Zabbix Security and Encryption Day1 P6

Questions and Answers

What happens if deny rules are not defined at all for agent key rules?

• The agent exits with an error for all items except system.run[*] (correct)
• AllowKey without DenyKey rules are meaningless for all items
• Allow list without a single deny rule is only permitted for system.run[*] items
• The agent treats the key as if it is not supported

What is the behavior when a key is restricted by configuration?

• The agent logs denied remote commands at any debug level
• The agent displays keys that are not allowed in the command line options
• The agent allows the key to be used with restrictions
• The agent treats the key as if it is not supported (correct)

What is the consequence of denied remote commands?

• Denied remote commands will trigger an error message
• Denied remote commands will be executed with restrictions
• Denied remote commands will be logged in the agent log
• Denied remote commands will not be logged in the agent log (correct)

How do AllowKey and DenyKey rules affect configuration parameters?

They have no effect on the configuration parameters (C)

What is the outcome of using the DenyKey rule for a single file?

The file is not supported by the agent (D)

What is the implication of using AllowKeys for agent key rules?

It permits the usage of keys only if explicitly allowed (D)

How does the agent behave when keys that are not allowed are accessed?

The agent denies the access and logs the event (D)

What is the behavior of the agent when deny rules are not defined for a specific item?

The agent treats the item as unsupported (C)

What is the consequence of using the allow list without a single deny rule for non-system.run[*] items?

The agent exits with an error for all non-system.run[*] items (B)

What happens when a key is accessed with a path that tricks the deny rule?

The agent treats the key as unsupported (B)

Which encryption method is not supported in Zabbix?

PSK (C)

What is the storage format of pre-shared keys in Zabbix database and agent/proxy configuration files?

Plain text (D)

What are the steps involved in setting up PSK encryption on Zabbix agent or proxy?

Creating a directory for keys, generating a PSK key, and changing the configuration (D)

What is the requirement for Zabbix server, proxies, and agents when using certificates for encryption?

CA certificate, server certificate, and certificate private key (A)

What type of keys cannot be used with the same PSK identity?

Two different PSK keys (A)

Which version of GnuTLS onwards supports mixed encryption?

3.1.18 (D)

Where are PSK (pre-shared key) pairs stored in Zabbix frontend?

Host/proxy settings (D)

What are the required TLS options for Zabbix server, proxies, and agents when using certificates for encryption?

CA certificate, certificate file, and key file (C)

What is the supported replacement of OpenSSL from Zabbix 2.7 and 3.0.x?

LibreSSL (A)

What type of errors and network issues are mentioned in the text?

Zabbix agent checks on different hosts (D)

What type of keys starting with 'system.swap' are denied by the Zabbix Agent?

Keys related to swap memory usage (C)

Which Zabbix Agent key is allowed as a percentage?

Free swap size (B)

What type of items are disabled by default in Zabbix?

system.run items (D)

How does the Zabbix Agent allow for executing remote commands?

Using passive or active checks (C)

Which option can be used to log remote commands executed by the Zabbix Agent?

LogRemoteCommands option (C)

Which version of TLS is used for internal communications in Zabbix?

TLS 1.2 and TLS v1.3 (A)

In Zabbix 6.0, which components can natively encrypt communications?

Zabbix server, proxies, agents, databases, and web services (A)

Which component's communication is not natively encrypted in Zabbix?

Zabbix server/proxies and Zabbix Java gateway (B)

How does Zabbix support encryption of communication with databases?

Using TLS and certificates (B)

What is required for advanced setups for database encryption in Zabbix?

User-generated custom CA, server, and client certificates (C)

Study Notes

Zabbix Security and Encryption Overview

• Zabbix Agent key "Free swap size" is allowed as a percentage
• All other keys starting with "system.swap" are denied
• The Latest data screen for student-XX host should show the blocked keys
• The "system.run" items are disabled by default
• The Zabbix agent allows for executing remote commands using passive or active checks
• Remote commands can be logged using the LogRemoteCommands option
• Remote commands are used in multiple places including item checks, Zabbix frontend scripts, and actions
• Zabbix uses TLS 1.2 and TLS v1.3 for internal communications
• Zabbix 6.0 can natively encrypt communications between Zabbix server and proxies, agents, databases, and web services
• Communication between Zabbix server/proxies and Zabbix Java gateway is not natively encrypted
• Zabbix supports encryption of communication with databases using TLS and certificates
• Advanced setups for DB encryption require user-generated custom CA, server, and client certificates and must be supported by the database engine

Description

Test your knowledge of Zabbix security and encryption with this quiz. Explore topics such as agent key permissions, remote command execution, TLS encryption, and secure communication with databases.