Werk #17012: Check for predefined connections when deploying xinetd config

Component Checks & agents
Title Check for predefined connections when deploying xinetd config
Date Jul 1, 2024
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p11 Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p32 Checkmk Cloud (CCE)

When an agent rule Agent controller auto-registration (Managed Services Edition, Cloud Edition) was configured for an agent package one might assume that when installing this package the agent encrypts its traffic. But when installing such a package on a system without systemd but with xinetd installed or a very old systemd versions, the agent was deployed without registration and encryption.

With this Werk the deployment script for systemd/xinetd checks for predefined/preconfigured connections and if it finds any it refuses to configure the legacy mode. The agent is still installed though but will not be accessible via the network, so access with SSH will still be possible.

Therefore you can no longer use baked packages with auto registration for systems without systemd or very old systemd versions where the legacy mode is desired. These systems need to be excluded from the Agent controller auto-registration (Managed Services Edition, Cloud Edition) rule.

Vulnerability Management:

We do not rate this as a exploitable vulnerability but a safe guard for unintended configurations, therefore no CVE was assigned.

To aid automated scanning we assign a CVSS score of 0.0 None (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

To the list of all Werks