ID: 15275
Title: apache_status.py: autodetection for processes with long pids
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
In certain cases (processes with long pids) the autodetection of apache
instances did not work correctly.
The functionality was broken since Werk #14679 and should now be
fixed.
ID: 15179
Title: <tt>logwatch</tt> agent plugin: Always encode output in UTF-8
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
This werk is only incompatible if you monitor logfiles containing non-ASCII characters with the
<tt>logwatch</tt> agent plugin.
As of this werk, the <tt>logwatch</tt> agent plugin always encodes its ouput in UTF-8. Before, the
encoding depended on the system settings.
This werk is marked as incompatible because it can have an unexpected side effect: On some systems,
users might now have to explicitly configure the encoding of the monitored log files. The reason for
this is that if not explicitly configured, the <tt>logwatch</tt> plugin tries to guess the encoding.
If the wrong encoding is guessed, log files are decoded incorrectly, however, before this werk, this
error might have cancelled out due to <tt>logwatch</tt> using the same encoding both for decoding
logfiles and encoding its output.
Since the latter is now always done using UTF-8, this cancellation will not happen anymore. If you
are affected by this, you will either see the replacement character `�` appearing in your log
messages or your log messages will contain random non-ASCII characters which do not make sense.
As a positive side effect, correcting this issue enables the matching of patterns containing non-
ASCII characters. Before, using the wrong encoding to decode the logfiles prevented this,
effectively leading to overlooked messages.
ID: 15180
Title: <tt>logwatch</tt> agent plugin on Windows: Enable monitoring of log files with non-ASCII characters in their paths
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Before this werk, the <tt>logwatch</tt> agent plugin crashed with
C+:
UnicodeEncodeError: 'ascii' codec can't encode character ...: ordinal not in range(128)
C-:
for log files whose paths contained non-ASCII characters.
ID: 14965
Title: Dedicated CA for agent certificates
Component: Checks & agents
Level: 1
Class: Security fix
Version: 2.2.0b1
On agent registration, the contacted site issues an x509 certificate to the requesting agent controller.<br>
Previously, this agent certificate has been signed by the site-local CA, that's also used to issue certificates used for distributed monitoring, and to issue the agent receiver's certificate.
Starting with this Werk, each Checkmk site will use a dedicated agent CA to issue certificates to requesting agent controllers.
This change slighly improves security, as agent receiver and agent controller can't be authenticated with the same root certificate anymore, making it impossible to act as each other.<br>
While this situation has effectively been prevented before, this is now assured already on transport level, rather than on application level.
To prevent locking out registered agents, preexisting (Created with a Checkmk version prior to this Werk) Checkmk sites will still accept certificates issued by the site CA in parallel to the new agent CA.<br>
New sites will only accept certificates issued by the agent CA.<br>
This change is also loosely coupled with the new certificate lifetime mentioned in Werk #14964.<br>
Since active agent controllers will automatically renew their certificate to a new lifetime-limited one, this also means that they will migrate to new new CA automatically.
As an additional benefit, experienced users now can replace the agent signing CA with their own one. This has to be done directly at the site's home directory, though.<br>
The new agent CA is located at <tt>~/etc/ssl/agents/ca.pem</tt> and can be replaced with a new one in the same format.<br>
To migrate from one CA to another, it's also possible to add additional trusted root certificates to <tt>~/etc/ssl/agents/</tt>.
Even though this Werk is related to security, it does not fix any exploitable
issue.<br>
To aid automatic scanners, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
ID: 14964
Title: Agent controller certificate lifetime
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
The TLS encryption for agent communication (introduced with Checkmk 2.1) makes use of x509 Certificates to authenticate the agent against the Checkmk site.<br>
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates used to have a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.<br>
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.<br>
You can choose from various values, with a minumum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.<br>
The same holds true for legacy certificates with a too-long validity period.<br>
That said, inactive TLS agents (agent controller daemon(Linux)/Checkmk agent service(Windows) not running) will actually lose their registration on certificate expiration.<br>
To resume agent communication, you'll then have to re-register the agent.
ID: 15220
Title: time period: put endpoint now returns 200 with edited time period config
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0b1
The time period put endpoint previously returned a 204 and no
data response. This werk is a fix to return the time period
object along with a status code of 200 to align with our
other put endpoints.
ID: 15382
Title: service: remove non functioning endpoint example from swagger-ui
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
The "Try out" in Swagger-UI does not work for endpoint examples which make use
of the "query" query parameter. The change must be adapted on the Swagger side.
In the meantime, such endpoints will be removed to avoid any confusion and the user
should refer to the examples in the ReDoc instead.