Checkmk git commits January 2023

checkmk-commits@lists.checkmk.com

1 participants
642 discussions

[tribe29/checkmk] 082400: 14699 aws_agent: Remove Lambda and Route53 from CE...

by scolakovic

Branch: refs/heads/2.1.0 Home: https://github.com/tribe29/checkmk Commit: 082400ebd151e3abef60a85b53588eb2f208adc0 https://github.com/tribe29/checkmk/commit/082400ebd151e3abef60a85b53588eb2f… Author: Sofia Colakovic <sofia.colakovic(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/14699 M cmk/gui/plugins/wato/special_agents/aws.py Log Message: ----------- 14699 aws_agent: Remove Lambda and Route53 from CEE and CRE config In version 2.1, Lambda and Route53 service configuration was visible in the CRE and CEE editions. The configuration was useless because the services themselves weren't released. With this werk the configuration is removed from CRE and CEE editions. The services are fully functional in the CPE edition. CMK-11453 Change-Id: Iad68cfaee29b4325966a1391597f3cc8b42e4dc1

1 year, 7 months

[tribe29/checkmk] 896555: 15184 FIX Do not enforce password change for autom...

by Simon

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: 89655580fd1f82e0c3d347d1ae48a5aeaefd912f https://github.com/tribe29/checkmk/commit/89655580fd1f82e0c3d347d1ae48a5aea… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15184 M cmk/gui/plugins/openapi/endpoints/user_config.py M cmk/gui/userdb/__init__.py Log Message: ----------- 15184 FIX Do not enforce password change for automation users The enforce_pw_change flag is now ignored for automation users. Since automation users cannot change their passwords themselves, Checkmk will now no longer require them to do so, even if the flag is set. Note that automation users can still be prevented from logging in if the password policy for local accounts defines a maximum password age. This Werk is motivated by a fixup for Werk #14391, which could cause old automation users to be unable to log in. Since Werk #14391 omd update / cmk-update-config looks for users whose passwords are hashed with outdated hashing schemes in etc/htpasswd. Users whose passwords were hashed with the insecure algorithms MD5 or DES Crypt are asked to change their password the next time they log in. Moreover, the administrator running the update will see a warning that lists the affected users. That check did not properly exclude old automation users created by Checkmk < 1.6.0, although the check does not make sense for them. (Automation users do not log in the same way regular users do and their password hash is irrelevant.) As a result, the flag to require a password change was set also for automation users, preventing automation users from logging in. In addition, the automation users were mistakenly listed in the warning message mentioned above. Note that automation users that have been created or had their automation secret changed with Checkmk >= 1.6.0 are not affected, as Checkmk didn't use the insecure hashing algorithms since version 1.6.0 (Werk #6846). With this fix the flag to enforce a password change will no longer be set for automation users by that check and automation users will no longer be listed in the warning message. Moreover, since the flag is now ignored for automation users, they will be able to log in again, even if the flag has already been set. CMK-12085 Change-Id: Id923f104d05d41fc8985b5db86690db884c31a01 Commit: 4aecef2f931184cdc59c5f345ff8d1176e72720e https://github.com/tribe29/checkmk/commit/4aecef2f931184cdc59c5f345ff8d1176… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15185 M cmk/gui/plugins/openapi/endpoints/user_config.py M tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py Log Message: ----------- 15185 FIX REST API: update password change time when changing automation user's secret Previously, changing an automation user's authentication secret did not update the recorded timestamp of the last password change for the automation user. As a result, the automation user could have been prevented from logging in by the password policy for local users, because the secret appeared to be too old. The recorded timestamp is now updated when the secret is changed via the REST API. Note that the issue did not affect changing an automation user's secret via the user management GUI (Setup > Users). Here the timestamp was already updated correctly. Change-Id: Ied02cc5d5e50f7743ae4d0993ce0f1c034a5e007 Commit: cd89e4a5599dbbffde0b09f19ff019b48b327bdd https://github.com/tribe29/checkmk/commit/cd89e4a5599dbbffde0b09f19ff019b48… Author: Simon Jess <simon.jess(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/utils/licensing/export.py Log Message: ----------- licensing: Cleanup REST-API endpoint 'download_license_usage' - UploadOrigin is not needed anymore Change-Id: I70ca4009be741b7a80261ffbd601f3e8bc7e557f Compare: https://github.com/tribe29/checkmk/compare/4c69d9f6718c...cd89e4a5599d

