ID: 10580
Title: Memory check plugins: Unify service descriptions
Component: Checks & agents
Level: 2
Class: New feature
Version: 1.7.0i1
Several Memory check plugins have been unified with respect to their service
description, which is now simply "Memory" or "Memory $ITEM$".
In order to use these new service descriptions you have to enable them below
{Global settings}, {Use new service descriptions}. Renaming of existing services
has many implications - including existing rules, performance data and availability
history - these renamings are disabled per default for existing installations.
Here you can switch to the new descriptions for selected check types.
Renaming the services will mean you loose all historic data. If you want to rename
the services but keep the recorded metrics, you have to rename the RRD files in
<tt>~/var/pnp4nagios/perfdata/$HOST$</tt> or <tt>~/var/check_mk/rrd/$HSOT$</tt>
according to the service name change.
Affected check plugins are:
LI:aix_memory
LI:brocade_sys.mem
LI:cisco_mem
LI:cisco_mem_asa
LI:cisco_mem_asa64
LI:db2_mem
LI:docker_container_mem
LI:esx_vsphere_hostsystem.mem_usage
LI:esx_vsphere_hostsystem.mem_usage_cluster
LI:fortigate_memory
LI:fortigate_memory_base
LI:fortigate_node.memory
LI:hr_mem
LI:huawei_switch_mem
LI:innovaphone_mem
LI:juniper_mem
LI:juniper_screenos_mem
LI:juniper_trpz_mem
LI:mem.used
LI:mem.win
LI:netscaler_mem
LI:solaris_mem
LI:sophos_memory
LI:statgrab_mem
LI:tplink_mem
ID: 10432
Title: cmk-update-agent.exe: Fix security issue on Windows
Component: agents
Level: 2
Class: Security fix
Version: 1.7.0i1
Recently, a vulnerability of PyInstaller, that we use to compile
the cmk-update-agent.exe executable on windows to one file, has been
discovered, see
<a href=https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7f…>here</a>.
Only the windows version of the cmk-update-agent binary is affected. Unix versions and the python script
are not affected.
We fix this issue by updating to PyIntaller 3.6.
ID: 10677
Title: Windows plugins and local checks can be called using non-system account
Component: Checks & agents
Level: 2
Class: New feature
Version: 1.7.0i1
Previously the plugins and local check were always called using <i>Windows
System account</i>. Such approach could restrict access to some resources,
for example, network shares. Now this problem has been resolved.
The new ruleset in Bakery <tt>Run plugins and local checks using non-system
account</tt> gives the possibility to run any Windows script using a given
user account.
There are two modes of the rule:
<i>group mode</i>, in this case Windows Agent provides its own internal
user in the requested group to run a script.
<i>user mode</i>, in this case the credentials for the given user account
must be fully specified.
The <i>group mode</i> is more secure, because no credentials need to be
stored anywhere, except in the agent internally. When using the
<i>user mode</i>, the provided credentials are stored on all Checkmk
servers to which the configuration is applied. Also, the credentials will
be baked into the distributed to target systems agent bakery
packages(MSI files).
The same functionality in Raw Edition can be achieved using Agent configuration
file.
To set <i>group mode</i> for desired plugin pattern you should assign
the name of the local group to the key <tt>group</tt>. To set <i>user mode</i>
for desired plugin pattern you should assign string with user name and password
separated with one space to the key <tt>user</tt>. Detailed example you may found
in the provided configuration file.
We highly recommend using the <i>group mode</i> whenever possible.