Checkmk git commits February 2019

checkmk-commits@lists.checkmk.com

18 participants
457 discussions

6758 FIX mknotifyd: Fixed crash if the mknotify check sends no data

by Marcel Arentz

Module: check_mk Branch: master Commit: 19cf81db3c42f0b910ccca2f80dcacabd049598e URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=19cf81db3c42f0… Author: Marcel Arentz <ma(a)mathias-kettner.de> Date: Fri Feb 15 17:21:18 2019 +0100 6758 FIX mknotifyd: Fixed crash if the mknotify check sends no data The check previously crashed, if the agent sends a site name but no data for this site. If there is no data, this will be displayed now in the service output. Additionally the service will change it's state to WARN because there is no data for the last update time of mknotify state file. Change-Id: Icfab565fb1bcf45218d85413e0470f4df845f899 --- .werks/6758 | 13 +++++++++++++ checks/mknotifyd | 6 ++++++ 2 files changed, 19 insertions(+) diff --git a/.werks/6758 b/.werks/6758 new file mode 100644 index 0000000..11973f8 --- /dev/null +++ b/.werks/6758 @@ -0,0 +1,13 @@ +Title: mknotifyd: Fixed crash if the mknotify check sends no data +Level: 1 +Component: checks +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1550247640 +Class: fix + +The check previously crashed, if the agent sends a site name but no data for +this site. If there is no data, this will be displayed now in the service +output. Additionally the service will change it's state to WARN because +there is no data for the last update time of mknotify state file. diff --git a/checks/mknotifyd b/checks/mknotifyd index 7863936..d3ae439 100644 --- a/checks/mknotifyd +++ b/checks/mknotifyd @@ -148,6 +148,12 @@ def check_mknotifyd(item, _no_params, parsed): if item not in parsed: yield 2, "No status information, Spooler not running" return + # There are dummy-entries created during the parsing. So the + # dict will never be completely empty. We check for Version + # because this should be always present in a valid state file. + elif not parsed[item].get("Version"): + yield 2, "The state file seems to be empty. It is very likely that the spooler is not working properly" + return now = time.time() stat = parsed[item]

5 years, 7 months

7177 FIX Fix background job warning "IOError: [Errno 9] Bad file descriptor"

by Lars Michelsen

Module: check_mk Branch: master Commit: 4112ae3601e1fd21c89deebd0619b280cb14229c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4112ae3601e1fd… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Feb 20 14:46:40 2019 +0100 7177 FIX Fix background job warning "IOError: [Errno 9] Bad file descriptor" When starting a background job an unproblematic error message like this could occur in the output of the background job log: <code> sys.stdin.close() IOError: [Errno 9] Bad file descriptor </code> This was caused by an unclean stdin/stdout/stderr handling during job startup since commit cd6563801d1de1bdb89edc23788c17904f296aa1. Change-Id: I09a652b2f2373cf332aa37b8b4a0b23a493e189b --- .werks/7177 | 20 ++++++++++++++++++++ cmk/gui/background_job.py | 3 +++ 2 files changed, 23 insertions(+) diff --git a/.werks/7177 b/.werks/7177 new file mode 100644 index 0000000..5786327 --- /dev/null +++ b/.werks/7177 @@ -0,0 +1,20 @@ +Title: Fix background job warning "IOError: [Errno 9] Bad file descriptor" +Level: 1 +Component: wato +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1550667579 + +When starting a background job an unproblematic error message like this could +occur in the output of the background job log: + +<code> +sys.stdin.close() +IOError: [Errno 9] Bad file descriptor +</code> + +This was caused by an unclean stdin/stdout/stderr handling during job startup +since commit b15dfeb619c14c925b66f2a3437d213852204975. diff --git a/cmk/gui/background_job.py b/cmk/gui/background_job.py index dbeefa7..b493c57 100644 --- a/cmk/gui/background_job.py +++ b/cmk/gui/background_job.py @@ -152,6 +152,9 @@ class BackgroundProcess(BackgroundProcessInterface, multiprocessing.Process): # Detach from parent and cleanup inherited file descriptors os.setsid() daemon.set_procname(BackgroundJobDefines.process_name) + sys.stdin.close() + sys.stdout.close() + sys.stderr.close() daemon.closefrom(0) try:

