Checkmk werks level2

checkmk-werks-lvl2@lists.checkmk.com

1 participants
1349 discussions

[2.2.0] Checkmk Werk 16025 created: Update PHP version in SLES15SP3 from 7 to 8

by Checkmk werks level 2

Title: Update PHP version in SLES15SP3 from 7 to 8 Class: fix Compatible: incomp Component: rpm Date: 1701254497 Edition: cre Level: 2 Version: 2.2.0p17 Checkmk was shipped with a dependency to PHP7 for SLES15SP3. Since PHP7 is part of the legacy module, this Werk updates the dependency from PHP7 to PHP8. As SLES only allows one version of PHP to be installed, the following steps will uninstall PHP7 from the system and install the new version of Checkmk with PHP8. Be aware that this procedure updates PHP from version 7 to 8 for the whole OS. In case you run additional PHP applications next to Checkmk, the update will also affect them. Run the following commands to perform the update to the new Checkmk version: * add SLES-15SP4 repo to get PHP8 with <tt>zypper addrepo https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/ sles15sp4</tt> * install the new Checkmk version with <tt>zypper install NEW_CHECKMK.rpm</tt> * Zypper will now complain about a conflict with several PHP packages and asks you to select a solution. There, select <tt>solution 1</tt> to confirm the deinstallation of the current Checkmk version, the PHP7 modules and to continue with the installation * confirm the installation of the new Checkmk version and PHP8 with <tt>yes</tt> * removing the existing Checkmk version will throw an error like `Site <SITENAME> is still using this version! Removal of <OLD_CHECKMK>(@System) failed:`, proceed by choosing <tt>ignore</tt> which creates a inconsistent state for the old Checkmk version package, which we will resolve in a later step. * PHP7 will be removed and PHP8 gets installed * change to the site user with <tt>omd su SITE_NAME</tt> * stop the site with <tt>omd stop</tt> * perform the update to the new Checkmk version with <tt>omd update</tt>, select <tt>Update</tt> at the user prompt * in case further prompts regarding wrong permissions of BUILD files appear, choose the default value with <tt>d</tt> * start the site again with <tt>omd start</tt> * exit from the site user * list all installed Checkmk version with <tt>omd versions</tt> * finally remove the old Checkmk installation with <tt>zypper remove OLD_CHECKMK</tt>

8 months, 1 week

[2.3.0] Checkmk Werk 16025 created: Update PHP version in SLES15SP3 from 7 to 8

by Checkmk werks level 2

Title: Update PHP version in SLES15SP3 from 7 to 8 Class: fix Compatible: incomp Component: rpm Date: 1701254497 Edition: cre Level: 2 Version: 2.3.0b1 Checkmk was shipped with a dependency to PHP7 for SLES15SP3. Since PHP7 is part of the legacy module, this Werk updates the dependency from PHP7 to PHP8. As SLES only allows one version of PHP to be installed, the following steps will uninstall PHP7 from the system and install the new version of Checkmk with PHP8. Be aware that this procedure updates PHP from version 7 to 8 for the whole OS. In case you run additional PHP applications next to Checkmk, the update will also affect them. Run the following commands to perform the update to the new Checkmk version: * add SLES-15SP4 repo to get PHP8 with <tt>zypper addrepo https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/ sles15sp4</tt> * install the new Checkmk version with <tt>zypper install NEW_CHECKMK.rpm</tt> * Zypper will now complain about a conflict with several PHP packages and asks you to select a solution. There, select <tt>solution 1</tt> to confirm the deinstallation of the current Checkmk version, the PHP7 modules and to continue with the installation * confirm the installation of the new Checkmk version and PHP8 with <tt>yes</tt> * removing the existing Checkmk version will throw an error like `Site <SITENAME> is still using this version! Removal of <OLD_CHECKMK>(@System) failed:`, proceed by choosing <tt>ignore</tt> which creates a inconsistent state for the old Checkmk version package, which we will resolve in a later step. * PHP7 will be removed and PHP8 gets installed * change to the site user with <tt>omd su SITE_NAME</tt> * stop the site with <tt>omd stop</tt> * perform the update to the new Checkmk version with <tt>omd update</tt>, select <tt>Update</tt> at the user prompt * in case further prompts regarding wrong permissions of BUILD files appear, choose the default value with <tt>d</tt> * start the site again with <tt>omd start</tt> * exit from the site user * list all installed Checkmk version with <tt>omd versions</tt> * finally remove the old Checkmk installation with <tt>zypper remove OLD_CHECKMK</tt>

8 months, 1 week

[2.3.0] Checkmk Werk 16308 created: New option to test notification rulesets

by Checkmk werks level 2

[//]: # (werk v2) # New option to test notification rulesets key | value ---------- | --- date | 2024-01-11T12:12:45+00:00 version | 2.3.0b1 class | feature edition | cre component | notifications level | 2 compatible | yes Previously, you could only test your notification rulesets using the "Analyze" option against a limited set of notifications in the backlog or with the "Fake check result" command. We now introduce the possibility to define a custom notification and test it against your rulesets. The option can be found in "Setup" - "Notifications" - "Test notifications". In the popup, select whether you want to test on a host or a service notification. Select the host and service (if you want to test on a service notification) and the type of simulation. Currently supported are 'Start of downtime" and "Status change". Optionally, you can specify a custom plugin output. A checkbox allows you to decide whether to test only (default) or to send a real notification according to your notification rules. Within the 'Advanced condition simulation' options you can set a custom notification date and time to test period matching and the notification number.

