Werk #17012: Check for predefined connections when deploying xinetd config

Component: Checks & agents
Title: Check for predefined connections when deploying xinetd config
Date: Jul 1, 2024
Level: Trivial Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required
Checkmk versions & editions:
  2.4.0b1: Checkmk Cloud (CCE), Checkmk MSP (CME)
  2.3.0p11: Checkmk Cloud (CCE), Checkmk MSP (CME)
  2.2.0p32: Checkmk Cloud (CCE)

When the agent rule "Agent controller auto-registration (Managed Services Edition, Cloud Edition)" was configured for an agent package, one might assume that the agent encrypts its traffic once this package is installed. However, when such a package was installed on a system without systemd but with xinetd installed, or on a system with a very old systemd version, the agent was deployed without registration and encryption.

With this Werk, the deployment script for systemd/xinetd checks for predefined (preconfigured) connections and, if it finds any, refuses to configure the legacy mode. The agent is still installed, but it will not be accessible via the network; access via SSH is still possible.

Therefore, you can no longer use baked packages with auto-registration on systems without systemd or with very old systemd versions where the legacy mode is desired. These systems need to be excluded from the "Agent controller auto-registration (Managed Services Edition, Cloud Edition)" rule.
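
The decision described above, written out as an added sketch (this is not Checkmk's deployment script). It shows the behaviour before and after this Werk side by side via a hypothetical `guard` switch. The function names, the connections file path, the minimum systemd version and the rule that a non-empty file means "connections are preconfigured" are all assumptions supplied by the caller, not values from the Werk.

```shell
#!/bin/sh
# Added illustration, not Checkmk's own code. All names are hypothetical.

# has_preconfigured_connections FILE
# Assumption: a non-empty file means the package ships predefined connections.
has_preconfigured_connections() {
    [ -s "$1" ]
}

# choose_transport SYSTEMD_VERSION MIN_SYSTEMD XINETD_PRESENT CONN_FILE GUARD
#   SYSTEMD_VERSION  integer systemd version, empty string if systemd is absent
#   MIN_SYSTEMD      oldest version treated as usable (caller-supplied placeholder)
#   XINETD_PRESENT   "yes" or "no"
#   GUARD            "on" = behaviour with this Werk, "off" = behaviour before it
# Prints: controller | legacy | refuse-legacy | none
choose_transport() {
    systemd_version=$1
    min_systemd=$2
    xinetd_present=$3
    conn_file=$4
    guard=$5

    # Recent systemd: the agent controller can register and encrypt traffic.
    if [ -n "$systemd_version" ] && [ "$systemd_version" -ge "$min_systemd" ]; then
        echo controller
        return 0
    fi

    # Only the unencrypted legacy mode is left. With the guard on, a package
    # that was built for registration must not silently fall back to it.
    if [ "$guard" = on ] && has_preconfigured_connections "$conn_file"; then
        echo refuse-legacy   # agent stays installed, no network listener
        return 0
    fi

    # Legacy mode applies with xinetd or with a too-old systemd,
    # following the Werk's wording.
    if [ "$xinetd_present" = yes ] || [ -n "$systemd_version" ]; then
        echo legacy
    else
        echo none
    fi
}
```

A result of `refuse-legacy` marks a host that has to be excluded from the auto-registration rule if legacy mode is wanted there.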

Vulnerability Management:

We do not rate this as an exploitable vulnerability but as a safeguard against unintended configurations; therefore no CVE was assigned.

To aid automated scanning we assign a CVSS score of 0.0 None (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
