Encryption of passwords in Zabbix database

  • lomholt_2018
    Junior Member
    • Oct 2018
    • 6

    #1

    Encryption of passwords in Zabbix database

    I haven't been able to find an answer to the below question:

    Are passwords from the configuration like odbc passwords in items encrypted in the Zabbix database?

    Another post showed how to mask passwords in the web interface, but it doesn't mention encryption in the database.
  • lomholt_2018
    Junior Member
    • Oct 2018
    • 6

    #2
    It seems as if item passwords in general are not encrypted in the zabbix database. And moreover it is easy to remove masking of item passwords in the web interface.

    This is a problem for odbc and jmx monitoring of critical production systems since security can easily be compromised.

    Does the Zabbix team have any intention of changing this?

    Regards Steffen


    • kloczek
      Senior Member
      • Jun 2006
      • 1771

      #3
      Originally posted by lomholt_2018
      It seems as if item passwords in general are not encrypted in the zabbix database. And moreover it is easy to remove masking of item passwords in the web interface.

      This is a problem for odbc and jmx monitoring of critical production systems since security can easily be compromised.

      Does the Zabbix team have any intention of changing this?
      It is not any kind of problem because only the exact DB user has access to the database content.
      By putting the zabbix user into a non-admin group you can limit access to all passwords.
      http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
      https://kloczek.wordpress.com/
      zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
      My zabbix templates https://github.com/kloczek/zabbix-templates


      • lomholt_2018
        Junior Member
        • Oct 2018
        • 6

        #4
        Yes, I know. But I think the problem is that the Zabbix database password is stored non-encrypted in the configuration file of the web-frontend.

        So anybody with sudo rights on the Zabbix server will have access to the configuration file and consequently to the Zabbix database password.

        And again, anybody with sudo rights on the Zabbix server can remove the masking of passwords in the web interface.

        The only solution, as far as I can see, is that only database administrators have sudo rights on the Zabbix server.

        Am I missing something?

        Regards Steffen


        • kloczek
          Senior Member
          • Jun 2006
          • 1771

          #5
          Originally posted by lomholt_2018
          So anybody with sudo rights on the Zabbix server will have access to the configuration file and consequently to the Zabbix database password.
          Again: please choose the right set of people who need admin privileges.
          Just ask yourself: if all zabbix users have admin privileges, will the introduction of any encryption change something?
          http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
          https://kloczek.wordpress.com/
          zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
          My zabbix templates https://github.com/kloczek/zabbix-templates


          • lomholt_2018
            Junior Member
            • Oct 2018
            • 6

            #6
            Originally posted by kloczek

            Again: please choose the right set of people who need admin privileges.
            Just ask yourself: if all zabbix users have admin privileges, will the introduction of any encryption change something?
            I get your point.

            But Zabbix administrators are not necessarily database administrators. At least not in my customer's organization. This means that Zabbix administrators, even if very limited in number, should not have access to production database passwords.

            What I would prefer was that the database administrators could type in the passwords while the Zabbix administrators closed their eyes and after that were unable to hack the passwords.

            A Zabbix administrator might not be at the same security level as the database administrator.

            Regards Steffen


            • kloczek
              Senior Member
              • Jun 2006
              • 1771

              #7
              Originally posted by lomholt_2018
              But Zabbix administrators are not necessarily database administrators. At least not in my customer's organization. This means that Zabbix administrators, even if very limited in number, should not have access to production database passwords.
              You don't need to grant full admin access to DB content for the DB user used by zabbix server/proxy/frontend.
              Such a user does not need to have access to DB engine users' passwords.
              http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
              https://kloczek.wordpress.com/
              zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
              My zabbix templates https://github.com/kloczek/zabbix-templates
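
An inventory of which items hold stored credentials, for sizing the exposure discussed in this thread. This is an added example, not code from any poster or from the Zabbix project. It assumes the `items` table has `type`, `username` and `password` columns and that type codes 11 and 16 denote database monitor and JMX items; a constructed in-memory SQLite table stands in for the real database.

```python
import sqlite3
from collections import defaultdict

# Assumed Zabbix item type codes for the two item kinds named in the thread.
CREDENTIAL_ITEM_TYPES = {11: "Database monitor (ODBC)", 16: "JMX agent"}


def build_sample_db():
    """Constructed stand-in for a subset of the Zabbix `items` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (itemid INTEGER PRIMARY KEY, hostid INTEGER, "
        "type INTEGER, name TEXT, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?,?,?,?,?,?)", [
        (1, 10, 11, "Orders row count", "monitor", "constructed-secret-1"),
        (2, 10, 11, "Replication lag", "monitor", "constructed-secret-1"),
        (3, 11, 16, "JVM heap used", "jmxuser", "constructed-secret-2"),
        (4, 11, 0, "CPU load", "", ""),
    ])
    return conn


def audit_stored_credentials(conn):
    """List (itemid, hostid, type label) for items with a password set.

    The password column is only tested for emptiness in SQL; its value is
    never selected, so the report itself does not leak secrets.
    """
    rows = conn.execute(
        "SELECT itemid, hostid, type FROM items "
        "WHERE password IS NOT NULL AND password <> '' ORDER BY itemid"
    )
    return [(i, h, CREDENTIAL_ITEM_TYPES.get(t, f"type {t}")) for i, h, t in rows]


def summarize(findings):
    """Count affected items and distinct hosts per item type."""
    items, hosts = defaultdict(int), defaultdict(set)
    for _itemid, hostid, label in findings:
        items[label] += 1
        hosts[label].add(hostid)
    return {label: {"items": items[label], "hosts": len(hosts[label])} for label in items}


if __name__ == "__main__":
    for label, counts in summarize(audit_stored_credentials(build_sample_db())).items():
        print(f"{label}: {counts['items']} items on {counts['hosts']} hosts")
```
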
