With the arrival of Zabbix 2.0 I'm faced with having to update the Windows agent on lots of boxes to 2.0 if we want the full functionality of 2.0.
A script to download and update the agent is trivial using either a batch file or VBS (the option I've gone for), and I can even make it update the format of the config file if required.
Ideally the script would be scheduled so it would check if there was a new version of the agent and then download it and install it automatically overnight.
However, I'm still wondering about how to do this securely... I could host the agent zips on my Zabbix server, but there is always the chance of a compromise there and then an infected agent could be automatically spread to all the Windows machines, which would be a disaster. I can calculate a checksum against the agent zip, but then how would this be distributed to all the machines safely?
I had a thought that I could sign/encrypt the zip file using a private key and then put the public key on the machines with the agent, so it checks if every file is signed before installing... The private key would not be kept on the Zabbix server, so this option is a lot safer... The problem is I cannot seem to find a way of doing this that doesn't require lots of extra software installed on the Windows machine...
Has anyone else faced this problem and how have you overcome it? Is there any (ideally free) software for signing zip files using a public key system that doesn't require lots of extra software on the Windows side?
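The check described in the post above can be done with only what ships with Windows. The following is an added example, not the poster's script and not Zabbix code: it verifies a detached RSA/SHA-256 signature against a public key pinned on the client. Assumptions: Windows PowerShell on .NET Framework 4 or later, a hypothetical function name `Test-AgentPackage`, a hypothetical `.sig` file published next to the zip, and a throwaway key pair generated in the script to stand in for the offline signing key.

```powershell
# Added example. Test-AgentPackage and the file names are hypothetical.
function Test-AgentPackage {
    param(
        [string]$PackagePath,    # downloaded agent zip
        [string]$SignaturePath,  # detached signature downloaded alongside it
        [string]$PublicKeyXml    # public key pinned on the client, never fetched from the server
    )
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $rsa.PersistKeyInCsp = $false
        $rsa.FromXmlString($PublicKeyXml)
        $data = [System.IO.File]::ReadAllBytes($PackagePath)
        $sig  = [System.IO.File]::ReadAllBytes($SignaturePath)
        # PKCS#1 v1.5 signature over the SHA-256 hash of the whole file
        return $rsa.VerifyData($data, 'SHA256', $sig)
    } catch {
        # Missing file, malformed key or malformed signature: treat as not verified
        return $false
    } finally {
        $rsa.Clear()
    }
}

# --- Constructed demo data: a throwaway key pair stands in for the offline signing key ---
$signer = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$signer.PersistKeyInCsp = $false
$pinnedKey = $signer.ToXmlString($false)   # public half only; this is what ships to the clients

$pkg = Join-Path $env:TEMP 'agent-demo.zip'
$sig = "$pkg.sig"
[System.IO.File]::WriteAllBytes($pkg, [System.Text.Encoding]::ASCII.GetBytes('constructed package bytes'))
# Signing happens on the machine that holds the private key, not on the download server
[System.IO.File]::WriteAllBytes($sig, $signer.SignData([System.IO.File]::ReadAllBytes($pkg), 'SHA256'))

# Updater logic: install only when the signature matches the pinned key
if (Test-AgentPackage $pkg $sig $pinnedKey) { Write-Output 'signature ok, package may be installed' }

# Simulate the download server being compromised: the zip changes after it was signed
[System.IO.File]::AppendAllText($pkg, 'x')
if (-not (Test-AgentPackage $pkg $sig $pinnedKey)) { Write-Output 'signature mismatch, refusing to install' }

Remove-Item $pkg, $sig
$signer.Clear()
```

Because the public key is pinned on each machine and the private key never touches the download server, replacing both the zip and the `.sig` file on that server is not enough to pass the check.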