def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
if jobs.choices():
yield ACResultOK(
_("You have configured %d backup jobs") % len(jobs.choices()))
else:
yield ACResultWARN(_("There is no backup job configured"))
def execute(self) -> Iterator[ACResult]:
if self._tmpfs_mounted(omd_site()):
yield ACResultOK(_("The temporary filesystem is mounted"))
else:
yield ACResultWARN(
_("The temporary filesystem is not mounted. Your installation "
"may work with degraded performance."))
def execute(self) -> Iterator[ACResult]:
if not rulebased_notifications_enabled():
yield ACResultCRIT(
"Rulebased notifications are deactivated in the global settings"
)
else:
yield ACResultOK(_("Rulebased notifications are activated"))
def execute(self) -> Iterator[ACResult]:
errors = cmk.gui.utils.get_failed_plugins()
if not errors:
yield ACResultOK(_("No broken extensions were found."))
for plugin_path, e in errors:
yield ACResultCRIT(_('Loading "%s" failed: %s') % (plugin_path, e))
def execute(self) -> Iterator[ACResult]:
if "checkresult" in self._get_effective_global_setting(
"alert_handler_event_types"):
yield ACResultCRIT(
_("Alert handler are configured to handle all check execution."
))
else:
yield ACResultOK(_("Alert handlers will handle state changes."))
def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
for job in jobs.objects.values():
if job.is_encrypted():
yield ACResultOK(_('The job "%s" is encrypted') % job.title())
else:
yield ACResultWARN(
_('There job "%s" is not encrypted') % job.title())
def execute(self) -> Iterator[ACResult]:
cfg = ConfigDomainOMD().default_globals()
if not cfg["site_livestatus_tcp"]:
yield ACResultOK(_("Livestatus network traffic is encrypted"))
return
if not cfg["site_livestatus_tcp"]["tls"]:
yield ACResultCRIT(_("Livestatus network traffic is unencrypted"))
def execute(self) -> Iterator[ACResult]:
if (cmk.gui.plugins.userdb.htpasswd.HtpasswdUserConnector(
{}).check_credentials(UserId("omdadmin"), "omd") == "omdadmin"):
yield ACResultCRIT(
_("Found <tt>omdadmin</tt> with default password. "
"It is highly recommended to change this password."))
else:
yield ACResultOK(
_("Found <tt>omdadmin</tt> using custom password."))
def execute(self) -> Iterator[ACResult]:
try:
num_cpu = multiprocessing.cpu_count()
except NotImplementedError:
yield ACResultOK(
_("Cannot test. Unable to determine the number of CPUs on target system."
))
return
if self._get_effective_global_setting("cmc_checker_helpers") > num_cpu:
yield ACResultWARN(
_("Configuring more checkers than the number of available CPUs (%d) have "
"a detrimental effect, since they are not IO bound.") %
num_cpu)
return
yield ACResultOK(
_("Number of Checkmk checkers is less than number of CPUs"))
def execute(self) -> Iterator[ACResult]:
users = userdb.load_users()
num_users = len(users)
user_warn_threshold = 500
if num_users <= user_warn_threshold:
yield ACResultOK(_("You have %d users configured") % num_users)
else:
yield ACResultWARN(
_("You have %d users configured. Please review the number of "
"users you have configured in Checkmk.") % num_users)
def execute(self) -> Iterator[ACResult]:
rules = self._get_rules()
if not bool(rules):
yield ACResultOK(
_("No ruleset <b>State in case of restricted address mismatch</b> is configured"
))
return
for folder_title, rule_state in rules:
yield ACResultCRIT("Rule in <b>%s</b> has value <b>%s</b>" %
(folder_title, rule_state))
def _check_site(self, site_id):
if _site_is_using_livestatus_proxy(site_id):
yield ACResultOK(_("Site is using the Livestatus Proxy Daemon"))
elif not is_wato_slave_site():
yield ACResultWARN(
_("The Livestatus Proxy is not only good for slave sites, "
"enable it for your master site"))
else:
yield ACResultWARN(
_("Use the Livestatus Proxy Daemon for your site"))
def execute(self) -> Iterator[ACResult]:
all_rules_ok = True