5 years, 7 months

agent_aws: New checks for AWS/S3 requests metrics

by Simon Betz

Module: check_mk Branch: master Commit: 95970f991623fa63b350990ef9d5a4122c6d0656 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=95970f991623fa… Author: Simon Betz <si(a)mathias-kettner.de> Date: Fri Feb 15 13:42:03 2019 +0100 agent_aws: New checks for AWS/S3 requests metrics These checks are: - aws_s3_requests - aws_s3_requests.http_errors - aws_s3_requests.latency - aws_s3_requests.select_object - aws_s3_requests.traffic_stats 'Request metrics (paid feature)' must be enabled in AWS S3 console Change-Id: Ia60a571575bd69193f0808d920429dad02abea50 --- agents/special/agent_aws | 82 +++++++++ checkman/aws_s3_requests | 19 ++ checkman/aws_s3_requests.http_errors | 18 ++ checkman/aws_s3_requests.latency | 21 +++ checkman/aws_s3_requests.select_object | 18 ++ checkman/aws_s3_requests.traffic_stats | 19 ++ checks/agent_aws | 3 + checks/aws_s3_requests | 250 ++++++++++++++++++++++++++ cmk/gui/plugins/metrics/check_mk.py | 72 ++++++++ cmk/gui/plugins/wato/check_parameters/aws.py | 251 +++++++++++++++++++++++---- cmk/gui/plugins/wato/datasource_programs.py | 99 +++++++---- 11 files changed, 788 insertions(+), 64 deletions(-) Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=95970f9916…

5 years, 7 months

7176 FIX Fixed "insecure request warning" message during distributed site remote calls

by Lars Michelsen

Module: check_mk Branch: master Commit: 7aa0a2e96f9964a5ec1d681fb8be76e38c7e5e7d URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7aa0a2e96f9964… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Feb 20 14:45:51 2019 +0100 7176 FIX Fixed "insecure request warning" message during distributed site remote calls When executing a remote automation call, for example to rename a host on a remote site in distributed setups, the message "InsecureRequestWarning: Unverified HTTPS request is being made" could be visible in the background job output which we don't want to display there. Insecure configurations are made visibile in the analyze configuration results instead. Change-Id: I3e3b3405de3ee42807b65f45077dcefb4b56d455 --- .werks/7176 | 15 +++++++++++++++ cmk/gui/plugins/wato/ac_tests.py | 5 +++++ cmk/gui/watolib/__init__.py | 5 +++++ cmk/gui/watolib/automations.py | 5 +++++ 4 files changed, 30 insertions(+) diff --git a/.werks/7176 b/.werks/7176 new file mode 100644 index 0000000..ecd3ede --- /dev/null +++ b/.werks/7176 @@ -0,0 +1,15 @@ +Title: Fixed "insecure request warning" message during distributed site remote calls +Level: 1 +Component: wato +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1550666883 + +When executing a remote automation call, for example to rename a host on a remote site +in distributed setups, the message "InsecureRequestWarning: Unverified HTTPS request is +being made" could be visible in the background job output which we don't want to display +there. Insecure configurations are made visibile in the analyze configuration results +instead. diff --git a/cmk/gui/plugins/wato/ac_tests.py b/cmk/gui/plugins/wato/ac_tests.py index 8ba8e18..ec191fb 100644 --- a/cmk/gui/plugins/wato/ac_tests.py +++ b/cmk/gui/plugins/wato/ac_tests.py @@ -28,6 +28,7 @@ import abc import subprocess import requests +import urllib3 import cmk.gui.userdb as userdb import cmk.gui.sites as sites @@ -50,6 +51,10 @@ from cmk.gui.plugins.wato import ( SiteBackupJobs, ) +# Disable python warnings in background job output or logs like "Unverified +# HTTPS request is being made". We warn the user using analyze configuration. +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + @ac_test_registry.register class ACTestPersistentConnections(ACTest): diff --git a/cmk/gui/watolib/__init__.py b/cmk/gui/watolib/__init__.py index 16d377f..a105506 100644 --- a/cmk/gui/watolib/__init__.py +++ b/cmk/gui/watolib/__init__.py @@ -53,6 +53,7 @@ import traceback from typing import NamedTuple, List # pylint: disable=unused-import import requests +import urllib3 from pathlib2 import Path import six @@ -305,6 +306,10 @@ import cmk.gui.plugins.watolib if not cmk.is_raw_edition(): import cmk.gui.cee.plugins.watolib +# Disable python warnings in background job output or logs like "Unverified +# HTTPS request is being made". We warn the user using analyze configuration. +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + def load_watolib_plugins(): cmk.gui.utils.load_web_plugins("watolib", globals()) diff --git a/cmk/gui/watolib/automations.py b/cmk/gui/watolib/automations.py index 783a013..3f4150e 100644 --- a/cmk/gui/watolib/automations.py +++ b/cmk/gui/watolib/automations.py @@ -32,6 +32,7 @@ import re import subprocess import time import requests +import urllib3 import cmk.utils @@ -48,6 +49,10 @@ from cmk.gui.exceptions import ( MKUserError, ) +# Disable python warnings in background job output or logs like "Unverified +# HTTPS request is being made". We warn the user using analyze configuration. +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + class MKAutomationException(MKGeneralException): pass

