ID: 15088
Title: Views: Regex in 'Joined column' is now possible
Component: Multisite
Level: 1
Class: New feature
Version: 2.2.0i1
Now you can use regexes in {{Joined column}}s. If multiple entries are found
the first one of the sorted entries will be used.
These regexes can be combined with macros in inventory based views and are
evaluated {{AFTER}} the macro replacements. These macros don't need to be
escaped, all other special characters have to be escaped:
{{ORA $SID$\.SYSTEM Tablespace}}
Example:
<ul>
<li>Choose {{Oracle instances}} as the data source</li>
<li>Choose {{SID}} with {{$SID$}} below macros</li>
<li>Now you can connect {{Services: Summary}} of the services
{{ORA $SID$.(SYSAUX|TEMP) Tablespace}} below {{Joined column}}</li>
</ul>
ID: 14578
Title: kube_node_count: Check node count if there are zero control plane nodes
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
If there were no control plane nodes, Checkmk would not check the node count
against the tresholds for the control plane nodes configured in <tt>Kubernetes
node count</tt>.
ID: 15231
Title: Drop command line alias "cmk -P" for "mkp"
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
The extension packages manager has been callable from the command line in three ways:
LI: <tt>cmk -P [arguments]</tt>
LI: <tt>check_mk -P [arguments]</tt>
LI: <tt>mkp [arguments]</tt>
We no longer support the first ones, and only keep the <tt>mkp</tt> command.
This unification reduces confusion, eases documentation, and increases maintainability.
ID: 14963
Title: Check_MK Agent service: State if host is exluded from agent updates
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Within the ruleset "Checkmk agent installation auditing", it's possible for some time
to configiure the state that is reported if the host queried the server for an agent update,
but agent updates are globally disabled.
With this Werk, it's also possible to configure the state for hosts that are rejected by the
setting "Selection of hosts to activate agent updates for".
Please note that this new setting will only apply if agent updates are globally enabled, as
the agent bakery will not check the abovementioned host selection otherwise, hence no error
will be reported for the host being rejected.
ID: 15183
Title: Drop support for outdated password hashing schemes
Component: setup
Level: 1
Class: Security fix
Version: 2.2.0i1
With Checkmk 2.2.0 the support for older and in part insecure password hashing schemes has been removed.
As a result, it is possible that some local users cannot log in anymore.
<tt>omd update</tt> will now inform about these cases.
Since Werk #14391 old password hashes were either automatically updated upon login or users were asked to choose new passwords, depending on how old and insecure their hashes were.
However, if a user has not logged in at all since Werk #14391 it is possible that they still use the old hashing scheme.
These users will not be able to log in after the update, since support for these schemes has been removed.
The login will fail with the message "Invalid login".
In order to restore access for affected users, you need to manually reset their password.
This can be done either via user management in Setup > Users or via the commandline using cmk-passwd.
Even though this Werk is related to security, it does not fix any exploitable issue.
To aid automatic scanners, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
ID: 14689
Title: Fixed various Livestatus columns in the NEB
Component: Livestatus
Level: 1
Class: Bug fix
Version: 2.2.0i1
Accessing some Livestatus columns via the NEB could potentially lead to a crash
of the Nagios core. This affects the "service_period" column in the "hosts" or
"services" tables, or the "filename" column in the "hosts" table. This has been
fixed.
If you are running the CMC as the monitoring core, you have not been affected by
this bug.
ID: 15203
Title: Rule "Check Email": Allow current host address/name as mail server
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Currently the mail server in the "Check Email" rule does not allow macros such as $HOSTNAME$ as input.
To avoid repeated configuration for each host, the <tt>$HOSTADDRESS$</tt> or <tt>$HOSTNAME$</tt> can be selected in addition to the current input via the options "Use the address of the host for which the service is generated" and "Use the name of the host for which the service is generated" respectively.
If a <tt>$HOSTADDRESS$</tt> or <tt>$HOSTNAME$</tt> was used in a previous version, the corresponding option will be selected during the update.
ID: 15221
Title: Add support for HP A10508 switches
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
SNMP discovery now also detects HP A10508 switches with sysObjectID .1.3.6.1.4.1.25506.11.1.87
ID: 15185
Title: REST API: update password change time when changing automation user's secret
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, changing an automation user's authentication secret did not update the recorded timestamp of the last password change for the automation user.
As a result, the automation user could have been prevented from logging in by the password policy for local users, because the secret appeared to be too old.
The recorded timestamp is now updated when the secret is changed via the REST API.
Note that the issue did not affect changing an automation user's secret via the user management GUI (Setup > Users).
Here the timestamp was already updated correctly.
ID: 15184
Title: Do not enforce password change for automation users
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
The <tt>enforce_pw_change</tt> flag is now ignored for automation users.
Since automation users cannot change their passwords themselves, Checkmk will now no longer require them to do so, even if the flag is set.
Note that automation users can still be prevented from logging in if the password policy for local accounts defines a maximum password age.
This Werk is motivated by a fixup for Werk #14391, which could cause old automation users to be unable to log in.
Since Werk #14391 <tt>omd update</tt> / <tt>cmk-update-config<tt> looks for users whose passwords are hashed with outdated hashing schemes in <tt>etc/htpasswd</tt>.
Users whose passwords were hashed with the insecure algorithms <tt>MD5</tt> or <tt>DES Crypt</tt> are asked to change their password the next time they log in.
Moreover, the administrator running the update will see a warning that lists the affected users.
That check did not properly exclude old automation users created by Checkmk < 1.6.0, although the check does not make sense for them.
(Automation users do not log in the same way regular users do and their password hash is irrelevant.)
As a result, the flag to require a password change was set also for automation users, preventing automation users from logging in.
In addition, the automation users were mistakenly listed in the warning message mentioned above.
Note that automation users that have been created or had their automation secret changed with Checkmk >= 1.6.0 are not affected, as Checkmk didn't use the insecure hashing algorithms since version 1.6.0 (Werk #6846).
With this fix the flag to enforce a password change will no longer be set for automation users by that check and automation users will no longer be listed in the warning message.
Moreover, since the flag is now ignored for automation users, they will be able to log in again, even if the flag has already been set.