It is possible to restrict checks on the agent side by creating an item blacklist, a whitelist, or a combination of whitelist/blacklist.
To do that use a combination of two agent configuration parameters:
AllowKey=<pattern>
- which checks are allowed; <pattern> is specified using a wildcard (*) expressionDenyKey=<pattern>
- which checks are denied; <pattern> is specified using a wildcard (*) expressionNote that:
system.run[*]
items (remote commands, scripts) are disabled by default, even when no deny keys are specified; Therefore, to allow all remote commands, specify an AllowKey=system.run[*] parameter. (Before Zabbix 5.0.2, EnableRemoteCommands=1 is also required in the agent configuration.)
To allow only some remote commands, create a whitelist of more specific AllowKey[] parameters. To disallow specific remote commands, add DenyKey parameters before the AllowKey=system.run[*] parameter.
For example:
# Deny secure data access DenyKey=vfs.file.contents[/etc/passwd,*]
# Disallow specific command DenyKey=system.run[ls -l /] # Allow other scripts AllowKey=system.run[*]
DenyKey=*
For example:
# Allow reading logs: AllowKey=vfs.file.*[/var/log/*] # Allow localtime checks AllowKey=system.localtime[*] # Deny all other keys DenyKey=*
Pattern | Description | Matches | No match |
---|---|---|---|
* | Matches all possible keys with or without parameters. | Any | None |
vfs.file.contents | Matches vfs.file.contents without parameters. | vfs.file.contents | vfs.file.contents[/etc/passwd] |
vfs.file.contents[] | Matches vfs.file.contents with empty parameters. | vfs.file.contents[] | vfs.file.contents |
vfs.file.contents[*] | Matches vfs.file.contents with any parameters; will not match vfs.file.contents without square brackets. | vfs.file.contents[] vfs.file.contents[/path/to/file] | vfs.file.contents |
vfs.file.contents[/etc/passwd,*] | Matches vfs.file.contents with first parameters matching /etc/passwd and all other parameters having any value (also empty). | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd] vfs.file.contents[/var/log/zabbix_server.log] vfs.file.contents[] |
vfs.file.contents[*passwd*] | Matches vfs.file.contents with first parameter matching *passwd* and no other parameters. | vfs.file.contents[/etc/passwd] | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8] |
vfs.file.contents[*passwd*,*] | Matches vfs.file.contents with only first parameter matching *passwd* and all following parameters having any value (also empty). | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8] | vfs.file.contents[/etc/passwd] vfs.file.contents[/tmp/test] |
vfs.file.contents[/var/log/zabbix_server.log,*,abc] | Matches vfs.file.contents with first parameter matching /var/log/zabbix_server.log, third parameter matching 'abc' and any (also empty) second parameter. | vfs.file.contents[/var/log/zabbix_server.log,,abc] vfs.file.contents[/var/log/zabbix_server.log,utf8,abc] | vfs.file.contents[/var/log/zabbix_server.log,,abc,def] |
vfs.file.contents[/etc/passwd,utf8] | Matches vfs.file.contents with first parameter matching /etc/passwd, second parameter matching 'utf8' and no other arguments. | vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf16] |
vfs.file.* | Matches any keys starting with vfs.file. without any parameters. | vfs.file.contents vfs.file.size | vfs.file.contents[] vfs.file.size[/var/log/zabbix_server.log] |
vfs.file.*[*] | Matches any keys starting with vfs.file. with any parameters. | vfs.file.size.bytes[] vfs.file.size[/var/log/zabbix_server.log, utf8] | vfs.file.size.bytes |
vfs.*.contents | Matches any key starting with vfs. and ending with .contents without any parameters. | vfs.mount.point.file.contents vfs..contents | vfs.contents |
A hypothetical script like 'myscript.sh' may be executed on a host via Zabbix agent in several ways:
1. As an item key in a passive or active check, for example:
Here the user may add "wait", "nowait" or omit the 2nd argument to use its default value in system.run[].
2. As a global script (initiated by user in frontend or API).
A user configures this script in Administration → Scripts, sets “Execute on: Zabbix agent” and puts “myscript.sh” into the script's “Commands” input field. When invoked from frontend or API the Zabbix server sends to agent:
Here the user does not control the "wait"/"nowait" parameters.
3. As a remote command from an action. The Zabbix server sends to agent:
Here again the user does not control the "wait"/"nowait" parameters.
What that means is if we set AllowKey like:
AllowKey=system.run[myscript.sh]
then
To allow all described variants you may add:
AllowKey=system.run[myscript.sh,*] DenyKey=system.run[*]
to the agent/agent2 parameters.