5 years, 7 months

AWS checks: Fixed a few missing 'aws.include's

by Simon Betz

Module: check_mk Branch: master Commit: 26416b878411fa1e68d7a5d168b905b9307a86fd URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=26416b878411fa… Author: Simon Betz <si(a)mathias-kettner.de> Date: Wed Feb 20 14:11:42 2019 +0100 AWS checks: Fixed a few missing 'aws.include's Change-Id: I85af7da1e5614694ee7652b23e42212011d53932 --- checks/aws_ebs | 1 + checks/aws_rds | 11 +++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/checks/aws_ebs b/checks/aws_ebs index 6a1e31c..243a159 100644 --- a/checks/aws_ebs +++ b/checks/aws_ebs @@ -112,6 +112,7 @@ check_info['aws_ebs.burst_balance'] = { inventory_aws_generic(p, ['BurstBalance']), 'check_function': check_aws_ebs_burst_balance, 'service_description': 'AWS/EBS Burst Balance %s', + 'includes': ['aws.include'], 'group': 'aws_ebs_burst_balance', 'has_perfdata': True } diff --git a/checks/aws_rds b/checks/aws_rds index 8fca101..66194ce 100644 --- a/checks/aws_rds +++ b/checks/aws_rds @@ -157,6 +157,7 @@ check_info['aws_rds.cpu_credits'] = { inventory_aws_generic(p, ['CPUCreditUsage', 'CPUCreditBalance']), 'check_function': check_aws_rds_cpu_credits, 'service_description': 'AWS/RDS %s CPU Credits', + 'includes': ['aws.include'], 'group': 'aws_rds_cpu_credits', 'has_perfdata': True, } @@ -204,7 +205,7 @@ check_info['aws_rds.network_io'] = { inventory_aws_generic(p, ['NetworkReceiveThroughput', 'NetworkTransmitThroughput']), 'check_function': check_aws_rds_network_io, 'service_description': 'AWS/RDS %s Network IO', - 'includes': ["if.include"], + 'includes': ['aws.include', "if.include"], 'default_levels_variable': "if_default_levels", 'group': 'if', 'has_perfdata': True, @@ -243,6 +244,7 @@ check_info['aws_rds.bin_log_usage'] = { inventory_aws_generic(p, ['BinLogDiskUsage', 'AllocatedStorage']), 'check_function': check_aws_rds_bin_log_usage, 'service_description': 'AWS/RDS %s Binary Log Usage', + 'includes': ['aws.include'], 'has_perfdata': True, 'group': 'aws_rds_disk_usage', } @@ -290,6 +292,7 @@ check_info['aws_rds.transaction_logs_usage'] = { inventory_aws_generic(p, ['TransactionLogsDiskUsage', 'AllocatedStorage']), 'check_function': check_aws_rds_transaction_logs_usage, 'service_description': 'AWS/RDS %s Transaction Logs Usage', + 'includes': ['aws.include'], 'has_perfdata': True, 'group': 'aws_rds_disk_usage', } @@ -333,6 +336,7 @@ check_info['aws_rds.replication_slot_usage'] = { inventory_aws_generic(p, ['ReplicationSlotDiskUsage', 'AllocatedStorage']), 'check_function': check_aws_rds_replication_slot_usage, 'service_description': 'AWS/RDS %s Replication Slot Usage', + 'includes': ['aws.include'], 'has_perfdata': True, 'group': 'aws_rds_disk_usage', } @@ -373,7 +377,7 @@ check_info['aws_rds.disk_io'] = { inventory_aws_generic(p, ['DiskQueueDepth', 'ReadIOPS', 'ReadLatency', 'ReadThroughput', 'WriteIOPS', 'WriteLatency', 'WriteThroughput']), 'check_function': check_aws_rds_disk_io, 'service_description': 'AWS/RDS %s Disk IO', - 'includes': ['diskstat.include'], + 'includes': ['aws.include', 'diskstat.include'], 'group': 'diskstat', 'has_perfdata': True, } @@ -403,6 +407,7 @@ check_info['aws_rds.connections'] = { inventory_aws_generic(p, ['DatabaseConnections']), 'check_function': check_aws_rds_connections, 'service_description': 'AWS/RDS %s Connections', + 'includes': ['aws.include'], 'has_perfdata': True, 'group': 'aws_rds_connections', } @@ -433,6 +438,7 @@ check_info['aws_rds.agent_jobs'] = { inventory_aws_generic(p, ['FailedSQLServerAgentJobsCount']), 'check_function': check_aws_rds_agent_jobs, 'service_description': 'AWS/RDS %s SQL Server Agent Jobs', + 'includes': ['aws.include'], } #. @@ -470,6 +476,7 @@ check_info['aws_rds.replica_lag'] = { inventory_aws_generic(p, ['ReplicaLag']), 'check_function': check_aws_rds_replica_lag, 'service_description': 'AWS/RDS %s Replica Lag', + 'includes': ['aws.include'], 'has_perfdata': True, 'group': 'aws_rds_replica_lag', }

