I have a few open points that I would like to discuss in this round in regard to the use of CheckMK monitoring. Please feel free to add or correct any points you feel need to be added or corrected.
Firstly, the installation and distribution of the agent will be automated. The configuration and host registration have to be completed via the CheckMK portal, as well as moving the host to its respective folder and applying the required rule set to achieve effective monitoring.
Secondly, there should be a specific service account used for the agent itself, to prevent any security vulnerabilities connected to using the local system account. I am suggesting either an MSA (managed service account), which requires domain functional level 2008 R2, or a gMSA (group managed service account), which requires domain functional level 2012 R2 or higher. Of these two options, the obviously simpler one to use and set up would be a gMSA, as this could be a single service account used for all hosts. This service account would also be granted read rights to specific objects and databases in MS SQL; interactive logon will be disabled. The biggest advantage of this setup is that there is no need to manage passwords, as the domain will fulfil this role.
Thirdly, we should have a standard way of building infrastructure for the purpose of enabling monitoring. As an addition to this standard, I would like to suggest that there be a “slave” CheckMK monitoring site for each customer per environment; in most cases this would result in 3 monitoring sites per customer (PROD, REF/UAT, TEST/SIT). By following this setup we would not need to request FW rules for each new or already existing host, but instead only allow the “slave” monitoring site server to communicate with the “master” monitoring site server on port 6556.
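As an added illustration of the second point (example code, not part of the original post or of the CheckMK project), the following PowerShell provisions a single gMSA for the agent and binds the agent service to it. The gMSA name, the AD group, the domain name and the agent service name are all assumed placeholders; adjust them to the environment.

```powershell
# Added example: one gMSA shared by all monitored hosts, password rotation handled by the domain.
# Assumed names (placeholders): gMSA 'gmsaCheckmk', group 'Checkmk-Agent-Hosts',
# domain 'CORP' / 'corp.example', agent service 'CheckMkService'.
# Requires the ActiveDirectory RSAT module and domain functional level 2012 R2 or higher.

# --- Run once per forest/domain, as a Domain Admin ---
# A KDS root key must exist before any gMSA can be created.
# -EffectiveImmediately is for lab use; in production wait ~10 hours for replication instead.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group (the monitored hosts' computer accounts) may retrieve the gMSA password.
New-ADGroup -Name 'Checkmk-Agent-Hosts' -GroupScope Global -GroupCategory Security

New-ADServiceAccount -Name 'gmsaCheckmk' `
    -DNSHostName 'gmsaCheckmk.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Checkmk-Agent-Hosts' `
    -Enabled $true

# --- Run per monitored host (can be folded into the automated agent rollout) ---
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity 'Checkmk-Agent-Hosts' -Members $computer
# The host needs a fresh Kerberos ticket (reboot or 'klist -li 0x3e7 purge') before the membership applies.

Install-ADServiceAccount -Identity 'gmsaCheckmk'
if (-not (Test-ADServiceAccount -Identity 'gmsaCheckmk')) {
    throw 'Host cannot retrieve the gMSA password; check group membership and AD replication.'
}

# Rebind the agent service: a gMSA logon name ends in '$' and takes an empty password.
# Unlike services.msc, this path does not grant SeServiceLogonRight automatically; grant
# 'Log on as a service' to CORP\gmsaCheckmk$ via GPO, and deny 'Log on locally' there too,
# so interactive logon is blocked as proposed.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CheckMkService'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = 'CORP\gmsaCheckmk$'; StartPassword = '' }
if ($result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed with Win32_Service.Change code $($result.ReturnValue)"
}
Restart-Service -Name 'CheckMkService'

# Verify the agent no longer runs as LocalSystem.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='CheckMkService'").StartName
```

The MS SQL read rights mentioned above are granted on the SQL side by creating a login for CORP\gmsaCheckmk$ and mapping it to a low-privilege database role; that part is outside this snippet.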