Ad Widget

Collapse

Zabbix agent, issues with sudo and PAM on Fedora 41.

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Silverwolf
    Junior Member
    • Jan 2025
    • 3
    #1

    Zabbix agent, issues with sudo and PAM on Fedora 41.

    Hi everyone, I'm new to the forum and I'm stuck trying to get Zabbix to run some sudo commands.
    I tried to search around the web and the forums but found no solution to my problem.
    With the help of AI I was able make some progress and managed to run a simple ping to one of my hosts through the web interface.

    My setup:
    • Hardware: Raspberry Pi 4 Model B
    • OS: Fedora 41 (no GUI)
    • SELinux: Enforcing
    • Zabbix 7.2

    My sudoers dropin file at /etc/sudoers.d/:

    Code:
    -r--r-----. 1 root root 407 Jan 18 19:14 01-zabbix-sudoers
    Content of 01-zabbix-sudoers file:

    Code:
    # Allow Zabbix the sudo privilege on specific commands and folders with no password.

# Comands alias.
Cmnd_Alias NMAP = /usr/bin/nmap
Cmnd_Alias PING = /bin/ping

# Don't require terminal for the commands of the user zabbix.
Defaults:zabbix !requiretty, !syslog, !pam_session

# Allow zabbix user to execute sudo commands without password.
zabbix ALL=(root) NOPASSWD: PING
zabbix ALL=(root) NOPASSWD: NMAP
    On the log file of the Zabbix server at /var/log/zabbix/zabbix_server.log I still get this error no matter what I do:

    Code:
    55200:20250118:191634.689 Failed to execute command "sudo /usr/bin/nmap -O 192.168.1.11": sudo: PAM account management error: Permission denied
sudo: unable to send audit message: Permission denied
sudo: a password is required​
    Content of the file /etc/pam.d/sudo:

    Code:
    #%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth
    I corrected all errors on SELinux related with Zabbix permissions and accesses:

    Code:
    [user@mchine ~]# sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log​
    Still I'm unable solve this error. This is what I get on the GUI em I click on the host and try to run the built-in script "Detect operating system":​

    Click image for larger version Name: zabbix error.png Views: 483 Size: 6.1 KB ID: 497360

    I also tried to add the user zabbix to the wheel group with no effect.

    Any help or tip in the right direction would be greatly appreciated.
    Thanks in advance.​
    Tags: agent, fedora, pam, raspberry pi, sudo
    • Blevar
      Member
      • Jan 2025
      • 68
      #2
      Have you added user zabbix to sudoers?
      Code:
      sudo visudo -c

        Comment

        • Silverwolf
          Junior Member
          • Jan 2025
          • 3
          #3
          The dropin file should set zabbix user in the sudoers as stated on previous post. Some of the commands are running with sudo already so I believe this is not the issue but something related with PAM.

          Code:
          zabbix ALL=(root) NOPASSWD: PING
zabbix ALL=(root) NOPASSWD: NMAP
          On this website I found some information about PAM but can't make any sense of what I may be missing:
          An introduction to Pluggable Authentication Modules (PAM) in Linux
          https://www.redhat.com/en/blog/pluggable-authentication-modules-pam
          Pluggable Authentication Modules (PAM) have been around since 1997. I was taught that PAM originated from Sun's Solaris, and it does appear that the first en...


          The file looks parsed correctly:
          Code:
          sudo visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/01-zabbix-sudoers: parsed OK​

            Comment

            Previous template Next
            Working...