ID: 13286
Title: WATO WebAPI: Added additional user permission checks for various calls
Component: Setup
Level: 1
Class: Security fix
Version: 2.1.0i1
Stricter permission checking has been introduced for the following calls:
<ul>
<li>get_folder</li>
<li>add_folder</li>
<li>edit_folder</li>
<li>delete_folder</li>
<li>get_all_folders</li>
<li></li>
<li>add_host</li>
<li>add_hosts</li>
<li>edit_host</li>
<li>edit_hosts</li>
<li>get_hosts</li>
<li>delete_host</li>
<li>delete_hosts</li>
<li>get_all_hosts</li>
<li></li>
<li>get_all_contactgroups</li>
<li>delete_contactgroup</li>
<li>add_contactgroup</li>
<li>edit_contactgroup</li>
<li>get_all_hostgroups</li>
<li>delete_hostgroup</li>
<li>add_hostgroup</li>
<li>edit_hostgroup</li>
<li>get_all_servicegroups</li>
<li>delete_servicegroup</li>
<li>add_servicegroup</li>
<li>edit_servicegroup</li>
<li></li>
<li>get_all_users</li>
<li>delete_users</li>
<li>add_users</li>
<li>edit_users</li>
<li></li>
<li>activate_changes</li>
</ul>
If your WebAPI automation user is lacking a specific permission, it will be shown in the response message.
ID: 13513
Title: check_http: Fix replacement of HOSTALIAS in service description
Component: Core & setup
Level: 1
Class: Bug fix
Version: 2.1.0i1
If you used the macro "$HOSTALIAS$" in section "Service name" of the rule
"Check HTTP service", the macro was not replaced by the host's alias; the
service description showed "HTTP $HOSTALIAS$" instead.
ID: 13510
Title: omd cleanup: Always use "/omd/versions"
Component: RPM Packaging
Level: 1
Class: Bug fix
Version: 2.1.0i1
The real path (the canonical path, with all symbolic links resolved) was used
before, which led to packages not being found in special situations.
ID: 13483
Title: Checkmk Dockerfile: Enable authentication for relay_host
Component: Site Management
Level: 1
Class: New feature
Version: 2.1.0i1
This werk adds the package libsasl2-modules to the docker dependencies
to enable authentication for relay_host.
ID: 13456
Title: apt: Discover updates with ESM support
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.1.0i1
Previously, apt service wouldn't be discovered if there was an ESM
support warning indicating an outdated Linux distribution.
Now, updates are shown if ESM support is enabled.
If ESM support isn't enabled, apt service reports an error.
ID: 13524
Title: <tt>ntp_peer</tt>: Fix "TypeError (tuple indices must be integers or slices, not str)"
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.1.0i1
The check plugin <tt>ntp_peer</tt> crashed with
"TypeError (tuple indices must be integers or slices, not str)"
when using user-defined parameters.
ID: 13478
Title: Mitigate wrong conversion of disabled service rules on update
Component: Setup
Level: 1
Class: Bug fix
Version: 2.1.0i1
During <tt>cmk-update-config</tt>, some disabled services rules are broken by the introduction of undesired escaping.
This werk reduces the number of cases in which this happens.
Users' "Disabled Services" rules were affected if they fulfilled <b>all</b> of the following criteria:
<ul>
<li>They have exactly one host condition (explicit or pattern)</li>
<li>They have no tag based conditions</li>
<li>All their patterns for the service name end in "<tt>$</tt>"</li>
</ul>
After this werk, rules will only be affected if they additionally
<ul>
<li>have exactly one <b>explicit</b> host condition (not a regular expression)</li>
<li>contain <b>both</b> quoted and unquoted special characters in their service name pattern</li>
</ul>
For instance: "<tt>Foo[12]$</tt>" and "<tt>Foo\[12\]$</tt>" will remain unchanged, whereas "<tt>Foo\[1\][2]$</tt>" will be changed to "<tt>Foo\[1\]\[2\]$</tt>".
If this still affects you, you can avoid meeting the above criteria.
For instance, try replacing "<tt>my_hostname</tt>" with "<tt>~^my_hostname$</tt>", or craft a service name pattern that does not require the trailing "<tt>$</tt>".
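The criteria above can be checked against your own rules before running the update. The following is an added example, not Checkmk's migration code: the function names, the rule representation (a list of host conditions, a tag flag, a list of service name patterns) and the set of "special characters" are assumptions; only the "<tt>~</tt>" prefix for regex host conditions and the sample patterns come from this werk.

```python
SPECIAL = set(".^$*+?{}[]()|\\")  # assumption: the usual regex metacharacters


def ends_with_anchor(pattern):
    """True if the pattern ends in an unescaped "$"."""
    if not pattern.endswith("$"):
        return False
    body = pattern[:-1]
    trailing_backslashes = len(body) - len(body.rstrip("\\"))
    return trailing_backslashes % 2 == 0


def quoting(pattern):
    """Return (has_quoted, has_unquoted) special characters, ignoring the trailing "$"."""
    body = pattern[:-1] if ends_with_anchor(pattern) else pattern
    quoted = unquoted = False
    i = 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            quoted = quoted or body[i + 1] in SPECIAL
            i += 2  # skip the escaped character
            continue
        unquoted = unquoted or body[i] in SPECIAL
        i += 1
    return quoted, unquoted


def still_affected(host_conditions, has_tag_conditions, service_patterns):
    """Apply the werk's criteria (original list plus the two new ones) to one rule."""
    if len(host_conditions) != 1 or host_conditions[0].startswith("~"):
        return False  # needs exactly one explicit (non-regex) host condition
    if has_tag_conditions:
        return False
    if not all(ends_with_anchor(p) for p in service_patterns):
        return False
    return any(all(quoting(p)) for p in service_patterns)


# Constructed sample rules, using the patterns quoted in the werk.
SAMPLES = [
    (["my_hostname"], False, [r"Foo[12]$"]),
    (["my_hostname"], False, [r"Foo\[12\]$"]),
    (["my_hostname"], False, [r"Foo\[1\][2]$"]),
    (["~^my_hostname$"], False, [r"Foo\[1\][2]$"]),
]

if __name__ == "__main__":
    for hosts, tags, patterns in SAMPLES:
        print(hosts, patterns, "->", still_affected(hosts, tags, patterns))
```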
ID: 13325
Title: Two-factor authentication via FIDO2/WebAuthn
Component: Multisite
Level: 2
Class: New feature
Version: 2.1.0i1
With this change users of the Checkmk user interface can now configure Checkmk
to ask for a second factor during user authentication.
The new two-factor authentication is based on FIDO2/WebAuthn. You can use
authenticators such as the YubiKey, a USB token, a smartphone, Apple’s Touch
ID, and Windows Hello.
To enable the new feature, log in to the GUI and open the "User" mega menu on
the bottom left of the screen. Then select "Two-factor authentication". On the
opened page, you first need to click on "Add credential". Once you click that,
your browser will ask you to activate your authenticator. Once done, the
registration with your user account should be complete and a new registered
credential is displayed.
With this step you have enabled the two-factor authentication for your user
account. Future logins will only be possible with the activated authenticator.
If you don't have your authenticator at hand, you can use backup codes. It is
recommended to generate these backup codes right away by clicking on
"Regenerate backup codes". The resulting page will show you a list of 10 backup
codes. Store them in a safe place.
Administrators can see that a user has the two-factor authentication enabled in
the users list of the Setup. The Authentication column displays "Password
(+2FA)" for these users. Admins can disable two-factor authentication for users
to help them in case they don't have access to their second factor. This can be
done via "Setup > Users > Edit user > Disable two-factor authentication".
Please note that, because of the WebAuthn standard, this feature is only usable
if you access the GUI using HTTPS.
The WebAuthn two-factor authentication also restricts the type of host
address you use to access the GUI. It will be used as the relying party identifier
(https://www.w3.org/TR/webauthn-2/#relying-party-identifier) and has to be a
valid domain string (https://url.spec.whatwg.org/#valid-domain-string). You
will have to use either a simple host name or a fully qualified domain name.
Please note that you need to be consistent in the domain you use for the
two-factor authentication to work.
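The HTTPS and host address requirements above can be checked for the URLs your users actually use to reach the GUI. This is an added example, not Checkmk code: the function names and the sample URLs are constructed, and the domain check is a simplified ASCII-only approximation of the WHATWG "valid domain string" rule.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplified approximation: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def rp_id_problems(url):
    """Return the reasons this GUI URL cannot be used for WebAuthn ([] = usable)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        problems.append("IP address instead of a domain")
        return problems
    except ValueError:
        pass  # not an IP literal, so check it as a domain
    labels = host.rstrip(".").split(".")
    if not host or len(host) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        problems.append("host is not a valid domain string")
    return problems


def check_gui_urls(urls):
    """Return (per-URL problems, True if every URL uses the same host)."""
    report = {u: rp_id_problems(u) for u in urls}
    hosts = {urlsplit(u).hostname for u in urls}
    return report, len(hosts) == 1


# Constructed sample URLs; "mysite" is a placeholder site name.
SAMPLE_URLS = [
    "https://monitoring.example.com/mysite/",
    "https://monitoring/mysite/",
    "http://monitoring.example.com/mysite/",
    "https://192.0.2.10/mysite/",
]

if __name__ == "__main__":
    report, consistent = check_gui_urls(SAMPLE_URLS)
    for url, problems in report.items():
        print(url, "->", problems or "ok")
    print("single consistent host:", consistent)
```

A credential registered while using one host name will not be offered when the GUI is opened under a different one, which is why the second return value matters even when every URL passes individually.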