1 year, 7 months

[tribe29/checkmk] 4c69d9: transform: parse_metadata

by SoloJacobs

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: 4c69d9f6718cf9d828e8e66d9c4aa5381f2db94d https://github.com/tribe29/checkmk/commit/4c69d9f6718cf9d828e8e66d9c4aa5381… Author: Solomon Jacobs <solomon.jacobs(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/special_agents/agent_kube.py M cmk/special_agents/utils_kubernetes/schemata/api.py M cmk/special_agents/utils_kubernetes/transform.py M cmk/special_agents/utils_kubernetes/transform_any.py M cmk/special_agents/utils_kubernetes/transform_json.py M tests/unit/cmk/special_agents/agent_kube/factory.py M tests/unit/cmk/special_agents/agent_kube/test_agent_kube_api.py M tests/unit/cmk/special_agents/agent_kube/test_cluster.py M tests/unit/cmk/special_agents/agent_kube/test_cronjob.py M tests/unit/cmk/special_agents/agent_kube/test_namespace.py M tests/unit/cmk/special_agents/agent_kube/test_persistent_volume_claim.py M tests/unit/cmk/special_agents/agent_kube/test_pods.py M tests/unit/cmk/special_agents/agent_kubernetes/test_agent_kube_filter_from_namespace.py Log Message: ----------- transform: parse_metadata Change-Id: Ibc55e750e2728d1905be8efa78e2348f3b104a68

1 year, 7 months

[tribe29/checkmk] dfd0a2: 15184 FIX Do not enforce password change for autom...

by Hannes Rantzsch

Branch: refs/heads/2.1.0 Home: https://github.com/tribe29/checkmk Commit: dfd0a2595928d5d6da356fb6edc3420faa6262a0 https://github.com/tribe29/checkmk/commit/dfd0a2595928d5d6da356fb6edc3420fa… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15184 M cmk/gui/plugins/openapi/endpoints/user_config.py M cmk/gui/userdb.py M cmk/update_config.py M tests/unit/cmk/test_update_config.py Log Message: ----------- 15184 FIX Do not enforce password change for automation users The enforce_pw_change flag is now ignored for automation users. Since automation users cannot change their passwords themselves, Checkmk will now no longer require them to do so, even if the flag is set. Note that automation users can still be prevented from logging in if the password policy for local accounts defines a maximum password age. This Werk is motivated by a fixup for Werk #14391, which could cause old automation users to be unable to log in. Since Werk #14391 omd update / cmk-update-config looks for users whose passwords are hashed with outdated hashing schemes in etc/htpasswd. Users whose passwords were hashed with the insecure algorithms MD5 or DES Crypt are asked to change their password the next time they log in. Moreover, the administrator running the update will see a warning that lists the affected users. That check did not properly exclude old automation users created by Checkmk < 1.6.0, although the check does not make sense for them. (Automation users do not log in the same way regular users do and their password hash is irrelevant.) As a result, the flag to require a password change was set also for automation users, preventing automation users from logging in. In addition, the automation users were mistakenly listed in the warning message mentioned above. Note that automation users that have been created or had their automation secret changed with Checkmk >= 1.6.0 are not affected, as Checkmk didn't use the insecure hashing algorithms since version 1.6.0 (Werk #6846). With this fix the flag to enforce a password change will no longer be set for automation users by that check and automation users will no longer be listed in the warning message. Moreover, since the flag is now ignored for automation users, they will be able to log in again, even if the flag has already been set. CMK-12085 Change-Id: Id923f104d05d41fc8985b5db86690db884c31a01 Commit: 84064c633f5a3b8226273b2de8b02a0f40b09559 https://github.com/tribe29/checkmk/commit/84064c633f5a3b8226273b2de8b02a0f4… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15185 M cmk/gui/plugins/openapi/endpoints/user_config.py M tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py Log Message: ----------- 15185 FIX REST API: update password change time when changing automation user's secret Previously, changing an automation user's authentication secret did not update the recorded timestamp of the last password change for the automation user. As a result, the automation user could have been prevented from logging in by the password policy for local users, because the secret appeared to be too old. The recorded timestamp is now updated when the secret is changed via the REST API. Note that the issue did not affect changing an automation user's secret via the user management GUI (Setup > Users). Here the timestamp was already updated correctly. Change-Id: Ied02cc5d5e50f7743ae4d0993ce0f1c034a5e007 Compare: https://github.com/tribe29/checkmk/compare/c81da45553ee...84064c633f5a