5 years, 7 months

AWS checks: Added missing performance data flag resp. metric info

by Simon Betz

Module: check_mk Branch: master Commit: 5ac8d7aaa0bad84e1ca4a65fa50c47730a62c7a9 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5ac8d7aaa0bad8… Author: Simon Betz <si(a)mathias-kettner.de> Date: Wed Feb 20 14:02:14 2019 +0100 AWS checks: Added missing performance data flag resp. metric info Change-Id: Ifcf448ff481889f31d765977a9602f991ce2a24e --- checks/aws_ec2 | 3 ++- checks/aws_rds | 4 +++- cmk/gui/plugins/metrics/check_mk.py | 6 ++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/checks/aws_ec2 b/checks/aws_ec2 index ce545c7..668b06b 100644 --- a/checks/aws_ec2 +++ b/checks/aws_ec2 @@ -113,7 +113,7 @@ def check_aws_ec2_cpu_credits(item, params, parsed): warn, crit = params["balance_levels_lower"] yield check_levels( metrics['CPUCreditBalance'], - "aws_ec2_credit_balance", (None, None, warn, crit), + "aws_cpu_credit_balance", (None, None, warn, crit), human_readable_func=lambda x: "%.2f" % x, infoname='Balance') @@ -126,6 +126,7 @@ check_info['aws_ec2.cpu_credits'] = { 'group': 'aws_ec2_cpu_credits', 'includes': ['aws.include'], 'default_levels_variable': 'aws_cpu_credits', + 'has_perfdata': True, } #. diff --git a/checks/aws_rds b/checks/aws_rds index 36c8697..8fca101 100644 --- a/checks/aws_rds +++ b/checks/aws_rds @@ -101,6 +101,7 @@ check_info['aws_rds'] = { 'includes': ['cpu_util.include', 'aws.include'], 'group': 'cpu_utilization_multiitem', 'default_levels_variable': 'aws_rds_cpu_util', + 'has_perfdata': True, } #. @@ -137,7 +138,7 @@ def check_aws_rds_cpu_credits(item, params, metrics): warn, crit = params.get("balance_levels_lower", (None, None)) yield check_levels( metrics['CPUCreditBalance'], - "aws_rds_credit_balance", (None, None, warn, crit), + "aws_cpu_credit_balance", (None, None, warn, crit), human_readable_func=lambda x: "%.2f" % x, infoname='Balance') @@ -157,6 +158,7 @@ check_info['aws_rds.cpu_credits'] = { 'check_function': check_aws_rds_cpu_credits, 'service_description': 'AWS/RDS %s CPU Credits', 'group': 'aws_rds_cpu_credits', + 'has_perfdata': True, } #. diff --git a/cmk/gui/plugins/metrics/check_mk.py b/cmk/gui/plugins/metrics/check_mk.py index 3dd0703..eaa981d 100644 --- a/cmk/gui/plugins/metrics/check_mk.py +++ b/cmk/gui/plugins/metrics/check_mk.py @@ -4860,6 +4860,12 @@ metric_info['aws_burst_balance'] = { 'color': '11/a', } +metric_info['aws_cpu_credit_balance'] = { + 'title': _('CPU Credit Balance'), + 'unit': 'count', + 'color': '11/a', +} + metric_info['aws_rds_bin_log_disk_usage'] = { 'title': _('Bin Log Disk Usage'), 'unit': '%',

