This article will be completed in the near future to provide a central overview on all aspects of security measures implemented in Checkmk and aids on further improving security.
First the Good News: Since its beginning Checkmk has used an architecture that considers security needs and — wherever possible — applies these to its standard settings. There are however aspects where user intervention is required, for example when keys or certificates have to be generated or imported.
1. Agent output
Since version 2.1.0, Checkmk offers TLS encryption for communication between the server and the agents on Linux and Windows hosts. Detailed information on this communication are covered in the following articles:
However there are some environments where TLS encryptions for Linux or Unix clients cannot be setup. In such cases you might use encrypted tunnels, for example with SSH:
2. HTTP(S) communication
On many places within Checkmk communication is realized over HTTP. This applies to internal communication and configurations such as distributed monitoring. Switch to HTTPS where possible:
3. Access control
Checkmk supports connections to various authentication protocols and is also able to enforce two-factor authentication for even higher security: