Checkmk werks level2

checkmk-werks-lvl2@lists.checkmk.com

1 participants
1349 discussions

[2.3.0] Checkmk Werk 16841 created: mk-sql plugin produces backup section correctly

by Checkmk werks level 2

[//]: # (werk v2) # mk-sql plugin produces backup section correctly key | value ---------- | --- date | 2024-06-21T09:07:51+00:00 version | 2.3.0p7 class | fix edition | cre component | checks level | 2 compatible | yes Since this release the backup section content is identical to the expected one(from mssql.vbs)

2 months, 4 weeks

[2.3.0] Checkmk Werk 17056 adapted: Don't show automation secret in the audit log (addresses CVE-2024-28830)

by Checkmk werks level 2

Werk 17056 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Don't show automation secret in the audit log (addresses CVE-2024-28830) key | value ---------- | --- date | 2024-06-19T12:10:00+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 2 compatible | no By default only admin users are able to see the audit log. Guests and normal monitoring users do not have acces to the audit log. Werk #13330 already fixed a problem where passwords were shown in the audit log. This werk now addresses the problem, that still automation secrets of automation user were logged in clear text to the audit log, e.g. on change of the automation secret via REST-API or the user interface. Existing automation secrets in the audit log should be removed automatically during the update but please double check that no automation secrets remain in the log (see next paragraph for details). A backup of the original audit log (before automation secrets were removed) is copied to "~/audit_log_backup". If anything goes wrong during the update, you have to copy the files back to ~var/check_mk/wato/log and remove the automation secrets manually. If the update works as expected, you can remove the backup files. In distributed setups which do not replicate the configuration, automation secrets are replaced during the update of each site. In setups which replicate the configuration from central to remote sites no automation secrets should be present in the logs of the remote site, since only information about the activation is logged. Only if you switched to a replicated setup after the upgrade to the 2.0, automation secrets can be present in the logs. Since automation secrets may be in this scenario as well, the steps described before also apply. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Mitigations*: Remove automation secrets manually within the files located in ~var/check_mk/wato/log. *Vulnerability Management*: We have rated the issue with a CVSS Score of <2.7 (Low)> with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE `CVE-2024-28830`. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Don't show automation secret in the audit log (addresses CVE-2024-28830) key | value ---------- | --- date | 2024-06-19T12:10:00+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 2 compatible | no By default only admin users are able to see the audit log. Guests and normal monitoring users do not have acces to the audit log. Werk #13330 already fixed a problem where passwords were shown in the audit log. This werk now addresses the problem, that still automation secrets of automation user were logged in clear text to the audit log, e.g. on change of the automation secret via REST-API or the user interface. Existing automation secrets in the audit log should be removed automatically during the update but please double check that no automation secrets remain in the log (see next paragraph for details). A backup of the original audit log (before automation secrets were removed) is - copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong ? - ^^^^^^^ -------- --------- + copied to "~/audit_log_backup". If anything goes wrong ? ^^^^ during the update, you have to copy the files back to ~var/check_mk/wato/log and remove the automation secrets manually. If the update works as expected, you can remove the backup files. In distributed setups which do not replicate the configuration, automation secrets are replaced during the update of each site. In setups which replicate the configuration from central to remote sites no automation secrets should be present in the logs of the remote site, since only information about the activation is logged. Only if you switched to a replicated setup after the upgrade to the 2.0, automation secrets can be present in the logs. Since automation secrets may be in this scenario as well, the steps described before also apply. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Mitigations*: Remove automation secrets manually within the files located in ~var/check_mk/wato/log. *Vulnerability Management*: We have rated the issue with a CVSS Score of <2.7 (Low)> with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE `CVE-2024-28830`.

