13 Limitare i controlli degli agenti

Overview

It is possible to restrict checks on the agent side by creating an item blacklist, a whitelist, or a combination of whitelist/blacklist.

To do that use a combination of two agent configuration parameters:

AllowKey=<pattern> - which checks are allowed; <pattern> is specified using a wildcard (*) expression
DenyKey=<pattern> - which checks are denied; <pattern> is specified using a wildcard (*) expression

Note that:

All system.run[*] items (remote commands, scripts) are disabled by default, even when no deny keys are specified;
Since Zabbix 5.0.2 the EnableRemoteCommands agent parameter is:

   * deprecated by Zabbix agent
          * unsupported by Zabbix agent2

Therefore, to allow all remote commands, specify an AllowKey=system.run[*] parameter. To allow only some remote commands, create a whitelist of specific system.run[] commands. To disallow specific remote commands, add DenyKey parameters with system.run[] commands before the AllowKey=system.run[*] parameter.

Important rules

A whitelist without a deny rule is only allowed for system.run[*] items. For all other items, AllowKey parameters are not allowed without a DenyKey parameter; in this case Zabbix agent will not start with only AllowKey parameters.
The order matters. The specified parameters are checked one by one according to their appearance order in the configuration file:
- As soon as an item key matches an allow/deny rule, the item is either allowed or denied; and rule checking stops. So if an item matches both an allow rule and a deny rule, the result will depend on which rule comes first.
- The order affects also EnableRemoteCommands parameter (if used).
Unlimited numbers of AllowKey/DenyKey parameters is supported.
AllowKey, DenyKey rules do not affect HostnameItem, HostMetadataItem, HostInterfaceItem configuration parameters.
Key pattern is a wildcard expression where the wildcard (*) character matches any number of any characters in certain position. It might be used in both the key name and parameters.
If a specific item key is disallowed in the agent configuration, the item will be reported as unsupported (no hint is given as to the reason);
Zabbix agent with --print (-p) command line option will not show keys that are not allowed by configuration;
Zabbix agent with --test (-t) command line option will return "Unsupported item key." status for keys that are not allowed by configuration;
Denied remote commands will not be logged in the agent log (if LogRemoteCommands=1).

Allow/deny rule order

You can specify an unlimited number of AllowKey or DenyKey rules, though their order matters.

Rules are evaluated one by one, from top to bottom.
When an item key matches a rule, it is either allowed or denied, and rule evaluation stops.

For example, when evaluating vfs.file.contents[/etc/passwd], the rules are processed as follows:

AllowKey=vfs.file.contents[/tmp/app.log]    # Item key pattern does not match, agent proceeds to the next rule.
       AllowKey=vfs.file.contents[/etc/passwd]     # Item key pattern matches; agent allows the item check and stops rule evaluation.
       DenyKey=vfs.file.*[*]                       # Agent ignores the rule, as the evaluation has stopped.

The following rule order will deny the item check:

DenyKey=vfs.file.*[*]                       # Item key pattern matches; agent denies the item check and stops rule evaluation.
       AllowKey=vfs.file.contents[/etc/passwd]     # Agent ignores the rule, as the evaluation has stopped.
       AllowKey=vfs.file.contents[/tmp/app.log]    # Agent ignores the rule, as the evaluation has stopped.

Casi d'uso

Allowing specific checks and commands

Allow only two vfs.file item checks and two system.run commands:

AllowKey=vfs.file.contents[/tmp/app.log]
       AllowKey=vfs.file.size[/tmp/app.log]
       AllowKey=system.run[/usr/bin/uptime]
       AllowKey=system.run[/usr/bin/df -h /]
       DenyKey=vfs.file.*[*]

Setting DenyKey=system.run[*] is unnecessary, because all other system.run commands are denied by default.

Allowing scripts

Allow Zabbix agent to execute scripts on hosts via all available methods:

Global scripts that can be executed in the frontend or via API (this method always uses the system.run[myscript.sh] key)
Remote commands from action operations (this method always uses the system.run[myscript.sh,nowait] key)
system.run Zabbix agent items with the script, for example:
- system.run[myscript.sh]
- system.run[myscript.sh,wait]
- system.run[myscript.sh,nowait]

AllowKey=system.run[myscript.sh,*]

To control the wait/nowait parameter, you must set a different rule. For example, you can allow only system.run[myscript.sh,wait] items, thus excluding other methods:

AllowKey=system.run[myscript.sh,wait]

Securing allow/deny rules

This example shows how to secure overly permissive AllowKey or DenyKey rules.

