How to use user zabbix intead of root to get hardware info

    Is there another way to use the system.hw.chassis key without enabling the root user for the zabbix agent?

    I know that enabling AllowRoot=1 in zabbix-agent.conf works, but I want to keep the zabbix default user running.

    #2
    Originally posted by fcatto
    Is there another way to use the system.hw.chassis key without enabling the root user for the zabbix agent?

    I know that enabling AllowRoot=1 in zabbix-agent.conf works, but I want to keep the zabbix default user running.
    The zabbix agent system.hw.chassis key accesses /sys/firmware/dmi/tables/DMI, and part of the DMI interface allows talking with the CPU MI engine (Management Interface), which has its own small Minix-based operating system in the CPU.
    As this part of the HW interface is very sensitive from a security point of view, I would be very careful. Probably the best way of reading DMI data would be to modify Linux sysfs to expose, somewhere under /sys/firmware/dmi, a separate entry with the HW description in RO mode. As, for example, /proc/cpuinfo is readable by everyone, there is probably no reason why at least some parts of the DMI table data should not be accessible in RO mode as well.
    http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
    https://kloczek.wordpress.com/
    zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
    My zabbix templates https://github.com/kloczek/zabbix-templates

      #3
      Seems it is somehow possible. Just did a small test on my laptop

      Code:
      [[email protected] ~]$ /usr/sbin/zabbix_agentd -t system.hw.chassis
      system.hw.chassis                             [m|ZBX_NOTSUPPORTED] [Cannot obtain hardware information.]
      [[email protected] ~]$ sudo getcap /usr/sbin/zabbix_agentd
      [[email protected] ~]$ sudo setcap cap_dac_read_search+ep /usr/sbin/zabbix_agentd
      [[email protected] ~]$ /usr/sbin/zabbix_agentd -t system.hw.chassis
      system.hw.chassis                             [s|Sony Corporation VPCSB2M9E 27547484-5001800 Notebook]
      [[email protected] ~]$ sudo getcap /usr/sbin/zabbix_agentd
      /usr/sbin/zabbix_agentd = cap_dac_read_search+ep
      Disabling read DAC gives the ability to read any file in the system, and as it is still quite a heavy axe you still need to be careful about using this.
      Nevertheless, at least it has a way lower impact than executing the agent as a root process, because with the agent started as a root process it will have RW access to everything.
      BTW: it seems disabling read DAC may be useful for the agent's log monitoring keys when the zabbix user has no R access to the monitored logs.

      Maybe there is another capability which would allow giving less power to the zabbix agent (?) ..

      I'm not sure whether it will be possible to give the zabbix_agent binary read access only to /sys/firmware/dmi/tables/DMI via SELinux.
      Nevertheless, I still think that the best way to sort this out would be to rewrite the kernel DMI interface a bit to expose the HW type over a regular sysfs file with 444 mode, like /proc/cpuinfo.
      Last edited by kloczek; 04-12-2017, 23:08.

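As an added example for this thread (not code from the posters and not Zabbix's own implementation): a Python script that parses the raw SMBIOS structure table, which is what sits behind /sys/firmware/dmi/tables/DMI (mode 0400, hence the need for root, AllowRoot=1 or a file capability such as CAP_DAC_READ_SEARCH), and pulls out the vendor, product, serial and chassis type fields. When that file is unreadable it falls back to the per-field files the kernel already exposes under /sys/class/dmi/id, where sys_vendor, product_name and chassis_type are world-readable and only the serial files are root-only. The sample table at the bottom is constructed by hand; the "vendor model serial type" output format mirrors what post #3 shows the key returning and is an assumption about the agent's exact formatting.

```python
"""Read the fields behind Zabbix's system.hw.chassis without root.

Added example for this thread, not Zabbix code. Two paths are shown:
  1. parse the raw SMBIOS table (/sys/firmware/dmi/tables/DMI, mode 0400,
     so it needs root, AllowRoot=1 or e.g. CAP_DAC_READ_SEARCH on the agent);
  2. read the per-field files the kernel exposes under /sys/class/dmi/id,
     where vendor, product name and chassis type are 0444 (serials are 0400).
SAMPLE_TABLE at the bottom is constructed by hand for testing.
"""
import os
import struct

# SMBIOS spec, "System Enclosure or Chassis Types" (subset of the table).
CHASSIS_TYPES = {
    1: "Other", 2: "Unknown", 3: "Desktop", 4: "Low Profile Desktop",
    7: "Tower", 8: "Portable", 9: "Laptop", 10: "Notebook", 11: "Hand Held",
    13: "All in One", 17: "Main Server Chassis", 23: "Rack Mount Chassis",
    28: "Blade", 29: "Blade Enclosure", 30: "Tablet", 31: "Convertible",
}
DMI_TABLE = "/sys/firmware/dmi/tables/DMI"
DMI_ID_DIR = "/sys/class/dmi/id"
END_OF_TABLE = 127


def iter_structures(blob):
    """Yield (type, formatted_area, strings) for each SMBIOS structure.

    Header: type u8, length u8, handle u16 LE. The formatted area is
    `length` bytes (header included) and is followed by NUL-terminated
    strings; the list itself ends with one more NUL (two NULs if empty).
    """
    off = 0
    while off + 4 <= len(blob):
        stype, length = struct.unpack_from("<BB", blob, off)
        if length < 4 or off + length > len(blob):
            raise ValueError("corrupt SMBIOS header at offset %d" % off)
        formatted = blob[off:off + length]
        pos = off + length
        strings = []
        while True:
            end = blob.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated string area at offset %d" % pos)
            if end == pos:          # empty string: end of the string area
                pos = end + 1
                break
            strings.append(blob[pos:end].decode("latin-1"))
            pos = end + 1
        if not strings:             # an empty list is terminated by "\0\0"
            pos += 1
        yield stype, formatted, strings
        if stype == END_OF_TABLE:
            break
        off = pos


def _string(formatted, strings, index_offset):
    """Resolve a 1-based string index field; 0 or out of range -> ''."""
    if index_offset >= len(formatted):
        return ""
    idx = formatted[index_offset]
    return strings[idx - 1] if 1 <= idx <= len(strings) else ""


def chassis_from_table(blob):
    """Return (vendor, model, serial, chassis_type) from a raw SMBIOS table.

    Vendor/model/serial are the type 1 (System Information) string fields at
    offsets 0x04/0x05/0x07; the chassis type is the byte at 0x05 of type 3
    (System Enclosure); its bit 7 is the chassis-lock flag and is masked off.
    """
    vendor = model = serial = ""
    chassis = "Unknown"
    for stype, formatted, strings in iter_structures(blob):
        if stype == 1:
            vendor = _string(formatted, strings, 0x04)
            model = _string(formatted, strings, 0x05)
            serial = _string(formatted, strings, 0x07)
        elif stype == 3 and len(formatted) > 0x05:
            chassis = CHASSIS_TYPES.get(formatted[0x05] & 0x7F, "Unknown")
    return vendor, model, serial, chassis


def chassis_from_sysfs(base=DMI_ID_DIR):
    """Same four fields from /sys/class/dmi/id; unreadable files yield ''.

    product_serial is root-only there, so an unprivileged caller gets vendor,
    model and type but an empty serial: the least-privilege trade-off.
    """
    def read(name):
        try:
            with open(os.path.join(base, name), encoding="latin-1") as fh:
                return fh.read().strip()
        except OSError:
            return ""
    raw = read("chassis_type")
    chassis = CHASSIS_TYPES.get(int(raw) & 0x7F, "Unknown") if raw.isdigit() else "Unknown"
    return read("sys_vendor"), read("product_name"), read("product_serial"), chassis


def format_chassis(fields):
    """Join non-empty fields as 'vendor model serial type' (assumed format)."""
    return " ".join(f for f in fields if f)


def build_structure(stype, handle, formatted_tail, strings):
    """Assemble one SMBIOS structure (helper for constructed test data)."""
    body = struct.pack("<BBH", stype, 4 + len(formatted_tail), handle) + formatted_tail
    body += b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    return body + (b"\x00" if strings else b"\x00\x00")


# Constructed sample: type 1 (4 string indexes, 16-byte UUID, wake-up type,
# SKU, family), type 3 (chassis type 10 = Notebook), type 127 end marker.
SAMPLE_TABLE = (
    build_structure(1, 0x0001, bytes([1, 2, 0, 3]) + b"\x00" * 16 + bytes([6, 0, 0]),
                    ["Example Corp", "Model-X", "SN-0001"])
    + build_structure(3, 0x0002, bytes([1, 10, 0, 0, 0]), ["Example Corp"])
    + build_structure(END_OF_TABLE, 0x0003, b"", [])
)

if __name__ == "__main__":
    try:
        with open(DMI_TABLE, "rb") as fh:      # needs root or CAP_DAC_READ_SEARCH
            print("table:", format_chassis(chassis_from_table(fh.read())))
    except OSError as exc:
        print("table unreadable (%s); using %s" % (exc.strerror, DMI_ID_DIR))
        print("sysfs:", format_chassis(chassis_from_sysfs()))
    print("sample:", format_chassis(chassis_from_table(SAMPLE_TABLE)))
```

Run as the zabbix user it prints the sysfs fallback (no serial); run with root or with the cap_dac_read_search+ep file capability from post #3 it reads the raw table. For a UserParameter the sysfs path needs no capability at all, at the cost of the serial number.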