2 months, 4 weeks

[2.2.0] Checkmk Werk 17056 created: Don't show automation secret in the audit log (addresses CVE-2024-28830)

by Checkmk werks level 2

Title: Don't show automation secret in the audit log (addresses CVE-2024-28830) Class: security Compatible: incomp Component: wato Date: 1718799000 Edition: cre Level: 2 Version: 2.2.0p28 By default only admin users are able to see the audit log. Guests and normal monitoring users do not have acces to the audit log. Werk #13330 already fixed a problem where passwords were shown in the audit log. This werk now addresses the problem, that still automation secrets of automation user were logged in clear text to the audit log, e.g. on change of the automation secret via REST-API or the user interface. Existing automation secrets in the audit log should be removed automatically during the update but please double check that no automation secrets remain in the log (see next paragraph for details). A backup of the original audit log (before automation secrets were removed) is copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong during the update, you have to copy the files back to ~var/check_mk/wato/log and remove the automation secrets manually. If the update works as expected, you can remove the backup files. In distributed setups which do not replicate the configuration, automation secrets are replaced during the update of each site. In setups which replicate the configuration from central to remote sites no automation secrets should be present in the logs of the remote site, since only information about the activation is logged. Only if you switched to a replicated setup after the upgrade to the 2.0, automation secrets can be present in the logs. Since automation secrets may be in this scenario as well, the steps described before also apply. Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: Remove automation secrets manually within the files located in ~var/check_mk/wato/log. Vulnerability Management: We have rated the issue with a CVSS Score of <2.7 (Low)> with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code> and assigned CVE <code>CVE-2024-28830</code>.

3 months

[2.3.0] Checkmk Werk 17056 created: Don't show automation secret in the audit log (addresses CVE-2024-28830)

by Checkmk werks level 2

[//]: # (werk v2) # Don't show automation secret in the audit log (addresses CVE-2024-28830) key | value ---------- | --- date | 2024-06-19T12:10:00+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 2 compatible | no By default only admin users are able to see the audit log. Guests and normal monitoring users do not have acces to the audit log. Werk #13330 already fixed a problem where passwords were shown in the audit log. This werk now addresses the problem, that still automation secrets of automation user were logged in clear text to the audit log, e.g. on change of the automation secret via REST-API or the user interface. Existing automation secrets in the audit log should be removed automatically during the update but please double check that no automation secrets remain in the log (see next paragraph for details). A backup of the original audit log (before automation secrets were removed) is copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong during the update, you have to copy the files back to ~var/check_mk/wato/log and remove the automation secrets manually. If the update works as expected, you can remove the backup files. In distributed setups which do not replicate the configuration, automation secrets are replaced during the update of each site. In setups which replicate the configuration from central to remote sites no automation secrets should be present in the logs of the remote site, since only information about the activation is logged. Only if you switched to a replicated setup after the upgrade to the 2.0, automation secrets can be present in the logs. Since automation secrets may be in this scenario as well, the steps described before also apply. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Mitigations*: Remove automation secrets manually within the files located in ~var/check_mk/wato/log. *Vulnerability Management*: We have rated the issue with a CVSS Score of <2.7 (Low)> with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE `CVE-2024-28830`.

3 months

[2.2.0] Checkmk Werk 16766 created: mknotifyd: use site names in service description

by Checkmk werks level 2

Title: mknotifyd: use site names in service description Class: fix Compatible: incomp Component: checks Date: 1716821823 Edition: cre Level: 2 Version: 2.2.0p28 This update affects users monitoring the OMD Notify Connection services, regardless of whether the connection is encrypted. Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1. To resolve this issue, we have updated the service naming. Now, the names of the involved sites will be shown in the format: OMD MySite Notification Spooler connection to MyRemoteSite. Impact: LI: Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual. LI: Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible LI: To maintain service history, users can create a service description translation rule. This can be done in the configuration at: Setup > Agents > Access to agents > Translation of service descriptions. Use a regex or static string to map the old service names to the new ones.

3 months

[2.3.0] Checkmk Werk 16766 created: mknotifyd: use site names in service description

by Checkmk werks level 2

[//]: # (werk v2) # mknotifyd: use site names in service description key | value ---------- | --- date | 2024-05-27T14:57:03+00:00 version | 2.3.0p7 class | fix edition | cre component | checks level | 2 compatible | no This update affects users monitoring the _OMD Notify Connection_ services, regardless of whether the connection is encrypted. Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1. To resolve this issue, we have updated the service naming. Now, the names of the involved sites will be shown in the format: _OMD MySite Notification Spooler connection to MyRemoteSite_. Impact: - Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual. - Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible - To maintain service history, users can create a service description translation rule. This can be done in the configuration at: _Setup_ > _Agents_ > _Access to agents_ > _Translation of service descriptions_. Use a regex or static string to map the old service names to the new ones.

