[ZBXNEXT-5639] Agent2: restrict available checks on the agent side - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: New Feature Request
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.0.0alpha1, 5.0 (plan)
Component/s: Agent (G)
Labels:
None

Team:
Team C
Sprint:
Sprint 59 (Dec 2019), Sprint 60 (Jan 2020)
Story Points:
2

Description

As a security measure, Zabbix agent provides a configuration parameter EnableRemoteCommands to restrict system.run[] checks.

However, system.run[] is not the only way to compromise security through Zabbix agent. For instance, a malicious administrator can potentially query vfs.file.contents[] on a user's workstation to peek on files in the system that contain cached passwords.

Thus, it would be nice if there would be a way to restrict availability of arbitrary checks on the agent, not just system.run[].

C agent implementation done in parent task: ~~ZBXNEXT-1085~~

ACC: https://confluence.zabbix.lan/x/Q5RLAw
SPEC: https://confluence.zabbix.lan/x/xJZLAw
PLAN: https://teamplan.zabbix.lan/project/view/3431

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

conf_refactor.diff
8 kB
2020 Jan 07 01:47

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Andrejs Tumilovics

Reporter:: Andrejs Tumilovics

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2019 Dec 11 10:12

Updated:: 2020 Jan 22 08:44

Resolved:: 2020 Jan 17 14:20