[ZBX-11397] item system.hw.chassis[vendor] [m|ZBX_NOTSUPPORTED] Created: 2016 Oct 26 Updated: 2017 May 30 Resolved: 2016 Nov 30 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G) |
Affects Version/s: | 3.0.5 |
Fix Version/s: | 2.2.16rc1, 3.0.6rc1, 3.2.2rc1, 3.4.0alpha1 |
Type: | Incident report | Priority: | Trivial |
Reporter: | Dominique Geoffrion | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
Hello, We are trying to use item system.hw.chassis[vendor] to populate the vendor filed of the host inventory, it works on our virtual dev environment but not on the production servers. sorry if this has been covered before but i have not found a working solution in older posts. in our agent conf file we do have AllowRoot=1 and when running dmidecode we do get system informations. Any suggestions? Thank you! # zabbix_agentd -f -t system.hw.chassis[vendor] system.hw.chassis[vendor] [m|ZBX_NOTSUPPORTED] [Cannot obtain hardware information.] #dmidecode -q ... Base Board Information Manufacturer: HP Product Name: ProLiant DL360 Gen9 Version: Not Specified Serial Number: ... Chassis Information Manufacturer: HP Type: Rack Mount Chassis Lock: ... |
Comments |
Comment by richlv [ 2016 Oct 26 ] |
to clarify, are you running agent as root ? |
Comment by Dominique Geoffrion [ 2016 Oct 26 ] |
yes even running as root does not work compute-1.qa-site1:~$ grep AllowRoot /etc/zabbix/zabbix_agentd.conf compute-1.qa-site1:~$ sudo zabbix_agentd -f -t system.hw.chassis[vendor] compute-1.qa-site1:~$ zabbix_agentd -f -t system.hw.chassis[vendor] |
Comment by richlv [ 2016 Oct 26 ] |
a couple of things to try :
|
Comment by Dominique Geoffrion [ 2016 Oct 26 ] |
... |
Comment by richlv [ 2016 Oct 26 ] |
which distro, kernel ? i don't think zabbix can do much about being denied permission, except maybe having a more user-friendly error message |
Comment by Dominique Geoffrion [ 2016 Oct 26 ] |
we are running a Ubuntu xenial 16.04.1 syslog -> Oct 26 16:23:30 compute-1.qa-site1 sudo: ansible : TTY=pts/0 ; PWD=/home/ansible ; USER=root ; COMMAND=/usr/bin/zabbix_get -s127.0.0.1 -p10050 -k system.hw.chassis[vendor] |
Comment by Vladislavs Sokurenko [ 2016 Oct 27 ] |
It should be related to this: Some applications (Xorg) need direct access to the physical memory from user-space. The special file /dev/mem exists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access (originally named CONFIG_NONPROMISC_DEVMEM). |
Comment by Dominique Geoffrion [ 2016 Oct 27 ] |
Thank you very much for taking the time to help us on this matter. As further tests done by our team we ran a strace on dmidecode and it is not reading from /dev/mem. It is reading from /sys/firmware/dmi/tables/smbios_entry_point which might explain why dmidecode is running fine and not zabbix_agentd for this key. Thank You vso I confirm that zabbix_agentd reads from /dev/mem but latest dmidecode version from: |
Comment by Vladislavs Sokurenko [ 2016 Oct 28 ] |
Fixed in development branch: Tested on kernel version 2.4.7-10 where sysfs is not available and 4.4.0-45-generic where sysfs is available but /dev/mem is not. Changed key system.hw.chassis to read DMI tables through sysfs instead of /dev/mem which can be denied due to security reasons. |
Comment by Vladislavs Sokurenko [ 2016 Oct 28 ] |
(1) [D] Documentation should state that this key depends on the availability of the SMBIOS table in sysfs, or in memory if not available through sysfs. vso Updated pages: https://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew2216 sasha Thanks! CLOSED |
Comment by Sergejs Paskevics [ 2016 Nov 11 ] |
(2) I think better not to change the order of processing, I mean, firstly need to read from /dev/mem (how it was done before) and if agent cannot read from /dev/mem, then need to read from /sys/firmware/dmi/tables. s.paskevics Firstly need to read from /sys/firmware/dmi/tables. |
Comment by Sergejs Paskevics [ 2016 Nov 11 ] |
(3) File SYS_TABLE_FILE doesn't close if lseek returns error. vso RESOLVED in r63727 s.paskevics CLOSED |
Comment by Sergejs Paskevics [ 2016 Nov 14 ] |
(4) Necessary to add additional checks for lseek and read calls. vso RESOLVED in r63778 s.paskevics Please review minor style fixes in r63805. |
Comment by Vladislavs Sokurenko [ 2016 Nov 17 ] |
Fixed in: |
Comment by Vladislavs Sokurenko [ 2016 Nov 21 ] |
(5) CID 154396: Security best practices violations (TOCTOU) reported by Coverity scan. s.paskevics Successfully tested. |
Comment by Vladislavs Sokurenko [ 2016 Nov 24 ] |
Fixed in: |
Comment by Vladislavs Sokurenko [ 2016 Nov 24 ] |
vso When stat was changed to fstat it was forgotten to close file in case fstat fails, even if fstat should not fail it is better to fix. s.paskevics Looks good. |