Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: 082400ebd151e3abef60a85b53588eb2f208adc0
https://github.com/tribe29/checkmk/commit/082400ebd151e3abef60a85b53588eb2f…
Author: Sofia Colakovic <sofia.colakovic(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/14699
M cmk/gui/plugins/wato/special_agents/aws.py
Log Message:
-----------
14699 aws_agent: Remove Lambda and Route53 from CEE and CRE config
In version 2.1, Lambda and Route53 service configuration was
visible in the CRE and CEE editions. The configuration was
useless because the services themselves weren't released.
With this werk the configuration is removed from CRE and CEE
editions. The services are fully functional in the CPE edition.
CMK-11453
Change-Id: Iad68cfaee29b4325966a1391597f3cc8b42e4dc1
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 89655580fd1f82e0c3d347d1ae48a5aeaefd912f
https://github.com/tribe29/checkmk/commit/89655580fd1f82e0c3d347d1ae48a5aea…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15184
M cmk/gui/plugins/openapi/endpoints/user_config.py
M cmk/gui/userdb/__init__.py
Log Message:
-----------
15184 FIX Do not enforce password change for automation users

The enforce_pw_change flag is now ignored for automation users. Since
automation users cannot change their passwords themselves, Checkmk will
now no longer require them to do so, even if the flag is set.

Note that automation users can still be prevented from logging in if the
password policy for local accounts defines a maximum password age.

This Werk is motivated by a fixup for Werk #14391, which could cause old
automation users to be unable to log in.

Since Werk #14391, omd update / cmk-update-config looks for users whose
passwords are hashed with outdated hashing schemes in etc/htpasswd.
Users whose passwords were hashed with the insecure algorithms MD5 or
DES Crypt are asked to change their password the next time they log in.
Moreover, the administrator running the update will see a warning that
lists the affected users.

That check did not properly exclude old automation users created by
Checkmk < 1.6.0, although the check does not make sense for them.
(Automation users do not log in the same way regular users do and their
password hash is irrelevant.) As a result, the flag to require a
password change was also set for automation users, preventing automation
users from logging in. In addition, the automation users were mistakenly
listed in the warning message mentioned above.

Note that automation users that have been created or had their
automation secret changed with Checkmk >= 1.6.0 are not affected, as
Checkmk has not used the insecure hashing algorithms since version 1.6.0
(Werk #6846).

With this fix the flag to enforce a password change will no longer be
set for automation users by that check and automation users will no
longer be listed in the warning message. Moreover, since the flag is now
ignored for automation users, they will be able to log in again, even if
the flag has already been set.

CMK-12085
Change-Id: Id923f104d05d41fc8985b5db86690db884c31a01
Commit: 4aecef2f931184cdc59c5f345ff8d1176e72720e
https://github.com/tribe29/checkmk/commit/4aecef2f931184cdc59c5f345ff8d1176…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15185
M cmk/gui/plugins/openapi/endpoints/user_config.py
M tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py
Log Message:
-----------
15185 FIX REST API: update password change time when changing automation user's secret
Previously, changing an automation user's authentication secret did not update the recorded timestamp of the last password change for the automation user.
As a result, the automation user could have been prevented from logging in by the password policy for local users, because the secret appeared to be too old.
The recorded timestamp is now updated when the secret is changed via the REST API.
Note that the issue did not affect changing an automation user's secret via the user management GUI (Setup > Users).
Here the timestamp was already updated correctly.
Change-Id: Ied02cc5d5e50f7743ae4d0993ce0f1c034a5e007
Commit: cd89e4a5599dbbffde0b09f19ff019b48b327bdd
https://github.com/tribe29/checkmk/commit/cd89e4a5599dbbffde0b09f19ff019b48…
Author: Simon Jess <simon.jess(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/utils/licensing/export.py
Log Message:
-----------
licensing: Cleanup REST-API endpoint 'download_license_usage'
- UploadOrigin is not needed anymore
Change-Id: I70ca4009be741b7a80261ffbd601f3e8bc7e557f
Compare: https://github.com/tribe29/checkmk/compare/4c69d9f6718c...cd89e4a5599d
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 4c69d9f6718cf9d828e8e66d9c4aa5381f2db94d
https://github.com/tribe29/checkmk/commit/4c69d9f6718cf9d828e8e66d9c4aa5381…
Author: Solomon Jacobs <solomon.jacobs(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/special_agents/agent_kube.py
M cmk/special_agents/utils_kubernetes/schemata/api.py
M cmk/special_agents/utils_kubernetes/transform.py
M cmk/special_agents/utils_kubernetes/transform_any.py
M cmk/special_agents/utils_kubernetes/transform_json.py
M tests/unit/cmk/special_agents/agent_kube/factory.py
M tests/unit/cmk/special_agents/agent_kube/test_agent_kube_api.py
M tests/unit/cmk/special_agents/agent_kube/test_cluster.py
M tests/unit/cmk/special_agents/agent_kube/test_cronjob.py
M tests/unit/cmk/special_agents/agent_kube/test_namespace.py
M tests/unit/cmk/special_agents/agent_kube/test_persistent_volume_claim.py
M tests/unit/cmk/special_agents/agent_kube/test_pods.py
M tests/unit/cmk/special_agents/agent_kubernetes/test_agent_kube_filter_from_namespace.py
Log Message:
-----------
transform: parse_metadata
Change-Id: Ibc55e750e2728d1905be8efa78e2348f3b104a68
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: dfd0a2595928d5d6da356fb6edc3420faa6262a0
https://github.com/tribe29/checkmk/commit/dfd0a2595928d5d6da356fb6edc3420fa…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15184
M cmk/gui/plugins/openapi/endpoints/user_config.py
M cmk/gui/userdb.py
M cmk/update_config.py
M tests/unit/cmk/test_update_config.py
Log Message:
-----------
15184 FIX Do not enforce password change for automation users

The enforce_pw_change flag is now ignored for automation users. Since
automation users cannot change their passwords themselves, Checkmk will
now no longer require them to do so, even if the flag is set.

Note that automation users can still be prevented from logging in if the
password policy for local accounts defines a maximum password age.

This Werk is motivated by a fixup for Werk #14391, which could cause old
automation users to be unable to log in.

Since Werk #14391, omd update / cmk-update-config looks for users whose
passwords are hashed with outdated hashing schemes in etc/htpasswd.
Users whose passwords were hashed with the insecure algorithms MD5 or
DES Crypt are asked to change their password the next time they log in.
Moreover, the administrator running the update will see a warning that
lists the affected users.

That check did not properly exclude old automation users created by
Checkmk < 1.6.0, although the check does not make sense for them.
(Automation users do not log in the same way regular users do and their
password hash is irrelevant.) As a result, the flag to require a
password change was also set for automation users, preventing automation
users from logging in. In addition, the automation users were mistakenly
listed in the warning message mentioned above.

Note that automation users that have been created or had their
automation secret changed with Checkmk >= 1.6.0 are not affected, as
Checkmk has not used the insecure hashing algorithms since version 1.6.0
(Werk #6846).

With this fix the flag to enforce a password change will no longer be
set for automation users by that check and automation users will no
longer be listed in the warning message. Moreover, since the flag is now
ignored for automation users, they will be able to log in again, even if
the flag has already been set.

CMK-12085
Change-Id: Id923f104d05d41fc8985b5db86690db884c31a01
Commit: 84064c633f5a3b8226273b2de8b02a0f40b09559
https://github.com/tribe29/checkmk/commit/84064c633f5a3b8226273b2de8b02a0f4…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15185
M cmk/gui/plugins/openapi/endpoints/user_config.py
M tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py
Log Message:
-----------
15185 FIX REST API: update password change time when changing automation user's secret
Previously, changing an automation user's authentication secret did not update the recorded timestamp of the last password change for the automation user.
As a result, the automation user could have been prevented from logging in by the password policy for local users, because the secret appeared to be too old.
The recorded timestamp is now updated when the secret is changed via the REST API.
Note that the issue did not affect changing an automation user's secret via the user management GUI (Setup > Users).
Here the timestamp was already updated correctly.
Change-Id: Ied02cc5d5e50f7743ae4d0993ce0f1c034a5e007
Compare: https://github.com/tribe29/checkmk/compare/c81da45553ee...84064c633f5a
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 3cbe9ca6b10f60a7e20e962673c259d3f28b7098
https://github.com/tribe29/checkmk/commit/3cbe9ca6b10f60a7e20e962673c259d3f…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/gui/userdb/saml2/config.py
M cmk/gui/wato/pages/saml2.py
M tests/unit/cmk/gui/userdb/saml2/conftest.py
Log Message:
-----------
SAML config: add owner
Knowing which site owns the connection is useful in a distributed
monitoring set-up.
CMK-12058
Change-Id: I059675d333d75655d334c0f160a5736b056753e4
Commit: 1a986d9dd784abe562ec906b4c6d567b50aaf880
https://github.com/tribe29/checkmk/commit/1a986d9dd784abe562ec906b4c6d567b5…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/gui/login.py
Log Message:
-----------
SAML login: disable login to the UI of remote sites
CMK-12117
Change-Id: Ia8ae45d8ab83030779b11f7d482b6e320519b508
Commit: e0ff6b26c4630e7c798a0713f87eb90242e683f7
https://github.com/tribe29/checkmk/commit/e0ff6b26c4630e7c798a0713f87eb9024…
Author: Christoph Rauch <christoph.rauch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/gui/wsgi/app.py
M web/app/index.wsgi
Log Message:
-----------
WSGI: move log initialization back to script file
Change-Id: I95e60cfeb6bdcc4536e9c97ca30e0872c63feda5
Compare: https://github.com/tribe29/checkmk/compare/9b75b4200066...e0ff6b26c463
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: c81da45553eeecdfb2b3e4e5d0bd6ddc986de70d
https://github.com/tribe29/checkmk/commit/c81da45553eeecdfb2b3e4e5d0bd6ddc9…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15181
M cmk/gui/plugins/userdb/ldap_connector.py
Log Message:
-----------
15181 SEC Improper validation of LDAP user IDs

Prior to this Werk user IDs synced from an LDAP connection were not
properly sanitized. The allowed characters for LDAP users' user IDs were
not restricted in the same way as local user IDs.

As a result, malicious actors with the ability to change an LDAP user's
uid attribute were able to, within limits, manipulate files on
the server. For instance, attackers were able to override files in other
users' var/check_mk/web folder, including the deletion of their
stored two-factor credentials (thus disabling 2FA for the affected
user). Additionally, attackers could also lock users out of their
accounts by creating a 2FA-credentials file in the affected user's web
folder.

However, it should be noted that to the best of our knowledge, attackers
could not have impersonated other users or taken over their accounts
directly.

This issue was discovered during internal review.

Affected Versions:
- 2.1.0 previous to this Werk
- 2.0.0 previous to this Werk
- 1.6.0 (EOL)

Mitigations:
Disable LDAP user synchronization.

Indicators of Compromise:
Inspect the list of users in WATO user management (Setup > Users) for
suspicious user IDs from an LDAP connection.

Vulnerability Management:
We have rated the issue with a CVSS Score of 6.8 (Medium) with the
following CVSS vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H.
We have assigned the CVE CVE-2023-0284.

Changes:
This Werk adds sanitization to LDAP user IDs. We do not anticipate any
negative impact on legitimate user IDs as the now-forbidden user IDs
could not have been used in a functional way.

CMK-11963
Change-Id: Icb5951e2d544ac821735afbee3263258370d515b
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: e128f6a3b09b1ee26c6134618256dcfbcbf89c87
https://github.com/tribe29/checkmk/commit/e128f6a3b09b1ee26c6134618256dcfbc…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15181
M cmk/gui/plugins/userdb/ldap_connector.py
Log Message:
-----------
15181 SEC Improper validation of LDAP user IDs

Prior to this Werk user IDs synced from an LDAP connection were not
properly sanitized. The allowed characters for LDAP users' user IDs were
not restricted in the same way as local user IDs.

As a result, malicious actors with the ability to change an LDAP user's
uid attribute were able to, within limits, manipulate files on
the server. For instance, attackers were able to override files in other
users' var/check_mk/web folder, including the deletion of their
stored two-factor credentials (thus disabling 2FA for the affected
user). Additionally, attackers could also lock users out of their
accounts by creating a 2FA-credentials file in the affected user's web
folder.

However, it should be noted that to the best of our knowledge, attackers
could not have impersonated other users or taken over their accounts
directly.

This issue was discovered during internal review.

Affected Versions:
- 2.1.0 previous to this Werk
- 2.0.0 previous to this Werk
- 1.6.0 (EOL)

Mitigations:
Disable LDAP user synchronization.

Indicators of Compromise:
Inspect the list of users in WATO user management (Setup > Users) for
suspicious user IDs from an LDAP connection.

Vulnerability Management:
We have rated the issue with a CVSS Score of 6.8 (Medium) with the
following CVSS vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H.
We have assigned the CVE CVE-2023-0284.

Changes:
This Werk adds sanitization to LDAP user IDs. We do not anticipate any
negative impact on legitimate user IDs as the now-forbidden user IDs
could not have been used in a functional way.

CMK-11963
Change-Id: Icb5951e2d544ac821735afbee3263258370d515b
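
Added example, not code from the Checkmk project or from the commits above: one way to automate the review that the "Indicators of Compromise" section of Werk 15181 asks for, by scanning an exported user list for LDAP-sourced IDs that look unsafe. The allowlist pattern, the (user ID, connector type) input shape and the assumption that a user ID is used verbatim as a folder name below var/check_mk/web are illustrative and not taken from the Werk.

```python
import posixpath
import re

# Assumed allowlist for illustration only; not Checkmk's actual user ID rule.
ALLOWED_USER_ID = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@+-]*")

# Per-user folders live below this site-relative directory (named in the Werk).
WEB_DIR = "var/check_mk/web"


def suspicious_reasons(user_id: str) -> list[str]:
    """Return the reasons a user ID looks unsafe; an empty list means clean."""
    reasons = []
    if "/" in user_id or "\\" in user_id:
        reasons.append("path separator")
    if any(part in (".", "..") for part in re.split(r"[/\\]", user_id)):
        reasons.append("dot segment")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user_id):
        reasons.append("control character")
    if ALLOWED_USER_ID.fullmatch(user_id) is None:
        reasons.append("outside allowlist")
    # Assumption: the ID is used verbatim as a folder name below WEB_DIR.
    # Independent of the character checks, the normalised folder must be a
    # direct child of WEB_DIR.
    target = posixpath.normpath(posixpath.join(WEB_DIR, user_id))
    if posixpath.dirname(target) != WEB_DIR:
        reasons.append("not a direct child of web folder")
    return reasons


def audit_ldap_users(users):
    """Return (user_id, reasons) for LDAP-sourced users with any finding."""
    return [
        (uid, found)
        for uid, source in users
        if source == "ldap" and (found := suspicious_reasons(uid))
    ]


# Constructed sample export: (user ID, connector type). Not real data.
SAMPLE_USERS = [
    ("alice", "htpasswd"),
    ("bob.smith@example.com", "ldap"),
    ("../carol", "ldap"),
    ("dave/extra", "ldap"),
    ("erin\n", "ldap"),
    ("../local", "htpasswd"),  # skipped: the Werk concerns LDAP-synced IDs
]

if __name__ == "__main__":
    for uid, reasons in audit_ldap_users(SAMPLE_USERS):
        print(f"{uid!r}: {', '.join(reasons)}")
```

The character checks and the containment check are kept separate on purpose: an ID such as "erin\n" stays inside the web folder but still fails the allowlist, so each reason is reported on its own.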
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: cafbb747939ce09a4860444551eb193423238499
https://github.com/tribe29/checkmk/commit/cafbb747939ce09a4860444551eb19342…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/base/agent_based/discovery/_discovered_services.py
M cmk/base/agent_based/discovery/autodiscovery.py
M cmk/base/agent_based/discovery/commandline.py
M cmk/base/config.py
M cmk/base/core_nagios.py
M tests/unit/cmk/base/agent_based/discovery/test_discovery.py
M tests/unit/cmk/base/test_core_nagios.py
Log Message:
-----------
Split check for ignored plugins and ignored services
SRP, avoids optional parameters. Either test for something
or don't. Anything in between is hard to understand, such as,
the magical optional parameters in the present case.
CMK-12002
Change-Id: I6f159064f563c025ba706a0b40d6e96df99315a2
Commit: 0165526910ed13d6edcfcbfa5f94cb091d19cbb8
https://github.com/tribe29/checkmk/commit/0165526910ed13d6edcfcbfa5f94cb091…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/base/agent_based/discovery/_discovered_services.py
M tests/unit/cmk/base/agent_based/discovery/test_discovery.py
Log Message:
-----------
Fix layering violation in discovery
discovered_services does need types from the check API, here CheckPlugin
CMK-12002
Change-Id: Ia52b719671ea00987089eb1f51c1c3c7ff186842
Commit: c80ea0330648915062829000749e7574ddfa65cb
https://github.com/tribe29/checkmk/commit/c80ea0330648915062829000749e7574d…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M checks/check_mail_loop
M cmk/base/agent_based/checking/_checking.py
M cmk/base/agent_based/discovery/_discovered_services.py
M cmk/base/api/agent_based/utils.py
M cmk/base/automations/check_mk.py
M cmk/base/check_api.py
M cmk/base/core_nagios.py
R cmk/base/plugin_contexts.py
A cmk/checkers/plugin_contexts.py
M tests/testlib/__init__.py
M tests/testlib/pylint_checker_cmk_module_layers.py
M tests/unit/checks/generictests/run.py
M tests/unit/checks/test_mem_win.py
M tests/unit/cmk/base/api/agent_based/test_utils_check_levels_predictive.py
M tests/unit/cmk/base/plugins/agent_based/test_check_plugin_properties.py
M tests/unit/cmk/base/plugins/agent_based/test_diskstat.py
M tests/unit/cmk/base/plugins/agent_based/utils/test_cpu_load.py
M tests/unit/cmk/base/test_check_api.py
Log Message:
-----------
Move plugin_contexts out of base
no dependency on cmk.base.config
CMK-12002
Change-Id: I650e61c56da135c4539284802554e1f460ea56a4
Commit: 9b75b4200066550d441f4e1d8e16303747a97f71
https://github.com/tribe29/checkmk/commit/9b75b4200066550d441f4e1d8e1630374…
Author: Jodok Ole Glabasna <jodok.glabasna(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M .werks/first_free
Log Message:
-----------
Reserved 10 Werk IDs
Change-Id: Ia29ff94a594025516c0ce29e23078775c232f05c
Compare: https://github.com/tribe29/checkmk/compare/07ed1ec28dee...9b75b4200066
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: dc7e636fbf8b5904aa9b0f4dac88aa7ba3bb8c16
https://github.com/tribe29/checkmk/commit/dc7e636fbf8b5904aa9b0f4dac88aa7ba…
Author: Simon Jess <simon.jess(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15090
M cmk/base/plugins/agent_based/inventory_solaris_psrinfo.py
M tests/unit/cmk/base/plugins/agent_based/test_inventory_solaris_psrinfo.py
Log Message:
-----------
15090 FIX inventory_solaris_psrinfo: Fix missing model or maximum speed
Change-Id: I8eab3aba0c374e205847bda533dd0656cbabdc91
Commit: 1864bd6c2837ac9ab125577192fd38b654f14c42
https://github.com/tribe29/checkmk/commit/1864bd6c2837ac9ab125577192fd38b65…
Author: Simon Jess <simon.jess(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/base/plugins/agent_based/prtconf.py
M tests/unit/cmk/base/plugins/agent_based/test_inv_prtconf.py
Log Message:
-----------
prtconf: Put entries as table rows not as attributes of sub node
Change-Id: Iffa95aeb8509472e6fc52e90e967ba88e9b664f8
Commit: 12487d434dccb7441f51acc098c164e043ad03e2
https://github.com/tribe29/checkmk/commit/12487d434dccb7441f51acc098c164e04…
Author: Simon Jess <simon.jess(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/base/plugins/agent_based/prtconf.py
Log Message:
-----------
prtconf: Split single attributes
Change-Id: I66f2dfe59ae1802732e389afa854d61550831d12
Compare: https://github.com/tribe29/checkmk/compare/21f7c47fd971...12487d434dcc