Piggyback feature - security concern

Does the piggyback feature depend on any extra configuration - i.e. a whitelist of any kind?

If I have two hosts defined (in a multi-tenant check_mk), and a malicious actor configures host1’s check_mk agent to return <<<<host2>>>> (i.e. they guessed or know the other hostname), isn’t that a security issue?

EDIT: of course, as soon as I posted, I found https://checkmk.com/check_mk-werks.php?werk_id=7245 . Is that the recommended mitigation?

No - what do you mean exactly? Piggyback is a passive feature; you don’t do anything there if you don’t want to rename some host names for the data.

No - why? If your “attacker” inserts a host name in the agent output then it will only affect the monitoring if this host is also monitored on his own site. I expect if you have a multi-tenant setup that every tenant has his own monitoring site. If you have no separate sites for your tenants then you have no multi-tenant setup.

With this you can forbid that a host has piggyback data processed. Attention: today I have piggyback data on nearly every host (ESX / Veeam / HyperV). All these plugins will not work if you forbid to process piggyback data.

We may disagree slightly over the term multi-tenancy, but that’s not important. Check_mk will contact host1 for its agent output and by default host1 can reply with host2 instead? Surely this is only a “feature” for highly-trusted systems and should be more restricted.

It’s a relatively low security risk due to what the attacker can achieve, but I feel it’s a security issue nonetheless. I think it should be off by default - it’s principle of least privilege. Most hosts do not need to piggyback. And the esxi/veeam/hyper-v agent connects to more-secure systems.

Even if every customer was perfectly isolated, poisoning the results to raise alerts is an attack against our on-call sysadmins’ sleep :wink:

No - it can only transfer check results for a “host2” as an addition to its own data.

But why should this be a security issue?
Can you please describe what should be the security issue?
If you transfer piggyback data for another host you do only provide false data but you cannot compromise some existing data or get access to some data.

A Veeam, HyperV or ESX host is nothing else than any other host. These systems provide data for all virtual / backed up servers. That means you cannot forbid to use piggyback data for these hosts. And as a result I can provide false piggyback data for such hosts. But now again my question - where do you see the security issue?

No, you can only “poison” the check results from the customer’s own machines. Not from anywhere else.
Then you have a real problem and the admin should be happy to receive a false alert.

If you don’t believe in the principle of least privilege then I’m not sure my explaining it any further is going to help.

Thanks for clarifying how some parts of Check_MK work though.
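
The whitelist idea raised in the thread can be checked outside the monitoring server. The following is an added example, not part of the thread and not Checkmk's own code: it parses raw agent output for piggyback blocks (`<<<<hostname>>>>` opens one, `<<<<>>>>` closes it) and reports targets the source host is not expected to speak for. The host names, the `ALLOWED` mapping, the function names and the sample output are all constructed for illustration.

```python
import re

# "<<<<name>>>>" opens a piggyback block for host "name"; "<<<<>>>>" closes it.
PIGGYBACK_RE = re.compile(r"^<<<<(.*)>>>>$")
# Ordinary section header, e.g. "<<<df>>>" or "<<<df:sep(9)>>>".
SECTION_RE = re.compile(r"^<<<([^<>]+)>>>$")

def piggyback_targets(agent_output):
    """Return {target_host: [section names]} for each piggyback block."""
    targets = {}
    current = None  # host the following sections are attributed to
    for raw in agent_output.splitlines():
        line = raw.strip()
        block = PIGGYBACK_RE.match(line)
        if block:
            current = block.group(1) or None  # empty name ends the block
            if current:
                targets.setdefault(current, [])
            continue
        section = SECTION_RE.match(line)
        if section and current:
            # Drop header options such as ":sep(9)" and keep the section name.
            targets[current].append(section.group(1).split(":")[0])
    return targets

def unexpected_piggyback(source_host, agent_output, allowed):
    """List piggyback targets that source_host is not allowed to report for."""
    permitted = allowed.get(source_host, set())
    return sorted(t for t in piggyback_targets(agent_output) if t not in permitted)

# Constructed allowlist: only the hypervisor may deliver data for its guests.
ALLOWED = {"esx01": {"vm-a", "vm-b"}}

# Constructed agent output for host1 that carries a block addressed to host2.
SAMPLE_HOST1_OUTPUT = """\
<<<check_mk>>>
Version: constructed-sample
<<<<host2>>>>
<<<df:sep(9)>>>
/dev/sda1\text4\t1000\t999\t1\t100%\t/
<<<<>>>>
<<<uptime>>>
12345.67 0.00
"""

if __name__ == "__main__":
    print(unexpected_piggyback("host1", SAMPLE_HOST1_OUTPUT, ALLOWED))
```

Run against captured agent output per host, a non-empty result is a signal to review before the data reaches on-call alerting.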