Summary

This document provides examples of encryption in the Zabbix system. It details the toolkits and methods that different Zabbix components and connections can use.

Full Transcript


ENCRYPTION - EXAMPLES (slide 121)

Certificate example (callouts on the slide point at the issuer, the validity period and the signing key):

    Issuer: DC=com,DC=zabbix,O=Zabbix SIA,OU=Dev team, CN=Zabbix Signing CA
    Validity
        Not Before: Dec 19 12:17:06 2021 GMT
        Not After : Dec 18 12:17:06 2023 GMT
    Subject: DC=com,DC=zabbix,O=Zabbix SIA,OU=Dev team, CN=Zabbix server
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        00:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:
        af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:
        9d:3b:ef
    -----BEGIN CERTIFICATE-----
    MIIECDCCAvCgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixk
    625a425665472a2d25a372644c5791015e8a893f0c2f91d15993ccacb7e50aca
    ad0adee58783601cf8c3ae31da067ac82d548afa61d9f08d1e9a22071825396f
    h02u1GHiy46GI+xfRbad2bc917a72abe9bd1a1552c3c9952428bb3c04f02567c
    ee81286ef38a7630adc072e825ad2b58a8ea5ae36bf1926bb4806dbe22942bad
    -----END CERTIFICATE-----

6.0 Certified Professional ● Day 1 © 2023 by Zabbix. All rights reserved

USING DIFFERENT METHODS (slide 122)

- Different components can use different toolkits or methods
- Some connections may be left unencrypted
  - Protected by VPN or other methods
  - If the network is considered "safe"

Diagram: Zabbix Server, Zabbix Proxy and Zabbix Agent, each labelled with its TLS toolkit (OpenSSL, OpenSSL, GnuTLS); connection labels: unencrypted (agent on the local network, command-line utilities), certificates, PSK.

ENCRYPTION - SETTING UP (slide 123)

- Prepare Certificates or Pre-shared keys
  - Always generate your own unique keys (do not use keys from documentation, slides, etc.)
- Configure encryption in the frontend:
  - Configuration -> Hosts -> Encryption tab for Zabbix Agent
  - Administration -> Proxies -> Encryption tab for Zabbix Proxy
- Edit TLS parameters in the proxy or agent configuration file:
  - Specify direction of connection
  - Specify Certificates or Pre-shared keys
- Restart Zabbix agent or proxy service

(screenshot callout: Insecure configuration)
ENCRYPTION - TLS CONNECT (slide 124)

TLS Connect specifies what encryption to use for outgoing connections:
- Unencrypted
- PSK
- Certificate

Only one option can be specified.

Screenshots: Agent / Proxy settings for outgoing connections; Server settings for accepting connections.

Configuration file example:

    ### Option: TLSConnect
    TLSConnect=psk

ENCRYPTION - TLS ACCEPT (slide 125)

TLS Accept specifies what encryption to use for accepting connections:
- Unencrypted
- PSK
- Certificate

One or multiple options can be specified.

Screenshots: Agent / Proxy settings for accepting connections; Server settings.

Configuration file example (the configuration-file value for the certificate option is "cert"; valid values are unencrypted, psk and cert):

    ### Option: TLSAccept
    TLSAccept=psk,cert

ENCRYPTION - LIMITATIONS (slide 126)

- Protect database access and key files:
  - Certificate private keys are stored as plain text files
  - Pre-shared keys specified in the frontend are stored in the database in plain text
- Built-in encryption does not protect communications:
  - Between Zabbix frontend and Zabbix server
  - Between Zabbix server / proxy and Zabbix Java gateway
- Each encrypted connection opens with a full TLS handshake:
  - No session caching or session tickets are implemented
  - Adding encryption increases the time for item checks and actions, depending on the network latency
- Encryption is not supported by network discovery
  - If a Zabbix passive agent is configured to reject unencrypted connections, it cannot be discovered
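The setting-up procedure and the TLSConnect / TLSAccept rules above, carried through for a Zabbix agent 2 PSK setup as an added shell example (this is not code from the course slides or from Zabbix itself). The key directory, file names, server hostname and PSK identity are assumptions chosen for the example; a real deployment would use the agent's own configuration file and a directory readable only by the zabbix user. The lint function encodes exactly the rules the slides state: TLSConnect takes one value, TLSAccept one or more, and PSK mode needs an identity plus a key file in the 128-bit to 2048-bit range Zabbix accepts.

```shell
#!/bin/sh
# Added example (not from the course slides): prepare a PSK for Zabbix agent 2,
# store it with restrictive permissions, write the TLS parameters into an agent
# configuration file and lint the result. Directory, file names, hostname and
# PSK identity are assumptions for the demo.
PSK_DIR="${PSK_DIR:-${TMPDIR:-/tmp}/zabbix-psk-demo}"   # real host: a dedicated directory, e.g. under /etc/zabbix
PSK_FILE="$PSK_DIR/zabbix_agent2.psk"
AGENT_CONF="$PSK_DIR/zabbix_agent2.conf"               # real file is normally /etc/zabbix/zabbix_agent2.conf

# Generate a fresh 256-bit PSK (64 hex digits). Never reuse a key shown in
# documentation or slides; every agent gets its own.
generate_psk() {
    mkdir -p "$PSK_DIR"
    chmod 750 "$PSK_DIR"
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$PSK_FILE"
    echo >> "$PSK_FILE"
    chmod 640 "$PSK_FILE"   # readable by the zabbix user and group only (chown zabbix:zabbix on a real host)
}

# A PSK file must hold one line of hexadecimal digits, 32 to 512 of them
# (128-bit to 2048-bit, the range Zabbix accepts).
validate_psk() {
    psk=$(tr -d '\n' < "$1") || return 1
    case "$psk" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#psk}" -ge 32 ] && [ "${#psk}" -le 512 ]
}

# Agent side of the slides' procedure: TLSConnect takes exactly one value
# (outgoing, active checks), TLSAccept one or more (incoming, passive checks).
write_tls_config() {
    cat > "$AGENT_CONF" <<EOF
Server=zabbix-server.example.internal
ServerActive=zabbix-server.example.internal
### Option: TLSConnect
TLSConnect=psk
### Option: TLSAccept
TLSAccept=psk
### The PSK identity travels unencrypted in the handshake: keep it non-sensitive.
TLSPSKIdentity=agent2-training-vm-XX
TLSPSKFile=$PSK_FILE
EOF
}

# Lint: TLSConnect must be a single value from unencrypted|psk|cert, TLSAccept a
# comma-separated list of those, and PSK mode needs an identity and a valid key file.
lint_tls_config() {
    conf="$1"
    connect=$(sed -n 's/^TLSConnect=//p' "$conf")
    case "$connect" in
        unencrypted|psk|cert) ;;
        *) echo "TLSConnect must be exactly one of: unencrypted, psk, cert" >&2; return 1 ;;
    esac
    accept=$(sed -n 's/^TLSAccept=//p' "$conf")
    [ -n "$accept" ] || { echo "TLSAccept is missing" >&2; return 1; }
    for v in $(printf '%s' "$accept" | tr ',' ' '); do
        case "$v" in
            unencrypted|psk|cert) ;;
            *) echo "TLSAccept: unknown value '$v'" >&2; return 1 ;;
        esac
    done
    if [ "$connect" = psk ] || printf ',%s,' "$accept" | grep -q ',psk,'; then
        grep -q '^TLSPSKIdentity=.' "$conf" || { echo "TLSPSKIdentity is missing" >&2; return 1; }
        keyfile=$(sed -n 's/^TLSPSKFile=//p' "$conf")
        validate_psk "$keyfile" || { echo "TLSPSKFile is missing or not a valid PSK" >&2; return 1; }
    fi
}

# Test step from the practical task: query the encrypted agent with zabbix_get
# using the same identity and key file. Needs a live agent, so it is not run here.
zabbix_get_psk_check() {
    zabbix_get -s 127.0.0.1 -k agent.ping \
        --tls-connect psk \
        --tls-psk-identity agent2-training-vm-XX \
        --tls-psk-file "$PSK_FILE"
}

generate_psk
write_tls_config
lint_tls_config "$AGENT_CONF" && echo "TLS configuration in $AGENT_CONF is consistent"
```

After the configuration file is in place the agent service has to be restarted, as the slide says, and the same PSK identity and value are entered on the host's Encryption tab in the frontend; the lint only checks the agent side.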
ADDITIONAL COURSES (slide 127)

More details on how to set up encryption in Zabbix are covered in:
- Zabbix Certified Expert 6.0 course
- Advanced Zabbix security administration one-day course

These courses cover the following topics (including practical tasks):
- Encrypt MySQL and PostgreSQL DB connections with enhanced security settings
- Encrypt Zabbix internal communications using certificates
- Specify custom ciphers for internal or database communications
- Configure Zabbix to use HashiCorp Vault as storage for important passwords
- Use external authentication providers

PRACTICAL SETUP (slide 128) - Practical task No: 7, 30 minutes

1) Encrypt Zabbix agent 2 communication
   - Create a directory for encryption keys
   - Assign access permissions to the directory
   - Generate PSK for Zabbix agent 2
   - Change Zabbix agent 2 configuration to use PSK for the communication
2) Update encryption for the agent in the frontend for all the hosts using the local Zabbix agent (Training-VM-XX, Zabbix MySQL database, Zabbix server)
3) Test encryption using command line utilities
   - Use Zabbix sender to send information using encryption
   - Use Zabbix get to test the item key on the encrypted agent

(slide 129) Zabbix frontend scripts - 10 minutes

FRONTEND SCRIPTS (slide 130)

- Scripts are created in the Administration -> Scripts frontend section
- Scope must be set to "Manual host action"
- Choose type (Webhook, Script, SSH, Telnet or IPMI command)
FRONTEND SCRIPT PARAMETERS (slide 131)

    Parameter                 Definition
    Name                      Unique name of the script
    Scope                     Manual host action
    Menu path                 Menu path in format <Menu/Submenu>
    Type                      Webhook, Script, SSH, Telnet or IPMI command
    Execute on                Script will be executed on Zabbix server, proxy or agent.
    Commands                  All commands to be executed within the script. Some macros are supported.
    User/host group           User/host group that the script is available to.
    Required host permission  Permission level for the host group (Read or Write).
    Enable confirmation       Display a confirmation message before executing the script.
    Confirmation text         Custom confirmation text for the confirmation popup.

USING FRONTEND SCRIPTS (slide 132)

Frontend scripts are available in the Monitoring section:
- Hosts
- Problems
- Dashboard
- Maps

Click on a host name and the menu will pop up.

Note: the exit code is checked.

Documentation: .../6.0/manual/web_interface/frontend_sections/administration/scripts

PRACTICAL SETUP (slide 133) - Practical task No: 8, 15 minutes

1) Create a "Manual host action" frontend script:
   Name: Configuration cache reload
   Menu path: Zabbix
   Commands: sudo zabbix_server -R config_cache_reload
   Execute on: Zabbix server
2) Give proper permissions to Zabbix Administrators to allow them to run the script
3) Limit script execution to the Zabbix server host group only
4) Add Zabbix to the "sudoers" file (reload configuration cache as root)
5) Make sure your script works

Time for a break :)
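Step 4 of practical task 8 grants the zabbix user root via sudo, and the least-privilege point worth making there is that the rule should cover only the one command the frontend script runs. The following is an added shell example, not from the course or from Zabbix: it writes such a rule as a sudoers drop-in and lints a rule against the three ways it commonly ends up too broad (ALL as the command, wildcards, a relative command path). The user name, binary path and drop-in file are assumptions based on typical package defaults.

```shell
#!/bin/sh
# Added example (not from the course): a least-privilege sudoers rule for the
# "Configuration cache reload" frontend script of practical task 8, plus a lint
# that rejects rules broader than the script needs. User name and binary path
# are assumptions (typical package defaults); the drop-in path is a demo path.
ZBX_USER="${ZBX_USER:-zabbix}"
ZBX_SERVER_BIN="${ZBX_SERVER_BIN:-/usr/sbin/zabbix_server}"
SUDOERS_FILE="${SUDOERS_FILE:-${TMPDIR:-/tmp}/zabbix-cache-reload}"   # real target: /etc/sudoers.d/zabbix-cache-reload

# Exactly one user, one binary, one fixed argument list, no password prompt
# (the frontend runs the script non-interactively on the server and checks its exit code).
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s -R config_cache_reload\n' "$ZBX_USER" "$ZBX_SERVER_BIN"
}

write_sudoers() {
    sudoers_rule > "$SUDOERS_FILE"
    chmod 440 "$SUDOERS_FILE"   # sudo ignores drop-ins that are group- or world-writable
}

# Syntax check with visudo; run this on the real host before relying on the file.
check_sudoers_syntax() {
    visudo -c -q -f "$SUDOERS_FILE"
}

# Reject rules that grant more than the script needs: ALL as the command,
# shell wildcards, or a command that is not an absolute path.
lint_sudoers_rule() {
    rule="$1"
    case "$rule" in
        *\**|*\?*) echo "rule contains a wildcard" >&2; return 1 ;;
    esac
    cmd_part=${rule#*\)}      # drop "user host=(runas)"
    cmd_part=${cmd_part#*:}   # drop tags such as "NOPASSWD:" when present
    set -- $cmd_part          # first word is the command
    if [ "$1" = "ALL" ]; then
        echo "rule grants all commands" >&2; return 1
    fi
    case "$1" in
        /*) return 0 ;;
        *) echo "command is not an absolute path" >&2; return 1 ;;
    esac
}

write_sudoers
lint_sudoers_rule "$(sudoers_rule)" && echo "rule written to $SUDOERS_FILE"
```

Because the frontend script's Commands field is the fixed string sudo zabbix_server -R config_cache_reload, the rule above is the only sudo grant it needs; pairing it with step 3 (restricting the script to the Zabbix server host group) keeps both the where and the what of the privileged action narrow.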
