You are viewing documentation for the development version, it may be incomplete.
Join our translation project and help translate Zabbix documentation into your native language.

1 Access control

Overview

This section contains best practices for setting up access control in a secure way.

Principle of least privilege

User accounts, at all times, should run with as few privileges as possible. This means that user accounts in Zabbix frontend, database users, or the user for Zabbix server/proxy/agent processes should only have the privileges that are essential for performing the intended functions.

Giving extra privileges to the 'zabbix' user will allow it to access configuration files and execute operations that can compromise the infrastructure security.

When configuring user account privileges, Zabbix frontend user types should be considered. Note that although the Admin user type has fewer privileges than the Super Admin user type, it can still manage configuration and execute custom scripts.

Some information is available even for non-privileged users. For example, while AlertsScripts is available only for Super Admin users, scripts can also be retrieved through Zabbix API. In this case, limiting script permissions and excluding sensitive information from scripts (for example, access credentials) can help avoid exposing sensitive information available in global scripts.

Secure user for Zabbix agent

By default, Zabbix server and Zabbix agent processes share one 'zabbix' user. To ensure that Zabbix agent cannot access sensitive details in the server configuration (for example, database login information), the agent should be run as a different user:

  1. Create a secure user.
  2. Specify this user in the agent configuration file User parameter.
  3. Restart the agent with administrator privileges. Privileges will be dropped to the specified user.

Revoke write access to SSL configuration file in Windows

Zabbix Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\\openssl-64bit. The openssl-64bit directory on disk C: can be created by non-privileged users.

To improve security, create this directory manually and revoke write access from non-admin users.

Please note that directory names will differ on 32-bit and 64-bit versions of Windows.