class ACTestDeprecatedInventoryPlugins(ACTest):
def category(self) -> str:
return ACTestCategories.deprecations
def title(self) -> str:
return _("Deprecated HW/SW inventory plugins")
def help(self) -> str:
return _(
"The old inventory plugin API has been removed in Checkmk version 2.2."
" Plugin files in <tt>'%s'</tt> are ignored."
" Please migrate the plugins to the new API."
) % str(local_inventory_dir)
def is_relevant(self) -> bool:
return True
def execute(self) -> Iterator[ACResult]:
with suppress(FileNotFoundError):
if plugin_files := list(local_inventory_dir.iterdir()):
yield ACResultCRIT(
_("%d ignored HW/SW inventory plugins found: %s")
% (len(plugin_files), ", ".join(f.name for f in plugin_files))
)
return
yield ACResultOK(_("No ignored HW/SW inventory plugins found"))
def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
for job in jobs.objects.values():
if job.is_encrypted():
yield ACResultOK(_('The job "%s" is encrypted') % job.title())
else:
yield ACResultWARN(_('There job "%s" is not encrypted') % job.title())
def execute(self) -> Iterator[ACResult]:
errors = cmk.gui.utils.get_failed_plugins()
if not errors:
yield ACResultOK(_("No broken extensions were found."))
for plugin_path, e in errors:
yield ACResultCRIT(_('Loading "%s" failed: %s') % (plugin_path, e))
def execute(self) -> Iterator[ACResult]:
cfg = ConfigDomainOMD().default_globals()
if not cfg["site_livestatus_tcp"]:
yield ACResultOK(_("Livestatus network traffic is encrypted"))
return
if not cfg["site_livestatus_tcp"]["tls"]:
yield ACResultCRIT(_("Livestatus network traffic is unencrypted"))
def execute(self) -> Iterator[ACResult]:
if self._tmpfs_mounted(omd_site()):
yield ACResultOK(_("The temporary filesystem is mounted"))
else:
yield ACResultWARN(
_(
"The temporary filesystem is not mounted. Your installation "
"may work with degraded performance."
)
)
def execute(self) -> Iterator[ACResult]:
rules = self._get_rules()
if not bool(rules):
yield ACResultOK(
_("No ruleset <b>State in case of restricted address mismatch</b> is configured")
)
return
for folder_title, rule_state in rules:
yield ACResultCRIT("Rule in <b>%s</b> has value <b>%s</b>" % (folder_title, rule_state))
def execute(self) -> Iterator[ACResult]:
try:
num_cpu = multiprocessing.cpu_count()
except NotImplementedError:
yield ACResultOK(
_("Cannot test. Unable to determine the number of CPUs on target system.")
)
return
if self._get_effective_global_setting("cmc_checker_helpers") > num_cpu:
yield ACResultWARN(
_(
"Configuring more checkers than the number of available CPUs (%d) have "
"a detrimental effect, since they are not IO bound."
)
% num_cpu
)
return
yield ACResultOK(_("Number of Checkmk checkers is less than number of CPUs"))
def execute(self) -> Iterator[ACResult]:
all_rules_ok = True
for folder, rule_index, rule in self._get_rules():
vsphere_queries_agent = rule.value.get("direct") in ["agent", "hostsystem_agent"]
if vsphere_queries_agent:
all_rules_ok = False
yield ACResultCRIT(
_("Rule %d in Folder %s is affected") % (rule_index + 1, folder.title())
)
if all_rules_ok:
yield ACResultOK(_("No configured rules are affected"))
def _check_site(self, site_id):
if _site_is_using_livestatus_proxy(site_id):
yield ACResultOK(_("Site is using the Livestatus Proxy Daemon"))
elif not is_wato_slave_site():
yield ACResultWARN(
_(
"The Livestatus Proxy is not only good for slave sites, "
"enable it for your master site"
)
)
else:
yield ACResultWARN(_("Use the Livestatus Proxy Daemon for your site"))
def execute(self) -> Iterator[ACResult]:
for connection_id, connection in userdb.active_connections():
if connection.type() != "ldap":
continue
assert isinstance(connection, ldap.LDAPUserConnector)
if connection.use_ssl():
yield ACResultOK(_("%s: Uses SSL") % connection_id)
else:
yield ACResultWARN(
_("%s: Not using SSL. Consider enabling it in the " "connection settings.")
% connection_id
)
def execute(self) -> Iterator[ACResult]:
users = userdb.load_users()
num_users = len(users)
user_warn_threshold = 500
if num_users <= user_warn_threshold:
yield ACResultOK(_("You have %d users configured") % num_users)
else:
yield ACResultWARN(
_(
"You have %d users configured. Please review the number of "
"users you have configured in Checkmk."
)
% num_users
)
def execute(self) -> Iterator[ACResult]:
if (
cmk.gui.plugins.userdb.htpasswd.HtpasswdUserConnector({}).check_credentials(
UserId("omdadmin"), "omd"
)
== "omdadmin"
):
yield ACResultCRIT(
_(
"Found <tt>omdadmin</tt> with default password. "
"It is highly recommended to change this password."
)
)
else:
yield ACResultOK(_("Found <tt>omdadmin</tt> using custom password."))
class ACTestMknotifydCommunicationEncrypted(ACTest):
def category(self) -> str:
return ACTestCategories.security
def title(self) -> str:
return _("Encrypt notification daemon communication")
def help(self) -> str:
return _(
"Since version 2.1 it is possible to encrypt the communication of the notification "
"daemon with TLS. After an upgrade of an existing site incoming connections will still "
"use plain text communication and outgoing connections will try to use TLS and fall "
"back to plain text communication if the remote site does not support TLS. It is "
"recommended to enforce TLS encryption as soon as all sites support it."