8 months, 1 week

[2.1.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 2

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.1.0p38 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. <h3>Affected Versions</h3> LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the jar_signature plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2023-6740</code>. <h3>Changes</h3> The jarsigner binary is now executed by the oracle user.

8 months, 1 week

[2.2.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 2

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.2.0p18 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. <h3>Affected Versions</h3> LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the jar_signature plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2023-6740</code>. <h3>Changes</h3> The jarsigner binary is now executed by the oracle user.

8 months, 1 week

[2.3.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 2

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.3.0b1 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. ### Affected Versions * 2.2.0 * 2.1.0 * 2.0.0 (EOL) and older ### Mitigations If updating is not possible, disable the jar_signature plugin. ### Vulnerability Management We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` We have assigned `CVE-2023-6740`. ### Changes The jarsigner binary is now executed by the oracle user.

8 months, 1 week

[1.2.7] Checkmk Werk 1665 adapted: agent_netapp: New special agent for NetApp monitoring via Web-API

by Checkmk werks level 2

Werk 1665 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: agent_netapp: New special agent for NetApp monitoring via Web-API Level: 3 Component: checks Class: feature Compatible: compat State: unknown Version: 1.2.7i1 Date: 1418736173 The new agent_netapp allows you to collect data from a NetApp Filer through its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is following soon. H2: Agent setup This agent does not run out of the box, because it depends on some files from the <i>Netapp Manageability SDK</i> from NetApp. You can download it <a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a> In this package you will find a python API binding. The agent_netapp requires the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into the sites local directory <tt>~/local/lib/python</tt>. (Our plan is to eleminate this tedious step in a future version) Once the agent has all required files you need to create a user account with the following permissions: <ul> <li>perf-object-get-instances</li> <li>net-ifconfig-get</li> <li>aggr-list-info</li> <li>storage-shelf-bay-list-info</li> <li>disk-list-info</li> <li>vfiler-list-info</li> <li>vfiler-get-status</li> <li>volume-list-info</li> <li>system-get-version</li> <li>system-get-info</li> <li>storage-shelf-environment-list-info</li> <li>cf-status</li> <li>diagnosis-status-get</li> </ul> Note: This list might increase in later versions If the new agent is able to access the Web-API the following new checks are ready to process the data: <table> <tr><th>Check</th><th>Description</th></tr> <tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr> <tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr> <tr><td>netapp_api_cluster</td><td>Cluster status</td></tr> <tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr> <tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr> <tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr> <tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr> <tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr> <tr><td>netapp_api_version</td><td>Version information</td></tr> <tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr> <tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr> <tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr> <tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr> <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr> <tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr> </table> Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems. ------------------------------------<diff>------------------------------------------- Title: agent_netapp: New special agent for NetApp monitoring via Web-API Level: 3 Component: checks Class: feature Compatible: compat State: unknown Version: 1.2.7i1 Date: 1418736173 The new agent_netapp allows you to collect data from a NetApp Filer through its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is following soon. H2: Agent setup This agent does not run out of the box, because it depends on some files from the <i>Netapp Manageability SDK</i> from NetApp. You can download it <a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a> In this package you will find a python API binding. The agent_netapp requires the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into the sites local directory <tt>~/local/lib/python</tt>. (Our plan is to eleminate this tedious step in a future version) Once the agent has all required files you need to create a user account with the following permissions: <ul> <li>perf-object-get-instances</li> <li>net-ifconfig-get</li> <li>aggr-list-info</li> <li>storage-shelf-bay-list-info</li> <li>disk-list-info</li> <li>vfiler-list-info</li> <li>vfiler-get-status</li> <li>volume-list-info</li> <li>system-get-version</li> <li>system-get-info</li> <li>storage-shelf-environment-list-info</li> <li>cf-status</li> <li>diagnosis-status-get</li> </ul> Note: This list might increase in later versions If the new agent is able to access the Web-API the following new checks are ready to process the data: <table> <tr><th>Check</th><th>Description</th></tr> <tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr> <tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr> <tr><td>netapp_api_cluster</td><td>Cluster status</td></tr> <tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr> <tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr> <tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr> <tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr> <tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr> <tr><td>netapp_api_version</td><td>Version information</td></tr> <tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr> <tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr> <tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr> <tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr> - <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td><tr> + <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr> ? + <tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr> </table> Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.

