def _check_site(self, site_id):
if _site_is_using_livestatus_proxy(site_id):
yield ACResultOK(_("Site is using the Livestatus Proxy Daemon"))
elif not is_wato_slave_site():
yield ACResultWARN(
_(
"The Livestatus Proxy is not only good for slave sites, "
"enable it for your master site"
)
)
else:
yield ACResultWARN(_("Use the Livestatus Proxy Daemon for your site"))
def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
for job in jobs.objects.values():
if job.is_encrypted():
yield ACResultOK(_('The job "%s" is encrypted') % job.title())
else:
yield ACResultWARN(_('There job "%s" is not encrypted') % job.title())
def execute(self) -> Iterator[ACResult]:
if self._tmpfs_mounted(omd_site()):
yield ACResultOK(_("The temporary filesystem is mounted"))
else:
yield ACResultWARN(
_(
"The temporary filesystem is not mounted. Your installation "
"may work with degraded performance."
)
)
def _check_site(self, site_id, site_config):
persist = site_config.get("persist", False)
if persist and _site_is_using_livestatus_proxy(site_id):
yield ACResultWARN(
_(
"Persistent connections are nearly useless "
"with Livestatus Proxy Daemon. Better disable it."
)
)
elif persist:
# TODO: At least for the local site we could calculate this.
# Or should we get the apache config from the remote site via automation?
yield ACResultWARN(
_(
"Either disable persistent connections or "
"carefully review maximum number of Apache processes and "
"possible livestatus connections."
)
)
else:
yield ACResultOK(_("Is not using persistent connections."))
def execute(self) -> Iterator[ACResult]:
users = userdb.load_users()
num_users = len(users)
user_warn_threshold = 500
if num_users <= user_warn_threshold:
yield ACResultOK(_("You have %d users configured") % num_users)
else:
yield ACResultWARN(
_(
"You have %d users configured. Please review the number of "
"users you have configured in Checkmk."
)
% num_users
)
def execute(self) -> Iterator[ACResult]:
for connection_id, connection in userdb.active_connections():
if connection.type() != "ldap":
continue
assert isinstance(connection, ldap.LDAPUserConnector)
if connection.use_ssl():
yield ACResultOK(_("%s: Uses SSL") % connection_id)
else:
yield ACResultWARN(
_("%s: Not using SSL. Consider enabling it in the " "connection settings.")
% connection_id
)
def execute(self) -> Iterator[ACResult]:
process_limit = self._get_maximum_number_of_processes()
average_process_size = self._get_average_process_size()
estimated_memory_size = process_limit * (average_process_size * 1.2)
yield ACResultWARN(
_(
"The Apache may start up to %d processes while the current "
"average process size is %s. With these process limits the Apache may "
"use up to %s RAM. Please ensure that your system is able to "
"handle this."
)
% (
process_limit,
cmk.utils.render.fmt_bytes(average_process_size),
cmk.utils.render.fmt_bytes(estimated_memory_size),
)
)
class ACTestMknotifydCommunicationEncrypted(ACTest):
def category(self) -> str:
return ACTestCategories.security
def title(self) -> str:
return _("Encrypt notification daemon communication")
def help(self) -> str:
return _(
"Since version 2.1 it is possible to encrypt the communication of the notification "
"daemon with TLS. After an upgrade of an existing site incoming connections will still "
"use plain text communication and outgoing connections will try to use TLS and fall "
"back to plain text communication if the remote site does not support TLS. It is "
"recommended to enforce TLS encryption as soon as all sites support it."
)
def is_relevant(self) -> bool:
return True
def execute(self) -> Iterator[ACResult]:
only_encrypted = True
config = self._get_effective_global_setting("notification_spooler_config")
if (incoming := config.get("incoming", {})) and incoming.get("encryption") == "unencrypted":
only_encrypted = False
yield ACResultCRIT(
_("Incoming connections on port %s communicate via plain text")
% incoming["listen_port"]
)
for outgoing in config["outgoing"]:
socket = f"{outgoing['address']}:{outgoing['port']}"
if outgoing["encryption"] == "upgradable":
only_encrypted = False
yield ACResultWARN(
_("Encryption for %s is only used if it is enabled on the remote site") % socket
)
if outgoing["encryption"] == "unencrypted":
only_encrypted = False
yield ACResultCRIT(_("Plain text communication is enabled for %s") % socket)
if only_encrypted:
yield ACResultOK("Encrypted communication is enabled for all configured connections")
def execute(self) -> Iterator[ACResult]:
try:
num_cpu = multiprocessing.cpu_count()
except NotImplementedError:
yield ACResultOK(
_("Cannot test. Unable to determine the number of CPUs on target system.")
)
return
if self._get_effective_global_setting("cmc_checker_helpers") > num_cpu:
yield ACResultWARN(
_(
"Configuring more checkers than the number of available CPUs (%d) have "
"a detrimental effect, since they are not IO bound."
)
% num_cpu
)
return
yield ACResultOK(_("Number of Checkmk checkers is less than number of CPUs"))
def execute(self) -> Iterator[ACResult]:
local_connection = LocalConnection()
row = local_connection.query_row(
"GET status\nColumns: helper_usage_checker average_latency_fetcher\n"
)
checker_usage_perc = 100 * row[0]
fetcher_latency = row[1]
usage_warn, usage_crit = 85, 95
if checker_usage_perc >= usage_crit:
cls: Type[ACResult] = ACResultCRIT
elif checker_usage_perc >= usage_warn:
cls = ACResultWARN
else:
cls = ACResultOK
yield cls(
_(
"The current checker usage is %.2f%%. "
"The checks have an average check latency of %.3fs."
)
% (checker_usage_perc, fetcher_latency)
)
# Only report this as warning in case the user increased the default helper configuration
default_values = ABCConfigDomain.get_all_default_globals()
if (
self._get_effective_global_setting("cmc_checker_helpers")
> default_values["cmc_checker_helpers"]
and checker_usage_perc < 50
):
yield ACResultWARN(
_(
"The checker usage is below 50%, you may decrease the number of "
"checkers to reduce the memory consumption."
)
)
def execute(self) -> Iterator[ACResult]:
jobs = SiteBackupJobs()
if jobs.choices():
yield ACResultOK(_("You have configured %d backup jobs") % len(jobs.choices()))
else:
yield ACResultWARN(_("There is no backup job configured"))
def execute(self) -> Iterator[ACResult]:
if request.is_ssl_request:
yield ACResultOK(_("Site is using HTTPS"))
else:
yield ACResultWARN(_("Site is using plain HTTP. Consider enabling HTTPS."))