13 Limitare i controlli degli agenti

Overview

It is possible to restrict checks on the agent side by creating an item blacklist, a whitelist, or a combination of whitelist/blacklist.

To do that use a combination of two agent configuration parameters:

• AllowKey=<pattern> - which checks are allowed; <pattern> is specified using a wildcard (*) expression
• DenyKey=<pattern> - which checks are denied; <pattern> is specified using a wildcard (*) expression

Note that:

• All system.run[*] items (remote commands, scripts) are disabled by default, even when no deny keys are specified;
• Since Zabbix 5.0.2 the EnableRemoteCommands agent parameter is:

<!-- -->

   * deprecated by Zabbix agent
   * unsupported by Zabbix agent2

Therefore, to allow all remote commands, specify an AllowKey=system.run[*] parameter. To allow only some remote commands, create a whitelist of specific system.run[] commands. To disallow specific remote commands, add DenyKey parameters with system.run[] commands before the AllowKey=system.run[*] parameter.

Important rules

• A whitelist without a deny rule is only allowed for system.run[*] items. For all other items, AllowKey parameters are not allowed without a DenyKey parameter; in this case Zabbix agent will not start with only AllowKey parameters.
• The order matters. The specified parameters are checked one by one according to their appearance order in the configuration file:
  • As soon as an item key matches an allow/deny rule, the item is either allowed or denied; and rule checking stops. So if an item matches both an allow rule and a deny rule, the result will depend on which rule comes first.
  • The order affects also EnableRemoteCommands parameter (if used).
• Unlimited numbers of AllowKey/DenyKey parameters is supported.
• AllowKey, DenyKey rules do not affect HostnameItem, HostMetadataItem, HostInterfaceItem configuration parameters.
• Key pattern is a wildcard expression where the wildcard (*) character matches any number of any characters in certain position. It might be used in both the key name and parameters.
• If a specific item key is disallowed in the agent configuration, the item will be reported as unsupported (no hint is given as to the reason);
• Zabbix agent with --print (-p) command line option will not show keys that are not allowed by configuration;
• Zabbix agent with --test (-t) command line option will return "Unsupported item key." status for keys that are not allowed by configuration;
• Denied remote commands will not be logged in the agent log (if LogRemoteCommands=1).

Allow/deny rule order

You can specify an unlimited number of AllowKey or DenyKey rules, though their order matters.

• Rules are evaluated one by one, from top to bottom.
• When an item key matches a rule, it is either allowed or denied, and rule evaluation stops.

For example, when evaluating vfs.file.contents[/etc/passwd], the rules are processed as follows:

AllowKey=vfs.file.contents[/tmp/app.log]    # Item key pattern does not match, agent proceeds to the next rule.
AllowKey=vfs.file.contents[/etc/passwd]     # Item key pattern matches; agent allows the item check and stops rule evaluation.
DenyKey=vfs.file.*[*]                       # Agent ignores the rule, as the evaluation has stopped.

The following rule order will deny the item check:

DenyKey=vfs.file.*[*]                       # Item key pattern matches; agent denies the item check and stops rule evaluation.
AllowKey=vfs.file.contents[/etc/passwd]     # Agent ignores the rule, as the evaluation has stopped.
AllowKey=vfs.file.contents[/tmp/app.log]    # Agent ignores the rule, as the evaluation has stopped.

Casi d'uso

Allowing specific checks and commands

Allow only two vfs.file item checks and two system.run commands:

AllowKey=vfs.file.contents[/tmp/app.log]
AllowKey=vfs.file.size[/tmp/app.log]
AllowKey=system.run[/usr/bin/uptime]
AllowKey=system.run[/usr/bin/df -h /]
DenyKey=vfs.file.*[*]

Allowing scripts

Allow Zabbix agent to execute scripts on hosts via all available methods:

• Global scripts that can be executed in the frontend or via API (this method always uses the system.run[myscript.sh] key)
• Remote commands from action operations (this method always uses the system.run[myscript.sh,nowait] key)
• system.run Zabbix agent items with the script, for example:
  • system.run[myscript.sh]
  • system.run[myscript.sh,wait]
  • system.run[myscript.sh,nowait]

AllowKey=system.run[myscript.sh,*]

To control the wait/nowait parameter, you must set a different rule. For example, you can allow only system.run[myscript.sh,wait] items, thus excluding other methods:

AllowKey=system.run[myscript.sh,wait]

Securing allow/deny rules

This example shows how to secure overly permissive AllowKey or DenyKey rules.

Consider the following rules:

AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat*"]
DenyKey=vfs.file.*
DenyKey=system.cpu.load[*]

These rules contain a wildcard (*), which can be misused:

• The test.bat script can be executed with any arguments, including unintended ones.
• The vfs.file.* pattern matches only item keys without parameters; however, all vfs.file items require parameters.
• The system.cpu.load[*] pattern matches only item keys with parameters; however system.cpu.load items do not require parameters.

To secure these rules, explicitly allow executing test.bat only with specific arguments, and deny correct item key patterns; for example:

AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat status"]
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat version"]
DenyKey=vfs.file.*[*]
DenyKey=system.cpu.load
DenyKey=system.cpu.load[*]

You can test the rules by running the following commands, which will return ZBX_NOTSUPPORTED.

cd "C:\Program Files\Zabbix Agent 2"
zabbix_agent2.exe -t system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat debug"]
zabbix_agent2.exe -t vfs.file.size["C:\ProgramData\MyApp\config.ini"]
zabbix_agent2.exe -t vfs.file.contents["C:\Windows\System32\drivers\etc\hosts"]
zabbix_agent2.exe -t system.cpu.load
zabbix_agent2.exe -t system.cpu.load[all,avg1]

Pattern examples