1 year, 7 months

[tribe29/checkmk] 3cbe9c: SAML config: add owner

by Christoph Rauch

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: 3cbe9ca6b10f60a7e20e962673c259d3f28b7098 https://github.com/tribe29/checkmk/commit/3cbe9ca6b10f60a7e20e962673c259d3f… Author: Lisa Pichler <lisa.pichler(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/gui/userdb/saml2/config.py M cmk/gui/wato/pages/saml2.py M tests/unit/cmk/gui/userdb/saml2/conftest.py Log Message: ----------- SAML config: add owner Knowing which site owns the connection is useful in a distributed monitoring set-up. CMK-12058 Change-Id: I059675d333d75655d334c0f160a5736b056753e4 Commit: 1a986d9dd784abe562ec906b4c6d567b50aaf880 https://github.com/tribe29/checkmk/commit/1a986d9dd784abe562ec906b4c6d567b5… Author: Lisa Pichler <lisa.pichler(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/gui/login.py Log Message: ----------- SAML login: disable login to the UI of remote sites CMK-12117 Change-Id: Ia8ae45d8ab83030779b11f7d482b6e320519b508 Commit: e0ff6b26c4630e7c798a0713f87eb90242e683f7 https://github.com/tribe29/checkmk/commit/e0ff6b26c4630e7c798a0713f87eb9024… Author: Christoph Rauch <christoph.rauch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/gui/wsgi/app.py M web/app/index.wsgi Log Message: ----------- WSGI: move log initialization back to script file Change-Id: I95e60cfeb6bdcc4536e9c97ca30e0872c63feda5 Compare: https://github.com/tribe29/checkmk/compare/9b75b4200066...e0ff6b26c463

1 year, 7 months

[tribe29/checkmk] c81da4: 15181 SEC Improper validation of LDAP user IDs

by Hannes Rantzsch

Branch: refs/heads/2.1.0 Home: https://github.com/tribe29/checkmk Commit: c81da45553eeecdfb2b3e4e5d0bd6ddc986de70d https://github.com/tribe29/checkmk/commit/c81da45553eeecdfb2b3e4e5d0bd6ddc9… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15181 M cmk/gui/plugins/userdb/ldap_connector.py Log Message: ----------- 15181 SEC Improper validation of LDAP user IDs Prior to this Werk user IDs synced from an LDAP connection were not properly sanitized. The allowed characters for LDAP users user IDs were not restricted in the same way as local user IDs. As a result, malicious actors with the ability to change an LDAP user's uid attribute were able to, within limits, manipulate files on the server. For instance, attackers were able to override files in other users' var/check_mk/web folder, including the deletion of their stored two-factor credentials (thus disabling 2FA for the affected user). Additionally, attackers could also lock users out of their accounts by creating a 2FA-credentials file in the affected user's web folder. However, it should be noted that to the best of our knowledge, attackers could not have impersonated other users or taken over their accounts directly. This issue was discovered during internal review. Affected Versions: - 2.1.0 previous to this Werk - 2.0.0 previous to this Werk - 1.6.0 (EOL) Mitigations: Disable LDAP user synchronization. Indicators of Compromise: Inspect the list of users in WATO user management (Setup > Users) for suspicious user IDs from an LDAP connection. Vulnerability Management: We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H. We have assigned the CVE CVE-2023-0284 Changes: This Werk adds sanitization to LDAP user IDs. We do not anticipate any negative impact on legitimate user IDs as the now-forbidden user IDs could not have been used in a functional way. CMK-11963 Change-Id: Icb5951e2d544ac821735afbee3263258370d515b

