Sudo with zabbix Agent scripts

  • peterfm
    Junior Member
    • Apr 2019
    • 8

    #1

    I have read a lot of articles on the subject, and I am not able to get the Zabbix agent on CentOS 7 to use sudo commands without disabling SELinux.

    I have installed the Zabbix agent and included the necessary permissions in the sudoers file so that no password is required, but when trying to execute a script that runs a simple "sudo touch /opt/wildfly/standalone/deployments/wars.query2", an error is generated. If I disable SELinux, everything works fine, but if I try "tail -f /var/log/audit/audit.log | grep denied | audit2allow -M zabbix_agent_setrlimit; semodule -i zabbix_agent_setrlimit.pp" to generate the necessary exceptions, I still get permission errors running the script.

    Is it possible to get this without disabling selinux?

    Here is an example (the two commands, followed by the errors they produce):
    Code:
    sudo touch /opt/wildfly/standalone/deployments/wars.query2
    echo | sudo tee -a /opt/wildfly/standalone/deployments/wars.query3
    sh: /usr/bin/sudo: Permission denied
    sh: line 1: /usr/bin/sudo: Permission denied

    In Linux console, I can execute "sudo -u zabbix sudo touch /opt/wildfly/standalone/deployments/wars.query2" without any problem.
    Last edited by peterfm; 21-04-2019, 21:31.
  • Atsushi
    Senior Member
    • Aug 2013
    • 2028

    #2
    Did you configure requiretty?

    e.g. via visudo:
    Code:
    Defaults:zabbix    !requiretty


    • kloczek
      Senior Member
      • Jun 2006
      • 1771

      #3
      You need to use the system.run[] key https://www.zabbix.com/documentation...s/zabbix_agent or define a UserParameter in the zabbix agent configuration https://www.zabbix.com/documentation...userparameters

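The two suggestions above (a `!requiretty` rule for the zabbix user in #2, and running the privileged command through a UserParameter rather than an ad-hoc `system.run["sudo ..."]` in #3) fit together in one small install script. The script below is an added example and is not code from this thread or from Zabbix; the drop-in paths, the item key `wildfly.deploy.touch` and the two commands in `ZABBIX_CMDS` are assumptions for the example. The sudoers rule is deliberately limited to full-path commands with fixed arguments (never `NOPASSWD: ALL`), and the UserParameter has no `[*]` parameters, so nothing the server sends is ever pasted into a root shell. A `UserParameter` works on every agent version; `system.run[]`, by contrast, has to be switched on in the agent configuration (`EnableRemoteCommands=1` on old agents, `AllowKey=system.run[*]` on 5.0 and later) and lets the server run arbitrary commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zabbix: give the "zabbix"
# user a narrow, password-less sudo rule (with requiretty off, as #2
# suggests) and expose the privileged command to the server as a
# UserParameter with a fixed command line (as #3 suggests).
# Assumptions: the drop-in paths below, the item key "wildfly.deploy.touch"
# and the two commands listed in ZABBIX_CMDS.
set -eu

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
AGENT_CONF_DIR="${AGENT_CONF_DIR:-/etc/zabbix/zabbix_agentd.d}"

# sudoers drop-in: no password, no tty requirement, only the listed commands
# (full paths, exact arguments), never "NOPASSWD: ALL".
write_sudoers() {
    f="$SUDOERS_DIR/zabbix"
    tmp="$f.tmp"            # sudo skips names containing a dot until renamed
    cat > "$tmp" <<'EOF'
# zabbix agent privileged commands (generated drop-in)
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMDS = /usr/bin/touch /opt/wildfly/standalone/deployments/wars.query2, \
                         /usr/bin/systemctl restart nginx
zabbix ALL=(root) NOPASSWD: ZABBIX_CMDS
EOF
    chmod 0440 "$tmp"
    # Syntax-check before the file goes live: a broken sudoers locks sudo out.
    # visudo also checks owner/mode, so only run it when installing as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null
    fi
    mv "$tmp" "$f"
    printf '%s\n' "$f"
}

# Reject a drop-in that grants every command: that is what turns a
# compromised agent into root on the host.
sudoers_is_narrow() {
    ! grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# Agent-side item: fixed command, no [*] parameters, so nothing the server
# sends is ever interpolated into the command line run under sudo.
write_userparameter() {
    f="$AGENT_CONF_DIR/wildfly.conf"
    cat > "$f" <<'EOF'
# key: wildfly.deploy.touch -> returns 1 on success
UserParameter=wildfly.deploy.touch,/usr/bin/sudo /usr/bin/touch /opt/wildfly/standalone/deployments/wars.query2 && echo 1
EOF
    printf '%s\n' "$f"
}

# Usage: sh zabbix-sudo-install.sh install   (as root), then restart the agent
case "${1:-}" in
    install)
        s=$(write_sudoers)
        sudoers_is_narrow "$s"
        write_userparameter
        echo "now run: systemctl restart zabbix-agent" ;;
esac
```

After the agent restart the server can poll the item with `zabbix_get -s <host> -k wildfly.deploy.touch`; the sudo path and arguments in the UserParameter must match the `Cmnd_Alias` entry character for character, or sudo will prompt (and fail, since the agent has no tty).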

      • peterfm
        Junior Member
        • Apr 2019
        • 8

        #4
        Originally posted by Atsushi
        Did you configure requiretty?

        e.g. via visudo:
        Code:
        Defaults:zabbix !requiretty

        In Linux console, I can execute "sudo -u zabbix sudo touch /opt/wildfly/standalone/deployments/wars.query2" without any problem.



        • Atsushi
          Atsushi commented
          Even though it can be run on the console, it requires special configuration when using the sudo command.
      • peterfm
        Junior Member
        • Apr 2019
        • 8

        #5
        Originally posted by kloczek
        You need use system.run[] key https://www.zabbix.com/documentation...s/zabbix_agent or define UserParameter in zabbix agent configuration https://www.zabbix.com/documentation...userparameters
        Let me do some tests on this and I'll post if it works.


        • bonne
          Junior Member
          • Aug 2022
          • 2

          #6
          Originally posted by peterfm

          Let me do some tests on this and I'll post if it works.
          Did you manage to solve this? I am facing the same issue. I can create an item with key system.run that initiates a script on the server; it can "echo test", but when it comes to something that needs sudo, I get the same "/usr/bin/sudo: Permission denied".


          • j238267431
            Junior Member
            • Nov 2022
            • 11

            #7
            Same for me. When I send a command to zabbix-agent from zabbix-server with zabbix_get -s 139.162.148.190 -k system.run["sudo systemctl restart nginx"], I get:
            /usr/bin/sudo: Permission denied
            How can I fix this?


            • user1234
              Member
              • Jul 2022
              • 35

              #8
              Same for me.
              Does anyone have a solution?


              • j238267431
                Junior Member
                • Nov 2022
                • 11

                #9
                Try this (polkit): https://unix.stackexchange.com/quest.../606476#606476


                • parkerm17
                  Junior Member
                  • Nov 2022
                  • 2

                  #10

                  For anyone finding this post, I found I had to do the following for Zabbix to run 'sudo shutdown' on a remote machine via an agent script:

                  1) Set SELinux zabbix_run_sudo boolean
                  Code:
                  setsebool -P zabbix_run_sudo=1
                  2) Compile the following *.te content into a *.pp with the following commands:
                  Code:
                  checkmodule -M -m -o allow_zabbix_full_sudo_access.mod allow_zabbix_full_sudo_access.te
                  semodule_package -o allow_zabbix_full_sudo_access.pp -m allow_zabbix_full_sudo_access.mod
                  Code:
                  module allow_zabbix_full_sudo_access 1.0;
                  
                  require {
                  type power_unit_file_t;
                  type kernel_t;
                  type console_device_t;
                  type chkpwd_exec_t;
                  type system_dbusd_t;
                  type devlog_t;
                  type shadow_t;
                  type systemd_systemctl_exec_t;
                  type user_devpts_t;
                  type zabbix_agent_t;
                  type init_t;
                  class service { start status };
                  class process getpgid;
                  class unix_stream_socket connectto;
                  class dbus send_msg;
                  class chr_file { ioctl open write };
                  class capability { audit_write dac_override dac_read_search net_admin };
                  class file { execute execute_no_trans open read };
                  class netlink_audit_socket { create nlmsg_relay read write };
                  class sock_file write;
                  class unix_dgram_socket { connect create sendto write };
                  }
                  
                  #============= zabbix_agent_t ==============
                  
                  allow zabbix_agent_t chkpwd_exec_t:file execute_no_trans;
                  allow zabbix_agent_t console_device_t:chr_file { ioctl open write };
                  allow zabbix_agent_t devlog_t:sock_file write;
                  allow zabbix_agent_t init_t:dbus send_msg;
                  allow zabbix_agent_t init_t:process getpgid;
                  allow zabbix_agent_t init_t:unix_stream_socket connectto;
                  allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
                  allow zabbix_agent_t power_unit_file_t:service status;
                  allow zabbix_agent_t power_unit_file_t:service start;
                  allow zabbix_agent_t self:capability { audit_write dac_override dac_read_search net_admin };
                  allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay read write };
                  allow zabbix_agent_t self:unix_dgram_socket { connect create write };
                  allow zabbix_agent_t shadow_t:file { open read };
                  allow zabbix_agent_t system_dbusd_t:dbus send_msg;
                  allow zabbix_agent_t system_dbusd_t:unix_stream_socket connectto;
                  allow zabbix_agent_t systemd_systemctl_exec_t:file { execute execute_no_trans };
                  allow zabbix_agent_t user_devpts_t:chr_file { open write };

                  3) Install the allow_zabbix_full_sudo_access.pp module:
                  Code:
                  semodule -i allow_zabbix_full_sudo_access.pp


                  • kmfreder
                    Junior Member
                    • Feb 2020
                    • 6

                    #11
                    I applied the above selinux module and my error changed from "Permission Denied" to "sudo: account validation failure, is your account locked?" Any ideas on where to go from there?

                    Comment

                    • parkerm17
                      Junior Member
                      • Nov 2022
                      • 2

                      #12
                      kmfreder: What does the following give you:

                      Code:
                      grep AVC /var/log/audit/audit.log

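Both the module in #10 and the `grep AVC /var/log/audit/audit.log` in #12 start from the same place: the AVC denial records for the agent's domain. The script below is an added example (not code from the thread) that filters those records to one source type and summarises the (target type, class, permission) tuples a policy module would have to grant, so you can read what you are about to allow before running `audit2allow`. The audit lines embedded in `sample_audit_log` are constructed for the example, not a real capture; `zabbix_agent_t` is the domain CentOS 7 assigns the agent, and the `audit2allow` package name is the CentOS 7 one. The point of reading the summary first: the `.te` in #10 gives the whole agent domain `dac_override`, `dac_read_search`, `net_admin` and read access to `shadow_t`, which is a large grant for a monitoring agent, and a module built from your own host's denials is usually much smaller.

```shell
#!/bin/sh
# Added example, not code from the thread: triage SELinux AVC denials for
# the agent domain before turning them into a policy module.
# Assumptions: "zabbix_agent_t" as the agent's source type (CentOS 7), and
# the constructed sample audit lines below (not a real capture).
set -eu

# Constructed sample of /var/log/audit/audit.log for the example.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1668000001.100:201): avc:  denied  { execute } for  pid=2101 comm="sh" name="sudo" dev="dm-0" ino=67890 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1668000001.100:201): arch=c000003e syscall=59 success=no exit=-13 ...
type=AVC msg=audit(1668000001.250:202): avc:  denied  { open read } for  pid=2102 comm="sudo" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668000001.300:203): avc:  denied  { send_msg } for  pid=2103 comm="systemctl" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0
type=AVC msg=audit(1668000002.000:204): avc:  denied  { read } for  pid=3001 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=USER_CMD msg=audit(1668000002.100:205): pid=2104 uid=997 auid=4294967295 ses=4294967295 subj=system_u:system_r:zabbix_agent_t:s0 msg='cwd="/" cmd=2F7573722F62696E2F746F756368 exe="/usr/bin/sudo" terminal=? res=failed'
type=AVC msg=audit(1668000003.000:206): avc:  denied  { execute } for  pid=2105 comm="sh" name="sudo" dev="dm-0" ino=67890 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0
EOF
}

# Raw AVC denial records whose source domain is $2 (e.g. zabbix_agent_t):
# what "grep AVC audit.log" shows, minus other domains' noise.
avc_denials() {
    grep '^type=AVC ' "$1" | grep -E 'avc: +denied' | grep "scontext=[^ ]*:$2:"
}

# One line per (target type, class, permission) a module would have to
# grant for source domain $2; read this before feeding audit2allow.
avc_summary() {
    awk -v want="$2" '
        /^type=AVC / && /avc: +denied/ {
            s = ""; t = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = $i
                else if ($i ~ /^tcontext=/) t = $i
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            split(s, sp, ":"); split(t, tp, ":")   # element 3 is the type
            if (sp[3] != want) next
            match($0, /[{][^}]*[}]/)               # e.g. "{ open read }"
            n = split(substr($0, RSTART + 1, RLENGTH - 2), perm, " ")
            for (j = 1; j <= n; j++) print tp[3], cls, perm[j]
        }' "$1" | sort -u
}

# Build a module from the filtered denials only (audit2allow comes from
# policycoreutils-python on CentOS 7); load it with "semodule -i NAME.pp".
avc_to_module() {
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not installed" >&2
        return 2
    fi
    avc_denials "$1" "$2" | audit2allow -M "$3"
}

# Usage: sh avc-triage.sh demo
#        sh avc-triage.sh summary [audit.log] [source_type]
#        sh avc-triage.sh module  [audit.log] [source_type] [module_name]
case "${1:-}" in
    demo)    log=$(mktemp); sample_audit_log > "$log"
             avc_summary "$log" zabbix_agent_t; rm -f "$log" ;;
    summary) avc_summary "${2:-/var/log/audit/audit.log}" "${3:-zabbix_agent_t}" ;;
    module)  avc_to_module "${2:-/var/log/audit/audit.log}" "${3:-zabbix_agent_t}" "${4:-zabbix_agent_local}" ;;
esac
```

On the constructed sample, `demo` prints four tuples for `zabbix_agent_t` (`init_t dbus send_msg`, `shadow_t file open`, `shadow_t file read`, `sudo_exec_t file execute`) and drops the `httpd_t` denial and the non-AVC records. Run it against the real log after reproducing the failing item once with `zabbix_get`, then decide per tuple whether a boolean such as `zabbix_run_sudo` already covers it before writing a custom module.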