Zabbix Security and Encryption Day1 P6

Questions and Answers

What happens if deny rules are not defined at all for agent key rules?

The agent exits with an error for all items except system.run[*] (correct)

AllowKey without DenyKey rules are meaningless for all items

Allow list without a single deny rule is only permitted for system.run[*] items

The agent treats the key as if it is not supported

What is the behavior when a key is restricted by configuration?

The agent logs denied remote commands at any debug level

The agent displays keys that are not allowed in the command line options

The agent allows the key to be used with restrictions

The agent treats the key as if it is not supported (correct)

What is the consequence of denied remote commands?

Denied remote commands will trigger an error message

Denied remote commands will be executed with restrictions

Denied remote commands will be logged in the agent log

Denied remote commands will not be logged in the agent log (correct)

How do AllowKey and DenyKey rules affect configuration parameters?

They have no effect on the configuration parameters

What is the outcome of using the DenyKey rule for a single file?

The file is not supported by the agent

What is the implication of using AllowKeys for agent key rules?

It permits the usage of keys only if explicitly allowed

How does the agent behave when keys that are not allowed are accessed?

The agent denies the access and logs the event

What is the behavior of the agent when deny rules are not defined for a specific item?

The agent treats the item as unsupported

What is the consequence of using the allow list without a single deny rule for non-system.run[*] items?

The agent exits with an error for all non-system.run[*] items

What happens when a key is accessed with a path that tricks the deny rule?

The agent treats the key as unsupported

Which encryption method is not supported in Zabbix?

PSK

What is the storage format of pre-shared keys in Zabbix database and agent/proxy configuration files?

Plain text

What are the steps involved in setting up PSK encryption on Zabbix agent or proxy?

Creating a directory for keys, generating a PSK key, and changing the configuration

What is the requirement for Zabbix server, proxies, and agents when using certificates for encryption?

CA certificate, server certificate, and certificate private key

What type of keys cannot be used with the same PSK identity?

Two different PSK keys

Which version of GnuTLS onwards supports mixed encryption?

3.1.18

Where are PSK (pre-shared key) pairs stored in Zabbix frontend?

Host/proxy settings

What are the required TLS options for Zabbix server, proxies, and agents when using certificates for encryption?

CA certificate, certificate file, and key file

What is the supported replacement of OpenSSL from Zabbix 2.7 and 3.0.x?

LibreSSL

What type of errors and network issues are mentioned in the text?

Zabbix agent checks on different hosts

What type of keys starting with 'system.swap' are denied by the Zabbix Agent?

Keys related to swap memory usage

Which Zabbix Agent key is allowed as a percentage?

Free swap size

What type of items are disabled by default in Zabbix?

system.run items

How does the Zabbix Agent allow for executing remote commands?

Using passive or active checks

Which option can be used to log remote commands executed by the Zabbix Agent?

LogRemoteCommands option

Which version of TLS is used for internal communications in Zabbix?

TLS 1.2 and TLS v1.3

In Zabbix 6.0, which components can natively encrypt communications?

Zabbix server, proxies, agents, databases, and web services

Which component's communication is not natively encrypted in Zabbix?

Zabbix server/proxies and Zabbix Java gateway

How does Zabbix support encryption of communication with databases?

Using TLS and certificates

What is required for advanced setups for database encryption in Zabbix?

User-generated custom CA, server, and client certificates

Study Notes

Zabbix Security and Encryption Overview

• Zabbix Agent key "Free swap size" is allowed as a percentage
• All other keys starting with "system.swap" are denied
• The Latest data screen for student-XX host should show the blocked keys
• The "system.run" items are disabled by default
• The Zabbix agent allows for executing remote commands using passive or active checks
• Remote commands can be logged using the LogRemoteCommands option
• Remote commands are used in multiple places including item checks, Zabbix frontend scripts, and actions
• Zabbix uses TLS 1.2 and TLS v1.3 for internal communications
• Zabbix 6.0 can natively encrypt communications between Zabbix server and proxies, agents, databases, and web services
• Communication between Zabbix server/proxies and Zabbix Java gateway is not natively encrypted
• Zabbix supports encryption of communication with databases using TLS and certificates
• Advanced setups for DB encryption require user-generated custom CA, server, and client certificates and must be supported by the database engine

Description

Test your knowledge of Zabbix security and encryption with this quiz. Explore topics such as agent key permissions, remote command execution, TLS encryption, and secure communication with databases.