Werk 16434 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Synthetic Monitoring: Privilege Escalation
key | value
---------- | ---
date | 2024-06-24T14:56:31+00:00
version | 2.3.0p8
class | security
edition | cee
component | agents
level | 1
compatible | yes
The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which
have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit
the issue, if
1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule,
2. the same plan was configured without configuring `Execute plan as a specific user`
3. and a user on the host, onto which the scheduler has been deployed, was compromised.
In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific
user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM.
There is a second similar, but distinct issue. If
- there are two or more plans configured with `Execute plan as a specific user` with distinct users
- and one of the configured users was already compromised.
The attacker could then compromise the other user.
*Background*:
The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges.
Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup
the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all
users on the host to edit these Python environments. Thus, any compromised user on the host is also
able to compromise a user, which executes code from these shared environments.
With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their
access to the vulnerable Python environments revoked. Moreover, the permissions inside of the
working directory of Robotmk have been reworked. Users now only have access to directories, which
are required for their own executions.
Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler.
*Affected Versions*:
* 2.3.0
*Mitigations*:
If updating is not possible:
* Do not use the rule `Automated environment setup (via RCC)`.
* Always use the same user for `Execute plan as a specific user`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`.
CVE-2024-39934 has been assigned to this issue.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Synthetic Monitoring: Privilege Escalation
key | value
---------- | ---
date | 2024-06-24T14:56:31+00:00
- version | 2.3.0p11
? ^^
+ version | 2.3.0p8
? ^
class | security
edition | cee
component | agents
level | 1
compatible | yes
The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which
have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit
the issue, if
1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule,
2. the same plan was configured without configuring `Execute plan as a specific user`
3. and a user on the host, onto which the scheduler has been deployed, was compromised.
In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific
user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM.
There is a second similar, but distinct issue. If
- there are two or more plans configured with `Execute plan as a specific user` with distinct users
- and one of the configured users was already compromised.
The attacker could then compromise the other user.
*Background*:
The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges.
Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup
the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all
users on the host to edit these Python environments. Thus, any compromised user on the host is also
able to compromise a user, which executes code from these shared environments.
With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their
access to the vulnerable Python environments revoked. Moreover, the permissions inside of the
working directory of Robotmk have been reworked. Users now only have access to directories, which
are required for their own executions.
Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler.
*Affected Versions*:
* 2.3.0
*Mitigations*:
If updating is not possible:
* Do not use the rule `Automated environment setup (via RCC)`.
* Always use the same user for `Execute plan as a specific user`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`.
CVE-2024-39934 has been assigned to this issue.
Werk 15714 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Add support for Checkmk Appliance 1.7+
Class: feature
Compatible: compat
Component: distros
Date: 1701285077
Edition: cre
Level: 2
Version: 2.3.0b1
------------------------------------<diff>-------------------------------------------
Title: Add support for Checkmk Appliance 1.7+
Class: feature
Compatible: compat
Component: distros
Date: 1701285077
Edition: cre
Level: 2
- Version: 2.2.0p17
? ^ ^ -
+ Version: 2.3.0b1
? ^ ^
-
Werk 16589 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Monitor Redfish compatible management boards / BMCs via optional MKP
key | value
---------- | ---
date | 2024-03-06T16:44:06+00:00
version | 2.3.0b3
class | feature
edition | cre
component | checks
level | 1
compatible | yes
You can now monitor _Redfish_ compatible management boards / BMCs with Checkmk.
To do so, please enable the natively shipped MKP redfish in _Setup --> Extension packages_ (in commercial editions of Checkmk) or via the command line tool `mkp` (in Checkmk Raw).
This will enable a new datasource program under _Setup --> Other integrations --> Redfish Compatible Management Controller_.
This is an experimental integration created and supported by the Checkmk community (Andreas Döhler/Yogibaer75), which has already been tested in many environments.
However, due to the diverse nature of server hardware, we plan to integrate it entirely for Checkmk 2.4.0, once we have gathered further feedback.
You can find the latest versions of the extensions in [Andreas' GitHub repository](https://github.com/Yogibaer75/Check_MK-Things/tree/master/check…. There you can also raise issues or raise pull requests until the plug-ins will be mainlined into Checkmk.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Monitor Redfish compatible management boards / BMCs via optional MKP
key | value
---------- | ---
date | 2024-03-06T16:44:06+00:00
- version | 2.3.0p11
? ^^^
+ version | 2.3.0b3
? ^^
class | feature
edition | cre
component | checks
level | 1
compatible | yes
You can now monitor _Redfish_ compatible management boards / BMCs with Checkmk.
To do so, please enable the natively shipped MKP redfish in _Setup --> Extension packages_ (in commercial editions of Checkmk) or via the command line tool `mkp` (in Checkmk Raw).
This will enable a new datasource program under _Setup --> Other integrations --> Redfish Compatible Management Controller_.
