Module: check_mk
Branch: master
Commit: 19cf81db3c42f0b910ccca2f80dcacabd049598e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=19cf81db3c42f0…
Author: Marcel Arentz <ma(a)mathias-kettner.de>
Date: Fri Feb 15 17:21:18 2019 +0100
6758 FIX mknotifyd: Fixed crash if the mknotify check sends no data
The check previously crashed if the agent sent a site name but no data for
this site. If there is no data, this is now displayed in the service
output. Additionally, the service will change its state to WARN because
there is no data for the last update time of the mknotify state file.
Change-Id: Icfab565fb1bcf45218d85413e0470f4df845f899
---
.werks/6758 | 13 +++++++++++++
checks/mknotifyd | 6 ++++++
2 files changed, 19 insertions(+)
diff --git a/.werks/6758 b/.werks/6758
new file mode 100644
index 0000000..11973f8
--- /dev/null
+++ b/.werks/6758
@@ -0,0 +1,13 @@
+Title: mknotifyd: Fixed crash if the mknotify check sends no data
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1550247640
+Class: fix
+
+The check previously crashed, if the agent sends a site name but no data for
+this site. If there is no data, this will be displayed now in the service
+output. Additionally the service will change it's state to WARN because
+there is no data for the last update time of mknotify state file.
diff --git a/checks/mknotifyd b/checks/mknotifyd
index 7863936..d3ae439 100644
--- a/checks/mknotifyd
+++ b/checks/mknotifyd
@@ -148,6 +148,12 @@ def check_mknotifyd(item, _no_params, parsed):
if item not in parsed:
yield 2, "No status information, Spooler not running"
return
+ # There are dummy-entries created during the parsing. So the
+ # dict will never be completely empty. We check for Version
+ # because this should be always present in a valid state file.
+ elif not parsed[item].get("Version"):
+ yield 2, "The state file seems to be empty. It is very likely that the spooler is not working properly"
+ return
now = time.time()
stat = parsed[item]
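Review bot: The new `elif not parsed[item].get("Version"):` branch yields state 2, which is CRIT in the check API, while the commit message and werk 6758 both say the service changes to WARN. As far as this hunk shows, the branch returns right after that yield, so nothing later can lower the state. Either the code should use `yield 1, "The state file seems to be empty. ..."` or the werk text should say CRIT. Since the preceding `if item not in parsed:` branch already ends in `return`, the `elif` can be a plain `if`. check_mknotifyd begins before and continues after this hunk.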
Module: check_mk
Branch: master
Commit: 7aa0a2e96f9964a5ec1d681fb8be76e38c7e5e7d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7aa0a2e96f9964…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Feb 20 14:45:51 2019 +0100
7176 FIX Fixed "insecure request warning" message during distributed site remote calls
When executing a remote automation call, for example to rename a host on a remote site
in distributed setups, the message "InsecureRequestWarning: Unverified HTTPS request is
being made" could be visible in the background job output which we don't want to display
there. Insecure configurations are made visible in the analyze configuration results
instead.
Change-Id: I3e3b3405de3ee42807b65f45077dcefb4b56d455
---
.werks/7176 | 15 +++++++++++++++
cmk/gui/plugins/wato/ac_tests.py | 5 +++++
cmk/gui/watolib/__init__.py | 5 +++++
cmk/gui/watolib/automations.py | 5 +++++
4 files changed, 30 insertions(+)
diff --git a/.werks/7176 b/.werks/7176
new file mode 100644
index 0000000..ecd3ede
--- /dev/null
+++ b/.werks/7176
@@ -0,0 +1,15 @@
+Title: Fixed "insecure request warning" message during distributed site remote calls
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1550666883
+
+When executing a remote automation call, for example to rename a host on a remote site
+in distributed setups, the message "InsecureRequestWarning: Unverified HTTPS request is
+being made" could be visible in the background job output which we don't want to display
+there. Insecure configurations are made visibile in the analyze configuration results
+instead.
diff --git a/cmk/gui/plugins/wato/ac_tests.py b/cmk/gui/plugins/wato/ac_tests.py
index 8ba8e18..ec191fb 100644
--- a/cmk/gui/plugins/wato/ac_tests.py
+++ b/cmk/gui/plugins/wato/ac_tests.py
@@ -28,6 +28,7 @@ import abc
import subprocess
import requests
+import urllib3
import cmk.gui.userdb as userdb
import cmk.gui.sites as sites
@@ -50,6 +51,10 @@ from cmk.gui.plugins.wato import (
SiteBackupJobs,
)
+# Disable python warnings in background job output or logs like "Unverified
+# HTTPS request is being made". We warn the user using analyze configuration.
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
@ac_test_registry.register
class ACTestPersistentConnections(ACTest):
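Review bot: `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` at module level switches the warning off for every HTTPS request made in the process once the module is imported, not only for the remote automation calls named in the werk. An unverified request introduced elsewhere later would therefore also go unnoticed in the logs. The identical call and comment are added in cmk/gui/watolib/__init__.py and cmk/gui/watolib/automations.py as well; a single call in one place would be enough. A narrower option is to wrap only the request that is knowingly sent without verification in `with warnings.catch_warnings():` and call `warnings.simplefilter("ignore", urllib3.exceptions.InsecureRequestWarning)` inside that block. If the suppression stays global, the comment should name the analyze-configuration test that reports the insecure setting, so the trade-off can be traced.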
diff --git a/cmk/gui/watolib/__init__.py b/cmk/gui/watolib/__init__.py
index 16d377f..a105506 100644
--- a/cmk/gui/watolib/__init__.py
+++ b/cmk/gui/watolib/__init__.py
@@ -53,6 +53,7 @@ import traceback
from typing import NamedTuple, List # pylint: disable=unused-import
import requests
+import urllib3
from pathlib2 import Path
import six
@@ -305,6 +306,10 @@ import cmk.gui.plugins.watolib
if not cmk.is_raw_edition():
import cmk.gui.cee.plugins.watolib
+# Disable python warnings in background job output or logs like "Unverified
+# HTTPS request is being made". We warn the user using analyze configuration.
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
def load_watolib_plugins():
cmk.gui.utils.load_web_plugins("watolib", globals())
diff --git a/cmk/gui/watolib/automations.py b/cmk/gui/watolib/automations.py
index 783a013..3f4150e 100644
--- a/cmk/gui/watolib/automations.py
+++ b/cmk/gui/watolib/automations.py
@@ -32,6 +32,7 @@ import re
import subprocess
import time
import requests
+import urllib3
import cmk.utils
@@ -48,6 +49,10 @@ from cmk.gui.exceptions import (
MKUserError,
)
+# Disable python warnings in background job output or logs like "Unverified
+# HTTPS request is being made". We warn the user using analyze configuration.
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
class MKAutomationException(MKGeneralException):
pass
Module: check_mk
Branch: master
Commit: 4063af8df14f7b7d4767d84f0372fc08a6d60630
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4063af8df14f7b…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Feb 20 13:07:30 2019 +0100
7175 FIX Fixed exception when trying to export agent output for non WATO hosts
The actions "Fetch agent output" and "Fetch SNMP walk" can only be used for hosts
managed by WATO for distributed sites. The error message for non WATO hosts could
not be displayed correctly and resulted in a crash which is fixed now.
Change-Id: I004cc30cc4ee6f2bc51252d4e7948288046073d8
---
.werks/7175 | 13 +++++++++++++
cmk/gui/wato/__init__.py | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/7175 b/.werks/7175
new file mode 100644
index 0000000..efa6d27
--- /dev/null
+++ b/.werks/7175
@@ -0,0 +1,13 @@
+Title: Fixed exception when trying to export agent output for non WATO hosts
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1550661767
+
+The actions "Fetch agent output" and "Fetch SNMP walk" can only be used for hosts
+managed by WATO for distributed sites. The error message for non WATO hosts could
+not be displayed correctly and resulted in a crash which is fixed now.
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index c91ce55..9dc4ed1 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -617,7 +617,7 @@ class AgentOutputPage(object):
if not host:
raise MKGeneralException(
_("Host is not managed by WATO. "
- "Click <a href=\"%s\">here</a> to go back.") % html.escape_attribute(
+ "Click <a href=\"%s\">here</a> to go back.") % html.escaper.escape_attribute(
self._back_url))
host.need_permission("read")
self._host = host
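Review bot: `html.escaper.escape_attribute(self._back_url)` keeps the value from breaking out of the `href` attribute, but it does not restrict the URL scheme. The link is therefore only safe if `_back_url` is validated where it is assigned, which is outside this hunk. A short comment at that assignment, or a check that the value is a relative or http(s) URL, would make this explicit. The crash also suggests this error path had no test; a test requesting the page for a host that WATO does not manage would catch a regression like the old `html.escape_attribute` call. The enclosing method starts before and continues after the hunk.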
Module: check_mk
Branch: master
Commit: 6d3e2053bec133feececea674d4baf45d43f88f2
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6d3e2053bec133…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Feb 20 07:47:21 2019 +0100
7174 SEC Apache: Disable TRACE and OPTIONS method
The similar TRACK method is not supported by the site apache at all, so
it does not have to be disabled.
A lot of guides recommend to also disable the OPTIONS method for
production servers. This HTTP method basically reports which HTTP
methods are allowed on the web server. In reality, this is rarely
used for legitimate purposes, but it may grant a potential attacker a
little bit of help and it can be considered a shortcut to find another
hole. For this reason we also disabled the OPTIONS method.
CMK-1639
Change-Id: I57a0b47ba8f7fb2ae0d974ed5383afe56c5418af
---
.werks/7174 | 22 ++++++++++++++++
.../skel/etc/apache/conf.d/security.conf | 13 ++++++++++
tests/integration/omd/test_web_access.py | 21 +++++++++++++++-
tests/testlib/__init__.py | 29 ++++++----------------
4 files changed, 62 insertions(+), 23 deletions(-)
diff --git a/.werks/7174 b/.werks/7174
new file mode 100644
index 0000000..7154308
--- /dev/null
+++ b/.werks/7174
@@ -0,0 +1,22 @@
+Title: Apache: Disable TRACE and OPTIONS methods
+Level: 1
+Component: omd
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1550645011
+Class: security
+
+The HTTP method TRACE makes some kind of reflection attacks possible and is not
+used at all. It has been enabled for the site apache using the option
+<tt>TraceEnable Off</tt> in etc/apache/conf.d/security.conf.
+
+The similar TRACK method is not supported by the site apache at all, so it does
+not have to be disabled.
+
+A lot of guides recommend to also disable the OPTIONS method for production
+servers. This HTTP method basically reports which HTTP Methods that are
+allowed on the web server. In reality, this is rarely used for legitimate
+purposes, but it may grant a potential attacker a little bit of help and it
+can be considered a shortcut to find another hole. For this reason we also
+disabled the OPTIONS method.
diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
index 54635fd..a334f3e 100644
--- a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
+++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
@@ -43,3 +43,16 @@
# Provide minimal information about the running software version and platform to clients
ServerTokens Prod
+
+# Disable TRACE request method to prevent some kind of reflection attack
+TraceEnable Off
+
+# This has been added to disable the OPTIONS method globally, but it also disables all other
+# methods than GET, POST, HEAD. We may need to adapt this in the future once we use other
+# methods
+<Directory "/">
+ <LimitExcept GET POST HEAD>
+ order deny,allow
+ deny from all
+ </LimitExcept>
+</Directory>
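Review bot: The `<Directory "/">` wrapper limits the `<LimitExcept GET POST HEAD>` block to requests that Apache maps to the filesystem. URLs served through `<Location>` handlers or proxying would, as far as this hunk shows, still accept other methods, whereas `<Location "/">` covers the whole URL space. The `order deny,allow` / `deny from all` pair is the Apache 2.2 access syntax, which on 2.4 depends on mod_access_compat being loaded; `Require all denied` is the 2.4 form, if the supported Apache versions allow it. Separately, the werk text added in .werks/7174 says TRACE "has been enabled" with `TraceEnable Off`, where it means disabled.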
diff --git a/tests/integration/omd/test_web_access.py b/tests/integration/omd/test_web_access.py
index ddcebd5..77426d1 100644
--- a/tests/integration/omd/test_web_access.py
+++ b/tests/integration/omd/test_web_access.py
@@ -1,7 +1,8 @@
#!/usr/bin/env python
# encoding: utf-8
-from testlib import CMKWebSession, web
+from testlib import CMKWebSession
+
def test_www_dir(site):
web = CMKWebSession(site)
@@ -82,3 +83,21 @@ def test_cmk_ajax_graph_images(site):
web = CMKWebSession(site)
response = web.get("/%s/check_mk/ajax_graph_images.py" % site.id)
assert response.text == ""
+
+
+def test_trace_disabled(site):
+ web = CMKWebSession(site)
+ # TRACE is disabled by using "TraceEnable Off" in apache config
+ web._request("TRACE", "/", expected_code=405)
+
+
+def test_track_disabled(site):
+ web = CMKWebSession(site)
+ # TRACE is not supported by apache at all by apache, so there is no need to
+ # disable this. The HTTP code is just different from TRACE.
+ web._request("TRACK", "/", expected_code=403)
+
+
+def test_options_disabled(site):
+ web = CMKWebSession(site)
+ web._request("OPTIONS", "/", expected_code=403)
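Review bot: The comment in test_track_disabled names the wrong method and repeats "by apache"; it should read `# TRACK is not supported by apache at all, so there is no need to disable it explicitly.` The expected 403 is presumably produced by the `<LimitExcept GET POST HEAD>` rule added in security.conf rather than by missing TRACK support, and the comment could say so. All three tests only request "/", so one more request per method against a path below `"/%s/check_mk/" % site.id` would show that the restriction also holds for the application URLs. The tests call the private `web._request`; a public wrapper on the session class would avoid reaching into it from test modules.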
diff --git a/tests/testlib/__init__.py b/tests/testlib/__init__.py
index 7c30f6f..f4fb541 100644
--- a/tests/testlib/__init__.py
+++ b/tests/testlib/__init__.py
@@ -976,11 +976,6 @@ class WebSession(requests.Session):
if expect_redirect:
kwargs["allow_redirects"] = False
- if method == "post":
- func = super(WebSession, self).post
- else:
- func = super(WebSession, self).get
-
# May raise "requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))"
# suddenly without known reason. This may be related to some
# apache or HTTP/1.1 issue when working with keepalive connections. See
@@ -988,10 +983,10 @@ class WebSession(requests.Session):
# https://github.com/mikem23/keepalive-race
# Trying to workaround this by trying the problematic request a second time.
try:
- response = func(url, **kwargs)
+ response = super(WebSession, self).request(method, url, **kwargs)
except requests.ConnectionError as e:
if allow_retry and "Connection aborted" in "%s" % e:
- response = func(url, **kwargs)
+ response = super(WebSession, self).request(method, url, **kwargs)
else:
raise
@@ -1506,9 +1501,7 @@ class CMKWebSession(WebSession):
def get_site(self, site_id):
result = self._api_request(
"webapi.py?action=get_site&request_format=python&output_format=python",
- {"request": json.dumps({
- "site_id": site_id
- })},
+ {"request": json.dumps({"site_id": site_id})},
output_format="python")
assert result != None
@@ -1523,9 +1516,7 @@ class CMKWebSession(WebSession):
def delete_site(self, site_id):
result = self._api_request(
"webapi.py?action=delete_site&output_format=python",
- {"request": json.dumps({
- "site_id": site_id
- })},
+ {"request": json.dumps({"site_id": site_id})},
output_format="python")
assert result is None
@@ -1571,24 +1562,18 @@ class CMKWebSession(WebSession):
def add_htpasswd_users(self, users):
result = self._api_request("webapi.py?action=add_users",
- {"request": json.dumps({
- "users": users
- })})
+ {"request": json.dumps({"users": users})})
assert result is None
def edit_htpasswd_users(self, users):
result = self._api_request("webapi.py?action=edit_users",
- {"request": json.dumps({
- "users": users
- })})
+ {"request": json.dumps({"users": users})})
assert result is None
def delete_htpasswd_users(self, userlist):
result = self._api_request("webapi.py?action=delete_users", {
- "request": json.dumps({
- "users": userlist
- }),
+ "request": json.dumps({"users": userlist}),
})
assert result is None