1 year, 7 months

[tribe29/checkmk] e128f6: 15181 SEC Improper validation of LDAP user IDs

by Hannes Rantzsch

Branch: refs/heads/2.0.0 Home: https://github.com/tribe29/checkmk Commit: e128f6a3b09b1ee26c6134618256dcfbcbf89c87 https://github.com/tribe29/checkmk/commit/e128f6a3b09b1ee26c6134618256dcfbc… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15181 M cmk/gui/plugins/userdb/ldap_connector.py Log Message: ----------- 15181 SEC Improper validation of LDAP user IDs Prior to this Werk user IDs synced from an LDAP connection were not properly sanitized. The allowed characters for LDAP users user IDs were not restricted in the same way as local user IDs. As a result, malicious actors with the ability to change an LDAP user's uid attribute were able to, within limits, manipulate files on the server. For instance, attackers were able to override files in other users' var/check_mk/web folder, including the deletion of their stored two-factor credentials (thus disabling 2FA for the affected user). Additionally, attackers could also lock users out of their accounts by creating a 2FA-credentials file in the affected user's web folder. However, it should be noted that to the best of our knowledge, attackers could not have impersonated other users or taken over their accounts directly. This issue was discovered during internal review. Affected Versions: - 2.1.0 previous to this Werk - 2.0.0 previous to this Werk - 1.6.0 (EOL) Mitigations: Disable LDAP user synchronization. Indicators of Compromise: Inspect the list of users in WATO user management (Setup > Users) for suspicious user IDs from an LDAP connection. Vulnerability Management: We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H. We have assigned the CVE CVE-2023-0284 Changes: This Werk adds sanitization to LDAP user IDs. We do not anticipate any negative impact on legitimate user IDs as the now-forbidden user IDs could not have been used in a functional way. CMK-11963 Change-Id: Icb5951e2d544ac821735afbee3263258370d515b

1 year, 7 months

[tribe29/checkmk] cafbb7: Split check for ignored plugins and ignored services

by t29j

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: cafbb747939ce09a4860444551eb193423238499 https://github.com/tribe29/checkmk/commit/cafbb747939ce09a4860444551eb19342… Author: Mathias Laurin <mathias.laurin(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/base/agent_based/discovery/_discovered_services.py M cmk/base/agent_based/discovery/autodiscovery.py M cmk/base/agent_based/discovery/commandline.py M cmk/base/config.py M cmk/base/core_nagios.py M tests/unit/cmk/base/agent_based/discovery/test_discovery.py M tests/unit/cmk/base/test_core_nagios.py Log Message: ----------- Split check for ignored plugins and ignored services SRP, avoids optional parameters. Either test for something or don't. Anything in between is hard to understand, such as, the magical optional parameters in the present case. CMK-12002 Change-Id: I6f159064f563c025ba706a0b40d6e96df99315a2 Commit: 0165526910ed13d6edcfcbfa5f94cb091d19cbb8 https://github.com/tribe29/checkmk/commit/0165526910ed13d6edcfcbfa5f94cb091… Author: Mathias Laurin <mathias.laurin(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/base/agent_based/discovery/_discovered_services.py M tests/unit/cmk/base/agent_based/discovery/test_discovery.py Log Message: ----------- Fix layering violation in discovery discovered_services does need types from the check API, here CheckPlugin CMK-12002 Change-Id: Ia52b719671ea00987089eb1f51c1c3c7ff186842 Commit: c80ea0330648915062829000749e7574ddfa65cb https://github.com/tribe29/checkmk/commit/c80ea0330648915062829000749e7574d… Author: Mathias Laurin <mathias.laurin(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M checks/check_mail_loop M cmk/base/agent_based/checking/_checking.py M cmk/base/agent_based/discovery/_discovered_services.py M cmk/base/api/agent_based/utils.py M cmk/base/automations/check_mk.py M cmk/base/check_api.py M cmk/base/core_nagios.py R cmk/base/plugin_contexts.py A cmk/checkers/plugin_contexts.py M tests/testlib/__init__.py M tests/testlib/pylint_checker_cmk_module_layers.py M tests/unit/checks/generictests/run.py M tests/unit/checks/test_mem_win.py M tests/unit/cmk/base/api/agent_based/test_utils_check_levels_predictive.py M tests/unit/cmk/base/plugins/agent_based/test_check_plugin_properties.py M tests/unit/cmk/base/plugins/agent_based/test_diskstat.py M tests/unit/cmk/base/plugins/agent_based/utils/test_cpu_load.py M tests/unit/cmk/base/test_check_api.py Log Message: ----------- Move plugin_contexts out of base no dependency on cmk.base.config CMK-12002 Change-Id: I650e61c56da135c4539284802554e1f460ea56a4 Commit: 9b75b4200066550d441f4e1d8e16303747a97f71 https://github.com/tribe29/checkmk/commit/9b75b4200066550d441f4e1d8e1630374… Author: Jodok Ole Glabasna <jodok.glabasna(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M .werks/first_free Log Message: ----------- Reserved 10 Werk IDS Change-Id: Ia29ff94a594025516c0ce29e23078775c232f05c Compare: https://github.com/tribe29/checkmk/compare/07ed1ec28dee...9b75b4200066

