0.14.1 #1346
mickem
announced in
Announcements
0.14.1
#1346
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Host security posture, JSON-aware HTTP checks, and a clearer licence
This release adds a brand-new CheckSecurity module for monitoring a host's
security posture — certificates, firewall, antivirus, BitLocker, Secure Boot,
NLA and logged-on users — and teaches
check_httpto assert on values inside aJSON response body. It also fixes boolean check arguments over REST, tidies up
process aggregation and module activation, relicenses the project under a clear
dual licence, and reworks the documentation to handle Windows and Linux side by
side.
Highlights
CheckSecuritymodule. Seven new checks for host security posture:check_certificate,check_firewall,check_antivirus,check_bitlocker,check_secureboot,check_nlaandcheck_users.check_certificateandcheck_usersrun everywhere; the rest are Windows-only. (Added check security #1339)check_httpcan assert on JSON responses. Newjson-path=alias:pathoptions extract values from a JSON body into filter keywords you can threshold
on and emit as perfdata. (Feature/check net json support #1341)
check_http,check_tcpand friends graph out of the box without an explicitperfsyntax. (Feature/check net json support #1341)
check_ping host=www.google.com total=truenow works alongside the bare-flagform — the form REST already used. (Boolean arguments in check command now work with values as well as as… #1338)
nscp settings --active-module CheckSystem CheckNet. (Fix installer deleting nsclient.ini on upgrade #1329-follow-up)machine-readable REUSE metadata and third-party notices. (Feature/license change #1343)
and features together instead of assuming one platform. (Feature/multi os docs #1342)
Detailed changes
CheckSecurity — new host security-posture module
A new module,
CheckSecurity(aliassecurity), checks whether a host is inthe security state you expect. Each check is a normal
modern_filtercheck, soyou can override the default
warn/critexpressions,filter, anddetail-syntax/top-syntaxas usual.check_certificatecheck_userscheck_firewallcheck_antiviruscheck_bitlockercheck_securebootcheck_nlacheck_certificatedefaults to warning when a certificate expires within 30days and critical within 10 (matching common practice), emits
expires_in(wholedays until expiry) as perfdata, and can scan a whole directory:
The Windows checks expose the raw state fields so you can tighten or relax the
default posture.
check_firewalladds anactiveflag (which profile iscurrently in effect) alongside
enabled, so you can warn when a machine silentlyfalls back to the Public profile after a network change:
On a platform where a Windows-only check does not apply, the check returns
UNKNOWN with a clear message rather than failing.
CheckNet —
check_httpJSON path extractioncheck_httpcan now pull values out of a JSON response body and treat them asfilter keywords. Each
json-path=alias:pathoption extracts the value at adotted path (numeric segments index into arrays; single-quote a segment that
itself contains a dot) and makes it available for
warning=/critical=expressions and perfdata:
Numeric values keep full precision, strings compare and render as strings, and
booleans read as
1/0. A missing path — or a body that is not valid JSON —leaves the alias empty rather than failing the check, and multiple
json-pathoptions can be combined freely.
CheckNet — default performance data
CheckNet queries now attach sensible performance data by default, so
check_http,check_tcpand the other network checks produce graphableperfdata without a hand-written
perfsyntax.check_ntp_offsetthresholdhandling was also tidied up in the same change.
Check arguments — boolean options accept values
Boolean check options now accept an explicit value in addition to the bare-flag
form:
Previously the value form was rejected from the CLI even though REST always
passes flags as
key=truetokens, so a boolean option that worked over RESTcould look broken from the command line. Both forms now behave identically.
CheckSystem — process total aggregation
check_processprocess-total aggregation now correctly reports the startedand hung states (on both Windows and Linux), so totals of these statuses
match what the per-process detail shows.
Settings — activate multiple modules at once
nscp settings --active-modulenow accepts several module names in oneinvocation:
Licensing — dual-licensed Apache-2.0 OR GPL-2.0-only
NSClient++ is now explicitly dual-licensed under Apache-2.0 OR
GPL-2.0-only. Source headers were updated to SPDX identifiers, the project
carries machine-readable REUSE metadata
(
REUSE.toml,LICENSES/), and aTHIRD-PARTY-NOTICES.md/NOTICEcollectthe third-party licences. The installer, packaging and docs licence text were
updated to match.
Build — Python library discovery
CMake now derives the default Python library name instead of hardcoding a
version, and defaults it to the soname so the module loads without the Python
development packages installed. This makes Linux builds far less sensitive to
the exact Python version on the build and target hosts. (#1334)
Documentation
present Windows and Linux options and features together, handling checks whose
options diverge by platform instead of documenting a single OS. Windows docs
were regenerated. (Feature/multi os docs #1342)
docs/samples/usage examples and descriptions for every newCheckSecuritycommand and thecheck_httpJSON feature.check_processdocs cross-referencefilter_perffor top-N processes. (docs: cross-reference filter_perf from check_process for top-N processes #1330)Quality and CI
codespellGitHub workflow was added and spelling errors inlog messages and settings descriptions were fixed. (add codespell github workflow #1314, Fix some spelling errors in log messages and settings descriptions #1344)
VM in Azure, alongside the existing REST-driven integration tests. New
integration tests cover
CheckSecurity, thecheck_httpJSON feature, and--active-module. (Added live test in azure #1335)Upgrade notes
GPL-2.0-only. This is a clarification/relicensing — review it if your
organisation tracks the exact licence of bundled software. No code or runtime
behaviour changes as a result.
data without an explicit
perfsyntax. If you were adding perfdata manually,double-check you are not now emitting it twice; graphs that previously showed
nothing will start populating.
option=true/option=falsenow work from theCLI as well as over REST. Existing bare-flag usage is unchanged.
CheckSecurityis not loaded by default. Enable it before using the newchecks, e.g.
nscp settings --active-module CheckSecurity. Windows-onlychecks return UNKNOWN on other platforms rather than erroring.
Full Changelog: 0.14.0...0.14.1
This discussion was created from the release 0.14.1.
Beta Was this translation helpful? Give feedback.
All reactions