 @@ def do_inv(hostnames):
ipaddress = ip_lookup.lookup_ip_address(hostname)
sources = data_sources.DataSources(hostname, ipaddress)
- do_inv_for(sources, multi_host_sections=None, hostname=hostname, ipaddress=ipaddress)
+ _do_inv_for(sources, multi_host_sections=None, hostname=hostname, ipaddress=ipaddress,
+ do_status_data_inv=config.do_status_data_inventory_for(hostname))
except Exception, e:
if cmk.debug.enabled():
raise
@@ -108,8 +109,10 @@ def do_inv_check(hostname, options):
status, infotexts, long_infotexts, perfdata = 0, [], [], []
sources = data_sources.DataSources(hostname, ipaddress)
- old_timestamp, inventory_tree, status_data_tree = do_inv_for(sources, multi_host_sections=None,
- hostname=hostname, ipaddress=ipaddress)
+ old_timestamp, inventory_tree, status_data_tree =\
+ _do_inv_for(sources, multi_host_sections=None,
+ hostname=hostname, ipaddress=ipaddress,
+ do_status_data_inv=config.do_status_data_inventory_for(hostname))
if inventory_tree.is_empty() and status_data_tree.is_empty():
infotexts.append("Found no data")
@@ -157,17 +160,18 @@ def do_status_data_inventory(sources, multi_host_sections, hostname, ipaddress):
import cmk_base.inventory_plugins as inventory_plugins
# cmk_base/modes/check_mk.py loads check plugins but not inventory plugins
do_inv = False
+ section_names = multi_host_sections.get_host_sections().get((hostname, ipaddress)).sections.keys()
inventory_plugins.load_plugins(check_api.get_check_api_context, get_inventory_context)
- for plugin in inventory_plugins.inv_info.values():
- if plugin.get("has_status_data"):
+ for plugin_name, plugin in inventory_plugins.inv_info.iteritems():
+ if plugin_name in section_names and plugin.get("has_status_data"):
do_inv = True
break
if do_inv:
- do_inv_for(sources, multi_host_sections=multi_host_sections, hostname=hostname,
- ipaddress=ipaddress, do_status_data_inventory=True)
+ _do_inv_for(sources, multi_host_sections=multi_host_sections, hostname=hostname,
+ ipaddress=ipaddress, do_status_data_inv=True)
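Review bot: `multi_host_sections.get_host_sections().get((hostname, ipaddress)).sections.keys()` dereferences the result of `.get()` without a None check, so a host for which no sections were fetched yet raises `AttributeError` inside the check instead of simply skipping status data inventory; fetch the entry first and return early when it is missing. Matching `plugin_name in section_names` also relies on inventory plugin names being identical to section names, which holds for the `inv_info` loop below but should be documented at this point.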
-def do_inv_for(sources, multi_host_sections, hostname, ipaddress, do_status_data_inventory=False):
+def _do_inv_for(sources, multi_host_sections, hostname, ipaddress, do_status_data_inv):
_initialize_inventory_tree()
inventory_tree = g_inv_tree
status_data_tree = StructuredDataTree()
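Review bot: `do_inv_for` was a public module-level function and is renamed to `_do_inv_for` with a now-mandatory `do_status_data_inv` argument; any out-of-tree caller breaks, yet the werk is marked `Compatible: compat`. Either keep a thin `do_inv_for` wrapper with the old default or mark the werk incompatible and mention the rename.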
@@ -189,7 +193,7 @@ def do_inv_for(sources, multi_host_sections, hostname, ipaddress, do_status_data
console.section_success("Found %s%s%d%s inventory entries" %
(tty.bold, tty.yellow, inventory_tree.count_entries(), tty.normal))
- if do_status_data_inventory:
+ if do_status_data_inv:
status_data_tree.normalize_nodes()
_save_status_data_tree(hostname, status_data_tree)
@@ -219,7 +223,7 @@ def _do_inv_for_realhost(sources, multi_host_sections, hostname, ipaddress,
source.set_check_plugin_name_filter(_gather_snmp_check_plugin_names_inventory)
if multi_host_sections is not None:
# Status data inventory already provides filled multi_host_sections object.
- # SNMP data source: If do_status_data_inventory is enabled there may be
+ # SNMP data source: If 'do_status_data_inv' is enabled there may be
# sections for inventory plugins which were not fetched yet.
source.enforce_check_plugin_names(None)
host_sections = multi_host_sections.add_or_get_host_sections(hostname, ipaddress)
@@ -236,7 +240,6 @@ def _do_inv_for_realhost(sources, multi_host_sections, hostname, ipaddress,
for section_name, plugin in inventory_plugins.inv_info.items():
section_content = multi_host_sections.get_section_content(hostname, ipaddress,
section_name, for_discovery=False)
-
if section_content is None: # No data for this check type
continue
Module: check_mk
Branch: master
Commit: aa309f53279792e478da24048a03802987fb198c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=aa309f53279792…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Sep 18 13:20:08 2018 +0200
6624 FIX Sign all agents: Prevent focussing search field when opening the dialog
When opening the dialog "Sign all agents" there was previously a search field shown which had
the initial focus. A user would expect to have the initial focus on the key pass phrase field
to sign the agent. When the user starts typing the pass phrase without previously changing the
focus, the pass phrase becomes visible on the screen.
To fix this we have now removed the search field from the "Sign all agents" dialog. The pass
phrase field is now initially focused as intended.
Change-Id: Id7ab0cb4706b39f42f76a0d33888eaf084000a4b
---
.werks/6624 | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/.werks/6624 b/.werks/6624
new file mode 100644
index 0000000..4b74f66
--- /dev/null
+++ b/.werks/6624
@@ -0,0 +1,17 @@
+Title: Sign all agents: Prevent focussing search field when opening the dialog
+Level: 1
+Component: agents
+Class: fix
+Compatible: compat
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1537269441
+
+When opening the dialog "Sign all agents" there was previously a search field shown which had
+the initial focus. A user would expect to have the initial focus on the key pass phrase field
+to sign the agent. When the user starts typing the pass phrase without previously changing the
+focus, the pass phrase becomes visible on the screen.
+
+To fix this we have now removed the search field from the "Sign all agents" dialog. The pass
+phrase field in now initially focused as intended.
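Review bot: "The pass phrase field in now initially focused" should read "is now initially focused"; the same typo is in the commit message. The werk also describes a secret being echoed in clear text, which is a user-facing leak rather than a pure UI fix; consider `Class: security` (as for 6614/6615) so it is visible in the security change list.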
Module: check_mk
Branch: master
Commit: 1c444cb6e67e03fbd2a578fcf722f308eb31c9dc
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1c444cb6e67e03…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Wed Sep 12 10:42:25 2018 +0200
6496 FIX check_mk_agent.linux: Moved piggybacked docker container sections to plugin 'mk_docker_container_piggybacked'
Change-Id: Ic6803b9057394f0fe87019168056815bf1210a00
---
.werks/6496 | 28 +++++++++++++
agents/check_mk_agent.linux | 30 --------------
agents/plugins/mk_docker_container_piggybacked | 55 ++++++++++++++++++++++++++
3 files changed, 83 insertions(+), 30 deletions(-)
diff --git a/.werks/6496 b/.werks/6496
new file mode 100644
index 0000000..a04d5be
--- /dev/null
+++ b/.werks/6496
@@ -0,0 +1,28 @@
+Title: check_mk_agent.linux: Moved piggybacked docker container sections to plugin 'mk_docker_container_piggybacked'
+Level: 1
+Component: checks
+Class: fix
+Compatible: incomp
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1536741679
+
+In order to monitor docker containers the {{check_mk_agent}}
+collects the following information of each docker container
+as piggyback data:
+<ul>
+<li>The state, node name, labels and network information</li>
+<li>Execution of the {{check_mk_agent}} within running containers</li>
+</ul>
+
+Moreover you have to create piggybacked hosts in Check_MK for each docker
+container. The piggybacked host name is the docker container ID.
+
+Due to a long running time of these sections they are transferred to the
+plugin {{mk_docker_container_piggybacked}} which also can be executed
+asynchronously.
+
+That means that these sections were removed from the {{check_mk_agent}}
+and you have to install the plugin to the plugins folder on the client.
+
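Review bot: the werk says "The piggybacked host name is the docker container ID" but the plugin derives it from `docker container ls -q`, which prints the truncated 12-character ID; say so explicitly, since administrators creating piggybacked hosts by hand will otherwise use the full 64-character ID and get no data. It should also tell readers that the in-container agent run no longer carries `MK_IS_PIGGYBACKED=1` (see the plugin hunk), because that variable is what the node agent itself keys on.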
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index 99177ac..d25780e 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -1027,8 +1027,6 @@ fi
# Iterate all running containers and report piggyback data for them
if type docker > /dev/null 2>&1 && [ -z "$MK_IS_PIGGYBACKED" ]; then
- NODE_NAME=$(docker info --format "{{json .Name}}")
-
echo "<<<docker_node_info>>>"
docker info --format "{{json .}}" 2>&1
@@ -1049,34 +1047,6 @@ if type docker > /dev/null 2>&1 && [ -z "$MK_IS_PIGGYBACKED" ]; then
echo "<<<docker_node_network:sep(0)>>>"
NETWORK_IDS=$(docker network ls -f 'driver=bridge' --format='{{.ID}}')
docker network inspect "$NETWORK_IDS"
-
- # For the container status, we want information about *all* containers
- for CONTAINER_ID in $(docker container ls -q --all); do
- echo "<<<<${CONTAINER_ID}>>>>"
- docker inspect "$CONTAINER_ID" \
- --format='{{println "<<<docker_container_status>>>"}}{{json .State}}{{println}}{{println "<<<docker_container_node_name>>>"}}{{println '"$NODE_NAME"'}}{{println "<<<docker_container_labels>>>"}}{{json .Config.Labels}}{{println}}{{println "<<<docker_container_network>>>"}}{{json .NetworkSettings}}{{println}}'
- echo "<<<<>>>>"
- done
-
- for CONTAINER_ID in $(docker container ls -q); do
- echo "<<<<$CONTAINER_ID>>>>"
-
- # Is there a regular agent available in the container? Use it!
- #
- # Otherwise execute the agent of the node in the context of the container.
- # Using this approach we should always get at least basic information from
- # the container.
- # Once it comes to plugins and custom configuration the user needs to use
- # a little more complex setup. Have a look at the documentation.
- AGENT_PATH=$(docker container exec "$CONTAINER_ID" bash -c "type check_mk_agent" 2>/dev/null)
- if [ -n "$AGENT_PATH" ]; then
- docker container exec --env MK_IS_PIGGYBACKED=1 --env "REMOTE=$REMOTE" "$CONTAINER_ID" check_mk_agent
- elif docker container exec "$CONTAINER_ID" which bash >/dev/null 2>&1; then
- docker container exec --env MK_IS_PIGGYBACKED=1 --env MK_FROM_NODE=1 --env "REMOTE=$REMOTE" -i "$CONTAINER_ID" bash < "$0"
- fi
-
- echo "<<<<>>>>"
- done
fi
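Review bot: the guard `[ -z "$MK_IS_PIGGYBACKED" ]` on the `if` line is kept, but after this hunk nothing in the agent or in the new plugin sets `MK_IS_PIGGYBACKED` any more (the plugin execs with `MK_FROM_NODE=1` only), so an agent run inside a container that can reach a docker socket will emit its own `docker_node_*` sections and be attributed to the wrong host; either keep exporting the variable from the plugin or drop the dead guard. Pre-existing in the unchanged context: `docker network inspect "$NETWORK_IDS"` passes all newline-separated IDs as a single argument, which only works for exactly one bridge network.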
# Start new liveupdate process in background on each agent execution. Starting
diff --git a/agents/plugins/mk_docker_container_piggybacked b/agents/plugins/mk_docker_container_piggybacked
new file mode 100755
index 0000000..5d8ca3e
--- /dev/null
+++ b/agents/plugins/mk_docker_container_piggybacked
@@ -0,0 +1,55 @@
+#!/bin/bash
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2018 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# tails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+# $REMOTE is exported from check_mk_agent.linux
+
+if type docker > /dev/null 2>&1; then
+ NODE_NAME=$(docker info --format "{{json .Name}}")
+
+ # For the container status, we want information about *all* containers
+ for CONTAINER_ID in $(docker container ls -q --all); do
+ echo "<<<<${CONTAINER_ID}>>>>"
+ docker inspect "$CONTAINER_ID" \
+ --format='{{println "<<<docker_container_status>>>"}}{{json .State}}{{println}}{{println "<<<docker_container_node_name>>>"}}{{println '"$NODE_NAME"'}}{{println "<<<docker_container_labels>>>"}}{{json .Config.Labels}}{{println}}{{println "<<<docker_container_network>>>"}}{{json .NetworkSettings}}{{println}}'
+
+ if [ "$(docker inspect -f '{{.State.Running}}' "$CONTAINER_ID")" = "true" ]; then
+ # Is there a regular agent available in the container? Use it!
+ #
+ # Otherwise execute the agent of the node in the context of the container.
+ # Using this approach we should always get at least basic information from
+ # the container.
+ # Once it comes to plugins and custom configuration the user needs to use
+ # a little more complex setup. Have a look at the documentation.
+ AGENT_PATH=$(docker container exec "$CONTAINER_ID" bash -c "type check_mk_agent" 2>/dev/null)
+ if [ -n "$AGENT_PATH" ]; then
+ docker container exec --env "REMOTE=$REMOTE" "$CONTAINER_ID" check_mk_agent
+ elif docker container exec "$CONTAINER_ID" which bash >/dev/null 2>&1; then
+ docker container exec --env MK_FROM_NODE=1 --env "REMOTE=$REMOTE" -i "$CONTAINER_ID" bash < "$0"
+ fi
+ fi
+
+ echo "<<<<>>>>"
+ done
+fi
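Review bot: `bash < "$0"` on the `elif` branch is wrong after the move: in `check_mk_agent.linux` `$0` was the agent script, so it piped the node agent into the container; here `$0` is `mk_docker_container_piggybacked` itself, so a container without its own `check_mk_agent` now receives the plugin (which then looks for `docker` inside the container and produces nothing) and no agent sections at all. Pass the node agent's path to the plugin explicitly, as is already done for `REMOTE`, and feed that file. Two smaller points: the `--env MK_IS_PIGGYBACKED=1` from the original loops was dropped (see the agent hunk), and `docker inspect` is now invoked twice per container; `.State.Running` can be taken from the first call's `.State` JSON.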