Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 7ddc0455f8d950a2c1da89d1c8f92ffc3850c372
https://github.com/tribe29/checkmk/commit/7ddc0455f8d950a2c1da89d1c8f92ffc3…
Author: Andreas Umbreit <andreas.umbreit(a)tribe29.com>
Date: 2021-04-28 (Wed, 28 Apr 2021)
Changed paths:
A .werks/12672
M agents/check_mk_agent.linux
Log Message:
-----------
12672 SEC real-time-checks: Provide default password
This Werk fixes a security issue that may arise from a misconfiguration
of real-time checks.
As mentioned in Werk #8350 (Introduction of real-time checks), a password
has to be provided when configuring real-time checks.
When using the agent bakery, the ruleset "Encryption" is used to
provide the encryption password, while the real-time checks themselves are
activated for the agents via the ruleset "Send data for real-time checks".
If the real-time checks get activated without providing a password, this
will result in an empty password that will nevertheless be used by the agent
to encrypt the real-time check data on the host.
While the user would most likely fix this situation, because real-time checks
won't work (a password is mandatory to activate real-time checks in CMC),
the real-time check data can be decrypted without a password/key in this case,
resulting in a security issue.
This is now fixed with the following mechanism:
- The agent bakery will read the default password from the global setting
"Monitoring core/Enable handling of real-time checks" and bake it into the
agents that have the rule "Send data for real-time checks" activated. Accordingly,
a changed global setting will lead to new agents on next bake.
- The agent bakery will keep packaging the password from the "Encryption" rule,
and the Linux agent will prefer it over the default password from the CMC configuration.
- If neither of the two passwords is configured, but the "Send data for real-time checks"
rule is active, the agent bakery will refuse to bake agents.
- If the Linux agent is requested to send encrypted real-time check data, but no password
is deployed, no real-time check data will be sent. However, from now on, this may only happen
if real-time checks are configured without the agent bakery.
CMK-7590
Change-Id: I151af3f493a5194fd22aa9e779f47a945586db39
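As an added illustration (not Checkmk's own code), the following models the bakery-side and agent-side decisions that this Werk describes: the bakery refuses to bake when real-time checks are on but no password exists, and the agent prefers the "Encryption" rule password, falls back to the CMC default, and sends nothing when both are empty. The class and function names are assumptions chosen for the example.

```python
# Added example modelling the Werk 12672 password policy; the names below
# (RtcConfig, BakedAgent, bake, agent_rtc_password) are assumptions, not
# identifiers from the Checkmk code base.
from dataclasses import dataclass
from typing import Optional


class BakeryError(Exception):
    """Raised when the bakery refuses to bake an agent package."""


@dataclass(frozen=True)
class RtcConfig:
    # "Send data for real-time checks" rule active for this host
    rtc_enabled: bool
    # password from the "Encryption" ruleset (None or "" when not set)
    encryption_rule_password: Optional[str] = None
    # password from the global setting
    # "Monitoring core/Enable handling of real-time checks"
    cmc_default_password: Optional[str] = None


@dataclass(frozen=True)
class BakedAgent:
    encryption_password: str   # from the "Encryption" rule, "" if unset
    rtc_default_password: str  # from the CMC global setting, "" if unset


def bake(cfg: RtcConfig) -> BakedAgent:
    """Bakery side: package both passwords, but refuse to bake an agent
    that has real-time checks enabled and no usable password at all,
    so an empty password can never reach a host."""
    rule_pw = cfg.encryption_rule_password or ""
    default_pw = cfg.cmc_default_password or ""
    if cfg.rtc_enabled and not rule_pw and not default_pw:
        raise BakeryError(
            "real-time checks enabled but no encryption password configured")
    # The default is only baked into agents with the RTC rule activated.
    return BakedAgent(rule_pw, default_pw if cfg.rtc_enabled else "")


def agent_rtc_password(agent: BakedAgent) -> Optional[str]:
    """Agent side: prefer the "Encryption" rule password over the CMC
    default; return None (send no real-time data) if neither is set."""
    for pw in (agent.encryption_password, agent.rtc_default_password):
        if pw:
            return pw
    return None
```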
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 40b747074e20bf0d15e5e8b12d76f49c9db4bf48
https://github.com/tribe29/checkmk/commit/40b747074e20bf0d15e5e8b12d76f49c9…
Author: Andreas Umbreit <andreas.umbreit(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
A .werks/12672
M agents/check_mk_agent.linux
Log Message:
-----------
12672 SEC real-time-checks: Provide default password
This Werk fixes a security issue that may arise from a misconfiguration
of real-time checks.
As mentioned in Werk #8350 (Introduction of real-time checks), a password
has to be provided when configuring real-time checks.
When using the agent bakery, the ruleset "Encryption" is used to
provide the encryption password, while the real-time checks themselves are
activated for the agents via the ruleset "Send data for real-time checks".
If the real-time checks get activated without providing a password, this
will result in an empty password that will nevertheless be used by the agent
to encrypt the real-time check data on the host.
While the user would most likely fix this situation, because real-time checks
won't work (a password is mandatory to activate real-time checks in CMC),
the real-time check data can be decrypted without a password/key in this case,
resulting in a security issue.
This is now fixed with the following mechanism:
- The agent bakery will read the default password from the global setting
"Monitoring core/Enable handling of real-time checks" and bake it into the
agents that have the rule "Send data for real-time checks" activated. Accordingly,
a changed global setting will lead to new agents on next bake.
- The agent bakery will keep packaging the password from the "Encryption" rule,
and the Linux agent will prefer it over the default password from the CMC configuration.
- If neither of the two passwords is configured, but the "Send data for real-time checks"
rule is active, the agent bakery will refuse to bake agents.
- If the Linux agent is requested to send encrypted real-time check data, but no password
is deployed, no real-time check data will be sent. However, from now on, this may only happen
if real-time checks are configured without the agent bakery.
CMK-7590
Change-Id: I151af3f493a5194fd22aa9e779f47a945586db39
Branch: refs/heads/1.6.0
Home: https://github.com/tribe29/checkmk
Commit: d8d0ee236762be7babf3fad16edb7a37626ec51a
https://github.com/tribe29/checkmk/commit/d8d0ee236762be7babf3fad16edb7a376…
Author: Andreas Umbreit <andreas.umbreit(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
A .werks/12675
Log Message:
-----------
12675 FIX Error in systemd socket unit
This is a regression since 1.6.0p23 and Werk #12153.
When installing the Checkmk agent package on Linux systems,
an erroneous systemd socket unit will be installed on the target
system.
If the affected system is actually contacted via systemd, i.e., no
xinetd is installed on the system, this will lead to an inaccessible
host.
In order to recover from this error on affected hosts, you have to
either install the newly baked agent package on the hosts manually,
or, if you are using automatic agent updates, run <tt>cmk-update-agent</tt>
once manually on the hosts, as it won't get triggered via agent call.
SUP-6193
Change-Id: I367260862edd1786e4637073149c185fa06f59a3
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: c61b2802efdc104219501fe2fc472bd42798219d
https://github.com/tribe29/checkmk/commit/c61b2802efdc104219501fe2fc472bd42…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
Add tests to confirm XSS issue
Change-Id: I88f4fd54dcb525aca313303ec1f004f4f5822eef
Commit: ab9e24c89f4ec553a423ff71aedde4a675cdd468
https://github.com/tribe29/checkmk/commit/ab9e24c89f4ec553a423ff71aedde4a67…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
A .werks/12564
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
12564 SEC Fix possible stored XSS issue when uploading backup keys
Uploading backup keys could trigger an XSS issue which could lead to execution
of arbitrary JavaScript code in the context of the user currently accessing the
setup GUI.
CMK-7152
Change-Id: I384976cb2216a0a9da336b45b26e2e3da450d52c
Compare: https://github.com/tribe29/checkmk/compare/6b60d12d81ff...ab9e24c89f4e
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: facc664f423f1abd969dd65afc1a659872108509
https://github.com/tribe29/checkmk/commit/facc664f423f1abd969dd65afc1a65987…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
Add tests to confirm XSS issue
Change-Id: I88f4fd54dcb525aca313303ec1f004f4f5822eef
Commit: 9f3bb5e9c3939624f3100df78d0f9e6c75cdc9b4
https://github.com/tribe29/checkmk/commit/9f3bb5e9c3939624f3100df78d0f9e6c7…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2021-04-27 (Tue, 27 Apr 2021)
Changed paths:
A .werks/12564
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
12564 SEC Fix possible stored XSS issue when uploading backup keys
Uploading backup keys could trigger an XSS issue which could lead to execution
of arbitrary JavaScript code in the context of the user currently accessing the
setup GUI.
CMK-7152
Change-Id: I384976cb2216a0a9da336b45b26e2e3da450d52c
Compare: https://github.com/tribe29/checkmk/compare/39b876965bdd...9f3bb5e9c393