ID: 14781
Title: Monitor systemd sockets as single services
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Previously, only Systemd's services could be monitored as single services.
With this werk, Systemd's sockets can be monitored as a single check, similar to Systemd's services.
ID: 14731
Title: super_server: Reenable "Checkmk agent network service (Linux)" ruleset
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
This is a regression since Checkmk 2.1.
The agent package install scripts didn't recognize the <tt>/etc/check_mk/super_server.cfg</tt>
correctly. As a result, the super server, if configured other than "auto",
wasn't set correctly.
In order to apply this fix, an agent update or reinstallation has to be done on
affected hosts.
ID: 14801
Title: Improve detection when OMD runs in a container
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, we could reliably detect whether OMD is running in a container only for docker and podman.
The official docker image now sets a CMK_CONTAINERIZED=TRUE environment variable that
is checked in omd. This works independently of the container runtime used.
ID: 14610
Title: super_server: Missing systemd units/xinetd services after agent update (RPM)
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
After an agent update to a 2.1 Linux agent (prepackaged and bakery versions)
on RPM based systems, the agent installation may end up with missing systemd
units or a missing xinetd service file.
As a workaround, or to recover from an agent installation with a broken super server,
agents can be reinstalled once manually with <tt>cmk-update-agent --reinstall</tt>
or <tt>cmk-update-agent --force</tt> to restore the missing file(s).
Subsequent agent updates won't run into the same problem again.
With this Werk, the initial agent update to version 2.1 won't run into the
problem in the first place.
ID: 14609
Title: super_server: Cleanup config files when installing a bakery package
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
This Werk will be compatible for most users. See below for details.
When using the prepackaged agent package on DPKG or RPM based systems,
some xinetd/systemd files are marked as config files and won't be removed
on uninstallation/update.
This leads to problems when updating from a prepackaged agent package
to a bakery agent package, as leftover service or unit files would
occupy the listening agent port.
Bakery agent packages will now remove all deprecated systemd/xinetd
files that may be leftover from old installations before activating the
new super server coming from the new package.
Please be aware that, starting with this Werk, agent packages from the agent
bakery will discard changes made to xinetd/systemd files from
a previously installed prepackaged/raw edition agent package. While this
is expected behavior for bakery packages, it may still change some agent
installations in an unexpected way, because this was done inconsistently
in the past.
ID: 14747
Title: Fix duplicate history log while processing spoolfiles
Component: Notifications
Level: 1
Class: Bug fix
Version: 2.2.0i1
Werk #13114 fixed missing history log entries for direct local delivery of
notifications.
If notification spooling was used afterwards, there was a duplicate message
logged.
Now only one message is logged for spoolfiles as well.
ID: 14695
Title: azure_traffic_manager: Monitor Azure Traffic Manager
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
It's now possible to monitor Azure Traffic Manager in Checkmk.
Two new checks have been added:
<ul>
<li>Microsoft Azure Traffic Manager: Qps</li>
<li>Microsoft Azure Traffic Manager: Probe State</li>
</ul>
The new services will be automatically discovered if you have
an Azure Traffic Manager Profile in the resource group already
monitored in Checkmk.
ID: 14433
Title: KUBE: New workload resource: CronJobs
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
This werk introduces CronJobs to the Kubernetes agent.
Similar to other Kubernetes objects, Checkmk creates a piggyback host for each CronJob.
The CronJob host supports:
- Memory resources
- CPU resources
- Info
ID: 14384
Title: Fix command injection in livestatus query headers
Component: Livestatus
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk it was possible to inject livestatus commands in Checkmk's livestatus wrapper and Python API.
Attackers could add additional commands in the AuthUser query header using newline characters.
This allowed running arbitrary livestatus commands, including external commands to the core.
The issue could only be exploited by attackers from localhost, where the tampered header could be injected in a request to graph data.
We thank Stefan Schiller (SonarSource) for reporting this issue.
<b>Affected Versions</b>:
All currently supported versions are affected: 1.6, 2.0, and 2.1.
<b>Mitigations</b>:
Immediate mitigations are not available.
<b>Indicators of Compromise</b>:
Review the logs of Nagios / CMC for suspicious commands.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L</tt>.
A CVE has been requested.
<b>Changes</b>:
This Werk adds sanitization for the AuthUser header field.
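The class of bug described in Werk 14384, shown as an added example that is not Checkmk's own code: a line-oriented query built with an unchecked header value beside a form that rejects line breaks. The function names and the sample value are hypothetical, and the sanitization shipped with the Werk may differ.

```python
# Added illustration; not Checkmk's implementation. All names are hypothetical.
import re

# A Livestatus query is line-oriented: "GET <table>", then one header per
# line, terminated by an empty line. A line break inside a header value
# therefore starts a new line of the query.
_LINE_BREAKS = re.compile(r"[\r\n]")

# Constructed sample value: a user name followed by a newline and extra text.
TAMPERED = "alice\nInjectedLine"


def build_query_unsafe(table: str, auth_user: str) -> str:
    """'Before' form: the header value is interpolated without any check."""
    return f"GET {table}\nAuthUser: {auth_user}\n\n"


def build_query_checked(table: str, auth_user: str) -> str:
    """Hardened form: refuse empty values and values containing CR or LF."""
    if not auth_user or _LINE_BREAKS.search(auth_user):
        raise ValueError("invalid AuthUser header value")
    return f"GET {table}\nAuthUser: {auth_user}\n\n"


def query_lines(query: str) -> list[str]:
    """Split a query into the lines a line-oriented parser would see."""
    return [line for line in query.split("\n") if line]


def is_rejected(auth_user: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_query_checked("hosts", auth_user)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(query_lines(build_query_unsafe("hosts", TAMPERED)))
    print(is_rejected(TAMPERED), is_rejected("alice"))
```

The unchecked builder yields three lines for the tampered value instead of two, which is the extra line the parser would act on; the checked builder raises before anything is sent.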