ID: 7476
Title: Allow shell interpreted characters in agent encryption phrase
Component: WATO
Level: 1
Class: Bug fix
Version: 1.6.0i1
Previously the passphrase was not properly escaped, so
characters with special meaning to the shell led to unencrypted
agent data.
ID: 7475
Title: ceph_status: Adapt to new health field name 'status'
Component: Checks & agents
Level: 1
Class: New feature
Version: 1.6.0i1
The Ceph health JSON format changed in Luminous, which led to a false {WARN} state
for affected devices.
ID: 7259
Title: Fixed bug with host discovery causing steadily increasing CPU load on the monitoring system.
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 1.6.0i1
A host service discovery could modify the monitoring core's live configuration.
The monitoring core detects this deviation and restarts the Check_MK helper.
However, the restarted helper uses the new configuration, whereas the core still uses the old configuration - causing another restart...
This has been fixed.
ID: 7398
Title: heartbeat_crm: Inconsistent parameter format
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 1.6.0i1
Due to an inconsistent parameter format, the default parameters could not be displayed during discovery.
ID: 7344
Title: Changing all setuid root binaries to use linux capabilities
Component: Core & setup
Level: 2
Class: Security fix
Version: 1.6.0i1
In Linux a binary can be given the SETUID bit. This bit gives the
processes created by the binary all privileges of the binary file owner. There
is also a more advanced concept called "Linux capabilities" which makes it
possible to give these processes only a specific set of permissions.
In past versions Check_MK used SETUID root binaries in several places for
different reasons.
<ul>
<li>check_dhcp / check_icmp: Active check plugins which need this permission to
be able to open their raw sockets for sending and receiving their packets.</li>
<li>bin/mkeventd_open514: Open SNMP trap or syslog ports for receiving
messages.</li>
<li>lib/cmc/icmpsender / lib/cmc/icmpreceiver: CEE/CME only: Open raw sockets
for sending and receiving packets.</li>
</ul>
SETUID root binaries are problematic in terms of security, because they could
be used for getting root privileges in case an attacker finds an exploitable
security flaw in them. Once it is exploited, the attacker would gain full root
access on the Check_MK system.
Because all of these binaries need the privilege for a very specific known
reason, we have now removed the SETUID bit from these binaries and are now
setting individual Linux capabilities on them.
The capabilities have the advantage that they don't give full root access to
the processes created with the binary. Instead they give only a defined set of
permissions.
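An added example (not Check_MK code) for verifying this kind of change on a system: it reports whether a binary is still SETUID root and decodes the security.capability extended attribute in which the kernel stores file capabilities. The werk does not name the capabilities it sets; cap_net_raw (raw sockets) and cap_net_bind_service (ports below 1024) in the lookup table are assumptions, and the sample attribute value and paths are constructed.

```python
import os
import stat
import struct

# Capability bit numbers from linux/capability.h; which ones Check_MK sets is an assumption.
CAP_NAMES = {10: "cap_net_bind_service", 13: "cap_net_raw"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# vfs_cap_data revision -> number of 32-bit (permitted, inheritable) pairs
REVISION_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def decode_file_caps(raw):
    """Decode a security.capability xattr value: (permitted names, effective flag)."""
    if len(raw) < 4:
        raise ValueError("truncated vfs_cap_data")
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = REVISION_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown or truncated vfs_cap_data")
    permitted = 0
    for i in range(pairs):
        low, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= low << (32 * i)
    names = sorted(CAP_NAMES.get(bit, "cap_%d" % bit)
                   for bit in range(64) if (permitted >> bit) & 1)
    return names, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def audit_binary(path):
    """Return (is_setuid_root, permitted file capabilities) for one file."""
    st = os.stat(path)
    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    try:
        caps, _ = decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:  # ENODATA: no file capabilities set on this file
        caps = []
    return setuid_root, caps


# Constructed sample: revision 2, effective flag set, permitted = cap_net_raw only.
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(SAMPLE_XATTR))
    for path in ("/usr/bin/ping", "/usr/bin/passwd"):  # illustrative paths only
        if os.path.exists(path):
            print(path, audit_binary(path))
```

A binary that reports both SETUID root and a non-empty capability list has not actually lost its full root privilege and should be reviewed.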
ID: 7345
Title: Drop ancient scanparent_hosts configuration variable
Component: Core & setup
Level: 1
Class: Bug fix
Version: 1.6.0i1
The undocumented configuration variable <tt>scanparent_hosts</tt> was removed
from Check_MK base. In the unlikely case you have configured this variable for
some reason, you will have to remove it from your configuration.
ID: 7439
Title: PagerDuty notification when Host Check Command queries a service
Component: Notifications
Level: 1
Class: Bug fix
Version: 1.6.0i1
The PagerDuty notification plugin tried to parse perfdata and include it in the
notification payload. This led to some buggy behavior on host problems when
using a host check command. Since this information is not processed by
PagerDuty but only displayed, we have dropped the perfdata from the
notification. This is also consistent with the other notification plugins,
which do not include this information either.
ID: 7295
Title: postgres_stats: Optional ignore of db table
Component: Checks & agents
Level: 1
Class: New feature
Version: 1.6.0i1
This check plugin notifies about db tables which have never been analyzed or
vacuumed with status according to the configuration in the WATO rule
"PostgresSQL VACUUM and ANALYZE: Age of never analyzed/vacuumed tables".
Users can now disable this rule, such that never analyzed or vacuumed tables
are always {OK}.