Consider the following rules:

AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat*"]
       DenyKey=vfs.file.*
       DenyKey=system.cpu.load[*]

On Windows, you must escape spaces in the path using a caret (^).

These rules contain a wildcard (*), which can be misused:

The test.bat script can be executed with any arguments, including unintended ones.
The vfs.file.* pattern matches only item keys without parameters; however, all vfs.file items require parameters.
The system.cpu.load[*] pattern matches only item keys with parameters; however system.cpu.load items do not require parameters.

To secure these rules, explicitly allow executing test.bat only with specific arguments, and deny correct item key patterns; for example:

AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat status"]
       AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat version"]
       DenyKey=vfs.file.*[*]
       DenyKey=system.cpu.load
       DenyKey=system.cpu.load[*]

You can test the rules by running the following commands, which will return ZBX_NOTSUPPORTED.

cd "C:\Program Files\Zabbix Agent 2"
       zabbix_agent2.exe -t system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat debug"]
       zabbix_agent2.exe -t vfs.file.size["C:\ProgramData\MyApp\config.ini"]
       zabbix_agent2.exe -t vfs.file.contents["C:\Windows\System32\drivers\etc\hosts"]
       zabbix_agent2.exe -t system.cpu.load
       zabbix_agent2.exe -t system.cpu.load[all,avg1]

Pattern examples

Pattern	Description	Matches	No match
*	Matches all possible keys with or without parameters.	Any	None
vfs.file.contents	Matches `vfs.file.contents` without parameters.	vfs.file.contents	vfs.file.contents[/etc/passwd]
vfs.file.contents[]	Matches `vfs.file.contents` with empty parameters.	vfs.file.contents[]	vfs.file.contents
vfs.file.contents[]*	Matches `vfs.file.contents` with any parameters; will not match `vfs.file.contents` without square brackets.	vfs.file.contents[] vfs.file.contents[/path/to/file]	vfs.file.contents
vfs.file.contents[/etc/passwd,]*	Matches `vfs.file.contents` with first parameters matching /etc/passwd and all other parameters having any value (also empty).	vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf8]	vfs.file.contents[/etc/passwd] vfs.file.contents[/var/log/zabbix_server.log] vfs.file.contents[]
vfs.file.contents[passwd]	Matches `vfs.file.contents` with first parameter matching passwd and no other parameters.	vfs.file.contents[/etc/passwd]	vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8]
vfs.file.contents[passwd,]*	Matches `vfs.file.contents` with only first parameter matching passwd and all following parameters having any value (also empty).	vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8]	vfs.file.contents[/etc/passwd] vfs.file.contents[/tmp/test]
vfs.file.contents[/var/log/zabbix_server.log,,abc]*	Matches `vfs.file.contents` with first parameter matching /var/log/zabbix_server.log, third parameter matching 'abc' and any (also empty) second parameter.	vfs.file.contents[/var/log/zabbix_server.log,,abc] vfs.file.contents[/var/log/zabbix_server.log,utf8,abc]	vfs.file.contents[/var/log/zabbix_server.log,,abc,def]
vfs.file.contents[/etc/passwd,utf8]	Matches `vfs.file.contents` with first parameter matching /etc/passwd, second parameter matching 'utf8' and no other arguments.	vfs.file.contents[/etc/passwd,utf8]	vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf16]
vfs.file.*	Matches any keys starting with `vfs.file.` without any parameters.	vfs.file.contents vfs.file.size	vfs.file.contents[] vfs.file.size[/var/log/zabbix_server.log]
vfs.file.[]	Matches any keys starting with `vfs.file.` with any parameters.	vfs.file.size.bytes[] vfs.file.size[/var/log/zabbix_server.log, utf8]	vfs.file.size.bytes
vfs..contents*	Matches any key starting with `vfs.` and ending with `.contents` without any parameters.	vfs.mount.point.file.contents vfs..contents	vfs.contents

Documentation