Remote Alert Handlers

I have read the documentation for Remote Alert Handlers, but I have a question.

It says that Checkmk will log into a host over ssh and then execute the commands as a user. The default is root. It generates its own SSH key when you create the rule.

How is that key authorized to authenticate as root?

Why does it need to SSH at all? Why not just send a command to the installed Agent to run the command?

For security reasons, we do not allow SSH connections as root. I think that is a sane policy most everyone should have. How do Remote Alert Handlers work in that case?

I’d prefer to create a service account in our IDM system with an SSH key, and have CheckMK use that, and then sudo to run the Remote Alert Handler. Is that an option, and if so, how?

Thanks!

Because the agent itself is read-only for security reasons.

Have you looked at how the remote alert handler is implemented?
It installs the SSH public key into /root/.ssh/authorized_keys with a command restriction that only allows executing the remote alert handler. Seems pretty secure to me.

If you want to do it this way, you have to come up with your own solution.

You do not have to use the root account; you can create a separate service account that will only be used for remote handlers, and you can use sudoers to manage access.

We don't use alert handlers as they break other security policies (won't go into details); instead we use custom notifications together with Kafka and EDA. It's more secure and gives way more options.

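As an added example (not Checkmk's own code and not from any poster in this thread), a small POSIX shell helper that produces the kind of forced-command authorized_keys entry described above, but for a dedicated non-root account, pairs it with a sudoers rule limited to that one program, and audits an authorized_keys file for entries that lack the restriction. The handler path, the account name and the key material are placeholders, not values from Checkmk.

```shell
#!/bin/sh
# Added example, not Checkmk code. Placeholders: the handler path, the
# account name and the key material are supplied by the caller.

# One authorized_keys line that pins the key to a single program. 'restrict'
# (OpenSSH 7.2+) disables pty, port/agent/X11 forwarding; whatever command the
# client asked for is ignored and only reaches the handler as $SSH_ORIGINAL_COMMAND.
restricted_key_line() {
    handler="$1"   # absolute path of the only program this key may run
    pubkey="$2"    # "ssh-ed25519 AAAA... comment" as printed by ssh-keygen
    printf 'restrict,command="%s" %s\n' "$handler" "$pubkey"
}

# Companion sudoers rule for a non-root handler account: if the handler needs
# root for some actions, sudo is confined to that one program and nothing else.
sudoers_rule() {
    account="$1"
    handler="$2"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$account" "$handler"
}

# Audit an authorized_keys file. Returns 0 only if every key entry carries both
# a forced command and restrict (or at least no-pty on servers older than 7.2).
audit_authorized_keys() {
    awk '
        /^[ \t]*$/                           { next }        # blank line
        /^[ \t]*#/                           { next }        # comment
        /^(ssh-|ecdsa-|sk-)/                 { bad++; next } # bare key: no options at all
        !/command="[^"]+"/                   { bad++; next } # options, but no forced command
        !/(^|,)(restrict|no-pty)(,| )/       { bad++; next } # forced command, but shell extras left on
        END { exit (bad > 0) }
    ' "$1"
}
```

Run `audit_authorized_keys /home/<account>/.ssh/authorized_keys` from a cron job or a config-management check to catch an entry that was later edited by hand to drop the restriction.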