12 Restricting agent checks

    Overview

    To do that use a combination of two agent parameters:

    • - which checks are allowed; <pattern> is specified using a wildcard (*) expression
    • DenyKey=<pattern> - which checks are denied; <pattern> is specified using a wildcard (*) expression

    Note that:

    • All system.run[*] items (remote commands, scripts) are disabled by default, even when no deny keys are specified, it should be assumed that DenyKey=system.run[*] is implicitly appended.
    • Since Zabbix 5.0.2 the EnableRemoteCommands agent parameter is:

    Therefore, to allow remote commands, specify an AllowKey=system.run[<command>,*] for each allowed command, * stands for wait and nowait mode. It is also possible to specify AllowKey=system.run[*] parameter to allow all commands with wait and nowait modes. To disallow specific remote commands, add DenyKey parameters with system.run[] commands before the AllowKey=system.run[*] parameter.

    Important rules

    • A whitelist without a deny rule is only allowed for system.run[*] items. For all other items, AllowKey parameters are not allowed without a DenyKey parameter; in this case Zabbix agent will not start with only AllowKey parameters.
    • The order matters. The specified parameters are checked one by one according to their appearance order in the configuration file:
      • The order affects also EnableRemoteCommands parameter (if used).
    • Unlimited numbers of AllowKey/DenyKey parameters is supported.
    • AllowKey, DenyKey rules do not affect HostnameItem, HostMetadataItem, HostInterfaceItem configuration parameters.
    • Key pattern is a wildcard expression where the wildcard (*) character matches any number of any characters in certain position. It might be used in both the key name and parameters.
    • If a specific item key is disallowed in the agent configuration, the item will be reported as unsupported (no hint is given as to the reason);
    • Zabbix agent with —print (-p) command line option will not show keys that are not allowed by configuration;
    • Zabbix agent with —test (-t) command line option will return “Unsupported item key.” status for keys that are not allowed by configuration;
    • Denied remote commands will not be logged in the agent log (if LogRemoteCommands=1).

    Use cases

    Deny specific check
    • Blacklist a specific check with DenyKey parameter. Matching keys will be disallowed. All non-matching keys will be allowed, except system.run[] items.

    For example:

    1. # Deny secure data access
    2.        DenyKey=vfs.file.contents[/etc/passwd,*]

    A blacklist may not be a good choice, because a new Zabbix version may have new keys that are not explicitly restricted by the existing configuration. This could cause a security flaw.

    Deny specific command, allow others
    • Blacklist a specific command with DenyKey parameter. Whitelist all other commands, with the AllowKey parameter.
    Allow specific check, deny others
    • Whitelist specific checks with AllowKey parameters, deny others with DenyKey=*
    1. # Allow reading logs:
    3.        # Allow localtime checks
    6.        # Deny all other keys
    7.        DenyKey=*

    Pattern examples

    system.run and AllowKey

    A hypothetical script like ‘myscript.sh’ may be executed on a host via Zabbix agent in several ways:

    1. As an item key in a passive or active check, for example:

    • system.run[myscript.sh]
    • system.run[myscript.sh,wait]
    • system.run[myscript.sh.nowait]

    Here the user may add “wait”, “nowait” or omit the 2nd argument to use its default value in system.run[].

    2. As a global script (initiated by user in frontend or API).

    A user configures this script in AlertsScripts, sets “Execute on: Zabbix agent” and puts “myscript.sh” into the script’s “Commands” input field. When invoked from frontend or API the Zabbix server sends to agent:

    • system.run[myscript.sh,wait] - up to Zabbix 5.0.4
    • system.run[myscript.sh] - since 5.0.5

    3. As a remote command from an action. The Zabbix server sends to agent:

    • system.run[myscript.sh,nowait]

    Here again the user does not control the “wait”/“nowait” parameters.

    What that means is if we set AllowKey like:

    then

    • system.run[myscript.sh] - will be allowed
    • system.run[myscript.sh,wait], system.run[myscript.sh,nowait] will not be allowed - the script will not be run if invoked as a step of action

    To allow all described variants you may add: