[ZBXNEXT-1085] restrict available checks on the agent side - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: New Feature Request
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.8.10
Fix Version/s: 5.0.0alpha1, 5.0 (plan)
Component/s: Agent (G)
Labels:
- security

Team:
Team C
Sprint:
Sprint 58 (Nov 2019), Sprint 59 (Dec 2019), Sprint 60 (Jan 2020)
Story Points:
2.125

Description

As a security measure, Zabbix agent provides a configuration parameter EnableRemoteCommands to restrict system.run[] checks.

However, system.run[] is not the only way to compromise security through Zabbix agent. For instance, a malicious administrator can potentially query vfs.file.contents[] on a user's workstation to peek on files in the system that contain cached passwords.

Thus, it would be nice if there would be a way to restrict availability of arbitrary checks on the agent, not just system.run[].

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ZBXNEXT-1085-restriction-of-metrics.png
50 kB
2019 Nov 15 12:21

Issue Links

causes

ZBX-17367 Deprecated flag EnableRemoteCommands is still required to use system.run keys

Open

ZBX-17699 Unsupported item key error on manual script execution when item key is denied by DenyKey

Closed

ZBX-17700 Enabling remote commands on Zabbix agent is very hard and misleading

Closed

is duplicated by

ZBXNEXT-1681 Restrict item keys offered by Zabbix-Agent

Closed

ZBX-11290 Zabbix agent execute command

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

(3 mentioned in)

Activity

People

Assignee:: Andrejs Tumilovics

Reporter:: Aleksandrs Saveljevs

Votes:: 8 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 2012 Jan 18 10:14

Updated:: 2020 May 11 14:28

Resolved:: 2020 Jan 17 09:26