5 years, 7 months

AWS checks: minor cleanup

by Simon Betz

Module: check_mk Branch: master Commit: b5faa8436afb727384f2a76b013e028d56b98fa4 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b5faa8436afb72… Author: Simon Betz <si(a)mathias-kettner.de> Date: Wed Feb 20 13:21:06 2019 +0100 AWS checks: minor cleanup Change-Id: I56dda77e7f2e928c98eb5238c36f6a7f6b4fdf2d --- checks/aws.include | 18 +++-------- checks/aws_ebs_summary | 4 ++- checks/aws_ec2 | 87 +++++++++++++++++++++++++------------------------- checks/aws_ec2_summary | 17 ++++------ checks/aws_elb | 32 +++++++++++-------- checks/aws_elb_health | 7 +--- checks/aws_elb_summary | 7 +--- checks/aws_exceptions | 7 +--- checks/aws_rds_summary | 60 +++++++++++++++++++++------------- checks/aws_s3 | 24 ++++++-------- 10 files changed, 126 insertions(+), 137 deletions(-) Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=b5faa8436a…

5 years, 7 months

7175 FIX Fixed exception when trying to export agent output for non WATO hosts

by Lars Michelsen

Module: check_mk Branch: master Commit: 4063af8df14f7b7d4767d84f0372fc08a6d60630 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4063af8df14f7b… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Feb 20 13:07:30 2019 +0100 7175 FIX Fixed exception when trying to export agent output for non WATO hosts The actions "Fetch agent output" and "Fetch SNMP walk" can only be used for hosts managed by WATO for distributed sites. The error message for non WATO hosts could not be displayed correctly and resulted in a crash which is fixed now. Change-Id: I004cc30cc4ee6f2bc51252d4e7948288046073d8 --- .werks/7175 | 13 +++++++++++++ cmk/gui/wato/__init__.py | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.werks/7175 b/.werks/7175 new file mode 100644 index 0000000..efa6d27 --- /dev/null +++ b/.werks/7175 @@ -0,0 +1,13 @@ +Title: Fixed exception when trying to export agent output for non WATO hosts +Level: 1 +Component: multisite +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1550661767 + +The actions "Fetch agent output" and "Fetch SNMP walk" can only be used for hosts +managed by WATO for distributed sites. The error message for non WATO hosts could +not be displayed correctly and resulted in a crash which is fixed now. diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py index c91ce55..9dc4ed1 100644 --- a/cmk/gui/wato/__init__.py +++ b/cmk/gui/wato/__init__.py @@ -617,7 +617,7 @@ class AgentOutputPage(object): if not host: raise MKGeneralException( _("Host is not managed by WATO. " - "Click <a href=\"%s\">here</a> to go back.") % html.escape_attribute( + "Click <a href=\"%s\">here</a> to go back.") % html.escaper.escape_attribute( self._back_url)) host.need_permission("read") self._host = host

