ID: 1373
Title: Do not output complete command line when datasource programs fail
Component: Core & Setup
Level: 2
Class: Security Fix
Version: 1.2.5i6
When the execution of a datasource program like <tt>agent_vsphere</tt>
failed, Check_MK used to output the complete command line
as plugin output of the Check_MK active check as part of an error
message. The command line could contain passwords, however. So this
has now been changed to output just the path to the executable
(e.g. <tt>/omd/sites/mysite/share/check_mk/agents/special/agent_vsphere</tt>).
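The behaviour described in this werk, as an added Python example; it is not Check_MK's own code. The function names and the constructed failing command are assumptions made for illustration.

```python
import shlex
import subprocess
import sys


def executable_of(commandline):
    """Return only the program path (argv[0]) of a shell-style command line."""
    argv = shlex.split(commandline)
    return argv[0] if argv else ""


def run_datasource_program(commandline, timeout=60):
    """Run a datasource program; error messages name only the executable."""
    argv = shlex.split(commandline)
    program = executable_of(commandline)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        # str(TimeoutExpired) embeds the full argv, so report the type only.
        # "from None" keeps the chained exception out of the printed traceback.
        raise RuntimeError("Error executing datasource program %s: %s"
                           % (program, type(exc).__name__)) from None
    if proc.returncode != 0:
        # Neither the arguments nor stderr (which may echo them) are included.
        raise RuntimeError("Datasource program %s failed with exit code %d"
                           % (program, proc.returncode))
    return proc.stdout


def demo_failure_message():
    """Constructed sample: a program that exits 2, called with a fake password."""
    cmd = shlex.join([sys.executable, "-c", "raise SystemExit(2)",
                      "--secret=constructed-password"])
    try:
        run_datasource_program(cmd)
    except RuntimeError as exc:
        return str(exc)
    return None
```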
ID: 1144
Title: blade_bx_temp, dell_chassis_temp, emerson_temp, ibm_svc_enclosurestats, ups_bat_temp: rename service description
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i6
Rename service description of these checks. They now all begin with <tt>Temperature</tt>, as
is customary for all Check_MK checks. Beware: new graphs will be created. If these services are targets
of WATO or BI rules you might need to adjust them. Your WATO configuration for levels should work
without change.
ID: 1010
Title: chrony: new check for NTP synchronization via chrony on Linux
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i6
This check does the same as the existing {ntp.time} check, but is for
cases when {chrony} is being used instead of {ntpd}. It does not
support measuring jitter, however.
ID: 1097
Title: windows_agent: preventing missing agent sections on first query
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i6
The Windows agent did not report all sections on the first request(s) after
its startup, if some plugins were configured to run asynchronously.
This has been fixed. During startup, the agent now always executes the ASYNC scripts first
and waits for them to finish. After the scripts are finished, it starts listening on
the TCP port.
ID: 0647
Title: printer_input, printer_output: multiple fixes to algorithm for state determination and inventory function
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i6
The inventory function now considers the description of the unit if its name is not configured. This should lead to
more and more meaningful items. Still, all units with empty name and description will be merged into one single
service with an empty item name.
The algorithm to determine the states of a unit was plain wrong, so that a nonsense collection of states was given.
This has been corrected. Still several states may be derived, but they should now correctly describe the operational
state of the unit.
The inventory function also used the same algorithm to inventorize only units with meaningful states. Therefore some
changes may be expected in the inventory of a printer as well.
ID: 1008
Title: Overall check timeout for Check_MK checks now defaults to CRIT state
Component: Core & Setup
Level: 2
Class: New Feature
Version: 1.2.5i6
When using the Check_MK Micro Core as the core, the service status for Check_MK
services that ran into an overall timeout (default is 60 seconds) was UNKNOWN. This
has changed to CRIT. Furthermore this is configurable via a new <i>Timeout</i>
option in the ruleset <i>Status of the Check_MK service</i>.
ID: 1096
Title: New WATO webservices: manage hosts via webinterface
Component: WATO
Level: 3
Class: New Feature
Version: 1.2.5i6
It is now possible to manage hosts via web requests.<br>
This includes the following operations:
<ul>
<li>Add host</li>
<li>Edit host</li>
<li>Delete host</li>
<li>Get host attributes</li>
<li>Host service discovery</li>
<li>Activate changes</li>
</ul>
These operations also work in a distributed environment. You can find more information
regarding these web requests in the <tt>Roles & Permissions</tt> page under a role's settings.
There is a new permission topic <tt>Web API</tt> where you can configure the permission
of all available API requests. The help texts for these permissions provide some useful examples.
In the near future, there will be a "Howto Web-API" article in our online documentation, too.
ID: 0766
Title: Changed transid implementation to work as CSRF protection (Fixes CVE-2014-2330)
Component: Multisite
Level: 3
Class: Security Fix
Version: 1.2.5i2
This change fixes possible attacks against Check_MK Multisite users. In previous
versions a possible attacker could try to make the browsers of authenticated users
open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
knowledge of the attacked user.
To make such an attack possible, several things are needed: The user must be
authenticated with multisite and have enough permission within multisite to execute
the actions the attacker wants to use, and the attacker needs to know the exact URL to the
Multisite GUI. Then the attacker needs to make the user either click on a manipulated
link or open a manipulated webpage which makes the browser of the user, where the user
is authenticated with multisite, open the URL the attacker wants to make it open.
The multisite GUI makes use of transids (transaction ids) when processing form
submissions or actions. The transids were mainly used to prevent double execution
of actions when reloading the page which performed the action in the browser.
Now we changed internal handling of the transid to make it also prevent CSRF attacks.
The transid is now some kind of shared secret between the webserver and the browser
of the user. This ensures a form submission is intended by a previously requested page.
This change implies an incompatible change: In case you use a script which opens
multisite pages to perform an action, e.g. set a downtime, and use this with a regular
user account which authenticates by username/password, the script won't work anymore
after this change.
The way to go is to adapt the script and change the user to authenticate with an
automation secret instead of a password. For this kind of authentication, you will
need to use other URL parameters (_username=... and _secret=...).
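How a transaction id can serve as both double-submit protection and CSRF token, as the werk above describes. This is an added Python example, not Check_MK's implementation; the class name, the session ids and the age and count limits are assumptions.

```python
import hmac
import secrets
import time


class TransactionIds:
    """Per-session store of issued transids (hypothetical helper)."""

    def __init__(self, max_age=3600, max_ids=20):
        self.max_age = max_age   # seconds a transid stays valid
        self.max_ids = max_ids   # cap on unused ids kept per session
        self._issued = {}        # session id -> list of (transid, issued_at)

    def issue(self, session_id, now=None):
        """Called when rendering a form; returns the hidden-field value."""
        now = time.time() if now is None else now
        transid = secrets.token_urlsafe(32)   # unguessable for other sites
        ids = self._issued.setdefault(session_id, [])
        ids.append((transid, now))
        del ids[:-self.max_ids]               # keep only the newest ids
        return transid

    def consume(self, session_id, submitted, now=None):
        """Called before executing an action; True at most once per issued id."""
        now = time.time() if now is None else now
        candidate = (submitted or "").encode("utf-8")
        ids = self._issued.get(session_id, [])
        for entry in ids:
            transid, issued_at = entry
            # Constant-time comparison of the shared secret.
            if hmac.compare_digest(transid.encode("utf-8"), candidate):
                ids.remove(entry)   # single use: a page reload cannot repeat it
                return now - issued_at <= self.max_age
        return False                # unknown, forged or missing transid


def demo():
    """Constructed scenario: forged request, genuine submit, then a reload."""
    store = TransactionIds(max_age=60)
    transid = store.issue("session-of-user", now=1000)
    forged = store.consume("session-of-user", "value-from-other-site", now=1001)
    genuine = store.consume("session-of-user", transid, now=1002)
    reload_ = store.consume("session-of-user", transid, now=1003)
    return forged, genuine, reload_
```

A request forged from another site reaches the server with the user's session cookie but without a transid issued to that session, so `consume` rejects it.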