Allow only some requests in Zabbix agent

  • lorenzoa
    Junior Member
    • Jul 2019
    • 3

    #1

    Good morning,
    I installed Zabbix agent on one of our Linux devices and started the daemon as the zabbix user. Everything works fine, and running ./zabbix_agentd -p I can see a list of all possible requests that can be made by the servers.
    The problem is that for security purposes I need to restrict access to the device and/or allow only some requests to be accepted by the agent.
    Is there a way to disable some requests on the agent side?
    For instance, can I mark vfs.dev.read[] as not supported?

    Thanks in advance
    Best regards

    Lorenzo
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    Unable. Think about who you want to ban from receiving information. Zabbix server? You can restrict access to site information at the group and user level within Zabbix. (Perhaps if you have such security requirements, you should not install the Zabbix agent at all!)

    • lorenzoa
      Junior Member
      • Jul 2019
      • 3

      #3
      Thank you for the answer Hamardaban,
      I feared that maybe this was not possible at all as I couldn't see such an option in the config file.
      Kind regards

      • kloczek
        Senior Member
        • Jun 2006
        • 1771

        #4
        Originally posted by lorenzoa
        Good morning,
        I installed Zabbix agent on one of our Linux devices and started the daemon as the zabbix user. Everything works fine, and running ./zabbix_agentd -p I can see a list of all possible requests that can be made by the servers.
        The problem is that for security purposes I need to restrict access to the device and/or allow only some requests to be accepted by the agent.
        Is there a way to disable some requests on the agent side?
        For instance, can I mark vfs.dev.read[] as not supported?

        The Zabbix agent binary started from the command line reads only data which the user can read from the system in other ways.
        What you are trying to do has nothing to do with security.
        http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
        https://kloczek.wordpress.com/
        zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
        My zabbix templates https://github.com/kloczek/zabbix-templates

        • ingus.vilnis
          Senior Member
          Zabbix Certified Trainer
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Mar 2014
          • 908

          #5
          Originally posted by kloczek
          The Zabbix agent binary started from the command line reads only data which the user can read from the system in other ways.
          What you are trying to do has nothing to do with security.

          Sure, all data can be read from the command line anyway, but a user does not necessarily need access to the command line, while access can be granted to Zabbix items. In other words, the request is about hiding data from frontend users, and in many cases the user will never have other access to the monitored servers anyway.

          Imagine one having admin access to certain host groups in Zabbix and now trying to run vfs.file.contents, log and similar nice items where it should not be done. As far as I know there is no native Zabbix way to block it on the agent side though.

          • kloczek
            Senior Member
            • Jun 2006
            • 1771

            #6
            Originally posted by ingus.vilnis

            Sure, all data can be read from the command line anyway, but a user does not necessarily need access to the command line, while access can be granted to Zabbix items. In other words, the request is about hiding data from frontend users, and in many cases the user will never have other access to the monitored servers anyway.

            Imagine one having admin access to certain host groups in Zabbix and now trying to run vfs.file.contents, log and similar nice items where it should not be done. As far as I know there is no native Zabbix way to block it on the agent side though.

            The Zabbix agent started from the command line does not grant anything. It uses the user's permissions to read some data.
            Again, you want to calm down the Zabbix agent only because it shows you some "nasty things" to which you have access even without the Zabbix agent.

            • lorenzoa
              Junior Member
              • Jul 2019
              • 3

              #7
              Originally posted by ingus.vilnis

              Sure, all data can be read from the command line anyway, but a user does not necessarily need access to the command line, while access can be granted to Zabbix items. In other words, the request is about hiding data from frontend users, and in many cases the user will never have other access to the monitored servers anyway.

              Imagine one having admin access to certain host groups in Zabbix and now trying to run vfs.file.contents, log and similar nice items where it should not be done. As far as I know there is no native Zabbix way to block it on the agent side though.
              Yes, what I'm trying to do is to prevent any frontend user from being able to see the content of some files on the camera.
