New security features and improvements in Checkmk 2.2.
LAST TESTED ON CHECKMK 2.2.0P1
Table of Contents
Extend login options (2FA)
2FA webauthn
- Protect user login with second factor
- Hardware token (i.e., YubiKey) or one-time tokens as fallback
https://checkmk.com/werk/13325
Please note: HTTPS and UI access via DNS name is required
SAML authentication how-to
- Many enterprise environments use SAML
- Makes logins across multiple web applications easier
https://checkmk.com/werk/10320
Documentation: https://docs.checkmk.com/latest/en/saml.html
Improved user login process
Better login password hashing
- New passwords are bcrypt hashed
- Existing passwords (hashed differently) still work
- https://checkmk.com/werk/13196
Extended Logging
- Extended logging of failed user logins
- https://checkmk.com/werk/12872
Notification spooler encryption
Goal
- Close last unencrypted communications channel between Checkmk sites.
- Do not break existing installations
Approach
- Same approach as Livestatus encryption → stunnel (TLS socket wrapper)
- https://checkmk.com/werk/13610
- Challenges:
- Livestatus: Connect direction is clear → central site needs to trust remote site
- Spooler: Allows connection in both directions → remote site may need to trust central site
Password store obfuscation
Goal
Mitigate simple attack vector of extracting clear text passwords from password store via grep etc.
Mitigation approach
- Same approach as Livestatus encryption → stunnel (TLS socket wrapper)Encrypted, clear text no longer directly accessible
- Existing store is automatically migrated
- New implementations now all use password store
- Continuing to extend password store coverage
- https://checkmk.com/werk/13633
Improving processes and capabilities
Team build
- Building dedicated internal security team
- Added 3 security devs
- They work integrated with the other teams
External audits
- Regular product and company pen-tests (2x per year)
- ISO-27001 pre-audit in April 202
Process improvements
- Improvement of security-related processes (e.g., incident response)
- Improvement of secure development lifecycle by training etc.
Related articles