Checkmk 2.2 security highlights

New security features and improvements in Checkmk 2.2.

LAST TESTED ON CHECKMK 2.2.0P1



Extend login options (2FA)

2FA with WebAuthn

  • Protect user login with second factor
  • Hardware token (e.g., YubiKey) or one-time tokens as fallback
  • https://checkmk.com/werk/13325

    Please note: HTTPS and UI access via DNS name are required

SAML authentication how-to

Improved user login process

Better login password hashing


Extended Logging

Notification spooler encryption

Goal

  • Close last unencrypted communications channel between Checkmk sites
  • Do not break existing installations

Approach

  • Same approach as Livestatus encryption → stunnel (TLS socket wrapper)
  • https://checkmk.com/werk/13610
  • Challenges:
    • Livestatus: Connect direction is clear → central site needs to trust remote site
    • Spooler: Allows connection in both directions → remote site may need to trust central site

Password store obfuscation

Goal

Mitigate the simple attack vector of extracting clear-text passwords from the password store via grep etc.

Mitigation approach

  • Encrypted, clear text no longer directly accessible
  • Existing store is automatically migrated
  • New implementations now all use password store
  • Continuing to extend password store coverage
  • https://checkmk.com/werk/13633

Improving processes and capabilities

Team build

  • Building dedicated internal security team
  • Added 3 security devs
  • They work integrated with the other teams

External audits

  • Regular product and company pen-tests (2x per year)
  • ISO-27001 pre-audit in April 202

Process improvements

  • Improvement of security-related processes (e.g., incident response)
  • Improvement of secure development lifecycle by training etc.