ID: 0812
Title: nginx_status: New check for monitoring status information of the Nginx web server
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
Implemented a new check which uses the Nginx stub status module to monitoring inner
information of the Nginx process about number of active connections, connections per
second, requests per second and so on.
ID: 0930
Title: WATO snapshots: disabled upload of legacy snaphots and snapshots with invalid checksums
Component: WATO
Level: 2
Class: New Feature
Version: 1.2.5i3
The upload of insecure snapshots has been disabled per default, because those
snapshots represent a security risk if their content were modified willingly or unwillingly.
Insecure snapshots are all legacy snapshots and snapshots of the newer type, but with an invalid checksum.
You can re-enable the upload of insecure snapshots via the new global setting<br>
<tt>Configuration GUI (WATO) -> Allow upload of insecure WATO snapshots</tt>
ID: 0929
Title: windows agent: now able to include and execute additional local and plugin scripts as different user
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
In the <tt>[local]</tt> and <tt>[plugin]</tt> sections the new option <tt>include</tt> has been introduced.
With this option you can configure additional local and plugin directories, which should get parsed.
You can also configure the the scripts in the given directories should be executed as a different user.
<br><br>
Example configuration:<br>
F+:check_mk.ini
[plugin]
# The scripts in the following folder are executed as user \\ab
include \\ab = C:\users\ab\plugins
# The scripts in the following folder are executed without any changes to the user permission
include - = C:\scripts\plugin
F-:
<b>Important:</b> Keep in mind that the agent needs the permission to run
scripts as other user. Internally it uses the windows command <tt>runas /User:</tt>
which prompts for a password if the windows agent has no permission to change to this user.
ID: 0928
Title: runas: new plugin script to include and execute mrpe, local and plugin scripts as different user
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
With the new plugin <tt>runas</tt> you can configure additional include files and
directories for mrpe, local and plugin scripts. You can also change the user context
of each of these scripts. It allows non-root users to add additional scripts which might
get executed with reduced permission.
This check is configured with the configuration file <tt>runas.cfg</tt>.
In a default installation this file is located within the Check_MK config directory under <tt>/etc/check_mk/runas.cfg</tt>.
The <tt>runas.cfg</tt> configuration syntax is as follow
[Script type] [User context] [File / Directory ]
The <tt>Script type</tt> can be set to <tt>mrpe</tt>, <tt>local</tt> and <tt>plugin</tt>.
The <tt>User context</tt> represents the user. If you do not want to change the context set this field to <tt>-</tt>
Depending on the script type the third value points to a file or directory.
The mrpe type requires a target file which contains the mrpe commands.
Local and plugins types require are target folder, which contains the executable local and plugin scripts.<br>
Here is an example configuration:
F+:/etc/check_mk/runas.cfg
mrpe ab /home/ab/mrpe_commands.cfg
mrpe lm /home/lm/mrpe_commands.cfg
mrpe - /root/mrpe/extra_commands.cfg
plugin ab /var/ab/plugins
local ab /var/ab/local
F-:
<b>Note:</b>You need to set up the local and plugin scripts in different folders, because the line
<tt>plugin ab /var/ab/plugins</tt> indicates that all executable files within this folder are treated as plugins.
ID: 0927
Title: windows agent: now able to evaluate logfiles written in unicode (2 bytes per character)
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
The windows agent was unable to process logfiles which were written as unicode. Those files
had binary zeros every other byte, rendering the normal "readline" logfile processing useless.<br>
The agent can now read unicode files correctly, convert each line to a multibyte representation
(most of the time it is only a single byte) and apply the configured logfile patterns accordingly.
ID: 0925
Title: ps: improved/fixed calculation of CPU utilization
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
Previously, the CPU utilization value was taken from the output <tt>pcpu</tt> from
the ps command. This value didn't reflect the exact utilization since the last check
because its definition is <br>
<pre>
CPU usage is currently expressed as the percentage of time spent running
during the entire lifetime of a process. This is not ideal, and it does not
conform to the standards that ps otherwise conforms to. CPU usage is
unlikely to add up to exactly 100%.
</pre>
The evaluation of the <tt>pcpu</tt> field has been removed and got replaced
by the field <tt>cputime</tt>, which reflects the number of cpu seconds since program start.
With the <tt>cputime</tt> we are able to determine the correct value.
To utilize this new calculation method, you need to update the check_mk_agent on the target host.
The ps check itself is able to handle both formats, <tt>pcpu</tt> and <tt>cputime</tt>.
ID: 0978
Title: Fix security issue with mk-job on Linux
Component: Checks & Agents
Level: 2
Class: Incompatible Change
Version: 1.2.5i3
By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.
This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.
Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:
C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo.foo /var/lib/check_mk_agent/job
C-:
If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by
an RPM/DEB created from the source code with <tt>make rpm</tt> or <tt>make deb</tt>
then the permissions of <tt>/var/lib/check_mk_agent/job</tt> are automatically
fixed.
If you have installed the agent manually then please make sure that the permissions
of the job directory are set properly:
C+:
RP:chmod 755 /var/lib/check_mk_agent/job
C-:
ID: 0978
Title: Fix security issue with mk-job on Linux
Component: Checks & Agents
Level: 2
Class: Incompatible Change
Version: 1.2.5i3
By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.
This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.
Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:
C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo.foo /var/lib/check_mk_agent/job
C-:
ID: 0977
Title: check_traceroute: new active check for checking presence and absence of routes
Component: Checks & Agents
Level: 2
Class: New Feature
Version: 1.2.5i3
This check does a traceroute to the target host and checks which route(s)
are being taken. You can check both for missing and present routes and attach
WARN or CRIT state to them. traceroute is expected to be in the search path
and installed with SUID root bit.