Title: mk_oracle: Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712217578
Edition: cre
Level: 2
Version: 2.1.0p42
You might be affected by this Werk if you use <tt>mk_oracle</tt> on a Unix
system.
You might be affected by this Werk if you use Oracle Wallet to connect to your
database.
You are definitely affected by this Werk if you use Oracle Wallet to connect to your
database and used the instructions in our official documentation to set up your
configuration.
This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4.
Since <a href="https://checkmk.com/werk/16232">Werk #16232</a> we switch to an
unprivileged user when executing Oracle binaries. This causes problems when
using an Oracle Wallet, as the unprivileged user might not be able to access
the files defining the connection details and credentials.
We introduced an additional permission check to the <code>-t</code> "Just check
the connection" option of <code>mk_oracle</code>. It should help you modify
the permissions so that you can continue using <code>mk_oracle</code> with Oracle Wallet.
You can execute it with the following command:
<pre>
MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t
</pre>
The path to <code>mk_oracle</code> might be different if you execute it asynchronously. For a
60 second interval the path would be <code>/usr/lib/check_mk_agent/plugins/60/mk_oracle</code>.
The script will test the permissions of the files needed to connect to the database. It boils down to the following:
<code>mk_oracle</code> will switch to the owner of
<code>$ORACLE_HOME/bin/sqlplus</code> before executing <code>sqlplus</code>. So
this user has to have the following permissions:
<ul>
<li>read <code>$TNS_ADMIN/sqlnet.ora</code></li>
<li>read <code>$TNS_ADMIN/tnsnames.ora</code></li>
<li>execute the wallet folder (<code>/etc/check_mk/oracle_wallet</code> if you followed the official documentation)</li>
<li>read files inside the wallet folder (<code>/etc/check_mk/oracle_wallet/*</code> if you followed the official documentation)</li>
</ul>
Besides that, we also fixed some bash syntax errors we introduced with
<a href="https://checkmk.com/werk/16232">Werk #16232</a>.
See <a href="https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting…">Troubleshooting mk_oracle for Windows and Linux</a>
for more information about troubleshooting this problem.
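The four requirements listed above can be pre-checked from the files' mode bits before running <code>mk_oracle -t</code>. This is an added example, not code from mk_oracle or Checkmk: the function names <code>can_access</code> and <code>check_wallet_perms</code> are hypothetical, and it assumes GNU <tt>stat</tt> (Linux) and ignores ACLs and parent-directory permissions.

```shell
#!/bin/sh
# Added illustration, not mk_oracle's own check. Assumes GNU stat (Linux).
# Only classic mode bits are evaluated; ACLs and the permissions of parent
# directories are not considered.

# can_access <r|x> <path> <uid> <gids>: do the mode bits of <path> grant the
# requested access to a user with this uid and this space-separated gid list?
can_access() (
    want=$1 path=$2 uid=$3 gids=$4
    [ -e "$path" ] || exit 1
    [ "$uid" -eq 0 ] && exit 0              # root can read files and enter directories
    set -- $(stat -c '%u %g %a' "$path")    # file owner uid, gid, octal mode
    mode=$((0$3))
    if [ "$uid" -eq "$1" ]; then
        shift_by=6                          # owner class
    else
        case " $gids " in
            *" $2 "*) shift_by=3 ;;         # group class
            *)        shift_by=0 ;;         # other class
        esac
    fi
    if [ "$want" = r ]; then bit=4; else bit=1; fi
    [ $(( (mode >> shift_by) & bit )) -ne 0 ]
)

# check_wallet_perms <uid> <gids> <tns_admin> <wallet_dir>
# Prints one line per unmet requirement from the list above and returns the
# number of unmet requirements (0 = the user can reach everything).
check_wallet_perms() (
    uid=$1 gids=$2 tns=$3 wallet=$4 fails=0
    need() {
        can_access "$1" "$2" "$uid" "$gids" && return 0
        echo "uid $uid lacks '$1' on $2"
        fails=$((fails + 1))
    }
    need r "$tns/sqlnet.ora"
    need r "$tns/tnsnames.ora"
    need x "$wallet"
    for f in "$wallet"/*; do
        if [ -f "$f" ]; then need r "$f"; fi
    done
    exit "$fails"
)

# Typical call, run as root, with the paths named in this Werk:
#   owner=$(stat -c %U "$ORACLE_HOME/bin/sqlplus")
#   check_wallet_perms "$(id -u "$owner")" "$(id -G "$owner")" \
#       "$TNS_ADMIN" /etc/check_mk/oracle_wallet
```

A non-zero return value is the number of files or directories whose owner, group or mode still has to be adjusted for the <code>sqlplus</code> owner.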
Title: mk_oracle: Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712217578
Edition: cre
Level: 2
Version: 2.2.0p25
You might be affected by this Werk if you use <tt>mk_oracle</tt> on a Unix
system.
You might be affected by this Werk if you use Oracle Wallet to connect to your
database.
You are definitely affected by this Werk if you use Oracle Wallet to connect to your
database and used the instructions in our official documentation to set up your
configuration.
This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4.
Since <a href="https://checkmk.com/werk/16232">Werk #16232</a> we switch to an
unprivileged user when executing Oracle binaries. This causes problems when
using an Oracle Wallet, as the unprivileged user might not be able to access
the files defining the connection details and credentials.
We introduced an additional permission check to the <code>-t</code> "Just check
the connection" option of <code>mk_oracle</code>. It should help you modify
the permissions so that you can continue using <code>mk_oracle</code> with Oracle Wallet.
You can execute it with the following command:
<pre>
MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t
</pre>
The path to <code>mk_oracle</code> might be different if you execute it asynchronously. For a
60 second interval the path would be <code>/usr/lib/check_mk_agent/plugins/60/mk_oracle</code>.
The script will test the permissions of the files needed to connect to the database. It boils down to the following:
<code>mk_oracle</code> will switch to the owner of
<code>$ORACLE_HOME/bin/sqlplus</code> before executing <code>sqlplus</code>. So
this user has to have the following permissions:
<ul>
<li>read <code>$TNS_ADMIN/sqlnet.ora</code></li>
<li>read <code>$TNS_ADMIN/tnsnames.ora</code></li>
<li>execute the wallet folder (<code>/etc/check_mk/oracle_wallet</code> if you followed the official documentation)</li>
<li>read files inside the wallet folder (<code>/etc/check_mk/oracle_wallet/*</code> if you followed the official documentation)</li>
</ul>
Besides that, we also fixed some bash syntax errors we introduced with
<a href="https://checkmk.com/werk/16232">Werk #16232</a>.
See <a href="https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting…">Troubleshooting mk_oracle for Windows and Linux</a>
for more information about troubleshooting this problem.
Werk 15843 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.2.0p25
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
<a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses the above-mentioned issue, which affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
Since this release, Oracle monitoring on Windows is fully supported under
either of the following conditions:
1. The monitoring is performed using an account without administrator rights.
2. Specific Oracle executable binaries, namely <tt>sqlplus.exe</tt>,
<tt>tnsping.exe</tt> and, if present, <tt>crsctl.exe</tt>, are not modifiable
by non-admin users.
If you are still unable to monitor Oracle, for example because you can't use an
unprivileged account for monitoring and changing permissions is not possible,
consider one of the following actions:
1. Enable <tt>Run as local group</tt> for group <tt>Administrators</tt> in the
<tt>Run plugins and local checks using non-system account</tt> ruleset.
2. Adjust the <tt>Oracle Binaries Permissions Check</tt> settings in the <tt>ORACLE databases (Linux,
Solaris, AIX, Windows)</tt> ruleset.
More information can be found <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
------------------------------------<diff>-------------------------------------------
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.2.0p25
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
Werk <a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses above mentioned issue that affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
- Since this release, Oracle monitoring on Windows is fully supported under
? -
+ Since this release, Oracle monitoring on Windows is fully supported under
- condition you use an account without administrator rights or the certain
- executable binaries, <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
- presented, <tt>crsctl.exe</tt> are write-protected, with the possible
- exception being the Administrator.
+ either of the following conditions:
+ 1. The monitoring is performed using an account without administrator rights.
+ 2. Specific Oracle executable binaries — namely, <tt>sqlplus.exe</tt>,
+ <tt>tnsping.exe</tt> and, if presented, <tt>crsctl.exe</tt> - are not modifiable
+ by non-admin users.
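Review bot: In the added item 2, the parenthetical opens with an em-dash after "binaries" but closes with a plain hyphen after <tt>crsctl.exe</tt>, and "if presented" should read "if present". Suggest the same punctuation on both sides of the list of binaries, for example commas.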
- If you are unable or prefer not to use an unprivileged account then you may
- need to adjust permissions for above mentioned binaries: remove <tt>Write</tt>,
- <tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
- user and group.
+ If you are still unable to monitor Oracle, for example, you can't use an
+ unprivileged account for monitoring and changing of permission is not possible,
+ consider one of the following actions:
+ 1. Enable <tt>Run as local group</tt> for group <tt>Administrators</tt> in
+ <tt>Run plugins and local checks using non-system account</tt> ruleset.
+ 2. Adjust <tt>Oracle Binaries Permissions Check</tt> settings in <tt>ORACLE databases (Linux,
+ Solaris, AIX, Windows)</tt> ruleset.
More information about can be found at <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
+
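Review bot: The replacement paragraph drops the concrete remediation the old text gave (remove <tt>Write</tt>, <tt>Full Control</tt> and <tt>Modify</tt> for any non-Administrator user and group) and only covers the case where changing permissions is not possible. Readers who can change permissions lose their instruction, so consider keeping that sentence ahead of the two fallback actions and stating what each fallback relaxes, since action 1 runs the plugin under the <tt>Administrators</tt> group. The unchanged closing line "More information about can be found at here" is also missing its object and should be reworded in the same change.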
Werk 15515 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# check_http: Soft deprecation of old HTTP monitoring plug-in
key | value
---------- | ---
date | 2024-04-03T13:15:48+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | no
The old plug-in is being deprecated in a soft way with this werk. Unlike
hard deprecation, the deprecated rule set "Check HTTP service" will remain
fully functional. However, new rules should only be created if absolutely
necessary, such as when experiencing issues with the new "Check HTTP web
service" implementation and needing to roll back to the old one.
Please note that the rule set will be hard deprecated in version 2.4.0,
meaning that you will no longer be able to create new rules. However, the
plug-in itself will remain available as this is a component of the
monitoring-plugins collection that comes with Checkmk.
Please let us know if you find any features that were present in the old
plug-in but are missing in the new one.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# check_http: Soft deprecatation of old HTTP monitoring plug-in
key | value
---------- | ---
date | 2024-04-03T13:15:48+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | no
The old plug-in is being deprecated in a soft way with this werk. Unlike
hard deprecation, the deprecated rule set "Check HTTP service" will remain
fully functional. However, new rules should only be created if absolutely
necessary, such as when experiencing issues with the new "Check HTTP web
service" implementation and needing to roll back to the old one.
Please note that the rule set will be hard deprecated in version 2.4.0,
meaning that you will no longer be able to create new rules. However, the
plug-in itself will remain available as this is a component of the
monitoring-plugins collection that comes with Checkmk.
- Please know us know if you find any features that were present in the old
? --------
+ Please let us know if you find any features that were present in the old
? +++++++
plug-in but are missing in the new one.
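Review bot: The title on the unchanged heading line still reads "deprecatation"; correct it to "deprecation" in the same change as the "Please let us know" wording fix, so the Werk does not need a third revision for spelling.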
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.1.0p42
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
<a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses the above-mentioned issue, which affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
Since this release, Oracle monitoring on Windows is fully supported under
the condition that you use an account without administrator rights or that certain
executable binaries, <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
present, <tt>crsctl.exe</tt>, are write-protected, with the possible
exception being the Administrator.
If you are unable or prefer not to use an unprivileged account then you may
need to adjust permissions for the above-mentioned binaries: remove <tt>Write</tt>,
<tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
user and group.
More information can be found <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.2.0p25
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
<a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses the above-mentioned issue, which affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
Since this release, Oracle monitoring on Windows is fully supported under
the condition that you use an account without administrator rights or that certain
executable binaries, <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
present, <tt>crsctl.exe</tt>, are write-protected, with the possible
exception being the Administrator.
If you are unable or prefer not to use an unprivileged account then you may
need to adjust permissions for the above-mentioned binaries: remove <tt>Write</tt>,
<tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
user and group.
More information can be found <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
[//]: # (werk v2)
# Fixed association of contacts with hosts/services/contactgroups
key | value
---------- | ---
date | 2024-04-05T13:48:37+00:00
version | 2.4.0b1
class | fix
edition | cre
component | livestatus
level | 3
compatible | yes
Checkmk 2.3 beta introduced a regression regarding contacts when
the Nagios core was used: The association of contacts with hosts,
services and contact groups was incorrect. A symptom of this bug
was, e.g., missing hosts or services in the GUI.
[//]: # (werk v2)
# check_cert: New active check for advanced certificate monitoring
key | value
---------- | ---
date | 2024-04-03T13:42:35+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | yes
The _check_http_ plug-in was previously the only method to monitor
certificates out-of-the-box with Checkmk. With the new plug-in, Checkmk
provides extensive functionality to monitor certificates. This includes
but is not limited to certificates provided by the HTTP protocol.
With the new plug-in you can monitor all certificates provided through
a TCP connection to encrypt communication. This includes the monitoring
of
* validity times (max and remaining)
* issuer fields
* subject fields
* encryption algorithm
* alternative names
* response times
* public key algorithm and size
* serial number
As with the reworked plugin to monitor web services, you are able to
configure multiple services within a single rule.
[//]: # (werk v2)
# check_http: Soft deprecation of old HTTP monitoring plug-in
key | value
---------- | ---
date | 2024-04-03T13:15:48+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | no
The old plug-in is being deprecated in a soft way with this werk. Unlike
hard deprecation, the deprecated rule set "Check HTTP service" will remain
fully functional. However, new rules should only be created if absolutely
necessary, such as when experiencing issues with the new "Check HTTP web
service" implementation and needing to roll back to the old one.
Please note that the rule set will be hard deprecated in version 2.4.0,
meaning that you will no longer be able to create new rules. However, the
plug-in itself will remain available as this is a component of the
monitoring-plugins collection that comes with Checkmk.
Please let us know if you find any features that were present in the old
plug-in but are missing in the new one.
Title: The configuration is correctly loaded by RRD helper processes
Class: fix
Compatible: compat
Component: core
Date: 1711447383
Edition: cee
Level: 2
Version: 2.1.0p42
This change ensures the reloading of the configuration by already
running RRD processes, thereby guaranteeing that those processes are
using the correct configuration.
SUP-17787
CMK-16318