We run a CheckMK (1.6.0p5 Raw) as distributed monitoring for long time now.
The slaves are distributed to different customers.
If one of our customers can access one slave (maybe mount the disc containing /omd to an other VM) he is able to see the configuratíon of all other slaves (and so from all other customers). That could be a big security breech.
If you want to stay with the Raw Edition, the only solution is to turn off Distributed WATO and configure each customer’s monitoring on the respective site. You can still use Distributed Monitoring (Remote Livestatus) to see all monitoring results on one console.
Yes, that’s right. It you turn off Distributed WATO, all sites have independent configuration.
Surely there is room for improvement. The Raw edition is a great base for automation. You can use the REST API to submit configurations, or even generate the hosts.mk and rules.mk files with a configuration management system like Ansible or a templating engine like Perl Template Toolkit. But this must be built outside of Checkmk.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.