Checkmk werks level3

checkmk-werks-lvl3@lists.checkmk.com

81 discussions

[2.4.0] Checkmk Werk 16116 created: Fixed association of contacts with hosts/services/contactgroups

by Checkmk werks level 3

[//]: # (werk v2) # Fixed association of contacts with hosts/services/contactgroups key | value ---------- | --- date | 2024-04-05T13:48:37+00:00 version | 2.4.0b1 class | fix edition | cre component | livestatus level | 3 compatible | yes Checkmk 2.3 beta introduced a regression regarding contacts when then Nagios core was used: The association of contacts with hosts, services and contact groups was incorrect. A symptom of this bug were e.g. missing hosts or services in the GUI.

1 month, 1 week

[2.1.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk werks level 3

Title: mk_oracle(ps1): Prevent privilege esclation to root Class: security Compatible: compat Component: checks Date: 1705479643 Edition: cre Level: 3 Version: 2.1.0p41 The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

1 month, 3 weeks

[2.2.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk werks level 3

Title: mk_oracle(ps1): Prevent privilege esclation to root Class: security Compatible: compat Component: checks Date: 1705479643 Edition: cre Level: 3 Version: 2.2.0p24 The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

1 month, 3 weeks

[2.4.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk werks level 3

[//]: # (werk v2) # mk_oracle(ps1): Prevent privilege esclation to root key | value ---------- | --- compatible | yes version | 2.4.0b1 date | 2024-01-17T08:20:43+00:00 level | 3 class | security component | checks edition | cre The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> * 2.3.0 (beta) * 2.2.0 * 2.1.0 * 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

1 month, 3 weeks

[2.1.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 3

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.1.0p38 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. <h3>Affected Versions</h3> LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the jar_signature plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2023-6740</code>. <h3>Changes</h3> The jarsigner binary is now executed by the oracle user.

4 months

[2.2.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 3

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.2.0p18 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. <h3>Affected Versions</h3> LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the jar_signature plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2023-6740</code>. <h3>Changes</h3> The jarsigner binary is now executed by the oracle user.

4 months

[2.3.0] Checkmk Werk 16163 created: jar_signature: Prevent privilege escalation to root

by Checkmk werks level 3

Title: jar_signature: Prevent privilege escalation to root Class: security Compatible: incomp Component: checks Date: 1702395666 Edition: cre Level: 3 Version: 2.3.0b1 jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) was vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace the jarsigner binary with another script and put it in the JAVA_HOME directory. The script would be executed by the root user. The jarsigner is now executed by the oracle user, preventing the privilege escalation. This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users should deploy the new version of the plugin or disable it. This issue was found during internal review. ### Affected Versions * 2.2.0 * 2.1.0 * 2.0.0 (EOL) and older ### Mitigations If updating is not possible, disable the jar_signature plugin. ### Vulnerability Management We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` We have assigned `CVE-2023-6740`. ### Changes The jarsigner binary is now executed by the oracle user.

4 months

[1.2.7] Checkmk Werk 1665 adapted: agent_netapp: New special agent for NetApp monitoring via Web-API

by Checkmk werks level 3

Werk 1665 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: agent_netapp: New special agent for NetApp monitoring via Web-API Level: 3 Component: checks Class: feature Compatible: compat State: unknown Version: 1.2.7i1 Date: 1418736173 The new agent_netapp allows you to collect data from a NetApp Filer through its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is following soon. H2: Agent setup This agent does not run out of the box, because it depends on some files from the <i>Netapp Manageability SDK</i> from NetApp. You can download it <a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a> In this package you will find a python API binding. The agent_netapp requires the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into the sites local directory <tt>~/local/lib/python</tt>. (Our plan is to eleminate this tedious step in a future version) Once the agent has all required files you need to create a user account with the following permissions: <ul> <li>perf-object-get-instances</li> <li>net-ifconfig-get</li> <li>aggr-list-info</li> <li>storage-shelf-bay-list-info</li> <li>disk-list-info</li> <li>vfiler-list-info</li> <li>vfiler-get-status</li> <li>volume-list-info</li> <li>system-get-version</li> <li>system-get-info</li> <li>storage-shelf-environment-list-info</li> <li>cf-status</li> <li>diagnosis-status-get</li> </ul> Note: This list might increase in later versions If the new agent is able to access the Web-API the following new checks are ready to process the data: <table> <tr><th>Check</th><th>Description</th></tr> <tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr> <tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr> <tr><td>netapp_api_cluster</td><td>Cluster status</td></tr> <tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr> <tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr> <tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr> <tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr> <tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr> <tr><td>netapp_api_version</td><td>Version information</td></tr> <tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr> <tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr> <tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr> <tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr> <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr> <tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr> </table> Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems. ------------------------------------<diff>------------------------------------------- Title: agent_netapp: New special agent for NetApp monitoring via Web-API Level: 3 Component: checks Class: feature Compatible: compat State: unknown Version: 1.2.7i1 Date: 1418736173 The new agent_netapp allows you to collect data from a NetApp Filer through its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is following soon. H2: Agent setup This agent does not run out of the box, because it depends on some files from the <i>Netapp Manageability SDK</i> from NetApp. You can download it <a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a> In this package you will find a python API binding. The agent_netapp requires the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into the sites local directory <tt>~/local/lib/python</tt>. (Our plan is to eleminate this tedious step in a future version) Once the agent has all required files you need to create a user account with the following permissions: <ul> <li>perf-object-get-instances</li> <li>net-ifconfig-get</li> <li>aggr-list-info</li> <li>storage-shelf-bay-list-info</li> <li>disk-list-info</li> <li>vfiler-list-info</li> <li>vfiler-get-status</li> <li>volume-list-info</li> <li>system-get-version</li> <li>system-get-info</li> <li>storage-shelf-environment-list-info</li> <li>cf-status</li> <li>diagnosis-status-get</li> </ul> Note: This list might increase in later versions If the new agent is able to access the Web-API the following new checks are ready to process the data: <table> <tr><th>Check</th><th>Description</th></tr> <tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr> <tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr> <tr><td>netapp_api_cluster</td><td>Cluster status</td></tr> <tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr> <tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr> <tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr> <tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr> <tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr> <tr><td>netapp_api_version</td><td>Version information</td></tr> <tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr> <tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr> <tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr> <tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr> - <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td><tr> + <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr> ? + <tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr> </table> Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.

5 months

[2.3.0] Checkmk Werk 16230 created: Add cloud edition features to Managed Services Edition

by Checkmk werks level 3

Title: Add cloud edition features to Managed Services Edition Class: feature Compatible: compat Component: omd Date: 1700123142 Edition: cme Level: 3 Version: 2.3.0b1 With this werk, the Checkmk Managed Services Edition is now based on the Checkmk Cloud Edition and includes thus all features of the Checkmk Cloud Edition. A technical overview of the new features can be found in the user manual: https://docs.checkmk.com/latest/en/cce.html

5 months, 3 weeks

[2.3.0] Checkmk Werk 16230 deleted: Add cloud edition features to Managed Services Edition

by Checkmk werks level 3

Werk 16230 was deleted. The following Werk is no longer relevant. Title: Add cloud edition features to Managed Services Edition Class: feature Compatible: compat Component: omd Date: 1700123142 Edition: cme Level: 3 Version: 2.3.0b1 With this werk, the Checkmk Managed Services Edition is now based on the Checkmk Cloud Edition and includes thus all features of the Checkmk Cloud Edition. A technical overview of the new features can be found in the user manual: https://docs.checkmk.com/latest/en/cce.html

6 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks level3