9 months, 1 week

[1.2.3] Checkmk Werk 50 adapted: New concept of favorite hosts and services plus matching filters and views

by Checkmk werks level 2

Werk 50 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: New concept of favorite hosts and services plus matching filters and views Level: 2 Component: multisite Version: 1.2.3i7 Date: 1383411707 Class: feature The new "Favorites" feature introduces a new pair of commands for hosts and services: <i>Add to favourites</i> and <i>Remove from favourites</i>. It allows you to manage your personal list of favourite hosts and services. This list is saved on a per-user-base. Objects on this list are marked with a star icon. The favourites-list can be used for filtering. Two new predefined views "Favourite hosts" and "Favourite services" are available for showing you favourite objects. Also the new filters have been added to several views. Please note, that when you make a host a favourite, the services of that host will not automatically get favourites as well. But you easily can use the "Service Search" view for listing all services on favorite hosts, if you like that behaviour. With a combination of the existing filters you can do many useful queries like "Show me all problems on my favourite hosts in host group X". The advantage of favourites as opposed to host- and service groups are: <ul> <li>No change to the monitoring configuration is neccessary and thus no restart of the core.</li> <li>Each user can manage his indiviual list.</li> </ul> ------------------------------------<diff>------------------------------------------- Title: New concept of favorite hosts and services plus matching filters and views Level: 2 Component: multisite Version: 1.2.3i7 Date: 1383411707 Class: feature The new "Favorites" feature introduces a new pair of commands for hosts and services: <i>Add to favourites</i> and <i>Remove from favourites</i>. It allows you to manage your personal list of favourite hosts and services. This list is saved on a per-user-base. Objects on this list are marked with a star icon. The favourites-list can be used for filtering. Two new predefined views "Favourite hosts" and "Favourite services" are available for showing you favourite objects. Also the new filters have been added to several views. Please note, that when you make a host a favourite, the services of that host will not automatically get favourites as well. But you easily can use the "Service Search" view for listing all services on favorite hosts, if you like that behaviour. With a combination of the existing filters you can do many useful queries like "Show me all problems on my favourite hosts in host group X". The advantage of favourites as opposed to host- and service groups are: <ul> <li>No change to the monitoring configuration is neccessary and thus no restart of the core.</li> - <li>Each user can manage his indiviual list.</li>. ? - + <li>Each user can manage his indiviual list.</li> </ul>

9 months, 1 week

[2.2.0] Checkmk Werk 16226 created: Privilege escalation in Agent

by Checkmk werks level 2

Title: Privilege escalation in Agent Class: security Compatible: compat Component: checks Date: 1701938773 Edition: cre Level: 2 Version: 2.2.0p17 In order to monitor livestatus from running sites on a host the Checkmk agent uses unixcat that is part of Checkmk. Since the binary is linked to libraries that are also part of Checkmk and may differ from the libraries of the operating system calling unixcat outside of the scope of a site could result to errors due to version mismatches in these libraries. To use the correct libraries in Checkmk 2.2.0p10 a fix was introduced to add the libraries from the site to the call in the agent. Since the lib folder within a site is writable by the site a rogue site could inject malicious libraries into the unixcat call from the agent that is executed as root leading to a privilege escalation. We thank Jan-Philipp Litza for reporting this issue. <b>Affected Versions</b>: * since 2.2.0p10 <b>Vulnerability Management</b>: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>. We assigned CVE-2023-31210 to this vulnerability. <b>Changes</b>: This Werk changes the library path from the site to the version files, which are only root-writable.

9 months, 1 week

[2.3.0] Checkmk Werk 16226 created: Privilege escalation in Agent

by Checkmk werks level 2

Title: Privilege escalation in Agent Class: security Compatible: compat Component: checks Date: 1701938773 Edition: cre Level: 2 Version: 2.3.0b1 In order to monitor livestatus from running sites on a host the Checkmk agent uses unixcat that is part of Checkmk. Since the binary is linked to libraries that are also part of Checkmk and may differ from the libraries of the operating system calling unixcat outside of the scope of a site could result to errors due to version mismatches in these libraries. To use the correct libraries in Checkmk 2.2.0p10 a fix was introduced to add the libraries from the site to the call in the agent. Since the lib folder within a site is writable by the site a rogue site could inject malicious libraries into the unixcat call from the agent that is executed as root leading to a privilege escalation. We thank Jan-Philipp Litza for reporting this issue. <b>Affected Versions</b>: LI: since 2.2.0p10 <b>Vulnerability Management</b>: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>. We assigned CVE-2023-31210 to this vulnerability. <b>Changes</b>: This Werk changes the library path from the site to the version files, which are only root-writable.

9 months, 1 week

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level2