韓誥傭痔

Table of Contents

1 Access control

1 Access control

Overview

This section contains best practices for setting up access control in a secure way.

Principle of least privilege

User accounts, at all times, should run with as few privileges as possible. This means that user accounts in 韓誥傭痔 frontend, database users, or the user for 韓誥傭痔 server/proxy/agent processes should only have the privileges that are essential for performing the intended functions.

Giving extra privileges to the 'zabbix' user will allow it to access configuration files and execute operations that can compromise the infrastructure security.

When configuring user account privileges, 韓誥傭痔 frontend user types should be considered. Note that although the Admin user type has fewer privileges than the Super Admin user type, it can still manage configuration and execute custom scripts.

Some information is available even for non-privileged users. For example, while Alerts ↙ Scripts is available only for Super Admin users, scripts can also be retrieved through 韓誥傭痔 API. In this case, limiting script permissions and excluding sensitive information from scripts (for example, access credentials) can help avoid exposing sensitive information available in global scripts.

Secure user for 韓誥傭痔 agent

By default, 韓誥傭痔 server and 韓誥傭痔 agent processes share one 'zabbix' user. To ensure that 韓誥傭痔 agent cannot access sensitive details in the server configuration (for example, database login information), the agent should be run as a different user:

Create a secure user.
Specify this user in the agent configuration file User parameter.
Restart the agent with administrator privileges. Privileges will be dropped to the specified user.

Revoke write access to SSL configuration file in Windows

韓誥傭痔 Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\openssl-64bit. The openssl-64bit directory on disk C: can be created by non-privileged users.

To improve security, create this directory manually and revoke write access from non-admin users.

Please note that directory names will differ on 32-bit and 64-bit versions of Windows.

Hardening security of 韓誥傭痔 components

Some functionality can be switched off to harden the security of 韓誥傭痔 components:

global script execution on 韓誥傭痔 server can be disabled by setting EnableGlobalScripts=0 in server configuration;
global script execution on 韓誥傭痔 proxy is disabled by default (can be enabled by setting EnableRemoteCommands=1 in proxy configuration);
global script execution on 韓誥傭痔 agents is disabled by default (can be enabled by adding an AllowKey=system.run[<command>,*] parameter for each allowed command in agent configuration);
user HTTP authentication can be disabled by setting $ALLOW_HTTP_AUTH=false in the frontend configuration file (zabbix.conf.php). Note that reinstalling the frontend (running setup.php) will remove this parameter.