3 months

[2.4.0] Checkmk Werk 16766 created: mknotifyd: use site names in service description

by Checkmk werks level 2

[//]: # (werk v2) # mknotifyd: use site names in service description key | value ---------- | --- date | 2024-05-27T14:57:03+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 2 compatible | no This update affects users monitoring the _OMD Notify Connection_ services, regardless of whether the connection is encrypted. Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1. To resolve this issue, we have updated the service naming. Now, the names of the involved sites will be shown in the format: _OMD MySite Notification Spooler connection to MyRemoteSite_. Impact: - Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual. - Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible - To maintain service history, users can create a service description translation rule. This can be done in the configuration at: _Setup_ > _Agents_ > _Access to agents_ > _Translation of service descriptions_. Use a regex or static string to map the old service names to the new ones.

3 months

[2.4.0] Checkmk Werk 16767 created: NetApp via WebAPI: remove deprecated agent and plugin

by Checkmk werks level 2

[//]: # (werk v2) # NetApp via WebAPI: remove deprecated agent and plugin key | value ---------- | --- date | 2024-06-07T08:39:33+00:00 version | 2.4.0b1 class | feature edition | cre component | checks level | 2 compatible | no This werk impacts users who monitor a NetApp environment with the deprecated special agent "NetApp via WebAPI" (agent_netapp). As of Checkmk version 2.4.0, the agent "NetApp via WebAPI" and its associated checks and inventory plugins have been removed. Please configure the new special agent using the "NetApp via Ontap REST API" ruleset and perform a re-discovery. The following plugins are no longer available: - NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_aggr_) - NetApp Ontap Filer: 7Mode Cluster Status (_netapp_api_cluster_) - NetApp API Connection (_netapp_api_connection_) - NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_cpu_) - NetApp Clustermode Filer: NVRAM Battery (_netapp_api_cpu_nvram_bat_) - NetApp Filer: 7Mode Global CPU Utilization (_netapp_api_cpu_utilization_) - NetApp Filer: Disk (_Summarynetapp_api_disk_summary_) - NetApp Filer Clustermode: PSU Fault Info (_netapp_api_environment_) - NetApp Filer Clustermode: System Electrical Current (_netapp_api_environment_current_) - NetApp Filer Clustermode: Fan Fault Info (_netapp_api_environment_fan_faults_) - NetApp Filer Clustermode: System Fan Speed (_netapp_api_environment_fans_) - NetApp Filer Clustermode: System Temperature (_netapp_api_environment_temperature_) - NetApp Filer Clustermode: System Electrical Voltage (_netapp_api_environment_voltage_) - NetApp Filer: FANs (_netapp_api_fan_) - NetApp Filer: FANs Summary (_netapp_api_fan_summary_) - NetApp Cluster-Mode: State of Fibrechannel Interfaces (_netapp_api_fcp_) - NetApp Filer: State of Network Interfaces (_netapp_api_if_) - NetApp Filer: Version Info (_netapp_api_info_) - NetApp Filer: Used Space of LUNs (_netapp_api_luns_) - NetApp Filer: Ports (_netapp_api_ports_) - NetApp Filer 7Mode: Protocols (_netapp_api_protocol_) - NetApp Filer: Power Supplies (_netapp_api_psu_) - NetApp Filer: Power Supplies Summary (_netapp_api_psu_summary_) - NetApp Filer: Used Space of qtrees in Volumes (_netapp_api_qtree_quota_) - NetApp Filer: Used Space in Snapshots of Volumes (_netapp_api_snapshots_) - NetApp Filer: Snapvault/Snapmirror Lag-time (_netapp_api_snapvault_) - NetApp Filer: Overall System Health (_netapp_api_status_) - NetApp Filer: Systemtime (_netapp_api_systemtime_) - NetApp Filer: Temperature Sensors (_netapp_api_temp_) - NetApp Filer 7Mode: vFiler CPU Utilization (_netapp_api_vf_stats_) - NetApp Filer: vFiler Traffic (_netapp_api_vf_stats_traffic_) - NetApp Filer: vFiler Status (_netapp_api_vf_status_) - NetApp Filer: Used Space and Traffic of Volumes (_netapp_api_volumes_) - NetApp Filer: vServer Status (_netapp_api_vs_status_) - NetApp Filer: vServer Traffic Summary (_netapp_api_vs_traffic_)

