Branch: refs/heads/1.6.0
Home:
https://github.com/tribe29/checkmk
Commit: 492ab9752ff9bb60d70fd70c2d4aee3eace486b4
https://github.com/tribe29/checkmk/commit/492ab9752ff9bb60d70fd70c2d4aee3ea…
Author: Andreas Umbreit <andreas.umbreit(a)tribe29.com>
Date: 2021-03-12 (Fri, 12 Mar 2021)
Changed paths:
A .werks/12153
M cmk/gui/plugins/wato/check_mk_configuration.py
Log Message:
-----------
12153 SEC Prevent Linux agent systemd service from being accidentally accessible via network

When baking agents with activated ruleset "Allowed agent access via IP address", the
configured restriction previously would only apply to the Windows agent service and the
Linux xinetd service.

As the used service dispatcher (xinetd or systemd) is automatically chosen on Linux
systems on agent package installation (with xinetd being preferred), the agent might
accidentally result in being accessible via systemd service without restriction, although
it is expected that an IP restriction is active.

To mitigate this situation, the Linux agent systemd service now also applies the
configured restriction via IP Access Lists.

However, there's one caveat to this approach: The IP Access Lists feature is only
available for systemd installations from version 235. Because of this, the Checkmk agent
package will abort the activation of the systemd service if a systemd version < 235 is
detected on the host. In that case, the Checkmk agent will be completely inaccessible via
systemd. Please note that this is only relevant if no xinetd is available, because
xinetd will be used as a service dispatcher before considering systemd.

Please note that for Solaris, there is no IP restriction available at all, because the
Checkmk agent package will use inetd as a service dispatcher on Solaris hosts.
While this is not a new situation, as this has never been supported on Solaris, the
help text of the "Allowed agent access via IP address" ruleset now contains a warning about
this fact.
FEED-5501
Change-Id: I2a628e2a9d3751c470971d8f6dcb631bda057aaf
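As an added illustration of the mitigation the commit message describes (example code, not part of the Checkmk commit or agent package): a systemd drop-in that applies IP Access Lists to an agent socket unit, and a version gate that refuses to enable the unit when systemd is older than 235 so the agent is not left reachable without restriction. The unit name `check_mk.socket`, the drop-in path and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Checkmk's packaging code. Applies systemd IP Access Lists
# (IPAddressAllow=/IPAddressDeny=, available from systemd 235) to a socket unit.
# Assumed unit name: check_mk.socket; assumed drop-in path below.

# Return 0 when the given systemd major version supports IP Access Lists.
systemd_supports_ip_acl() {
    ver="$1"
    case "$ver" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unsupported
    esac
    [ "$ver" -ge 235 ]
}

# Read the installed systemd version from 'systemctl --version'
# (first line looks like "systemd 245 (245.4-4ubuntu3)").
detect_systemd_version() {
    systemctl --version 2>/dev/null | awk 'NR==1 {print $2}'
}

# Print the drop-in body for a space-separated list of allowed hosts/CIDRs.
# IPAddressDeny=any must accompany IPAddressAllow=, otherwise nothing is denied.
render_ip_acl_dropin() {
    allowed="$1"
    printf '[Socket]\n'
    printf 'IPAddressDeny=any\n'
    for addr in $allowed; do
        printf 'IPAddressAllow=%s\n' "$addr"
    done
}

# Write the drop-in only when systemd is new enough; otherwise abort, as the
# agent package does, rather than enable an unrestricted socket.
install_ip_acl() {
    allowed="$1"
    dropin_dir="${2:-/etc/systemd/system/check_mk.socket.d}"  # assumed path
    if ! systemd_supports_ip_acl "$(detect_systemd_version)"; then
        echo "systemd < 235: IP Access Lists unavailable, not enabling socket" >&2
        return 1
    fi
    mkdir -p "$dropin_dir"
    render_ip_acl_dropin "$allowed" > "$dropin_dir/ip-acl.conf"
    systemctl daemon-reload
}
```

`systemctl show check_mk.socket -p IPAddressAllow -p IPAddressDeny` (with the real unit name) verifies that the lists were picked up after the reload.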