Zabbix Documentation 5.0


8 Restricting agent checks

Overview

It is possible to restrict checks on the agent side by using a combination of two agent configuration parameters:

  • AllowKey=<pattern> - which checks are allowed; <pattern> is specified using a wildcard (*) expression
  • DenyKey=<pattern> - which checks are denied; <pattern> is specified using a wildcard (*) expression

These parameters are supported since Zabbix 5.0.

Note that the EnableRemoteCommands parameter is still supported (it may be deprecated and removed in the future) alongside the new DenyKey/AllowKey parameters. Thus remote commands will not be allowed unless you:

  • Set EnableRemoteCommands=1
  • Remove or comment out DenyKey=system.run[*]

In this case remote commands will be allowed without restrictions. To create restrictions, use a combination of AllowKey and DenyKey parameters.

Rules

  • An unlimited number of AllowKey/DenyKey parameters is supported;
  • AllowKey/DenyKey parameters are checked one by one in the order in which they appear. If an item key matches an allow/deny rule, the item is allowed or denied accordingly. Rule checking stops at the first match;
  • If no AllowKey or DenyKey parameters are specified, all keys are allowed;
  • A key pattern is a wildcard expression where the wildcard (*) character matches any number of any characters in a certain position. It may be used in both the key name and the parameters;
  • If a specific item key is disallowed in the agent configuration, the item becomes unsupported (no hint is given as to the reason);
  • Zabbix agent with the --print (-p) command line option will not show keys that are not allowed by the configuration;
  • Zabbix agent with the --test (-t) command line option will return the "Unsupported item key." status for keys that are not allowed by the configuration;
  • Denied remote commands are not logged in the agent log (even when LogRemoteCommands=1).

Use cases

Defining a blacklist

  • Define DenyKey parameters. Matching keys will be disallowed. All non-matching keys will be allowed.

For example:

# Deny secure data access
DenyKey=vfs.file.contents[/etc/passwd,*]

# Don't allow scripts
DenyKey=system.run[*]

A blacklist may not be a good choice, because a new Zabbix version may have new keys that are not explicitly restricted by the existing configuration. This could cause a security flaw.

Defining a whitelist

  • Define AllowKey parameters;
  • Define DenyKey=* as the last parameter.

For example:

# Allow reading logs:
AllowKey=vfs.file.*[/var/log/*]

# Allow localtime checks
AllowKey=system.localtime[*]

# Deny all other keys
DenyKey=*

Note that if only AllowKey parameters are defined, a DenyKey=* parameter is automatically appended anyway, so that the whitelist is complete. The exception is when an AllowKey=* is defined.

Pattern examples

Pattern | Description | Matches | No match
--- | --- | --- | ---
* | Matches all possible keys with or without parameters. | Any | None
vfs.file.contents | Matches vfs.file.contents without parameters. | vfs.file.contents | vfs.file.contents[/etc/passwd]
vfs.file.contents[] | Matches vfs.file.contents with empty parameters. | vfs.file.contents[] | vfs.file.contents
vfs.file.contents[*] | Matches vfs.file.contents with any parameters; will not match vfs.file.contents without square brackets. | vfs.file.contents[]; vfs.file.contents[/path/to/file] | vfs.file.contents
vfs.file.contents[/etc/passwd,*] | Matches vfs.file.contents with the first parameter matching /etc/passwd and all other parameters having any value (also empty). | vfs.file.contents[/etc/passwd,]; vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd]; vfs.file.contents[/var/log/zabbix_server.log]; vfs.file.contents[]
vfs.file.contents[*passwd*] | Matches vfs.file.contents with the first parameter matching *passwd* and no other parameters. | vfs.file.contents[/etc/passwd] | vfs.file.contents[/etc/passwd,]; vfs.file.contents[/etc/passwd, utf8]
vfs.file.contents[*passwd*,*] | Matches vfs.file.contents with the first parameter matching *passwd* and all following parameters having any value (also empty). | vfs.file.contents[/etc/passwd,]; vfs.file.contents[/etc/passwd, utf8] | vfs.file.contents[/etc/passwd]; vfs.file.contents[/tmp/test]
vfs.file.contents[/var/log/zabbix_server.log,*,abc] | Matches vfs.file.contents with the first parameter matching /var/log/zabbix_server.log, the third parameter matching 'abc' and any (also empty) second parameter. | vfs.file.contents[/var/log/zabbix_server.log,,abc]; vfs.file.contents[/var/log/zabbix_server.log,utf8,abc] | vfs.file.contents[/var/log/zabbix_server.log,,abc,def]
vfs.file.contents[/etc/passwd,utf8] | Matches vfs.file.contents with the first parameter matching /etc/passwd, the second parameter matching 'utf8' and no other arguments. | vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd,]; vfs.file.contents[/etc/passwd,utf16]
vfs.file.* | Matches any key starting with vfs.file. without any parameters. | vfs.file.contents; vfs.file.size | vfs.file.contents[]; vfs.file.size[/var/log/zabbix_server.log]
vfs.file.*[*] | Matches any key starting with vfs.file. with any parameters. | vfs.file.size.bytes[]; vfs.file.size[/var/log/zabbix_server.log, utf8] | vfs.file.size.bytes
vfs.*.contents | Matches any key starting with vfs. and ending with .contents without any parameters. | vfs.mount.point.file.contents; vfs..contents | vfs.contents
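The rules above (first match wins, bracket-less patterns only match bracket-less keys, a trailing * swallows any further parameters, and the implicit DenyKey=* for AllowKey-only configurations) are easy to get wrong when writing a whitelist by hand. The following Python script is an added example, not Zabbix's own code: it re-implements the matching semantics exactly as this page's rules and pattern table describe them, so that an AllowKey/DenyKey block can be checked offline against the keys you expect before it is deployed. The whitelist configuration is the page's own example; the item keys, and the TABLE_ROWS self-check taken from the table above, are constructed for the demonstration. One assumption: parameters are split on bare commas, so quoted parameters that themselves contain commas are not handled.

```python
"""Offline checker for Zabbix agent AllowKey/DenyKey rules (added example, not Zabbix code)."""


def wildcard_match(text: str, pattern: str) -> bool:
    """Match text against pattern where '*' (and only '*') matches any run of
    characters, including none. Hand-written so '?' and '[' stay literal."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return text == pattern
    if not text.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:              # inner literals must appear in order
        idx = text.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    last = parts[-1]
    return text.endswith(last) and len(text) - len(last) >= pos


def parse_key(key: str):
    """Split 'name[p1,p2]' into (name, ['p1', 'p2']). A key without brackets gives
    (name, None); 'name[]' gives (name, ['']), one empty parameter (distinct from none).
    Assumption: parameters are split on bare commas (quoted commas not handled)."""
    key = key.strip()
    if "[" not in key or not key.endswith("]"):
        return key, None
    name, _, rest = key.partition("[")
    return name, rest[:-1].split(",")


def rule_matches(pattern: str, key: str) -> bool:
    """Does one AllowKey/DenyKey pattern match an item key, per the page's table?"""
    rname, rparams = parse_key(pattern)
    kname, kparams = parse_key(key)
    if not wildcard_match(kname, rname):
        return False
    if rparams is None:
        # A pattern without brackets matches only keys without parameters,
        # except the bare '*' pattern, which matches every key.
        return kparams is None or pattern == "*"
    if kparams is None:
        return False                      # '[...]' in the pattern requires brackets in the key
    if len(kparams) < len(rparams):
        return False                      # '[/etc/passwd,*]' does not match '[/etc/passwd]'
    if len(kparams) > len(rparams) and rparams[-1] != "*":
        return False                      # extra parameters are tolerated only behind a trailing '*'
    return all(wildcard_match(k, r) for k, r in zip(kparams, rparams))


def parse_rules(config_text: str):
    """Ordered (allow, pattern) pairs from agent config text; other lines are ignored."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() in ("AllowKey", "DenyKey"):
            rules.append((name.strip() == "AllowKey", value.strip()))
    return rules


def is_allowed(rules, key: str) -> bool:
    """First matching rule wins. Unmatched keys are allowed, unless the configuration
    consists of AllowKey rules only (and no AllowKey=*), where DenyKey=* is implied."""
    for allow, pattern in rules:
        if rule_matches(pattern, key):
            return allow
    only_allow = bool(rules) and all(allow for allow, _ in rules)
    has_allow_star = any(allow and pattern == "*" for allow, pattern in rules)
    return not (only_allow and not has_allow_star)


# The page's whitelist example, verbatim (constructed input for the demo).
WHITELIST = """
# Allow reading logs:
AllowKey=vfs.file.*[/var/log/*]

# Allow localtime checks
AllowKey=system.localtime[*]

# Deny all other keys
DenyKey=*
"""

# Rows of the page's pattern table as (pattern, key, expected match), used as a self-check.
TABLE_ROWS = [
    ("*", "system.run[id]", True),
    ("vfs.file.contents", "vfs.file.contents[/etc/passwd]", False),
    ("vfs.file.contents[]", "vfs.file.contents[]", True),
    ("vfs.file.contents[*]", "vfs.file.contents[]", True),
    ("vfs.file.contents[*]", "vfs.file.contents", False),
    ("vfs.file.contents[/etc/passwd,*]", "vfs.file.contents[/etc/passwd,]", True),
    ("vfs.file.contents[/etc/passwd,*]", "vfs.file.contents[/etc/passwd]", False),
    ("vfs.file.contents[*passwd*]", "vfs.file.contents[/etc/passwd,]", False),
    ("vfs.file.contents[*passwd*,*]", "vfs.file.contents[/etc/passwd, utf8]", True),
    ("vfs.file.contents[/var/log/zabbix_server.log,*,abc]",
     "vfs.file.contents[/var/log/zabbix_server.log,,abc,def]", False),
    ("vfs.file.contents[/etc/passwd,utf8]", "vfs.file.contents[/etc/passwd,]", False),
    ("vfs.file.*", "vfs.file.contents[]", False),
    ("vfs.file.*[*]", "vfs.file.size[/var/log/zabbix_server.log, utf8]", True),
    ("vfs.*.contents", "vfs..contents", True),
    ("vfs.*.contents", "vfs.contents", False),
]


def table_mismatches():
    """Rows where the matcher disagrees with the page's table; empty when consistent."""
    return [(p, k) for p, k, want in TABLE_ROWS if rule_matches(p, k) != want]


if __name__ == "__main__":
    rules = parse_rules(WHITELIST)
    for key in ("vfs.file.contents[/var/log/zabbix_agentd.log]", "vfs.file.contents[/etc/passwd]",
                "system.localtime[utc]", "system.localtime", "system.run[id]"):
        print(f"{key:48s} {'allowed' if is_allowed(rules, key) else 'denied'}")
    print("table mismatches:", table_mismatches())
```

Running it against the page's whitelist shows the point the [*] row of the table makes in practice: system.localtime[utc] is allowed, but the bracket-less key system.localtime falls through to DenyKey=* and becomes unsupported, because AllowKey=system.localtime[*] only matches keys written with square brackets. A whitelist that must cover both spellings needs an AllowKey for each.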