Zabbix Documentation 2.2

manual:installation:requirements:best_practices

Differences

This shows you the differences between two versions of the page.

manual:installation:requirements:best_practices [2017/11/07 13:17]
martins-v secure user for agent
manual:installation:requirements:best_practices [2019/01/14 11:43]
martins-v principle of least privilege for user types
Line 6: Line 6:
  
 The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system. The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system.
 +
 +=== Principle of least privilege ===
 +
 +The principle of least privilege should be used at all times for Zabbix. This principle means that user accounts (in Zabbix frontend) or process user (for Zabbix server/​proxy or agent) have only those privileges that are essential to perform intended functions. In other words, user accounts at all times should run with as few privileges as possible.
 +
 +<note important>​Giving extra permissions to '​zabbix'​ user will allow it to access configuration files and execute operations that can compromise the overall security of infrastructure.</​note>​
 +
 +When implementing the least privilege principle for user accounts, Zabbix [[:​manual/​config/​users_and_usergroups/​permissions|frontend user types]] should be taken into account. It is important to understand that while a %%"​%%Zabbix Admin%%"​%% user type has less privileges than %%"​%%Zabbix Super Admin%%"​%% user type, it has administrative permissions that allow managing configuration and execute custom scripts.
 +
 +<​note>​Some information is available even for non-privileged users. For example, while //​Administration//​ -> //Scripts// is not available for non-Super Admins, scripts themselves are available for retrieval by using Zabbix API. Limiting script permissions and not adding sensitive information (like access credentials,​ etc) should be used to avoid exposure of sensitive information available in global scripts.</​note>​
  
 === Secure user for Zabbix agent === === Secure user for Zabbix agent ===
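Review bot: The '​zabbix'​ user named in the important note is ambiguous here, because the paragraph just above distinguishes two kinds of account (frontend user accounts and the OS process user for server/proxy/agent); say explicitly that the note refers to the OS-level process user, since that is the account that can read configuration files. Two wording fixes in the Zabbix Admin sentence as well: "has less privileges" should be "has fewer privileges", and "allow managing configuration and execute custom scripts" should read "allow managing configuration and executing custom scripts".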
Line 14: Line 24:
   - Specify this user in the agent [[:​manual/​appendix/​config/​zabbix_agentd|configuration file]] ('​User'​ parameter)   - Specify this user in the agent [[:​manual/​appendix/​config/​zabbix_agentd|configuration file]] ('​User'​ parameter)
   - Restart the agent with administrator privileges. Privileges will be dropped to the specified user.   - Restart the agent with administrator privileges. Privileges will be dropped to the specified user.
 +
 +=== UTF-8 encoding ===
 +
 +UTF-8 is the only encoding supported by Zabbix. It is known to work without any security flaws. Users should be aware that there are known security issues if using some of the other encodings.
  
 === Setting up SSL for Zabbix frontend === === Setting up SSL for Zabbix frontend ===
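Review bot: "It is known to work without any security flaws" is an absolute claim that the documentation cannot back, and the following sentence ("known security issues if using some of the other encodings") gives the reader nothing to act on. Suggest stating only what was verified, e.g. "UTF-8 is the only encoding Zabbix supports and the only one it is tested with", and naming the encodings (or linking the reference) that the known issues concern, so the warning is concrete.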
Line 92: Line 106:
 It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default: It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default:
  
-{{:​manual:​installation:​requirements:​error_page.png|}}+{{:​manual:​installation:​requirements:​error_page_text.png|}}
  
 Default error pages should be replaced/​removed as part of the web server hardening process. The "​ErrorDocument"​ directive can be used to define a custom error page/text for Apache web server (used as an example). Default error pages should be replaced/​removed as part of the web server hardening process. The "​ErrorDocument"​ directive can be used to define a custom error page/text for Apache web server (used as an example).
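Review bot: The replacement image link {{:​manual:​installation:​requirements:​error_page_text.png|}} still has an empty caption after the pipe, so the screenshot carries no alt text; add a short caption such as "default Apache error page" so the point survives for readers who cannot see the image (the line it replaces had the same gap).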