It is possible to restrict checks on the agent side by creating an item blacklist, a whitelist, or a combination of whitelist/blacklist.
To do that use a combination of two agent configuration parameters:
AllowKey=<pattern>
- which checks are allowed; <pattern> is specified using a wildcard (*) expressionDenyKey=<pattern>
- which checks are denied; <pattern> is specified using a wildcard (*) expressionNote that:
system.run[*]
items (remote commands, scripts) are disabled by default, even when no deny keys are specified;Therefore, to allow all remote commands, specify an AllowKey=system.run[*] parameter. (Before Zabbix 5.0.2, EnableRemoteCommands=1 is also required in the agent configuration.)
To allow only some remote commands, create a whitelist of specific system.run[] commands. To disallow specific remote commands, add DenyKey parameters with system.run[] commands before the AllowKey=system.run[*] parameter.
For example:
A blacklist may not be a good choice, because a new Zabbix version may have new keys that are not explicitly restricted by the existing configuration. This could cause a security flaw.
# Disallow specific command
DenyKey=system.run[ls -l /]
# Allow other scripts
AllowKey=system.run[*]
DenyKey=*
For example:
# Allow reading logs:
AllowKey=vfs.file.*[/var/log/*]
# Allow localtime checks
AllowKey=system.localtime[*]
# Deny all other keys
DenyKey=*
Pattern | Description | Matches | No match |
---|---|---|---|
* | Matches all possible keys with or without parameters. | Any | None |
vfs.file.contents | Matches vfs.file.contents without parameters. |
vfs.file.contents | vfs.file.contents[/etc/passwd] |
vfs.file.contents[] | Matches vfs.file.contents with empty parameters. |
vfs.file.contents[] | vfs.file.contents |
vfs.file.contents[*] | Matches vfs.file.contents with any parameters; will not match vfs.file.contents without square brackets. |
vfs.file.contents[] vfs.file.contents[/path/to/file] |
vfs.file.contents |
vfs.file.contents[/etc/passwd,*] | Matches vfs.file.contents with first parameters matching /etc/passwd and all other parameters having any value (also empty). |
vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf8] |
vfs.file.contents[/etc/passwd] vfs.file.contents[/var/log/zabbix_server.log] vfs.file.contents[] |
vfs.file.contents[*passwd*] | Matches vfs.file.contents with first parameter matching *passwd* and no other parameters. |
vfs.file.contents[/etc/passwd] | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8] |
vfs.file.contents[*passwd*,*] | Matches vfs.file.contents with only first parameter matching *passwd* and all following parameters having any value (also empty). |
vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd, utf8] |
vfs.file.contents[/etc/passwd] vfs.file.contents[/tmp/test] |
vfs.file.contents[/var/log/zabbix_server.log,*,abc] | Matches vfs.file.contents with first parameter matching /var/log/zabbix_server.log, third parameter matching 'abc' and any (also empty) second parameter. |
vfs.file.contents[/var/log/zabbix_server.log,,abc] vfs.file.contents[/var/log/zabbix_server.log,utf8,abc] |
vfs.file.contents[/var/log/zabbix_server.log,,abc,def] |
vfs.file.contents[/etc/passwd,utf8] | Matches vfs.file.contents with first parameter matching /etc/passwd, second parameter matching 'utf8' and no other arguments. |
vfs.file.contents[/etc/passwd,utf8] | vfs.file.contents[/etc/passwd,] vfs.file.contents[/etc/passwd,utf16] |
vfs.file.* | Matches any keys starting with vfs.file. without any parameters. |
vfs.file.contents vfs.file.size |
vfs.file.contents[] vfs.file.size[/var/log/zabbix_server.log] |
vfs.file.*[*] | Matches any keys starting with vfs.file. with any parameters. |
vfs.file.size.bytes[] vfs.file.size[/var/log/zabbix_server.log, utf8] |
vfs.file.size.bytes |
vfs.*.contents | Matches any key starting with vfs. and ending with .contents without any parameters. |
vfs.mount.point.file.contents vfs..contents |
vfs.contents |
A hypothetical script like 'myscript.sh' may be executed on a host via Zabbix agent in several ways:
1. As an item key in a passive or active check, for example:
Here the user may add "wait", "nowait" or omit the 2nd argument to use its default value in system.run[].
2. As a global script (initiated by user in frontend or API).
A user configures this script in Administration → Scripts, sets "Execute on: Zabbix agent" and puts "myscript.sh" into the script's "Commands" input field. When invoked from frontend or API the Zabbix server sends to agent:
Here the user does not control the "wait"/"nowait" parameters.
3. As a remote command from an action. The Zabbix server sends to agent:
Here again the user does not control the "wait"/"nowait" parameters.
What that means is if we set AllowKey like:
then
To allow all described variants you may add:
to the agent/agent2 parameters.