for folder, rule_index, rule in self._get_rules():
vsphere_queries_agent = rule.value.get("direct") in [
"agent", "hostsystem_agent"
]
if vsphere_queries_agent:
all_rules_ok = False
yield ACResultCRIT(
_("Rule %d in Folder %s is affected") %
(rule_index + 1, folder.title()))
if all_rules_ok:
yield ACResultOK(_("No configured rules are affected"))
def execute(self) -> Iterator[ACResult]:
for connection_id, connection in userdb.active_connections():
if connection.type() != "ldap":
continue
assert isinstance(connection, ldap.LDAPUserConnector)
if connection.use_ssl():
yield ACResultOK(_("%s: Uses SSL") % connection_id)
else:
yield ACResultWARN(
_("%s: Not using SSL. Consider enabling it in the "
"connection settings.") % connection_id)
class ACTestMknotifydCommunicationEncrypted(ACTest):
def category(self) -> str:
return ACTestCategories.security
def title(self) -> str:
return _("Encrypt notification daemon communication")
def help(self) -> str:
return _(
"Since version 2.1 it is possible to encrypt the communication of the notification "
"daemon with TLS. After an upgrade of an existing site incoming connections will still "
"use plain text communication and outgoing connections will try to use TLS and fall "
"back to plain text communication if the remote site does not support TLS. It is "
"recommended to enforce TLS encryption as soon as all sites support it."
)
def is_relevant(self) -> bool:
return True
def execute(self) -> Iterator[ACResult]:
only_encrypted = True
config = self._get_effective_global_setting(
"notification_spooler_config")
if (incoming := config.get(
"incoming",
{})) and incoming.get("encryption") == "unencrypted":
only_encrypted = False
yield ACResultCRIT(
_("Incoming connections on port %s communicate via plain text")
% incoming["listen_port"])
for outgoing in config["outgoing"]:
socket = f"{outgoing['address']}:{outgoing['port']}"
if outgoing["encryption"] == "upgradable":
only_encrypted = False
yield ACResultWARN(
_("Encryption for %s is only used if it is enabled on the remote site"
) % socket)
if outgoing["encryption"] == "unencrypted":
only_encrypted = False
yield ACResultCRIT(
_("Plain text communication is enabled for %s") % socket)
if only_encrypted:
yield ACResultOK(
"Encrypted communication is enabled for all configured connections"
)
def execute(self) -> Iterator[ACResult]:
if not self._get_effective_global_setting("escape_plugin_output"):
yield ACResultCRIT(
_("Please consider configuring the host or service rulesets "
'<a href="%s">Escape HTML in service output</a> or '
'<a href="%s">Escape HTML in host output</a> instead '
'of <a href="%s">disabling escaping globally</a>') %
(
"wato.py?mode=edit_ruleset&varname=extra_service_conf:_ESCAPE_PLUGIN_OUTPUT",
"wato.py?mode=edit_ruleset&varname=extra_host_conf:_ESCAPE_PLUGIN_OUTPUT",
"wato.py?mode=edit_configvar&varname=escape_plugin_output",
))
else:
yield ACResultOK(
_('Escaping is <a href="%s">enabled globally</a>') %
"wato.py?mode=edit_configvar&varname=escape_plugin_output")
def _check_site(self, site_id, site_config):
persist = site_config.get("persist", False)
if persist and _site_is_using_livestatus_proxy(site_id):
yield ACResultWARN(
_("Persistent connections are nearly useless "
"with Livestatus Proxy Daemon. Better disable it."))
elif persist:
# TODO: At least for the local site we could calculate this.
# Or should we get the apache config from the remote site via automation?
yield ACResultWARN(
_("Either disable persistent connections or "
"carefully review maximum number of Apache processes and "
"possible livestatus connections."))
else:
yield ACResultOK(_("Is not using persistent connections."))
def execute(self) -> Iterator[ACResult]:
if request.is_ssl_request:
yield ACResultOK(_("Site is using HTTPS"))
else:
yield ACResultWARN(
_("Site is using plain HTTP. Consider enabling HTTPS."))