1 year, 7 months

[tribe29/checkmk] 07ed1e: Adjust confirm dialog for rule deletion

by rb

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: 07ed1ec28deebb4c6f84a7147d73b1e8b91e3388 https://github.com/tribe29/checkmk/commit/07ed1ec28deebb4c6f84a7147d73b1e8b… Author: Ronny Bruska <ronny.bruska(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/gui/plugins/wato/utils/__init__.py M cmk/gui/utils/urls.py M cmk/gui/wato/pages/rulesets.py M web/htdocs/js/modules/forms.ts M web/htdocs/themes/facelift/scss/_page_menu.scss Log Message: ----------- Adjust confirm dialog for rule deletion CMK-12772 Change-Id: Ia36163dd79d0a6204ba86e2617f7c6f317f5e2ef

1 year, 7 months

[tribe29/checkmk] dc7e63: 15090 FIX inventory_solaris_psrinfo: Fix missing m...

by Simon

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: dc7e636fbf8b5904aa9b0f4dac88aa7ba3bb8c16 https://github.com/tribe29/checkmk/commit/dc7e636fbf8b5904aa9b0f4dac88aa7ba… Author: Simon Jess <simon.jess(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15090 M cmk/base/plugins/agent_based/inventory_solaris_psrinfo.py M tests/unit/cmk/base/plugins/agent_based/test_inventory_solaris_psrinfo.py Log Message: ----------- 15090 FIX inventory_solaris_psrinfo: Fix missing model or maximum speed Change-Id: I8eab3aba0c374e205847bda533dd0656cbabdc91 Commit: 1864bd6c2837ac9ab125577192fd38b654f14c42 https://github.com/tribe29/checkmk/commit/1864bd6c2837ac9ab125577192fd38b65… Author: Simon Jess <simon.jess(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/base/plugins/agent_based/prtconf.py M tests/unit/cmk/base/plugins/agent_based/test_inv_prtconf.py Log Message: ----------- prtconf: Put entries as table rows not as attributes of sub node Change-Id: Iffa95aeb8509472e6fc52e90e967ba88e9b664f8 Commit: 12487d434dccb7441f51acc098c164e043ad03e2 https://github.com/tribe29/checkmk/commit/12487d434dccb7441f51acc098c164e04… Author: Simon Jess <simon.jess(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: M cmk/base/plugins/agent_based/prtconf.py Log Message: ----------- prtconf: Split single attributes Change-Id: I66f2dfe59ae1802732e389afa854d61550831d12 Compare: https://github.com/tribe29/checkmk/compare/21f7c47fd971...12487d434dcc

1 year, 7 months

← Newer
1
...
15
16
17
18
19
20
21
...
65
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Checkmk git commits January 2023