Table of Contents
1 Access control
Overview
This section contains best practices for setting up access control in a secure way.
Principle of least privilege
User accounts, at all times, should run with as few privileges as possible. This means that user accounts in Zabbix frontend, database users, or the user for Zabbix server/proxy/agent processes should only have the privileges that are essential for performing the intended functions.
Giving extra privileges to the 'zabbix' user will allow it to access configuration files and execute operations that can compromise the infrastructure security.
When configuring user account privileges, Zabbix frontend user types should be considered. Note that although the Admin user type has fewer privileges than the Super Admin user type, it can still manage configuration and execute custom scripts.
Some information is available even for non-privileged users. For example, while Alerts → Scripts is available only for Super Admin users, scripts can also be retrieved through Zabbix API. In this case, limiting script permissions and excluding sensitive information from scripts (for example, access credentials) can help avoid exposing sensitive information available in global scripts.
Secure user for Zabbix agent
By default, Zabbix server and Zabbix agent processes share one 'zabbix' user. To ensure that Zabbix agent cannot access sensitive details in the server configuration (for example, database login information), the agent should be run as a different user:
- Create a secure user.
- Specify this user in the agent configuration file
Userparameter. - Restart the agent with administrator privileges. Privileges will be dropped to the specified user.
Revoke write access to SSL configuration file in Windows
Zabbix Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\openssl-64bit. The openssl-64bit directory on disk C: can be created by non-privileged users.
To improve security, create this directory manually and revoke write access from non-admin users.
Please note that directory names will differ on 32-bit and 64-bit versions of Windows.
Hardening security of Zabbix components
Some functionality can be switched off to harden the security of Zabbix components:
- global script execution on Zabbix server can be disabled by setting EnableGlobalScripts=0 in server configuration;
- global script execution on Zabbix proxy is disabled by default (can be enabled by setting EnableRemoteCommands=1 in proxy configuration);
- global script execution on Zabbix agents is disabled by default (can be enabled by adding an AllowKey=system.run[<command>,*] parameter for each allowed command in agent configuration);
- user HTTP authentication can be disabled by setting
$ALLOW_HTTP_AUTH=falsein the frontend configuration file (zabbix.conf.php). Note that reinstalling the frontend (running setup.php) will remove this parameter.