13 Restricting agent checks
Overview
Agent-side checks can be restricted by creating an item blacklist, whitelist, or a combination of whitelist and blacklist.
For this purpose, use a combination of two agent configuration parameters:
- AllowKey=<pattern> - which checks are allowed; <pattern> is specified using a wildcard (*) expression
- DenyKey=<pattern> - which checks are denied; <pattern> is specified using a wildcard (*) expression
Note that:
- All system.run[*] items (remote commands, scripts) are disabled by default, even when no deny keys are specified;
- Since Zabbix 5.0.2, the EnableRemoteCommands agent parameter is:
  - deprecated by Zabbix agent
  - unsupported by Zabbix agent2
Thus, to allow remote commands, specify AllowKey=system.run[<command>,*] for each allowed command, where * stands for the wait and nowait modes. It is also possible to specify the AllowKey=system.run[*] parameter to allow all commands with the wait and nowait modes. To disallow specific remote commands, add DenyKey parameters with the system.run[] commands before the AllowKey=system.run[*] parameter.
Important rules
- A whitelist without a deny rule is only allowed for system.run[*] items. For all other items, it is not allowed to use the AllowKey parameter without a DenyKey parameter; in this case Zabbix agent will not start with only AllowKey parameters.
- The order matters. The specified parameters are checked one by one, in the order of their appearance in the configuration file:
  - As soon as an item key matches an allow/deny rule, the item is either allowed or denied, and rule checking stops. So if an item matches both an allow rule and a deny rule, the result depends on which rule comes first.
  - The order also affects the EnableRemoteCommands parameter (if used).
- An unlimited number of AllowKey/DenyKey parameters is supported.
- AllowKey, DenyKey rules do not affect the HostnameItem, HostMetadataItem, HostInterfaceItem configuration parameters.
- A key pattern is a wildcard expression where the wildcard (*) character matches any number of any characters in a certain position. It may be used in both the key name and the parameters.
- If a specific item key is disallowed in the agent configuration, the item will be reported as unsupported (no hint is given as to the reason);
- Zabbix agent with the --print (-p) command line option will not show keys that are not allowed by the configuration.
- Zabbix agent with the --test (-t) command line option will return the "Unsupported item key." status for keys that are not allowed by the configuration.
- Denied remote commands will not be logged in the agent log (if LogRemoteCommands=1).
Allow/deny rule order
You can specify an unlimited number of AllowKey or DenyKey rules, though their order matters.
- Rules are evaluated one by one, from top to bottom.
- When an item key matches a rule, it is either allowed or denied, and rule evaluation stops.
For example, when evaluating vfs.file.contents[/etc/passwd], the rules are processed as follows:
```
AllowKey=vfs.file.contents[/tmp/app.log]   # Item key pattern does not match, agent proceeds to the next rule.
AllowKey=vfs.file.contents[/etc/passwd]    # Item key pattern matches; agent allows the item check and stops rule evaluation.
DenyKey=vfs.file.*[*]                      # Agent ignores the rule, as the evaluation has stopped.
```
The following rule order will deny the item check:
```
DenyKey=vfs.file.*[*]                      # Item key pattern matches; agent denies the item check and stops rule evaluation.
AllowKey=vfs.file.contents[/etc/passwd]    # Agent ignores the rule, as the evaluation has stopped.
AllowKey=vfs.file.contents[/tmp/app.log]   # Agent ignores the rule, as the evaluation has stopped.
```
Use cases
Allowing specific checks and commands
Allow only two vfs.file item checks and two system.run commands:
```
AllowKey=vfs.file.contents[/tmp/app.log]
AllowKey=vfs.file.size[/tmp/app.log]
AllowKey=system.run[/usr/bin/uptime]
AllowKey=system.run[/usr/bin/df -h /]
DenyKey=vfs.file.*[*]
```
Setting DenyKey=system.run[*] is unnecessary, because all other system.run commands are denied by default.
Allowing scripts
Allow Zabbix agent to execute scripts on hosts via all available methods:
- Global scripts that can be executed in the frontend or via API (this method always uses the system.run[myscript.sh] key)
- Remote commands from action operations (this method always uses the system.run[myscript.sh,nowait] key)
- system.run Zabbix agent items with the script, for example: system.run[myscript.sh], system.run[myscript.sh,wait], system.run[myscript.sh,nowait]
```
AllowKey=system.run[myscript.sh,*]
```
To control the wait/nowait parameter, you must set a different rule.
For example, you can allow only system.run[myscript.sh,wait] items, thus excluding other methods:
```
AllowKey=system.run[myscript.sh,wait]
```
Securing allow/deny rules
This example shows how to secure overly permissive AllowKey or DenyKey rules.
Consider the following rules:
```
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat*"]
DenyKey=vfs.file.*
DenyKey=system.cpu.load[*]
```
On Windows, you must escape spaces in the path using a caret (^).
These rules contain a wildcard (*), which can be misused:
- The test.bat script can be executed with any arguments, including unintended ones.
- The vfs.file.* pattern matches only item keys without parameters; however, all vfs.file items require parameters.
- The system.cpu.load[*] pattern matches only item keys with parameters; however, system.cpu.load items do not require parameters.
To secure these rules, explicitly allow executing test.bat only with specific arguments, and deny correct item key patterns; for example:
```
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat status"]
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat version"]
DenyKey=vfs.file.*[*]
DenyKey=system.cpu.load
DenyKey=system.cpu.load[*]
```
You can test the rules by running the following commands, which will return ZBX_NOTSUPPORTED.
```
cd "C:\Program Files\Zabbix Agent 2"
zabbix_agent2.exe -t system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat debug"]
zabbix_agent2.exe -t vfs.file.size["C:\ProgramData\MyApp\config.ini"]
zabbix_agent2.exe -t vfs.file.contents["C:\Windows\System32\drivers\etc\hosts"]
zabbix_agent2.exe -t system.cpu.load
zabbix_agent2.exe -t system.cpu.load[all,avg1]
```
Pattern examples
| Pattern | Description | Matches | Does not match |
|---|---|---|---|
| * | Matches all keys, with or without parameters. | Any | None |
| vfs.file.contents | Matches vfs.file.contents without parameters. | vfs.file.contents | vfs.file.contents[/etc/passwd] |
| vfs.file.contents[] | Matches vfs.file.contents with empty parameters. | vfs.file.contents[] | vfs.file.contents |
| vfs.file.contents[*] | Matches vfs.file.contents with any parameters; vfs.file.contents without square brackets will not be matched. | vfs.file.contents[]<br>vfs.file.contents[/path/to/file] | vfs.file.contents |
| vfs.file.contents[/etc/passwd,*] | Matches vfs.file.contents with the first parameter /etc/passwd and any other parameters (including empty ones). | vfs.file.contents[/etc/passwd,]<br>vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd]<br>vfs.file.contents[/var/log/zabbix_server.log]<br>vfs.file.contents[] |
| vfs.file.contents[*passwd*] | Matches vfs.file.contents with the first parameter matching *passwd* and no other parameters. | vfs.file.contents[/etc/passwd] | vfs.file.contents[/etc/passwd,]<br>vfs.file.contents[/etc/passwd, utf8] |
| vfs.file.contents[*passwd*,*] | Matches vfs.file.contents with the first parameter matching *passwd* and all following parameters being any value (including empty). | vfs.file.contents[/etc/passwd,]<br>vfs.file.contents[/etc/passwd, utf8] | vfs.file.contents[/etc/passwd]<br>vfs.file.contents[/tmp/test] |
| vfs.file.contents[/var/log/zabbix_server.log,*,abc] | Matches vfs.file.contents with the first parameter /var/log/zabbix_server.log, the third parameter 'abc' and any (including empty) second parameter. | vfs.file.contents[/var/log/zabbix_server.log,,abc]<br>vfs.file.contents[/var/log/zabbix_server.log,utf8,abc] | vfs.file.contents[/var/log/zabbix_server.log,,abc,def] |
| vfs.file.contents[/etc/passwd,utf8] | Matches vfs.file.contents with the first parameter matching /etc/passwd, the second parameter 'utf8' and no other parameters. | vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd,]<br>vfs.file.contents[/etc/passwd,utf16] |
| vfs.file.* | Matches any key starting with vfs.file. without any parameters. | vfs.file.contents<br>vfs.file.size | vfs.file.contents[]<br>vfs.file.size[/var/log/zabbix_server.log] |
| vfs.file.*[*] | Matches any key starting with vfs.file. with any parameters. | vfs.file.size.bytes[]<br>vfs.file.size[/var/log/zabbix_server.log, utf8] | vfs.file.size.bytes |
| vfs.*.contents | Matches any key starting with vfs. and ending with .contents without any parameters. | vfs.mount.point.file.contents<br>vfs..contents | vfs.contents |
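The rule-order evaluation, the use-case rule sets and the pattern table above all rest on the same matching semantics. The following added Python model (not Zabbix's own code) reproduces them so that a candidate rule set can be checked offline before it goes into the agent configuration; it assumes the behaviour documented on this page (first match wins, system.run denied by default, bracket presence and parameter positions compared one by one), infers from the table that a trailing * parameter stands for one or more parameters, and handles only plain and double-quoted parameters.

```python
# Added example, not Zabbix's own code: models AllowKey/DenyKey evaluation as this page describes it.
import re

def wildcard_match(text, pattern):
    """Zabbix-style wildcard: '*' matches any run of characters; nothing else is special."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, text) is not None

def parse_key(key):
    """Split 'name[p1,"p,2",p3]' into (name, params, has_brackets); 'name[]' yields one empty param."""
    m = re.fullmatch(r"([A-Za-z0-9._\-*]+)(?:\[(.*)\])?", key)
    if m is None:
        raise ValueError("malformed item key: %r" % key)
    name, raw = m.groups()
    if raw is None:
        return name, [], False
    params, cur, quoted = [], "", False
    for ch in raw:
        if ch == '"':
            quoted = not quoted  # quotes group a parameter that contains commas
        elif ch == "," and not quoted:
            params, cur = params + [cur], ""
        else:
            cur += ch
    params.append(cur)
    return name, params, True

def rule_matches(pattern, key):
    """Bare '*' matches all; else name, bracket presence and parameters must match, a trailing
    '*' parameter standing for one or more parameters (so 'k[*]' matches 'k[a,b]' but not 'k')."""
    if pattern == "*":
        return True
    pname, pparams, pbrackets = parse_key(pattern)
    kname, kparams, kbrackets = parse_key(key)
    if not wildcard_match(kname, pname) or pbrackets != kbrackets:
        return False
    for i, p in enumerate(pparams):
        if p == "*" and i == len(pparams) - 1:
            return len(kparams) > i
        if i >= len(kparams) or not wildcard_match(kparams[i], p):
            return False
    return len(kparams) == len(pparams)

def is_allowed(rules, key):
    """rules: (is_allow, pattern) pairs in config order; first match wins, unmatched system.run is denied."""
    for allow, pattern in rules:
        if rule_matches(pattern, key):
            return allow
    return parse_key(key)[0] != "system.run"
```

Feeding it the two rule orders from the "Allow/deny rule order" section returns allowed and denied respectively for vfs.file.contents[/etc/passwd], and the secured Windows rules deny the test.bat debug key while the original wildcard rule lets it through.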