Title: Rework of "Add to" option in views
Class: feature
Compatible: compat
Component: multisite
Date: 1702393252
Edition: cre
Level: 1
Version: 2.3.0b1
The option to add views to e.g. dashboards can now be found within the "Export"
dropdown.
A popup will show an autocompleter dropdown where you can select the target.
Title: Improve Symmetric Agent Encryption on Linux
Class: feature
Compatible: compat
Component: checks
Date: 1702055121
Edition: cre
Level: 1
Version: 2.3.0b1
This Werk improves the agent's built-in symmetric encryption for Linux hosts.
The new encryption scheme adds authentication of the encrypted data and improves the method used to derive cryptographic key material from the shared secret configured in the rule.
To use the new encryption scheme, OpenSSL >= 1.0.0 (preferably >= 1.1.1) must be available on the host.
For testing and debugging purposes, a bash script to decrypt the agent's output can be found in the Checkmk repository under `doc/treasures/agent_legacy_encryption/decrypt.sh`.
Older encryption schemes can still be decrypted by the Checkmk site.
**Important disclaimers:**
If the Agent Controller with TLS encryption is available, use that instead.
The built-in symmetric encryption should only be used if TLS is not available.
Moreover, there is no advantage in using both.
Disable the symmetric encryption if you can use TLS.
The security of this encryption scheme strongly depends on the security of the shared secret configured in the rule.
Use a long, random secret.
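The werk names two properties of the new scheme, authenticated ciphertext and key material derived from the shared secret, without describing the construction itself. The following Python block is an added illustration of those two properties and is not the Checkmk agent's code or its actual cipher: it derives separate encryption and MAC keys from the configured secret with a salted PBKDF2, encrypts with an HMAC-SHA256 counter-mode keystream (a standard-library stand-in for the OpenSSL cipher the werk requires), and verifies the tag before decrypting, so a modified message or a wrong secret is rejected. Iteration count, salt, nonce and tag sizes are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Parameters of this illustration (assumed, not taken from the Checkmk agent).
PBKDF2_ITERATIONS = 200_000   # raise as far as the host can afford
SALT_LEN = 16                 # per-message salt for the KDF
NONCE_LEN = 16                # per-message nonce for the keystream
TAG_LEN = 32                  # HMAC-SHA256 tag


def derive_keys(shared_secret: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the configured secret into two independent 32-byte keys.

    One KDF output split into an encryption key and a MAC key means the MAC
    key is never reused as cipher key, and guessing a weak secret costs
    PBKDF2_ITERATIONS hashes per guess. No KDF can rescue a short secret,
    which is why the werk asks for a long random one.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", shared_secret.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter).

    Stand-in for a real block cipher so the example needs only the standard
    library; the real agent relies on OpenSSL as the werk states.
    """
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(shared_secret: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(shared_secret, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    body = salt + nonce + ciphertext
    # The tag covers salt and nonce too, so they cannot be swapped undetected.
    tag = hmac.new(mac_key, body, "sha256").digest()
    return body + tag


def decrypt(shared_secret: str, blob: bytes) -> bytes:
    """Verify the tag over the whole message first; only then touch the ciphertext."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("message truncated")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(shared_secret, salt)
    expected = hmac.new(mac_key, body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("authentication failed: wrong secret or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def new_shared_secret() -> str:
    """Generate the kind of secret the werk asks for: long and random."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample payload, standing in for agent output.
    secret = new_shared_secret()
    sample = b"<<<check_mk>>>\nVersion: 2.3.0b1\n"
    blob = encrypt(secret, sample)
    assert decrypt(secret, blob) == sample
    corrupted = bytearray(blob)
    corrupted[SALT_LEN + NONCE_LEN] ^= 0x01   # flip one ciphertext bit
    try:
        decrypt(secret, bytes(corrupted))
    except ValueError as err:
        print("rejected:", err)
```

Running the module shows a round trip and a rejected one-bit corruption. The point for a defender is the order of operations in `decrypt`: the tag is checked over everything, including salt and nonce, before any keystream is applied, and the comparison is constant-time. The werk's warning about the secret still applies: PBKDF2 slows guessing but cannot turn a short secret into a strong key, which is what `new_shared_secret` is there to illustrate.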
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.3.0b1
When a custom check plugin that used tuples as dictionary keys in its section crashed,
the creation of the crash report failed and crashed itself.
Crash reports are now created successfully in this case.
Title: Improvement of "Schedule downtimes" command dialog
Class: feature
Compatible: compat
Component: multisite
Date: 1702297650
Edition: cre
Level: 1
Version: 2.3.0b1
The command dialog for setting downtimes in views was reworked to improve
usability.
The different options can now be set from the top to the bottom and only one
submit button is used to schedule a downtime.
Preset durations can be set within the section "Duration". Custom presets can be
set via the "Edit presets" link.
The start and end time can now optionally be set via a time and date picker.
Advanced options are bundled in their own section.
Werk 15715 was deleted. The following Werk is no longer relevant.
Title: agent_proxmox_ve: Use statically configured IP address if set
Class: fix
Compatible: compat
Component: checks
Date: 1701627600
Edition: cre
Level: 1
Version: 2.3.0b1
The special agent always used the hostname to connect to the Proxmox VE host, even if the host
address was configured explicitly. It now uses the statically configured IP address if one is set.
Title: notification rule: update rule no longer creates a new rule
Class: fix
Compatible: compat
Component: rest-api
Date: 1702294645
Edition: cre
Level: 1
Version: 2.3.0b1
This werk addresses an issue found when updating a notification rule via
the REST API. Previously, instead of updating the existing rule, a new
rule was created. The existing rule is now updated as expected.
Title: Privilege escalation in Agent
Class: security
Compatible: compat
Component: checks
Date: 1701938773
Edition: cre
Level: 2
Version: 2.3.0b1
To monitor Livestatus of the sites running on a host, the Checkmk agent uses unixcat, which is part of Checkmk.
Since the binary is linked against libraries that are also part of Checkmk and may differ from the operating system's libraries, calling unixcat outside the scope of a site could result in errors due to version mismatches in these libraries.
To use the correct libraries, Checkmk 2.2.0p10 introduced a fix that added the site's library path to the unixcat call in the agent.
Since the lib folder within a site is writable by the site user, a rogue site could inject malicious libraries into the unixcat call, which the agent executes as root, leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
<b>Affected Versions</b>:
LI: since 2.2.0p10
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31210 to this vulnerability.
<b>Changes</b>:
This Werk changes the library path from the site to the version files, which are only root-writable.
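The fix described above removes a site-writable directory from the library path of a helper that the agent executes as root. As an added example, not part of the werk or of the Checkmk agent, the Python block below shows the precondition such a wrapper can enforce before trusting any library directory: it must exist, be a real directory rather than a symlink, be owned by the expected uid (root by default) and not be writable by group or others. The paths in the `__main__` section are placeholders, not the agent's real locations.

```python
import os
import stat
from typing import List, Tuple


def unsafe_library_dirs(dirs: List[str], expected_uid: int = 0) -> List[Tuple[str, str]]:
    """Return (path, reason) for every directory that must not be trusted.

    A directory is trusted only if it exists, is a real directory (not a
    symlink that another user could repoint), is owned by expected_uid
    (root by default) and is not writable by group or others. Anything
    else on the search path of a root-executed binary is a library
    injection point, which is the hazard the werk describes.
    """
    problems = []
    for path in dirs:
        try:
            st = os.lstat(path)          # lstat: do not follow symlinks
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            problems.append((path, "symlink"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
            continue
        if st.st_uid != expected_uid:
            problems.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "writable by group or others"))
    return problems


def build_library_path(dirs: List[str], expected_uid: int = 0) -> str:
    """Join dirs for LD_LIBRARY_PATH, refusing if any entry is untrusted.

    Failing closed matters here: silently dropping a bad entry would leave
    the helper running with a different library set than intended.
    """
    problems = unsafe_library_dirs(dirs, expected_uid)
    if problems:
        detail = "; ".join(f"{path} ({reason})" for path, reason in problems)
        raise PermissionError(f"refusing to use library path: {detail}")
    return ":".join(dirs)


if __name__ == "__main__":
    # Placeholder paths only (constructed for the example): the first stands
    # for the kind of site-writable entry the werk removed, the second for a
    # root-writable versioned entry of the kind it kept.
    candidates = ["/path/to/site/lib", "/path/to/version/lib"]
    for path, reason in unsafe_library_dirs(candidates):
        print(f"untrusted: {path}: {reason}")
```

The check inspects only the listed directories; a complete version would also walk each ancestor, because a group- or world-writable parent lets its owner rename or replace the directory, and it would apply the same test to the helper binary itself. Passing `expected_uid` lets the same check run in tests as an unprivileged user.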
Werk 16033 was deleted. The following Werk is no longer relevant.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.3.0b1
When a custom check plugin that used tuples as dictionary keys in its section crashed,
the creation of the crash report failed and crashed itself.
Crash reports are now created successfully in this case.
Werk 16159 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: linux-bonding: introduce check for expected bonding mode
Class: feature
Compatible: incomp
Component: checks
Date: 1698999268
Edition: cre
Level: 1
Version: 2.3.0b1
The service monitoring rule "Linux monitoring service status"
was previously used for both Linux and OVS. This werk
now splits this rule in two. We now have the following rules:
Bonding interface status
OVS bonding interface status
The reason behind this is that we have now introduced an
expected mode configuration parameter only for the Linux
rule. You are now able to select the expected bonding
mode and the state you want to display when this condition
is not met.
Actions:
Case 1: Rule configured for Linux
Action: do nothing.
Case 2: Rule configured for OVS
Action: All previously configured rules will now appear as
Linux Bonding interface status rules. Therefore you will
have to delete them and create new "OVS Bonding interface
status" rules.
------------------------------------<diff>-------------------------------------------
Title: linux-bonding: introduce check for expected bonding mode
Class: feature
Compatible: incomp
Component: checks
Date: 1698999268
Edition: cre
Level: 1
Version: 2.3.0b1
The service monitoring rule "Linux monitoring service status"
was previously being used for both Linux and OVS. This werk
now splits this rule in two. We now have the following rules.
- Linux bonding interface status -> Linux
- Bonding interface status -> OVS
? -------
+ Bonding interface status
+ OVS bonding interface status
The reason behind this, is that we have now introduced an
expected mode configuration parameter only for the Linux
rule. So you are now able to select the expected bonding
mode and the state you want to display when this condition
is not met.
+ Actions:
- This also means that there is a change to the configuration.
- So, if you currently have the "Linux bonding interface status"
- rule configured, the actions you have to take are the
- following
Case 1: Rule configured for linux
- Action: The config update process will handle the update.
+ Action: do nothing.
Case 2: Rule configured for OVS
- Action: All previously configured rules will now appear
+ Action: All previously configured rules will now appear as
? +++
- as Linux Bonding interface status rules. Therefore you
? ---
+ Linux Bonding interface status rules. Therefore you will
? +++++
- will have to delete them and create new "Bonding interface
? -----
+ have to delete them and create new "OVS Bonding interface
? ++++
status" rules.
+
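Review bot: the rule names in the Actions part of the new text do not match the rule list introduced above it. The list now reads `Bonding interface status` and `OVS bonding interface status`, yet Case 2 still says the migrated rules "will now appear as Linux Bonding interface status rules" and asks for new "OVS Bonding interface status" rules, keeping the `Linux` prefix the diff removed from the list and capitalising `Bonding` differently; use one exact rule name per rule in both places so a user can find them in the UI. Separately, replacing `Action: The config update process will handle the update.` with `Action: do nothing.` drops the information that the Linux rule is migrated automatically; keep that sentence, since "do nothing" alone does not say whether the existing rule keeps working after the update.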