Werk #12672: real-time-checks: Provide default password

Component: Checks and agents
Date: 01.04.2021
Checkmk Edition: Checkmk Enterprise (CEE)
Checkmk Version: 2.1.0i1 2.0.0p4
Level: Minor change
Class: Security fix
Compatibility: Compatible - no manual intervention required

This Werk fixes a security issue that may arise from a misconfiguration of real-time checks.

As mentioned in Werk #8350 (Introduction of real-time checks), a password has to be provided when configuring real-time checks.
When using the agent bakery, the ruleset "Encryption" is used to provide the encryption password, while the real-time checks themselves are activated for the agents via the ruleset "Send data for real-time checks". If the real-time checks get activated without providing a password, this results in an empty password, which will nevertheless be used by the agent to encrypt the real-time check data on the host.
While the user would most likely fix this situation, because real-time checks won't work (a password is mandatory to activate real-time checks in CMC), the real-time check data can be decrypted without a password/key in this case, resulting in a security issue.

This is now fixed with the following mechanism:

  • The agent bakery will read the default password from the global setting "Monitoring core/Enable handling of real-time checks" and bake it into the agents that have the rule "Send data for real-time checks" activated. Accordingly, a changed global setting will lead to new agents on next bake.
  • The agent bakery will continue to package the password from the "Encryption" rule, and the Linux agent will prefer it over the default password from the CMC configuration.
  • If neither of the two passwords is configured, but the "Send data for real-time checks" rule is active, the agent bakery will refuse to bake agents.
  • If the Linux agent is requested to send encrypted real-time check data, but no password is deployed, sending will be inhibited. However, from now on, this can only happen if real-time checks are configured without the agent bakery.

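The following is an added example, not Checkmk's own code, that models the fail-closed password resolution described above: the "Encryption" rule takes precedence over the global default, an empty password counts as "not configured" so it can never become the encryption key, the bakery refuses to bake when nothing usable is set, and the agent-side gate refuses to send without a deployed password. All names (`RealtimeConfig`, `resolve_bakery_password`, `agent_may_send_rtc`, `BakeryError`) are hypothetical.

```python
"""Fail-closed handling of the real-time check password (added example,
not Checkmk code; all names are hypothetical)."""
from dataclasses import dataclass
from typing import Optional


class BakeryError(Exception):
    """Raised when the bakery must refuse to produce an agent package."""


@dataclass
class RealtimeConfig:
    rtc_rule_active: bool                     # "Send data for real-time checks" rule
    encryption_rule_password: Optional[str]   # password from the "Encryption" rule
    global_default_password: Optional[str]    # "Enable handling of real-time checks"


def _configured(password: Optional[str]) -> Optional[str]:
    # Treat None, "" and whitespace-only values as "not configured", so an
    # empty string is never baked in and never used as an encryption key.
    if password is None or not password.strip():
        return None
    return password


def resolve_bakery_password(cfg: RealtimeConfig) -> Optional[str]:
    """Return the password to bake, or None when real-time checks are off.

    Raises BakeryError instead of baking an agent without a usable password.
    """
    if not cfg.rtc_rule_active:
        return None  # nothing to encrypt, nothing to deploy
    # The explicit "Encryption" rule wins over the CMC global default.
    password = _configured(cfg.encryption_rule_password) or _configured(
        cfg.global_default_password
    )
    if password is None:
        raise BakeryError(
            "'Send data for real-time checks' is active but neither the "
            "'Encryption' rule nor the global real-time check password is set"
        )
    return password


def agent_may_send_rtc(deployed_password: Optional[str]) -> bool:
    """Agent-side gate: never emit real-time check data with an empty key."""
    return _configured(deployed_password) is not None
```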