checkmk is an enterprise monitoring solution covering host and service monitoring, alerting and reporting. A deployment consists of several security-sensitive components: the web interface (served by the site's own Apache behind the system Apache), the REST API, the Livestatus query interface, and the agents on every monitored host. The monitoring data itself is also valuable to an attacker, because it contains host names, software versions, and the credentials checkmk uses for SNMP and special agents. This guide covers security measures for production checkmk deployments: network exposure, authentication and authorization, transport encryption, protection of configuration and backups, and logging.
Configure host firewall rules for each checkmk component. Note which side listens on which port: the agent port 6556 is opened on the monitored hosts (and should accept only the checkmk server), whereas the agent receiver on port 8000 is on the checkmk server and accepts registrations and push data from the agents. ufw evaluates rules in order and denies inbound traffic by default, so the explicit deny lines at the end only guard against broader allow rules added later.
# --- On the checkmk server ---
ufw default deny incoming
# Web interface (system Apache, proxying to the site Apache)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Agent receiver: agent registration and push mode, reachable only from monitored hosts
ufw allow from 10.0.1.0/24 to any port 8000 proto tcp
# Livestatus over TCP, only if it is exposed at all; keep it loopback-only unless a remote consumer needs it
ufw allow from 127.0.0.1 to any port 6557 proto tcp
# --- On each monitored host ---
# The agent listens on 6556; accept only the checkmk server address
ufw allow from 10.0.1.100 to any port 6556 proto tcp
# Safeguards against later, broader allow rules
ufw deny from any to any port 6556 proto tcp
ufw deny from any to any port 6557 proto tcp
For a containerized site the equivalent restriction is a NetworkPolicy. The server pod needs the web port(s) and the agent receiver (8000) reachable; it does not listen on 6556 itself, since that is the agent port on monitored hosts. The namespaceSelector only works if the monitoring namespace actually carries the label name=monitoring.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkmk-network-policy
spec:
  podSelector:
    matchLabels:
      app: checkmk
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
        # agent receiver: agents register and push here
        - protocol: TCP
          port: 8000
Configure Apache binding for checkmk. checkmk is not served from a DocumentRoot: OMD generates /omd/apache/mysite.conf, which the system Apache includes and which proxies the URL prefix /mysite/ to the site's own Apache. What you control in the system Apache is the address the virtual host binds to and which source networks may reach the site prefix:
# /etc/apache2/sites-available/checkmk.conf (system Apache)
# Bind to the management interface only, not to every address on the host
<VirtualHost 10.0.1.100:443>
    ServerName checkmk.company.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/checkmk.crt
    SSLCertificateKeyFile /etc/ssl/private/checkmk.key
    # /mysite is proxied by OMD's generated config; restrict it by source address here
    <Location /mysite>
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Location>
</VirtualHost>
Configure agent binding. There is no agent.cfg with an only_from option: for the legacy xinetd-based agent the restriction is the xinetd only_from directive in the agent's service file, and for the agent controller shipped since checkmk 2.1 the TLS registration itself is the access control, because after registration the agent answers only TLS connections presented with the registered site's certificate. Where the xinetd agent is still in use:
# /etc/xinetd.d/check-mk-agent (legacy xinetd agent)
service check_mk
{
    # Only the checkmk server may query the agent
    only_from = 10.0.1.100
}
Configure HTTP authentication. checkmk authenticates users itself (login form and session cookie) and keeps their password hashes in the site file /omd/sites/mysite/etc/htpasswd. A second Basic-auth layer in the system Apache with its own htpasswd file therefore creates a separate credential store to keep in sync, and it breaks REST API clients, whose Authorization: Bearer header the Apache layer would reject. Put Apache authentication in front of checkmk only when you deliberately delegate login to the web server (for example Kerberos or client certificates) and hand the identity on as REMOTE_USER, which requires that your checkmk version be configured to accept web-server authentication:
# /etc/apache2/conf-available/checkmk.conf: only when Apache is the identity provider
<Location /mysite>
    AuthType Basic
    AuthName "checkmk Access"
    AuthUserFile /omd/sites/mysite/etc/htpasswd
    Require valid-user
</Location>
Manage users in Setup > Users, which writes the site's htpasswd, or from the shell as the site user:
# checkmk 2.2 and newer: set or change a password in the site's own store
cmk-passwd admin
# Older versions: bcrypt hashes via htpasswd, written to the site file (never -c, which would truncate it)
htpasswd -B /omd/sites/mysite/etc/htpasswd username
Configure checkmk roles. Roles are managed under Setup > Users > Roles & permissions and persisted by checkmk to the site file etc/check_mk/multisite.d/wato/roles.mk (a Python-syntax .mk file, not a .py module, and overwritten by the GUI). checkmk ships three built-in roles, admin, user and guest; custom roles such as the operator and viewer below are clones of a built-in role with permissions removed. Build least-privilege roles by cloning guest or user and adding only what is needed, never by cloning admin and removing things. The permission names in this example are shorthand: the real identifiers are dotted (for example general.use, wato.hosts) and should be copied from the GUI.
# /omd/sites/mysite/etc/check_mk/multisite.d/wato/roles.mk (simplified; permission names are shorthand)
roles["admin"] = {
    "alias": "Administrator",
    "permissions": ["*"],
}
roles["operator"] = {
    "alias": "Operator",
    "permissions": [
        "monitoring",
        "wato_hosts",
        "wato_services",
    ],
}
roles["viewer"] = {
    "alias": "Viewer",
    "permissions": [
        "monitoring",
    ],
}
Configure notification contacts. Contacts and contact groups are written by Setup to etc/check_mk/conf.d/wato/contacts.mk and etc/check_mk/multisite.d/wato/groups.mk respectively; the structure below is simplified. Keep these files GUI-managed: a hand edit is overwritten by the next change in Setup. Notification routing data such as e-mail and pager numbers discloses who is on call, so the files deserve the same protection as the rest of the site configuration.
# /omd/sites/mysite/etc/check_mk/conf.d/wato/contacts.mk (simplified)
contacts["admin"] = {
    "alias": "System Administrator",
    "email": "admin@company.com",
    "pager": "+1234567890",
}
# /omd/sites/mysite/etc/check_mk/multisite.d/wato/groups.mk (simplified)
contactgroups["admins"] = {
    "alias": "Administrators",
    "members": ["admin", "ops-lead"],
}
LDAP Authentication. LDAP connections are configured under Setup > Users > LDAP connections and stored in etc/check_mk/multisite.d/wato/user_connections.mk; the keys below are a simplified illustration, not the literal option names. The security-relevant choices are LDAPS (port 636) or STARTTLS with certificate verification against your CA, a dedicated read-only bind account, a user filter that admits only the accounts that should be able to log in, and group-to-role mapping so that LDAP group membership rather than manual edits decides who is admin. Note that .mk files are evaluated as Python, not by a shell, so a value like "${LDAP_PASSWORD}" would be stored as that literal string; the bind password is entered in the GUI and kept by checkmk in the site.
# illustrative structure; the real keys are written by the GUI
ldap_connection = {
    "server": "ldap.company.com",
    "port": 636,
    "protocol": "ldaps",
    "verify_certificate": True,
    "bind_dn": "cn=checkmk,ou=services,dc=company,dc=com",
    "bind_pw": "<entered in Setup, not placed in a file>",
    "user_base": "ou=users,dc=company,dc=com",
    "user_filter": "(&(objectClass=inetOrgPerson)(memberOf=cn=checkmk-users,ou=groups,dc=company,dc=com))",
    "user_attr": "uid",
    "group_base": "ou=groups,dc=company,dc=com",
}
SAML Authentication. SAML single sign-on is a feature of the commercial editions and is configured under Setup > Users > SAML connections; the structure below is illustrative. Fetch the IdP metadata over HTTPS only and re-verify it when the IdP rotates keys, require signed assertions, use a unique SP entity ID, and make the ACS URL the exact HTTPS URL of the site so that an attacker cannot redirect assertions elsewhere.
# illustrative structure; set through the GUI
saml_connection = {
    "idp_metadata": "https://sso.company.com/saml/metadata",
    "sp_entity_id": "checkmk",
    "acs_url": "https://checkmk.company.com/mysite/check_mk/saml/acs",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "require_signed_assertions": True,
}
Enable two-factor authentication. checkmk's second factor (security tokens via WebAuthn, with authenticator-app codes in newer versions) is enrolled by each user in their own profile, not through a configuration file; newer versions also let an administrator require it, so check the role permissions of your version. At a minimum, require it for every account with admin or Setup rights, and remember that automation users authenticate with a secret and are not covered by it, which is why their roles must be narrow. The block below expresses the intended policy, not a file checkmk reads:
# policy illustration, not a configuration file
mfa_policy = {
    "enabled": True,
    "required_for_roles": ["admin", "operator"],
    "totp_issuer": "checkmk",
}
Configure HTTPS for checkmk in the system Apache (mod_ssl and mod_headers must be enabled: a2enmod ssl headers). Allow TLS 1.2 and 1.3 only, disable the obsolete X-XSS-Protection filter explicitly, and be aware that checkmk's UI needs inline scripts and styles, so the Content-Security-Policy cannot be strict; 'unsafe-eval' in particular removes most of what the policy protects against, so deploy without it first and add it back only if pages break.
# /etc/apache2/sites-available/checkmk-ssl.conf
<VirtualHost *:443>
    ServerName checkmk.company.com
    SSLEngine on
    # Apache 2.4.8+: leaf and intermediate certificates go together in SSLCertificateFile;
    # SSLCertificateChainFile is deprecated
    SSLCertificateFile /etc/ssl/certs/checkmk-fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/checkmk.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    # Security headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "same-origin"
    # The XSS auditor is gone from current browsers and caused vulnerabilities of its own; turn it off
    Header always set X-XSS-Protection "0"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'"
    # No DocumentRoot: /mysite is proxied to the site Apache by OMD's generated /omd/apache/mysite.conf
</VirtualHost>
Enable TLS for the checkmk agent. Since checkmk 2.1 the Linux and Windows agents ship with the agent controller (cmk-agent-ctl), which terminates TLS on port 6556 with a certificate issued by the site's own CA. There is no certificate file to generate or copy by hand: the agent registers once against the site's agent receiver (port 8000) using a user that holds the agent registration permission, obtains its certificate, and from then on answers only TLS connections from that site. Run on each monitored host:
# Register the agent; the host must already exist in the site under this name
cmk-agent-ctl register \
    --hostname agent-host \
    --server checkmk.company.com \
    --site mysite \
    --user agent_registration
# The command prompts for the user's password; --password exists for automation,
# but keep the value out of shell history and process listings.
# Confirm that TLS is in place before restricting the firewall further
cmk-agent-ctl status
For agents that still run without the controller, the "Encryption (Linux, Windows)" rule provides symmetric encryption with a shared passphrase that the host reads from /etc/check_mk/encryption.cfg:
# /etc/check_mk/encryption.cfg (legacy agents only; mode 600, owned by root)
[encryption]
passphrase = <the passphrase configured in the rule>
Secure Livestatus connections. Inside the site Livestatus is a unix socket (tmp/run/live) reachable only by the site user; it is exposed on TCP only when you enable that, and the switch lives in omd config, not in a multisite file. Enable TLS and the source-address list at the same time you open the port. As root, with the site stopped:
omd stop mysite
omd config mysite set LIVESTATUS_TCP on
omd config mysite set LIVESTATUS_TCP_PORT 6557
omd config mysite set LIVESTATUS_TCP_ONLY_FROM "127.0.0.1 10.0.1.0/24"
omd config mysite set LIVESTATUS_TCP_TLS on
omd start mysite
With LIVESTATUS_TCP_TLS on, remote consumers (another site in distributed monitoring, a Grafana data source) must trust the site CA, which the site keeps under etc/ssl/ in its home directory; plain-text clients will no longer connect, which is the point.
Secure the checkmk REST API. The API enforces the same permissions as the GUI; there is no separate per-endpoint ACL, so the role of the automation user decides what a script can do. Create one dedicated automation user per integration with the smallest role that works, and give dashboards and inventory scripts a read-only user. Typical endpoints, their impact if the credentials leak, and the role they need:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| GET /domain-types/host_config/collections/all | Low | Viewer role (read-only) |
| GET /domain-types/service/collections/all | Low | Viewer role (read-only) |
| POST /domain-types/host_config/collections/all (create host) | High | Admin role (Setup permissions) |
| PUT /objects/host_config/{host} (modify host) | High | Admin role (Setup permissions) |
| DELETE /objects/host_config/{host} | Critical | Admin role (Setup permissions) |
| POST /domain-types/agent/actions/bake/invoke (bake agents) | Critical | Admin role (Setup permissions) |
Implement API authentication. Automation users authenticate with a bearer header that carries the user name and the automation secret separated by a space; the secret is shown on the user's page in Setup. Keep it in the environment or a 600-mode file, never in the script or on the command line, where every local user can read it from the process list.
# Bearer form: "Bearer <user> <secret>"
curl -sS \
  -H "Authorization: Bearer ${API_USER} ${API_SECRET}" \
  -H "Accept: application/json" \
  "https://checkmk.company.com/mysite/check_mk/api/1.0/domain-types/host_config/collections/all"
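The same call as a small Python client, added here as an example rather than code from the checkmk project. It takes from checkmk only the URL scheme, the host_config collection endpoint, the "value" list in the response, and the "Bearer user secret" header form; the function names, the error handling and the CMK_AUTOMATION_SECRET environment variable are this example's own choices.

```python
"""Minimal checkmk REST API client; an added example, not checkmk project code.

Taken from checkmk: the URL scheme https://<server>/<site>/check_mk/api/1.0/...,
the host_config collection endpoint, the JSON "value" list in its response, and the
authentication header "Authorization: Bearer <user> <secret>". Function names, error
handling and the environment variable name are this example's own.
"""
import json
import os
import urllib.request
from typing import Callable, List, Optional
from urllib.error import HTTPError


def api_base(server: str, site: str) -> str:
    """API root of a site, e.g. https://checkmk.company.com/mysite/check_mk/api/1.0"""
    return f"https://{server}/{site}/check_mk/api/1.0"


def auth_header(user: str, secret: str) -> str:
    """checkmk expects the automation user and its secret separated by one space."""
    if not user or not secret or " " in user:
        raise ValueError("user and secret are required, and the user name cannot contain spaces")
    return f"Bearer {user} {secret}"


def build_request(base: str, path: str, user: str, secret: str,
                  method: str = "GET", body: Optional[dict] = None) -> urllib.request.Request:
    """Assemble a request with the headers the API expects; mutating calls carry a JSON body."""
    headers = {"Authorization": auth_header(user, secret), "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"{base}/{path.lstrip('/')}", data=data,
                                  headers=headers, method=method)


def host_names(collection: dict) -> List[str]:
    """Host ids from a host_config collection response: {"value": [{"id": "web01", ...}, ...]}"""
    return sorted(obj["id"] for obj in collection.get("value", []))


def list_hosts(server: str, site: str, user: str, secret: str,
               opener: Callable = urllib.request.urlopen) -> List[str]:
    """GET every host configuration the automation user is allowed to see.

    A 401 means checkmk rejected the user/secret pair; it is surfaced distinctly from
    network errors so callers do not retry with the same bad credentials.
    """
    req = build_request(api_base(server, site),
                        "domain-types/host_config/collections/all", user, secret)
    try:
        with opener(req) as resp:
            return host_names(json.load(resp))
    except HTTPError as exc:
        if exc.code == 401:
            raise PermissionError("checkmk rejected the automation credentials") from exc
        raise


if __name__ == "__main__":
    # The secret comes from the environment, never from the script or the command line
    # (command lines are visible to every local user via ps).
    print(list_hosts("checkmk.company.com", "mysite", "automation",
                     os.environ["CMK_AUTOMATION_SECRET"]))
```

urllib verifies the server certificate against the system trust store by default, so a private CA for checkmk.company.com has to be installed on the client; do not work around a verification failure by disabling it, since the bearer secret travels in every request.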
Configure security settings. checkmk sets the Secure and HttpOnly flags on its session cookie and protects state-changing requests with CSRF tokens on its own; what you configure is the session lifetime and idle timeout, under Setup > General > Global settings in the user management section, which checkmk persists to etc/check_mk/multisite.d/wato/global.mk. Short sessions limit what a stolen cookie is worth. The names below describe the intended settings and are not literal option keys:
# illustrative settings; set through the GUI, persisted by checkmk to global.mk
session_idle_timeout = 3600          # log out after an hour without activity
session_max_duration = 8 * 3600      # force re-authentication once per working day
session_secure_cookie = True         # checkmk's default behind HTTPS
csrf_protection = True               # built in, cannot be turned off
Restrict agent access. The agent has no agent.cfg with plugin switches; it runs, as root, everything executable it finds in its plugin and local-check directories, and MRPE commands from /etc/check_mk/mrpe.cfg. Two consequences follow: any directory or file in those locations that a non-root user can write to is a local privilege escalation, and every plugin you do not need is attack surface to remove. With the legacy xinetd agent, also restrict the source address:
# /etc/xinetd.d/check-mk-agent (legacy xinetd agent): only the checkmk server may query
#   only_from = 10.0.1.100
# Plugins and local checks run as root: keep them root-owned and never group/world writable
chown -R root:root /usr/lib/check_mk_agent/plugins /usr/lib/check_mk_agent/local
chmod -R go-w /usr/lib/check_mk_agent/plugins /usr/lib/check_mk_agent/local
find /usr/lib/check_mk_agent -perm /o+w      # must print nothing
# Remove plugins that are not in use, and drop MRPE entirely if nothing needs it
rm -f /etc/check_mk/mrpe.cfg
Secure Livestatus queries. Livestatus has no authentication of its own: anyone who can reach the socket can read the full monitoring state and, with the command interface, acknowledge or downtime anything. Access control is therefore network-level only: the source list in LIVESTATUS_TCP_ONLY_FROM, TLS via LIVESTATUS_TCP_TLS, and, best of all, not exposing it on TCP unless a remote consumer genuinely needs it. Verify the effective settings and that nothing else listens:
# As root: confirm the source restriction and TLS are active
omd config mysite show LIVESTATUS_TCP_ONLY_FROM
omd config mysite show LIVESTATUS_TCP_TLS
# Port 6557 should appear only if LIVESTATUS_TCP is on, bound to the expected address
ss -ltnp | grep 6557
Protect checkmk configuration. OMD creates the site with the site user as owner and with the permissions its own Apache, core and cron jobs need; a recursive chmod over /omd/sites/mysite destroys that layout (it marks every file executable and can leave the site unable to start), so do not run one. Verify ownership and tighten only the files that hold credentials: the user password hashes in etc/htpasswd and the per-user automation secrets under var/check_mk/web/.
# Everything in the site must belong to the site user; anything else was copied in by hand
find /omd/sites/mysite ! -user mysite -o ! -group mysite
# Credential files must not be readable by group or others
chmod 600 /omd/sites/mysite/etc/htpasswd
chmod 600 /omd/sites/mysite/var/check_mk/web/*/automation.secret
# Review anything else under etc/ that other users can read, such as rule files containing passwords
find /omd/sites/mysite/etc -type f -perm /o+r
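An audit that reports rather than blindly re-permissions the site, added as an example (this is not checkmk code). The two real locations are etc/htpasswd and var/check_mk/web/&lt;user&gt;/automation.secret; the remaining name patterns, the function names and the constructed layout in demo() are this example's own.

```python
"""Audit a checkmk site for credential files readable by other users; added example, not checkmk code.

Rather than a recursive chmod over the whole site (which marks every file executable and
breaks the permission layout OMD relies on), walk only the subtrees that hold credentials
and report files whose mode grants group or others anything. etc/htpasswd and
var/check_mk/web/<user>/automation.secret are real checkmk locations; the other name
patterns, the function names and the sample layout in demo() are this example's own.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Exact names and suffixes treated as credential-bearing; extend or trim for your site
SENSITIVE_NAMES = {"htpasswd", "automation.secret"}
SENSITIVE_SUFFIXES = (".mk", ".secret", ".pem", ".key")
# Subtrees of the site to inspect, relative to the site root
DEFAULT_SUBDIRS = ("etc", "var/check_mk/web")


def is_sensitive(path: Path) -> bool:
    return path.name in SENSITIVE_NAMES or path.name.endswith(SENSITIVE_SUFFIXES)


def permissive_files(site_root, subdirs=DEFAULT_SUBDIRS) -> List[Tuple[str, str]]:
    """Sorted (path relative to the site, octal mode) for sensitive regular files with any
    group/other permission bit set. Symlinks are skipped: their own mode is meaningless and
    their target is audited where it lives."""
    root = Path(site_root)
    findings = []
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                st = p.lstat()
                if not stat.S_ISREG(st.st_mode) or not is_sensitive(p):
                    continue
                if st.st_mode & 0o077:
                    findings.append((str(p.relative_to(root)), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def fix_modes(site_root, findings) -> int:
    """Tighten only the reported files to 0600; returns how many were changed."""
    root = Path(site_root)
    for rel, _mode in findings:
        os.chmod(root / rel, 0o600)
    return len(findings)


def demo():
    """Constructed site layout in a temp dir (sample data, not a real site): audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/check_mk").mkdir(parents=True)
        (root / "var/check_mk/web/automation").mkdir(parents=True)
        (root / "etc/htpasswd").write_text("admin:$2y$12$placeholder\n")
        (root / "etc/htpasswd").chmod(0o644)             # world-readable: finding
        (root / "etc/check_mk/main.mk").write_text("")
        (root / "etc/check_mk/main.mk").chmod(0o640)     # group-readable: finding
        secret = root / "var/check_mk/web/automation/automation.secret"
        secret.write_text("placeholder-secret\n")
        secret.chmod(0o600)                               # correct: no finding
        before = permissive_files(root)
        changed = fix_modes(root, before)
        after = permissive_files(root)
        return before, changed, after


if __name__ == "__main__":
    for rel, mode in permissive_files("/omd/sites/mysite"):
        print(f"{mode} {rel}")
```

Run permissive_files as the site user or root and review the list before calling fix_modes: ordinary .mk rule files may be group-readable by OMD's design, so the point of listing them is to decide which ones actually contain secrets, not to tighten everything unseen.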
Secure sensitive credentials. checkmk has no built-in integration with an external vault, and its .mk configuration files are evaluated as Python rather than by a shell, so a value such as "${VAULT_TOKEN}" would be stored literally instead of expanded. Keep secrets out of rules with the built-in password store (Setup > Passwords): rules and special agents reference a stored password by name, and the secret itself lives only in the site, readable by the site user. For your own scripts and special agents, which run as the site user, read secrets from the environment or from a 600-mode file in the site, never from the script source:
# Assumption: the unit or cron entry that starts the script exports the variable
import os

db_password = os.environ.get("CHECKMK_DB_PASSWORD")
if not db_password:
    # Fail closed rather than connect with an empty password
    raise SystemExit("CHECKMK_DB_PASSWORD is not set")
Secure the checkmk database. checkmk itself keeps its state in files under the site directory (configuration in etc/, core state and RRD metrics in var/) and needs no relational database. The SQL below therefore applies to a database that checkmk connects to, typically one monitored with the MySQL agent plugin on the database host. Monitoring needs no write access at all, so the original grant of INSERT, UPDATE and DELETE was far too broad; grant status and replication visibility, SELECT only if you report table or database sizes, and require TLS:
-- Dedicated account for the checkmk monitoring plugin; status queries need no write access
CREATE USER 'checkmk'@'localhost' IDENTIFIED BY 'strong_password';
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'checkmk'@'localhost';
-- Only if size/capacity reporting is wanted; otherwise omit
GRANT SELECT ON *.* TO 'checkmk'@'localhost';
-- Require TLS on the connection
ALTER USER 'checkmk'@'localhost' REQUIRE SSL;
FLUSH PRIVILEGES;
Secure checkmk backups. A site backup contains etc/htpasswd, every automation secret and every password stored in rules, so it is as sensitive as the live site. Stream it straight into gpg so that no unencrypted copy ever touches disk, and create the target directory and file with owner-only permissions from the start instead of tightening them afterwards:
#!/bin/bash
# Secure backup script: run as root (then omd backup needs the site name, as here)
set -euo pipefail
umask 077                        # everything this script creates is owner-only

SITE="mysite"
BACKUP_DIR="/secure/backups/checkmk"
DATE=$(date +%Y%m%d)
RECIPIENT="security@company.com"
OUT="${BACKUP_DIR}/${SITE}-${DATE}.tar.gz.gpg"

install -d -m 700 "${BACKUP_DIR}"

# "-" makes omd backup write the tarball to stdout; pipe it into gpg, no plaintext file
omd backup "${SITE}" - | gpg --batch --yes --encrypt --recipient "${RECIPIENT}" --output "${OUT}"

# Confirm the result is a complete OpenPGP message before reporting success
gpg --batch --list-packets "${OUT}" > /dev/null
echo "backup written to ${OUT}"
Enable logging. checkmk always writes its web interface log to var/log/web.log and its Setup audit trail (who changed what, and which changes were activated) to var/log/wato_audit.log inside the site; neither has to be switched on. Verbosity is set in Setup > General > Global settings under the logging entries, which checkmk persists into etc/check_mk/multisite.d/wato/global.mk. The names below describe those settings and are not a file checkmk reads:
# illustrative; set through the GUI
log_level = "INFO"
web_log = "/omd/sites/mysite/var/log/web.log"
audit_log = "/omd/sites/mysite/var/log/wato_audit.log"
Configure web server access logging in the system Apache. Define the format before the CustomLog that uses it, and give it its own name so other virtual hosts keep the predefined "combined" format; %D records the request time in microseconds, which makes brute-force bursts and slow API calls visible:
# /etc/apache2/sites-available/checkmk.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_timed
CustomLog /var/log/apache2/checkmk_access.log combined_timed
ErrorLog /var/log/apache2/checkmk_error.log
# The site's own Apache logs separately to /omd/sites/mysite/var/log/apache/
Create checkmk alerts for security events. checkmk has no separate alert-rule file: notifications are rules created under Setup > Events > Notifications and persisted to etc/check_mk/conf.d/wato/notifications.mk, and a rule can only fire for a service that exists. First create the services, for example a local check or a logwatch rule that produces "Failed Logins" and "Config Modified", then add notification rules that match those service names and states and route them to the security and ops contact groups. The blocks below show the intent of those two rules in simplified form, not the literal notifications.mk structure:
# illustrative; the real rules are written by Setup to notifications.mk
# Alert on failed login attempts
alert_rules["failed_logins"] = {
    "condition": {
        "service_description": "Failed Logins",
        "state": "CRIT",
    },
    "notification": {
        "contacts": ["security-team"],
        "plugin": "mail",
    }
}
# Alert on configuration changes
alert_rules["config_changes"] = {
    "condition": {
        "service_description": "Config Modified",
        "state": "WARN",
    },
    "notification": {
        "contacts": ["ops-team"],
        "plugin": "mail",
    }
}
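A local check that produces the two services those notification rules match on, added as an example (it is not checkmk code). The output format is checkmk's real local-check format and the log paths are the site's web.log and wato_audit.log; the line patterns, the thresholds and the sample lines in demo() are constructed for this example and must be adapted to the exact log format of the checkmk version in use.

```python
#!/usr/bin/env python3
"""Local check feeding "Failed Logins" and "Config Modified" services from checkmk's own logs.

Added example, not checkmk code. The output format is checkmk's local-check format,
    <state> "<service name>" <metric>=<value>;<warn>;<crit> <summary>
and the script belongs in /usr/lib/check_mk_agent/local/ on the checkmk server. The log
files are the site's var/log/web.log and var/log/wato_audit.log; the line patterns and the
sample lines in demo() are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SITE_LOG = "/omd/sites/mysite/var/log"
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
# Assumed line shapes; verify against your own logs before deploying
FAILED_LOGIN = re.compile(TS + r".*Login failed.*?user[= ](?P<user>\S+)", re.IGNORECASE)
AUDIT_CHANGE = re.compile(TS + r"\s+(?P<user>\S+)\s+(?P<action>\S+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def count_recent(lines, pattern, now: datetime, window_minutes: int) -> Tuple[int, List[str]]:
    """Count matching lines timestamped within the last window_minutes and collect the user names."""
    cutoff = now - timedelta(minutes=window_minutes)
    count, users = 0, set()
    for line in lines:
        m = pattern.search(line)
        if m and cutoff <= parse_ts(m.group("ts")) <= now:
            count += 1
            users.add(m.group("user"))
    return count, sorted(users)


def local_check_line(service: str, metric: str, value: int, warn: int,
                     crit: Optional[int], summary: str) -> str:
    """One local-check output line; state 0/1/2 derives from the thresholds (crit may be absent)."""
    state = 2 if crit is not None and value >= crit else 1 if value >= warn else 0
    crit_txt = "" if crit is None else str(crit)
    return f'{state} "{service}" {metric}={value};{warn};{crit_txt} {summary}'


def failed_logins_service(web_log: List[str], now: datetime,
                          warn: int = 5, crit: int = 10, window: int = 10) -> str:
    n, users = count_recent(web_log, FAILED_LOGIN, now, window)
    who = ", ".join(users) if users else "none"
    return local_check_line("Failed Logins", "failed", n, warn, crit,
                            f"{n} failed logins in {window} min (users: {who})")


def config_changes_service(audit_log: List[str], now: datetime, window: int = 10) -> str:
    # Any change is worth a WARN so that ops sees it; there is no CRIT threshold
    n, users = count_recent(audit_log, AUDIT_CHANGE, now, window)
    who = ", ".join(users) if users else "none"
    return local_check_line("Config Modified", "changes", n, 1, None,
                            f"{n} setup changes in {window} min (by: {who})")


def read_tail(path: str, max_lines: int = 5000) -> List[str]:
    try:
        with open(path, errors="replace") as fh:
            return fh.readlines()[-max_lines:]
    except FileNotFoundError:
        return []


def demo() -> Tuple[str, str]:
    """Constructed sample lines (not real checkmk output), evaluated at a fixed 'now'."""
    now = parse_ts("2024-05-01 12:10:00")
    web = ["2024-05-01 11:30:00,123 [40] [cmk.web] Login failed for user=admin from 10.0.0.5"]  # too old
    web += [f"2024-05-01 12:0{i}:00,000 [40] [cmk.web] Login failed for user=admin from 10.0.0.5"
            for i in range(6)]
    web += ["2024-05-01 12:08:00,000 [40] [cmk.web] Login failed for user=ops from 10.0.0.9"]
    audit = ["2024-05-01 12:05:00 alice edit-host web01 changed attributes",
             "2024-05-01 10:05:00 bob create-host db01"]                                      # too old
    return failed_logins_service(web, now), config_changes_service(audit, now)


if __name__ == "__main__":
    now = datetime.now()
    print(failed_logins_service(read_tail(f"{SITE_LOG}/web.log"), now))
    print(config_changes_service(read_tail(f"{SITE_LOG}/wato_audit.log"), now))
```

The script runs as root under the agent but only needs read access to the two log files, so on a hardened site grant that with a group membership or an ACL rather than by loosening the site's permissions; the window is ten minutes because the local check runs once per agent interval, so a long window would repeat alerts for the same burst.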
Forward logs to the SIEM. checkmk's site logs are files rather than syslog messages, so there is no program name to filter on; read the audit, web and Apache access logs with rsyslog's imfile module and forward them over TCP. A single "@" would send UDP, which drops under load and offers no delivery guarantee; use "@@"-style TCP (omfwd with protocol="tcp") and add TLS (gtls or RELP) as soon as the SIEM supports it.
# /etc/rsyslog.d/checkmk.conf
module(load="imfile")
input(type="imfile" File="/omd/sites/mysite/var/log/wato_audit.log" Tag="checkmk-audit" Facility="local6")
input(type="imfile" File="/omd/sites/mysite/var/log/web.log" Tag="checkmk-web" Facility="local6")
input(type="imfile" File="/var/log/apache2/checkmk_access.log" Tag="checkmk-access" Facility="local6")
# Keep a local copy, forward over TCP, and stop so the lines do not also land in the general syslog
if $syslogtag startswith "checkmk-" then {
    action(type="omfile" file="/var/log/checkmk/syslog.log")
    action(type="omfwd" target="siem.company.com" port="514" protocol="tcp")
    stop
}