5 years, 7 months

agent_jolokia: fix debug flag

by Moritz Kiemer

Module: check_mk Branch: master Commit: 1c36d923d76b47d96906fc993fa77d2d1541a51a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1c36d923d76b47… Author: Moritz Kiemer <mo(a)mathias-kettner.de> Date: Tue Feb 19 14:34:30 2019 +0100 agent_jolokia: fix debug flag Change-Id: Ibef9e8f328ed5d98f08b1d6dada38ee0e6a7f8c9 --- agents/plugins/mk_jolokia.py | 4 ++-- agents/special/agent_jolokia | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/agents/plugins/mk_jolokia.py b/agents/plugins/mk_jolokia.py index 251ebdf..b4d9249 100755 --- a/agents/plugins/mk_jolokia.py +++ b/agents/plugins/mk_jolokia.py @@ -326,7 +326,7 @@ class JolokiaInstance(object): def post(self, data): post_data = json.dumps(data) if VERBOSE: - sys.stderr.write("DEBUG: POST data: %r\n" % post_data) + sys.stderr.write("\nDEBUG: POST data: %r\n" % post_data) try: raw_response = self._session.post(self.base_url, data=post_data) except () if DEBUG else Exception, exc: @@ -342,7 +342,7 @@ class JolokiaInstance(object): response = raw_response.json() if VERBOSE: - sys.stderr.write("DEBUG: Result: %r\n\n" % response) + sys.stderr.write("DEBUG: Result: %r\n" % response) return response diff --git a/agents/special/agent_jolokia b/agents/special/agent_jolokia index 9d3b0d5..95df1b1 100755 --- a/agents/special/agent_jolokia +++ b/agents/special/agent_jolokia @@ -42,8 +42,9 @@ def parse_arguments(argv=None): parser = argparse.ArgumentParser(description=__doc__) - parser.add_argument("-v", "--verbose", help='''Verbose mode''') - parser.add_argument("--debug", help="Debug mode: let python exceptions come through") + parser.add_argument("--verbose", action="count", help='''Verbose mode''') + parser.add_argument( + "--debug", action="store_true", help="Debug mode: let python exceptions come through") opts_with_help = (t for t in mk_jolokia.DEFAULT_CONFIG_TUPLES if len(t) == 3)