3 months

[2.4.0] Checkmk Werk 16767 deleted: NetApp via WebAPI: remove deprecated agent and plugin

by Checkmk werks level 2

Werk 16767 was deleted. The following Werk is no longer relevant. [//]: # (werk v2) # NetApp via WebAPI: remove deprecated agent and plugin key | value ---------- | --- date | 2024-06-07T08:39:33+00:00 version | 2.4.0b1 class | feature edition | cre component | checks level | 2 compatible | no This werk impacts users who monitor a NetApp environment with the deprecated special agent "NetApp via WebAPI" (agent_netapp). As of Checkmk version 2.4.0, the agent "NetApp via WebAPI" and its associated checks and inventory plugins have been removed. Please configure the new special agent using the "NetApp via Ontap REST API" ruleset and perform a re-discovery. The following plugins are no longer available: - NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_aggr_) - NetApp Ontap Filer: 7Mode Cluster Status (_netapp_api_cluster_) - NetApp API Connection (_netapp_api_connection_) - NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_cpu_) - NetApp Clustermode Filer: NVRAM Battery (_netapp_api_cpu_nvram_bat_) - NetApp Filer: 7Mode Global CPU Utilization (_netapp_api_cpu_utilization_) - NetApp Filer: Disk (_Summarynetapp_api_disk_summary_) - NetApp Filer Clustermode: PSU Fault Info (_netapp_api_environment_) - NetApp Filer Clustermode: System Electrical Current (_netapp_api_environment_current_) - NetApp Filer Clustermode: Fan Fault Info (_netapp_api_environment_fan_faults_) - NetApp Filer Clustermode: System Fan Speed (_netapp_api_environment_fans_) - NetApp Filer Clustermode: System Temperature (_netapp_api_environment_temperature_) - NetApp Filer Clustermode: System Electrical Voltage (_netapp_api_environment_voltage_) - NetApp Filer: FANs (_netapp_api_fan_) - NetApp Filer: FANs Summary (_netapp_api_fan_summary_) - NetApp Cluster-Mode: State of Fibrechannel Interfaces (_netapp_api_fcp_) - NetApp Filer: State of Network Interfaces (_netapp_api_if_) - NetApp Filer: Version Info (_netapp_api_info_) - NetApp Filer: Used Space of LUNs (_netapp_api_luns_) - NetApp Filer: Ports (_netapp_api_ports_) - NetApp Filer 7Mode: Protocols (_netapp_api_protocol_) - NetApp Filer: Power Supplies (_netapp_api_psu_) - NetApp Filer: Power Supplies Summary (_netapp_api_psu_summary_) - NetApp Filer: Used Space of qtrees in Volumes (_netapp_api_qtree_quota_) - NetApp Filer: Used Space in Snapshots of Volumes (_netapp_api_snapshots_) - NetApp Filer: Snapvault/Snapmirror Lag-time (_netapp_api_snapvault_) - NetApp Filer: Overall System Health (_netapp_api_status_) - NetApp Filer: Systemtime (_netapp_api_systemtime_) - NetApp Filer: Temperature Sensors (_netapp_api_temp_) - NetApp Filer 7Mode: vFiler CPU Utilization (_netapp_api_vf_stats_) - NetApp Filer: vFiler Traffic (_netapp_api_vf_stats_traffic_) - NetApp Filer: vFiler Status (_netapp_api_vf_status_) - NetApp Filer: Used Space and Traffic of Volumes (_netapp_api_volumes_) - NetApp Filer: vServer Status (_netapp_api_vs_status_) - NetApp Filer: vServer Traffic Summary (_netapp_api_vs_traffic_)

3 months, 1 week

[2.4.0] Checkmk Werk 16767 created: NetApp via WebAPI: remove deprecated agent and plugin

by Checkmk werks level 2

3 months, 1 week

← Newer
1
2
3
4
5
6
7
8
...
135
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level2