Checkmk 2.2 security highlights
New security features and improvements in Checkmk 2.2.
Extend login options (2FA)
2FA with WebAuthn
Protect user login with second factor
Hardware token (e.g., YubiKey) or one-time tokens as fallback
https://checkmk.com/werk/13325
SAML authentication how-to
Many enterprise environments use SAML
Makes logins across multiple web applications easier
https://checkmk.com/werk/10320
Improved user login process
Better login password hashing
New passwords are bcrypt hashed
Existing passwords (hashed differently) still work
Extended Logging
Extended logging of failed user logins
Notification spooler encryption
Goal
Close last unencrypted communications channel between Checkmk sites
Do not break existing installations
Approach
Same approach as Livestatus encryption → stunnel (TLS socket wrapper)
Challenges:
Livestatus: Connect direction is clear → central site needs to trust remote site
Spooler: Allows connection in both directions → remote site may need to trust central site
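The two trust directions above, as an added illustration (not Checkmk's own generated configuration). It assumes stunnel handles TLS on both sites; all host names, ports and file paths are placeholders.

```ini
; Constructed illustration. Sections for both sites are shown together;
; in practice each site has its own stunnel configuration file.

; ---- Livestatus: only the central site initiates ----
; On the remote site: TLS server, presents the remote site's certificate.
[livestatus-server]
accept = 0.0.0.0:6557
connect = 127.0.0.1:16557
cert = /path/to/remote-site-cert.pem
key = /path/to/remote-site-key.pem

; On the central site: TLS client, must trust the remote site's CA.
[livestatus-client]
client = yes
accept = 127.0.0.1:26557
connect = remote.example.net:6557
CAfile = /path/to/trusted-remote-ca.pem
verifyChain = yes
checkHost = remote.example.net

; ---- Notification spooler: either site may initiate ----
; Case A: central connects to remote (same direction as Livestatus).
; The remote site runs a server section with its own cert/key, and the
; central site runs a client section trusting the remote site's CA.

; Case B: remote connects to central. The roles are reversed.
; On the central site: TLS server, presents the central site's certificate.
[spooler-server]
accept = 0.0.0.0:6555
connect = 127.0.0.1:16555
cert = /path/to/central-site-cert.pem
key = /path/to/central-site-key.pem

; On the remote site: TLS client, must now trust the central site's CA.
[spooler-client]
client = yes
accept = 127.0.0.1:26555
connect = central.example.net:6555
CAfile = /path/to/trusted-central-ca.pem
verifyChain = yes
checkHost = central.example.net
```

Whichever site opens the connection is the one that needs the peer's CA in its trust store, which is why the spooler can require trust from remote to central while Livestatus does not.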
Password store obfuscation
Goal
Mitigate simple attack vector of extracting clear text passwords from password store via grep etc.
Mitigation approach
Encrypted, clear text no longer directly accessible
Existing store is automatically migrated
New implementations now all use password store
Continuing to extend password store coverage
Improving processes and capabilities
Team build
Building dedicated internal security team
Added 3 security devs
They work integrated with the other teams
External audits
Regular product and company pen-tests (2x per year)
ISO-27001 pre-audit in April 202
Process improvements
Improvement of security-related processes (e.g., incident response)
Improvement of secure development lifecycle by training etc.