Does the piggyback feature depend on any extra configuration - i.e. a whitelist of any kind?
If I have two hosts defined (in a multi-tenant check_mk), and a malicious actor configures host1’s check_mk agent to return <<<<host2>>>> (i.e. they guessed or know the other hostname), isn’t that a security issue?
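As an added example, not code from the thread or from Checkmk itself, this Python splits agent output at the `<<<<host>>>>` markers the question refers to and flags piggyback targets that a per-host allowlist does not permit for the sending host. The allowlist and the `split_piggyback` / `unexpected_piggyback` functions are assumptions for illustration, not a Checkmk setting.

```python
import re

# Checkmk agent output uses <<<section>>> headers for the host's own data and
# <<<<hostname>>>> markers to open a piggyback block destined for another host;
# an empty <<<<>>>> marker returns to the host's own data.
PIGGY_RE = re.compile(r"^<<<<(.*)>>>>$")


def split_piggyback(agent_output):
    """Return {target: [lines]}; the key '' holds the agent's own data."""
    sections = {"": []}
    current = ""
    for line in agent_output.splitlines():
        m = PIGGY_RE.match(line.strip())
        if m:
            current = m.group(1).strip()  # '' means back to own host
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def unexpected_piggyback(agent_output, source_host, allowed_targets):
    """Piggyback targets in the output that source_host is not allowed to feed.

    allowed_targets is an assumed policy map {source_host: [target, ...]}.
    """
    allowed = set(allowed_targets.get(source_host, ()))
    found = split_piggyback(agent_output)
    return sorted(t for t in found if t and t != source_host and t not in allowed)


# Constructed sample output: host1 has no piggyback rights, yet its output
# carries a block addressed to host2 (the scenario raised in the question).
SAMPLE = """<<<check_mk>>>
Version: 2.x
<<<df>>>
/dev/sda1 ext4 1000 500 500 50% /
<<<<host2>>>>
<<<df>>>
/dev/sdb1 ext4 1000 990 10 99% /data
<<<<>>>>
<<<uptime>>>
12345
"""
ALLOWLIST = {"esx01": ["vm-web", "vm-db"], "host1": []}

if __name__ == "__main__":
    print(unexpected_piggyback(SAMPLE, "host1", ALLOWLIST))  # ['host2']
```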
No. What do you mean exactly? Piggyback is a passive feature; you don’t do anything there if you don’t want to rename some host names for the data.
No. Why? If your “attacker” inserts a host name in the agent output, then it will only affect the monitoring if this host is also monitored on his own site. I expect that if you have a multi-tenant setup, every tenant has his own monitoring site. If you have no separate sites for your tenants, then you have no multi-tenant setup.
With this you can forbid that a host has piggyback data processed. Attention: today I have piggyback data on nearly every host (ESX / Veeam / HyperV). All these plugins will not work if you forbid processing piggyback data.
We may disagree slightly over the term multi-tenancy, but that’s not important. Check_mk will contact host1 for its agent output, and by default host1 can reply with host2 instead? Surely this is only a “feature” for highly-trusted systems and should be more restricted.
It’s a relatively low security risk due to what the attacker can achieve, but I feel it’s a security issue nonetheless. I think it should be off by default; it’s the principle of least privilege. Most hosts do not need to piggyback. And the ESXi/Veeam/Hyper-V agent connects to more-secure systems.
Even if every customer was perfectly isolated, poisoning the results to raise alerts is an attack against our on-call sysadmins’ sleep.
No. It can only transfer check results for a “host2” as an addition to its own data.
But why should this be a security issue?
Can you please describe what should be the security issue.
If you transfer piggyback data for another host, you only provide false data, but you cannot compromise some existing data or get access to some data.
A Veeam, HyperV or ESX host is nothing else than any other host. These systems provide data for all virtual / backed up servers. That means you cannot forbid the use of piggyback data for these hosts. And as a result I can provide false piggyback data for such hosts. But now again my question: where do you see the security issue?
No, you can only “poison” the check results from the customer’s own machines. Not from anywhere else.
Then you have a real problem and the admin should be happy to receive a false alert.