Zabbix Documentation 2.2


manual:installation:requirements:best_practices

Differences

This shows you the differences between two versions of the page.

manual:installation:requirements:best_practices [2018/12/04 07:18]
martins-v updating screenshot
manual:installation:requirements:best_practices [2019/01/14 11:43] (current)
martins-v principle of least privilege for user types
Line 6: Line 6:
  
 The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system. The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system.
 +
 +=== Principle of least privilege ===
 +
 +The principle of least privilege should be used at all times for Zabbix. This principle means that user accounts (in Zabbix frontend) or process user (for Zabbix server/​proxy or agent) have only those privileges that are essential to perform intended functions. In other words, user accounts at all times should run with as few privileges as possible.
 +
 +<note important>​Giving extra permissions to '​zabbix'​ user will allow it to access configuration files and execute operations that can compromise the overall security of infrastructure.</​note>​
 +
 +When implementing the least privilege principle for user accounts, Zabbix [[:​manual/​config/​users_and_usergroups/​permissions|frontend user types]] should be taken into account. It is important to understand that while a %%"​%%Zabbix Admin%%"​%% user type has less privileges than %%"​%%Zabbix Super Admin%%"​%% user type, it has administrative permissions that allow managing configuration and execute custom scripts.
 +
 +<​note>​Some information is available even for non-privileged users. For example, while //​Administration//​ -> //Scripts// is not available for non-Super Admins, scripts themselves are available for retrieval by using Zabbix API. Limiting script permissions and not adding sensitive information (like access credentials,​ etc) should be used to avoid exposure of sensitive information available in global scripts.</​note>​
  
 === Secure user for Zabbix agent === === Secure user for Zabbix agent ===
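
Review bot: The closing note about global scripts tells readers that "Limiting script permissions and not adding sensitive information ... should be used" but names no setting and links no page, so an administrator cannot tell from this text which control restricts what a non-Super Admin can retrieve through the Zabbix API. Suggest naming the control or linking the scripts configuration page, the same way the previous paragraph links "frontend user types", and rewording to an instruction such as "Limit script permissions and do not store sensitive information (access credentials, etc.) in global scripts." In the user types paragraph, "has less privileges" should read "has fewer privileges", and "allow managing configuration and execute custom scripts" should be "executing custom scripts" to keep the verbs parallel. In the first added paragraph, "user accounts at all times should run with as few privileges as possible" fits the process user better than a frontend account, so consider "user accounts and process users should have as few privileges as possible". The important note warns against "Giving extra permissions to 'zabbix' user" without saying what counts as extra; a pointer to the "Secure user for Zabbix agent" section that follows would make it actionable.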