Hello,
I know there are several topics about fping, but I've read through them all and I am still having trouble getting something that should be pretty simple working.
I am trying to do a simple ping test from a host (that's running zabbix agent) to an external host.
In my zabbix_agentd.conf file I have setup a UserParameter such as:
UserParameter=vpnPing[*],fping $1 |grep -c alive
My fping permissions are as such:
# ls -l /sbin/fping
-rwsr-sr-x. 1 root zabbix 52904 Aug 5 2019 /sbin/fping
If I run the zabbix_agentd test I get (fake ip listed for example purposes)
# zabbix_agentd -t vpnPing[123.456.78.901]
vpnPing[123.456.78.901] [t|1]
So that seems to work.
When I go to the zabbix UI and look at the latest data I see:
The interesting this is the 0 at the bottom. I've also seen it be 1 at times. That sounds like something is working, but I don't get why I get the permission denied.
Also when I look at the audit log I see:
type=AVC msg=audit(1591307793.058:12551): avc: denied { execute } for pid=30242 comm="sh" name="fping" dev="nvme0n1p2" ino=8410299 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u
bject_r
ing_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591307793.058:12551): arch=c000003e syscall=21 success=no exit=-13 a0=55c20f61e450 a1=1 a2=7ffc91d9bb10 a3=0 items=0 ppid=30241 pid=30242 auid=4294967295 uid=990 gid=988 euid=990 suid=990 fsuid=990 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=access AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
type=PROCTITLE msg=audit(1591307793.058:12551):
I'm running RHEL 8.2.
# zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.4.9
$ zabbix_server -V
zabbix_server (Zabbix) 4.4.9
# fping -v
fping: Version 3.16
I have the Item in Zabbix configured as Type: Zabbix agent
If I try: zabbix_get -s [my_zabbix_server_ip] -k vpnPing[123.456.78.901]
it does timeout (not sure why): zabbix_get [30549]: Timeout while executing operation
But not sure that last part with zabbix_get is relevant b/c the checks to seem to be getting back to the zabbix server but it just says permission denied.
I've been struggling with this for a while now and hoping someone can help me out?
I know there are several topics about fping, but I've read through them all and I am still having trouble getting something that should be pretty simple working.
I am trying to do a simple ping test from a host (that's running zabbix agent) to an external host.
In my zabbix_agentd.conf file I have setup a UserParameter such as:
UserParameter=vpnPing[*],fping $1 |grep -c alive
My fping permissions are as such:
# ls -l /sbin/fping
-rwsr-sr-x. 1 root zabbix 52904 Aug 5 2019 /sbin/fping
If I run the zabbix_agentd test I get (fake ip listed for example purposes)
# zabbix_agentd -t vpnPing[123.456.78.901]
vpnPing[123.456.78.901] [t|1]
So that seems to work.
When I go to the zabbix UI and look at the latest data I see:
| 2020-06-04 17:55:30 | sh: /usr/sbin/fping: Permission denied 0 |
Also when I look at the audit log I see:
type=AVC msg=audit(1591307793.058:12551): avc: denied { execute } for pid=30242 comm="sh" name="fping" dev="nvme0n1p2" ino=8410299 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u
bject_ring_exec_t:s0 tclass=file permissive=0type=SYSCALL msg=audit(1591307793.058:12551): arch=c000003e syscall=21 success=no exit=-13 a0=55c20f61e450 a1=1 a2=7ffc91d9bb10 a3=0 items=0 ppid=30241 pid=30242 auid=4294967295 uid=990 gid=988 euid=990 suid=990 fsuid=990 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=access AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
type=PROCTITLE msg=audit(1591307793.058:12551):
I'm running RHEL 8.2.
# zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.4.9
$ zabbix_server -V
zabbix_server (Zabbix) 4.4.9
# fping -v
fping: Version 3.16
I have the Item in Zabbix configured as Type: Zabbix agent
If I try: zabbix_get -s [my_zabbix_server_ip] -k vpnPing[123.456.78.901]
it does timeout (not sure why): zabbix_get [30549]: Timeout while executing operation
But not sure that last part with zabbix_get is relevant b/c the checks to seem to be getting back to the zabbix server but it just says permission denied.
I've been struggling with this for a while now and hoping someone can help me out?
Comment