)
def is_relevant(self) -> bool:
return True
def execute(self) -> Iterator[ACResult]:
only_encrypted = True
config = self._get_effective_global_setting("notification_spooler_config")
if (incoming := config.get("incoming", {})) and incoming.get("encryption") == "unencrypted":
only_encrypted = False
yield ACResultCRIT(
_("Incoming connections on port %s communicate via plain text")
% incoming["listen_port"]
)
for outgoing in config["outgoing"]:
socket = f"{outgoing['address']}:{outgoing['port']}"
if outgoing["encryption"] == "upgradable":
only_encrypted = False
yield ACResultWARN(
_("Encryption for %s is only used if it is enabled on the remote site") % socket
)
if outgoing["encryption"] == "unencrypted":
only_encrypted = False
yield ACResultCRIT(_("Plain text communication is enabled for %s") % socket)
if only_encrypted:
yield ACResultOK("Encrypted communication is enabled for all configured connections")
def execute(self) -> Iterator[ACResult]:
if not self._get_effective_global_setting("escape_plugin_output"):
yield ACResultCRIT(
_(
"Please consider configuring the host or service rulesets "
'<a href="%s">Escape HTML in service output</a> or '
'<a href="%s">Escape HTML in host output</a> instead '
'of <a href="%s">disabling escaping globally</a>'
)
% (
"wato.py?mode=edit_ruleset&varname=extra_service_conf:_ESCAPE_PLUGIN_OUTPUT",
"wato.py?mode=edit_ruleset&varname=extra_host_conf:_ESCAPE_PLUGIN_OUTPUT",
"wato.py?mode=edit_configvar&varname=escape_plugin_output",
)
)
else:
yield ACResultOK(
_('Escaping is <a href="%s">enabled globally</a>')
% "wato.py?mode=edit_configvar&varname=escape_plugin_output"
)
def _check_site(self, site_id, site_config):
persist = site_config.get("persist", False)
if persist and _site_is_using_livestatus_proxy(site_id):
yield ACResultWARN(
_(
"Persistent connections are nearly useless "
"with Livestatus Proxy Daemon. Better disable it."
)
)
elif persist:
# TODO: At least for the local site we could calculate this.
# Or should we get the apache config from the remote site via automation?
yield ACResultWARN(
_(
"Either disable persistent connections or "
"carefully review maximum number of Apache processes and "
"possible livestatus connections."
)
)
else:
yield ACResultOK(_("Is not using persistent connections."))
def _perform_tests(self):
test_sites = self._analyze_sites()
self._logger.debug("Executing tests for %d sites" % len(test_sites))
results_by_site = {}
# Results are fetched simultaneously from the remote sites
result_queue = multiprocessing.JoinableQueue(
) # type: multiprocessing.Queue[Tuple[SiteId, str]]
processes = []
site_id = SiteId("unknown_site")
for site_id in test_sites:
process = multiprocessing.Process(
target=self._perform_tests_for_site,
args=(site_id, result_queue))
process.start()
processes.append((site_id, process))
# Now collect the results from the queue until all processes are finished
while any(p.is_alive() for site_id, p in processes):
try:
site_id, results_data = result_queue.get_nowait()
result_queue.task_done()
result = ast.literal_eval(results_data)
if result["state"] == 1:
raise MKGeneralException(result["response"])
if result["state"] == 0:
test_results = []
for result_data in result["response"]:
result = ACResult.from_repr(result_data)
test_results.append(result)
# Add general connectivity result
result = ACResultOK(_("No connectivity problems"))
result.from_test(ACTestConnectivity())
result.site_id = site_id
test_results.append(result)
results_by_site[site_id] = test_results
else:
raise NotImplementedError()
except six.moves.queue.Empty:
time.sleep(0.5) # wait some time to prevent CPU hogs
except Exception as e:
result = ACResultCRIT("%s" % e)
result.from_test(ACTestConnectivity())
result.site_id = site_id
results_by_site[site_id] = [result]
logger.exception("error analyzing configuration for site %s",
site_id)
self._logger.debug("Got test results")
# Group results by category in first instance and then then by test
results_by_category = {} # type: Dict[str, Dict[str, Dict[str, Any]]]
for site_id, results in results_by_site.items():
for result in results:
category_results = results_by_category.setdefault(
result.category, {})
test_results_by_site = category_results.setdefault(
result.test_id, {
"site_results": {},
"test": {
"title": result.title,
"help": result.help,
}
})
test_results_by_site["site_results"][result.site_id] = result
return results_by_category
def execute(self) -> Iterator[ACResult]:
if "checkresult" in self._get_effective_global_setting("alert_handler_event_types"):
yield ACResultCRIT(_("Alert handler are configured to handle all check execution."))
else:
yield ACResultOK(_("Alert handlers will handle state changes."))
def execute(self) -> Iterator[ACResult]:
if not rulebased_notifications_enabled():
yield ACResultCRIT("Rulebased notifications are deactivated in the global settings")
else:
yield ACResultOK(_("Rulebased notifications are activated"))
def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
if jobs.choices():
yield ACResultOK(_("You have configured %d backup jobs") % len(jobs.choices()))
else:
yield ACResultWARN(_("There is no backup job configured"))
def execute(self) -> Iterator[ACResult]:
if request.is_ssl_request:
yield ACResultOK(_("Site is using HTTPS"))
else:
yield ACResultWARN(_("Site is using plain HTTP. Consider enabling HTTPS."))
