Module: check_mk
Branch: master
Commit: 50bb17166b31a46a53716f9d238d9b009906827f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=50bb17166b31a4…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Mar 31 12:09:30 2014 +0200
FIX Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)
This change fixes possible attacks against Check_MK Multisite users. In previous
versions a possible attacker could try to make the browsers of authenticated users
open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
knowledge of the attacked user.
To make such an attack possible, there are several things needed: The user must be
authenticated with multisite and have enough permission within multisite to execute
the actions the attacker wants to use, the attacker needs to know the exact URL to the
Multisite GUI. Then the attacker needs to make the user either click on a manipulated
link or open a manipulated webpage which makes the browser of the user, where the user
is authenticated with multisite, open the URL the attacker wants to make it open.
The multisite GUI makes use of transids (transaction ids) when processing form
submissions or actions. The transids were mainly used to prevent double execution
of actions when reloading the page which performed the action in the browser.
Now we changed internal handling of the transid to make it also prevent CSRF attacks.
The transid is now some kind of shared secret between the webserver and the browser
of the user. This ensures a form submission is intended by a previously requested page.
This change implies an incompatible change: In case you use a script which opens
multisite pages to perform an action, e.g. set a downtime and use this with a regular
user account which authenticates by username/password, the script won't work anymore
after this change.
The way to go is to adapt the script and change the user to authenticate with an
automation secret instead of a password. For this kind of authentication, you will
need to use other URL parameters (_username=... and _secret=...).
---
.werks/766 | 33 +++++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 69 +++++++++++++++++++++++++++++++++++--------------
web/htdocs/login.py | 2 ++
4 files changed, 86 insertions(+), 19 deletions(-)
diff --git a/.werks/766 b/.werks/766
new file mode 100644
index 0000000..21d8748
--- /dev/null
+++ b/.werks/766
@@ -0,0 +1,33 @@
+Title: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)
+Level: 3
+Component: multisite
+Version: 1.2.5i2
+Date: 1396259365
+Class: fix
+
+This change fixes possible attacks against Check_MK Multisite users. In previous
+versions a possible attacker could try to make the browsers of authenticated users
+open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
+knowledge of the attacked user.
+
+To make such an attack possible, there are several things needed: The user must be
+authenticated with multisite and have enough permission within multisite to execute
+the actions the attacker wants to use, the attacker needs to know the exact URL to the
+Multisite GUI. Then the attacker needs to make the user either click on a manipulated
+link or open a manipulated webpage which makes the browser of the user, where the user
+is authenticated with multisite, open the URL the attacker wants to make it open.
+
+The multisite GUI makes use of transids (transaction ids) when processing form
+submissions or actions. The transids were mainly used to prevent double execution
+of actions when reloading the page which performed the action in the browser.
+Now we changed internal handling of the transid to make it also prevent CSRF attacks.
+The transid is now some kind of shared secret between the webserver and the browser
+of the user. This ensures a form submission is intended by a previously requested page.
+
+This change impicates an incompatible change: In case you use a script which opens
+multisite pages to perform an action, e.g. set a downtime and use this with a regular
+user account which authenticates by username/password, the script won't work anymore
+after this change.
+The way to go is to adapt the script and change the user to authenticate with an
+automation secret instead of a password. For this kind of authentication, you will
+need to user other URL parameters (_username=... and _secret=...).
diff --git a/ChangeLog b/ChangeLog
index 5c95b6f..4c9d690 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@
Multisite:
* 0765 NagVis-Maps-Snapin: Now visualizes downtime / acknowledgment states of maps...
+ * 0766 FIX: Changed transid implemtation to work as CSRF protection (Fixes CVE-2014-2330)...
1.2.5i1:
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index 8c31d42..6a9c84c 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -74,6 +74,8 @@ class html:
self.treestates = {}
self.treestates_for_id = None
self.caches = {}
+ self.new_transids = []
+ self.ignore_transids = False
RETURN = 13
SHIFT = 16
@@ -801,6 +803,9 @@ class html:
self.bottom_footer()
self.body_end()
+ # Hopefully this is the correct place to performe some "finalization" tasks.
+ self.store_new_transids()
+
def add_status_icon(self, img, tooltip, url = None):
if url:
self.status_icons[img] = tooltip, url
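Review bot: Persisting the ids only from the footer (`self.store_new_transids()` on L101) ties storage of the CSRF secret to page rendering: a response that calls `fresh_transid()` but ends without reaching this footer code — if such pages exist, e.g. AJAX or error paths, which the hunk cannot show — never stores its ids, so the later submission is rejected as invalid. The call also runs a load/prune/save cycle of the user's transid file on every rendered page, including pages that created no ids; a guard at the top of `store_new_transids()`, `if not self.new_transids: return`, would limit the rewrite to pages that actually issued a transid. The enclosing method starts outside the hunk.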
@@ -938,35 +943,61 @@ class html:
if not self.has_var("_ajaxid"):
self.javascript("if(parent && parent.frames[0]) parent.frames[0].location.reload();");
- # Compute a (hopefully) unique transaction id
+ def set_ignore_transids(self):
+ self.ignore_transids = True
+
+ # Compute a (hopefully) unique transaction id. This is generated during rendering
+ # of a form or an action link, stored in a user specific file for later validation,
+ # sent to the users browser via HTML code, then submitted by the user together
+ # with the action (link / form) and then validated if it is a known transid. When
+ # it is a known transid, it will be used and invalidated. If the id is not known,
+ # the action will not be processed.
def fresh_transid(self):
- return "%d/%d" % (int(time.time()), random.getrandbits(32))
+ transid = "%d/%d" % (int(time.time()), random.getrandbits(32))
+ self.new_transids.append(transid)
+ return transid
# Marks a transaction ID as used. This is done by saving
# it in a user specific settings file "transids.mk". At this
# time we remove all entries from that list that are older
- # then one week.
- def invalidate_transid(self, id):
- used_ids = self.load_transids()
- new_ids = []
+ # than one week.
+ def store_new_transids(self):
+ valid_ids = self.load_transids()
+
+ cleared_ids = []
now = time.time()
- for used_id in used_ids:
- timestamp, rand = used_id.split("/")
+ for valid_id in valid_ids:
+ timestamp, rand = valid_id.split("/")
if now - int(timestamp) < 604800: # 7 * 24 hours
- new_ids.append(used_id)
- used_ids.append(id)
- self.save_transids(used_ids)
-
- # Checks, if the current transaction is valid, i.e. now
- # browser reload. The HTML variable _transid must be present.
- # If it is empty or -1, then it's always valid (this is used
- # for webservice calls).
+ cleared_ids.append(valid_id)
+
+ self.save_transids(cleared_ids + self.new_transids)
+
+ # Remove the used transid from the list of valid ones
+ def invalidate_transid(self, used_id):
+ valid_ids = self.load_transids()
+ try:
+ valid_ids.remove(used_id)
+ except ValueError:
+ return
+ self.save_transids(valid_ids)
+
+ # Checks, if the current transaction is valid, i.e. in case of
+ # browser reload a browser reload, the form submit should not
+ # be handled a second time.. The HTML variable _transid must be present.
+ #
+ # In case of automation users (authed by _secret in URL): If it is empty
+ # or -1, then it's always valid (this is used for webservice calls).
+ # This was also possible for normal users, but has been removed to preven
+ # security related issues.
def transaction_valid(self):
if not self.has_var("_transid"):
return False
id = self.var("_transid")
- if not id or id == "-1":
+ if not id or self.ignore_transids:
return True # automation
+
+ # Normal user/password auth user handling
timestamp, rand = id.split("/")
# If age is too old (one week), it is always
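Review bot: `transaction_valid` still returns True for an empty `_transid` for every user, not only automation users: on L176 `if not id or self.ignore_transids:` the `not id` branch short-circuits before `ignore_transids` is consulted, which contradicts the comment on L167-L170 that this bypass is now restricted to `_secret`-authenticated users. Splitting the condition, `if self.ignore_transids: return True` followed by `if not id: return False`, enforces the documented rule. Since the transid now serves as the CSRF secret, `random.getrandbits(32)` in `fresh_transid` (L121) draws from the non-cryptographic Mersenne Twister; `random.SystemRandom().getrandbits(32)` (or more bits) gives an unpredictable value at no extra cost. Lastly, `timestamp, rand = id.split("/")` on L180 and the following `int(timestamp)` raise ValueError on a malformed `_transid` instead of returning False, so a bad token produces a traceback rather than a clean rejection. `transaction_valid` continues past the end of the hunk.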
@@ -975,8 +1006,8 @@ class html:
if now - int(timestamp) >= 604800: # 7 * 24 hours
return False
- # Now check, if this id is not yet invalidated
- return id not in self.load_transids()
+ # Now check, if this id is a valid one
+ return id in self.load_transids()
# Checks, if the current page is a transation, i.e. something
# that is secured by a transid (such as a submitted form)
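Review bot: `return id in self.load_transids()` on L188 validates without consuming the id, so validation and invalidation (`invalidate_transid`, a separate load/remove/save) are two steps on a shared file with no locking visible; two concurrent submissions carrying the same transid can both pass this check before either removes it, which weakens the double-execution protection the commit message describes — assuming `load_transids`/`save_transids` are plain file reads and writes, which the hunk does not show. A single "validate and consume" operation performed under a file lock (e.g. `fcntl.flock`) would close the window. The caller that pairs the check with `invalidate_transid` is outside this hunk.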
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index c3a06e0..55452c0 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -128,6 +128,8 @@ def check_auth_automation():
if secret and user and "/" not in user:
path = defaults.var_dir + "/web/" + user + "/automation.secret"
if os.path.isfile(path) and file(path).read().strip() == secret:
+ # Auth with automation secret succeeded - mark transid as unneeded in this case
+ html.set_ignore_transids()
return user
raise MKAuthException(_("Invalid automation secret for user %s") % user)
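Review bot: With `html.set_ignore_transids()` on L200 the transid check is skipped for every request that passes this branch, so the secret comparison on L198 becomes the only guard for such requests; `file(path).read().strip() == secret` is an ordinary early-exit string comparison and leaves the file object to be closed by the garbage collector. A constant-time comparison (`hmac.compare_digest`, available from Python 2.7.7 and 3.3; otherwise a helper that compares all bytes before deciding) and a `with open(path) as f:` block would harden this path. `check_auth_automation` starts outside the hunk.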
Module: check_mk
Branch: master
Commit: 58eb05aad2ae27bc798e92b2a383e390ad85fc3d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=58eb05aad2ae27…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Mon Mar 31 10:34:34 2014 +0200
FIX BI editor: fixed display bug in "Create nodes based on a service search"
The WATO BI editor had some problems when displaying rules with the pattern<br>
"Create nodes based on a service search" -> "State of a service"
---
.werks/741 | 9 +++++++++
ChangeLog | 3 +++
web/htdocs/wato.py | 3 ++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/741 b/.werks/741
new file mode 100644
index 0000000..956eb45
--- /dev/null
+++ b/.werks/741
@@ -0,0 +1,9 @@
+Title: BI editor: fixed display bug in "Create nodes based on a service search"
+Level: 1
+Component: bi
+Version: 1.2.5i2
+Date: 1396254706
+Class: fix
+
+The WATO BI editor had some problems when displaying rules with the pattern<br>
+"Create nodes based on a service search" -> "State of a service"
diff --git a/ChangeLog b/ChangeLog
index 59ec71b..3fb0a69 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
* 0764 lnx_quota: Added new check to monitor Linux File System Quota...
* 0740 FIX: winperf_if: now able to handle bandwidth > 4GBit...
+ BI:
+ * 0741 FIX: BI editor: fixed display bug in "Create nodes based on a service search"...
+
1.2.5i1:
Core & Setup:
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index b00ac70..9338fff 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -15089,7 +15089,8 @@ def bi_called_rule(node):
return subnode[1][0], info
elif node[0] == "foreach_service":
subnode = node[1][-1]
- return subnode[1][0], _("Called for each service...")
+ if subnode[0] == 'call':
+ return subnode[1][0], _("Called for each service...")
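Review bot: The new `if subnode[0] == 'call':` guard on L259 has no else branch, so for a `foreach_service` node whose last element is not a `call` the function now falls off the end and implicitly returns None; if callers unpack the result as a pair — as the `return subnode[1][0], info` pattern on L255 suggests — they will fail on the None value. An explicit return with a comment stating that non-call subnodes yield no called rule would make the contract visible to callers. `bi_called_rule` starts and ends outside this hunk.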
def count_bi_rule_references(aggregations, aggregation_rules, ruleid):
aggr_refs = 0
Module: check_mk
Branch: master
Commit: 67efa2f17f32dbb41ab9dd330f257a56b9896e5c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=67efa2f17f32db…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Mar 28 19:56:05 2014 +0100
lnx_quota: Added new check to monitor Linux File System Quota
This check monitors filesystems where Linux user quotas have been
configured, for users which exceed their space and file quotas.
---
.werks/764 | 9 +++++++++
ChangeLog | 1 +
2 files changed, 10 insertions(+)
diff --git a/.werks/764 b/.werks/764
new file mode 100644
index 0000000..df81538
--- /dev/null
+++ b/.werks/764
@@ -0,0 +1,9 @@
+Title: lnx_quota: Added new check to monitor Linux File System Quota
+Level: 1
+Component: checks
+Version: 1.2.5i2
+Date: 1396032940
+Class: feature
+
+This check monitors filesystems where linux user quotas has been
+configured for users which exceed their space and file quotas.
diff --git a/ChangeLog b/ChangeLog
index 13cca8f..59ec71b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
* 0147 enterasys_fans: New Check to monitor fans of enterasys swichtes
* 0774 ibm_svc_nodestats.diskio: new check for disk troughput per node on IBM SVC / V7000 devices
* 0775 ibm_svc_systemstats.diskio: new check for disk throughput in IBM SVC / V7000 devices in total
+ * 0764 lnx_quota: Added new check to monitor Linux File System Quota...
* 0740 FIX: winperf_if: now able to handle bandwidth > 4GBit...
Module: check_mk
Branch: master
Commit: 79547604b2d139d7ce6d601fe62fd0e9e4974128
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=79547604b2d139…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Mar 28 19:55:30 2014 +0100
lnx_quota: Added new check to monitor Linux File System Quota
---
agents/plugins/lnx_quota | 6 +++
checkman/lnx_quota | 22 ++++++++++
checks/lnx_quota | 102 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 130 insertions(+)
diff --git a/agents/plugins/lnx_quota b/agents/plugins/lnx_quota
new file mode 100644
index 0000000..09fde34
--- /dev/null
+++ b/agents/plugins/lnx_quota
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "<<<lnx_quota>>>"
+for VOL in $(grep usrjquota /etc/fstab | cut -d' ' -f2); do
+ echo "[[[$VOL]]]"
+ repquota -up $VOL
+done
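Review bot: `cut -d' ' -f2` on L321 assumes single-space separation, but /etc/fstab fields are commonly tab-separated or aligned with runs of spaces, in which case field 2 is empty or wrong and `repquota -up` runs on the wrong argument; `awk '/usrjquota/ {print $2}' /etc/fstab` splits on any whitespace. The pattern also matches `usrjquota` only, so filesystems mounted with plain `usrquota` are skipped — whether the plugin is meant to cover them cannot be told from here — and `$VOL` on L323 should be quoted as `"$VOL"`. Checking that `repquota` is installed before emitting the section header on L320 would avoid a half-written section when the tool is missing.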
diff --git a/checkman/lnx_quota b/checkman/lnx_quota
new file mode 100644
index 0000000..2f236e5
--- /dev/null
+++ b/checkman/lnx_quota
@@ -0,0 +1,22 @@
+title: Linux File System Quotas
+agents: linux
+catalog: os/storage
+license: GPL
+distribution: check_mk
+description:
+ This check monitors filesystems where linux user quotas has been configured
+ for users which exceed their space and file quotas.
+
+ The check uses information provided by the Check_MK linux agent which are
+ available when the agent has been extended with the {lnx_quota} agent plugin.
+
+item:
+ The mountpoint of the filesystem
+
+perfdata:
+ Two values per user. {<user>_blocks} reports the currently allocated space
+ of the user in bytes and {<user>_files} reports the number of files currently
+ owned by the user.
+
+inventory:
+ Creates one check for each filesystem with enabled user quotas
diff --git a/checks/lnx_quota b/checks/lnx_quota
new file mode 100644
index 0000000..524c217
--- /dev/null
+++ b/checks/lnx_quota
@@ -0,0 +1,102 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+def lnx_quota_parse(info):
+ parsed = {}
+ fs = None
+ for line in info:
+ if line[0].startswith('[[['):
+ # new filesystem
+ fs = line[0][3:-3]
+ parsed[fs] = {}
+ elif fs and len(line) == 10:
+ # new table entry
+ parsed[fs][line[0]] = map(int, line[2:])
+ return parsed
+
+def inventory_lnx_quota(info):
+ inv = []
+ for fs in lnx_quota_parse(info).keys():
+ inv.append((fs, {}))
+ return inv
+
+def check_lnx_quota(item, params, info):
+ parsed = lnx_quota_parse(info)
+ if item not in parsed:
+ return 3, 'Quota info not found for this filesystem'
+
+ state = 0
+ output = []
+ perfdata = []
+
+ fmt = lambda v, w: w == 'files' and '%d files' % v or get_bytes_human_readable(used*1000, 1000)
+
+ for user, values in parsed[item].items():
+ for what, (used, soft, hard, grace) in [
+ ('blocks', values[:4]),
+ ('files', values[4:]) ]:
+ if soft == 0 and hard == 0:
+ continue # skip entries with not-set limits
+
+ this_state = 0
+ txt = '%s %s' % (user, fmt(used, what))
+ if used > hard:
+ this_state = 2
+ txt += ' (over %s hard(!!))' % fmt(hard, what)
+ elif used > soft:
+ this_state = 1
+ txt += ' (over %s soft' % fmt(soft, what)
+ if grace != 0:
+ # user is or was in grace period
+ if grace <= time.time():
+ txt += ', grace exceeded(!!)'
+ this_state = 2
+ else:
+ txt += ', within grace(!)'
+ else:
+ txt += '(!)'
+ txt += ')'
+ # When users are in "ok" state, don't output their usage, just
+ # add the perfdata for them
+ if this_state:
+ output.append(txt)
+ state = max(state, this_state)
+
+ perfdata.append(('%s_%s' % (user, what), used*1000,
+ soft*1000, hard*1000, 0, hard*1000))
+
+ if not output:
+ output.append('All users are within quota')
+
+ return state, ', '.join(output), perfdata
+
+check_info['lnx_quota'] = {
+ 'check_function' : check_lnx_quota,
+ 'inventory_function' : inventory_lnx_quota,
+ 'service_description' : 'Quota %s',
+ 'has_perfdata' : True,
+ 'group' : 'quota',
+}
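Review bot: The `fmt` lambda on L413 formats block values from the loop variable `used` instead of its own parameter `v`, so `fmt(hard, what)` and `fmt(soft, what)` on L426 and L429 print the current usage where the limit should appear; the call should be `get_bytes_human_readable(v*1000, 1000)`. The limit checks also treat 0 as a real limit: L419 skips an entry only when both soft and hard are 0, so a user with only a soft limit reaches `used > hard` with `hard == 0` on L424 and is reported CRIT as over a 0-byte hard limit; `if hard and used > hard:` and `elif soft and used > soft:` restrict each comparison to limits that are actually set, and the perfdata on L446-447 would otherwise publish a max of 0 for the same entries. The `*1000` factor assumes repquota reports 1000-byte blocks; the quota tools usually count in 1 KiB blocks, so this is worth confirming against the agent output.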
Module: check_mk
Branch: master
Commit: c8ee9de6e9e0f88fc09708d27a65ce665423b53d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c8ee9de6e9e0f8…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri Mar 28 15:20:55 2014 +0100
FIX winperf_if: now able to handle display of bandwidth > 4GBit
If an interface had a bandwidth of > 4GBit the check did not receive
the correct bandwidth value, because of a 32 bit counter overflow.
Workaround: The windows plugin wmic_if.bat now also reports the correct bandwidth value.
If you use this plugin, its bandwidth value takes precedence over the bandwidth determined by the agent.
---
.werks/740 | 11 +++++++++++
ChangeLog | 2 ++
agents/windows/plugins/wmic_if.bat | 2 +-
checks/winperf_if | 3 ++-
4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.werks/740 b/.werks/740
new file mode 100644
index 0000000..504df72
--- /dev/null
+++ b/.werks/740
@@ -0,0 +1,11 @@
+Title: winperf_if: now able to handle display of bandwidth > 4GBit
+Level: 1
+Component: checks
+Version: 1.2.5i2
+Date: 1396016199
+Class: fix
+
+If an interface had a bandwidth of > 4GBit the check did not receive
+the correct bandwidth value, because of a 32 bit counter overflow.
+Workaround: The windows plugin wmic_if.bat now also reports the correct bandwidth value.
+If you use this plugin its bandwidth value will have precedence before the bandwidth determined by the agent.
diff --git a/ChangeLog b/ChangeLog
index 2cdf4e3..62c7302 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
1.2.5i2:
Checks & Agents:
+ * 0147 enterasys_fans: New Check to monitor fans of enterasys swichtes
* 0774 ibm_svc_nodestats.diskio: new check for disk troughput per node on IBM SVC / V7000 devices
+ * 0740 FIX: winperf_if: now able to handle display of bandwidth > 4GBit...
1.2.5i1:
diff --git a/agents/windows/plugins/wmic_if.bat b/agents/windows/plugins/wmic_if.bat
index 501c892..2192d7e 100644
--- a/agents/windows/plugins/wmic_if.bat
+++ b/agents/windows/plugins/wmic_if.bat
@@ -1,3 +1,3 @@
@echo off
echo ^<^<^<winperf_if:sep^(44^)^>^>^>
-wmic path Win32_NetworkAdapter get macaddress,name,netconnectionid,netconnectionstatus /format:csv
+wmic path Win32_NetworkAdapter get speed,macaddress,name,netconnectionid,netconnectionstatus /format:csv
diff --git a/checks/winperf_if b/checks/winperf_if
index a7a7cf6..6035cc3 100644
--- a/checks/winperf_if
+++ b/checks/winperf_if
@@ -121,6 +121,7 @@ def convert_winperf_if(info):
for nr, nic_name in enumerate(nic_names):
nic = nics[nic_name]
mac_txt = nic.get('MACAddress')
+ bandwidth = saveint(nic.get('Speed'))
if mac_txt:
mac = "".join(map(lambda x: chr(int(x, 16)), mac_txt.split(':')))
else:
@@ -129,7 +130,7 @@ def convert_winperf_if(info):
str(nr + 1),
nic_name,
"loopback" in nic_name.lower() and '24' or '6',
- nic[10], # Aktuelle Bandbreite
+ bandwidth or nic[10], # Aktuelle Bandbreite
# NetConnectionStatus: 2 st up, 7 ist 'not connected'. If the plugin
# wmic_if is missing and we have link information we need to assume 'up':
nic.get('NetConnectionStatus', '2') == '2' and '1' or '2',
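Review bot: `bandwidth or nic[10]` on L532 yields an int when the plugin reported `Speed` and the raw perf-counter value otherwise, so the consumer of this tuple sees two representations in the same position; `bandwidth or saveint(nic[10])` would keep it uniform, if the downstream code accepts an int there — this hunk does not show it. The fallback also assumes WMI `Speed` and the counter in `nic[10]` share the same unit; plausible, but a short comment stating the assumed unit would help. The inline comment `# Aktuelle Bandbreite` should be in English, e.g. `# current bandwidth`, to match the rest of the file. `convert_winperf_if` starts and ends outside the hunk.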
Module: check_mk
Branch: master
Commit: bbc4e718c9b023bdb588ee265c208a045d58646c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bbc4e718c9b023…
Author: Bernd Stroessenreuther <bs(a)mathias-kettner.de>
Date: Fri Mar 28 15:06:11 2014 +0100
fixed wording in check manpage of ibm_svc_nodestats.diskio
---
checkman/ibm_svc_nodestats.diskio | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkman/ibm_svc_nodestats.diskio b/checkman/ibm_svc_nodestats.diskio
index 79e1311..523c197 100644
--- a/checkman/ibm_svc_nodestats.diskio
+++ b/checkman/ibm_svc_nodestats.diskio
@@ -13,7 +13,7 @@ item:
"Drives", "MDisks" or "VDisks" plus the name of the node.
inventory:
- Creates one check for every Drive, MDisk or VDisk on every node.
+ Creates one check for Drives, one for MDisks and one for VDisks per node.
perfdata:
Two values: Throughput read and throughput write in Bytes/sec.