5 years, 7 months

7174 SEC Apache: Disable TRACE and OPTIONS method

by Lars Michelsen

Module: check_mk Branch: master Commit: 6d3e2053bec133feececea674d4baf45d43f88f2 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6d3e2053bec133… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Feb 20 07:47:21 2019 +0100 7174 SEC Apache: Disable TRACE and OPTIONS method The similar TRACK method is not supported by the site apache at all, so it does not have to be disabled. A lot of guides recommend to also disable the OPTIONS method for production servers. This HTTP method basically reports which HTTP Methods that are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it may grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole. For this reason we also disabled the OPTIONS method. CMK-1639 Change-Id: I57a0b47ba8f7fb2ae0d974ed5383afe56c5418af --- .werks/7174 | 22 ++++++++++++++++ .../skel/etc/apache/conf.d/security.conf | 13 ++++++++++ tests/integration/omd/test_web_access.py | 21 +++++++++++++++- tests/testlib/__init__.py | 29 ++++++---------------- 4 files changed, 62 insertions(+), 23 deletions(-) diff --git a/.werks/7174 b/.werks/7174 new file mode 100644 index 0000000..7154308 --- /dev/null +++ b/.werks/7174 @@ -0,0 +1,22 @@ +Title: Apache: Disable TRACE and OPTIONS methods +Level: 1 +Component: omd +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1550645011 +Class: security + +The HTTP method TRACE makes some kind of reflection attacks possible and is not +used at all. It has been enabled for the site apache using the option +<tt>TraceEnable Off</tt> in etc/apache/conf.d/security.conf. + +The similar TRACK method is not supported by the site apache at all, so it does +not have to be disabled. + +A lot of guides recommend to also disable the OPTIONS method for production +servers. This HTTP method basically reports which HTTP Methods that are +allowed on the web server. In reality, this is rarely used for legitimate +purposes, but it may grant a potential attacker a little bit of help and it +can be considered a shortcut to find another hole. For this reason we also +disabled the OPTIONS method. diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf index 54635fd..a334f3e 100644 --- a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf +++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf @@ -43,3 +43,16 @@ # Provide minimal information about the running software version and platform to clients ServerTokens Prod + +# Disable TRACE request method to prevent some kind of reflection attack +TraceEnable Off + +# This has been added to disable the OPTIONS method globally, but it also disables all other +# methods than GET, POST, HEAD. We may need to adapt this in the future once we use other +# methods +<Directory "/"> + <LimitExcept GET POST HEAD> + order deny,allow + deny from all + </LimitExcept> +</Directory> diff --git a/tests/integration/omd/test_web_access.py b/tests/integration/omd/test_web_access.py index ddcebd5..77426d1 100644 --- a/tests/integration/omd/test_web_access.py +++ b/tests/integration/omd/test_web_access.py @@ -1,7 +1,8 @@ #!/usr/bin/env python # encoding: utf-8 -from testlib import CMKWebSession, web +from testlib import CMKWebSession + def test_www_dir(site): web = CMKWebSession(site) @@ -82,3 +83,21 @@ def test_cmk_ajax_graph_images(site): web = CMKWebSession(site) response = web.get("/%s/check_mk/ajax_graph_images.py" % site.id) assert response.text == "" + + +def test_trace_disabled(site): + web = CMKWebSession(site) + # TRACE is disabled by using "TraceEnable Off" in apache config + web._request("TRACE", "/", expected_code=405) + + +def test_track_disabled(site): + web = CMKWebSession(site) + # TRACE is not supported by apache at all by apache, so there is no need to + # disable this. The HTTP code is just different from TRACE. + web._request("TRACK", "/", expected_code=403) + + +def test_options_disabled(site): + web = CMKWebSession(site) + web._request("OPTIONS", "/", expected_code=403) diff --git a/tests/testlib/__init__.py b/tests/testlib/__init__.py index 7c30f6f..f4fb541 100644 --- a/tests/testlib/__init__.py +++ b/tests/testlib/__init__.py @@ -976,11 +976,6 @@ class WebSession(requests.Session): if expect_redirect: kwargs["allow_redirects"] = False - if method == "post": - func = super(WebSession, self).post - else: - func = super(WebSession, self).get - # May raise "requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))" # suddenly without known reason. This may be related to some # apache or HTTP/1.1 issue when working with keepalive connections. See @@ -988,10 +983,10 @@ class WebSession(requests.Session): # https://github.com/mikem23/keepalive-race # Trying to workaround this by trying the problematic request a second time. try: - response = func(url, **kwargs) + response = super(WebSession, self).request(method, url, **kwargs) except requests.ConnectionError as e: if allow_retry and "Connection aborted" in "%s" % e: - response = func(url, **kwargs) + response = super(WebSession, self).request(method, url, **kwargs) else: raise @@ -1506,9 +1501,7 @@ class CMKWebSession(WebSession): def get_site(self, site_id): result = self._api_request( "webapi.py?action=get_site&request_format=python&output_format=python", - {"request": json.dumps({ - "site_id": site_id - })}, + {"request": json.dumps({"site_id": site_id})}, output_format="python") assert result != None @@ -1523,9 +1516,7 @@ class CMKWebSession(WebSession): def delete_site(self, site_id): result = self._api_request( "webapi.py?action=delete_site&output_format=python", - {"request": json.dumps({ - "site_id": site_id - })}, + {"request": json.dumps({"site_id": site_id})}, output_format="python") assert result is None @@ -1571,24 +1562,18 @@ class CMKWebSession(WebSession): def add_htpasswd_users(self, users): result = self._api_request("webapi.py?action=add_users", - {"request": json.dumps({ - "users": users - })}) + {"request": json.dumps({"users": users})}) assert result is None def edit_htpasswd_users(self, users): result = self._api_request("webapi.py?action=edit_users", - {"request": json.dumps({ - "users": users - })}) + {"request": json.dumps({"users": users})}) assert result is None def delete_htpasswd_users(self, userlist): result = self._api_request("webapi.py?action=delete_users", { - "request": json.dumps({ - "users": userlist - }), + "request": json.dumps({"users": userlist}), }) assert result is None

5 years, 7 months

← Newer
1
...
15
16
17
18
19
20
21
...
46
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Checkmk git commits February 2019