This is an experimental integration created and supported by the Checkmk community (Andreas Döhler/Yogibaer75), which has already been tested in many environments.
However, due to the diverse nature of server hardware, we plan to integrate it entirely for Checkmk 2.4.0, once we have gathered further feedback.
You can find the latest versions of the extensions in [Andreas' GitHub repository](https://github.com/Yogibaer75/Check_MK-Things/tree/master/check…. There you can also raise issues or raise pull requests until the plug-ins will be mainlined into Checkmk.
Werk 15373 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: time_period: disallow builtin timeperiod as the exclude option
Class: fix
Compatible: compat
Component: config
Date: 1676358006
Edition: cre
Knowledge: doc
Level: 1
Version: 2.3.0b1
This werk fixes an issue where the user could via the gui
interface, select the builtin time period 24X7 as the
timeperiod to exclude in a custom time period. This is
no longer possible. If there are no other time periods
to select, the exclude option will not be shown.
------------------------------------<diff>-------------------------------------------
Title: time_period: disallow builtin timeperiod as the exclude option
Class: fix
Compatible: compat
Component: config
Date: 1676358006
Edition: cre
Knowledge: doc
Level: 1
- Version: 2.2.0b1
? ^
+ Version: 2.3.0b1
? ^
This werk fixes an issue where the user could via the gui
interface, select the builtin time period 24X7 as the
timeperiod to exclude in a custom time period. This is
no longer possible. If there are no other time periods
to select, the exclude option will not be shown.
-
Werk 16809 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# check_by_ssh: Crashed in 2.3 beta if 'timeout' was configured
key | value
---------- | ---
date | 2024-04-25T10:27:15+00:00
version | 2.3.0p1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# check_by_ssh: Crashed in 2.3 beta if 'timeout' was configured
key | value
---------- | ---
date | 2024-04-25T10:27:15+00:00
- version | 2.3.0b7
? ^^
+ version | 2.3.0p1
? ^^
class | fix
edition | cre
component | checks
level | 1
compatible | yes
-
-
Werk 16682 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Ruleset API: Fix migration with scaling of SimpleLevels
key | value
---------- | ---
date | 2024-04-17T11:19:36+00:00
version | 2.3.0b6
class | fix
edition | cre
component | checks
level | 1
compatible | no
This change is relevant to plugin developers
The migration helper functions `migrate_to_integer_simple_levels` and `migrate_to_float_simple_levels` for `SimpleLevels` currently apply the scaling factor (if given) every time the migration is run, meaning also to the already migrated value.
This means any rule where these helpers are used with a scaling factor will have incorrect values and will have to be manually corrected.
No shipped rules are affected by this.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Ruleset API: Fix migration with scaling of SimpleLevels
key | value
---------- | ---
date | 2024-04-17T11:19:36+00:00
- version | 2.3.0
+ version | 2.3.0b6
? ++
class | fix
edition | cre
component | checks
level | 1
compatible | no
This change is relevant to plugin developers
The migration helper functions `migrate_to_integer_simple_levels` and `migrate_to_float_simple_levels` for `SimpleLevels` currently apply the scaling factor (if given) every time the migration is run, meaning also to the already migrated value.
This means any rule where these helpers are used with a scaling factor will have incorrect values and will have to be manually corrected.
No shipped rules are affected by this.
-
[//]: # (werk v2)
# Re-introduce missing requirement documentation for interface check
key | value
---------- | ---
date | 2024-07-30T15:18:46+00:00
version | 2.3.0p12
class | fix
edition | cre
component | checks
level | 1
compatible | yes
During consolidation of various interface checks, necessary
prerequisites for the Solaris and HP-UX were omitted from the
documentation.
In this werk, https://checkmk.com/integrations/interfaces is updated
include the necessary prerequisites to monitor network interfaces on all
operating systems again.
[//]: # (werk v2)
# Make Microsoft IIS monitoring locale independent
key | value
---------- | ---
date | 2024-07-24T12:52:15+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | no
Previously, the agent requesting the IIS App Pool state was hard-coded
to work only on host machines localized in English.
In this werk, the agent has been updated to work independently of host
system locale.
**Incompatible Change:**
You have to redeploy the agent plugin in order to apply this feature.
[//]: # (werk v2)
# Re-introduce missing requirement documentation for interface check
key | value
---------- | ---
date | 2024-07-30T15:18:46+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
During consolidation of various interface checks, necessary
prerequisites for the Solaris and HP-UX were omitted from the
documentation.
In this werk, https://checkmk.com/integrations/interfaces is updated
include the necessary prerequisites to monitor network interfaces on all
operating systems again.
[//]: # (werk v2)
# users: allow user edit saving when 'authorized_sites' attribute is locked
key | value
---------- | ---
date | 2024-07-29T12:08:49+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
Prior to this werk, an error occurred when attempting to save the user edit
page if the 'authorized_sites' attribute was locked. This werk resolves the issue.