Zabbix Encryption Examples PDF
This document is a transcript of the encryption and frontend-scripts slides from the Zabbix 6.0 Certified Professional course: a certificate example, the toolkits used by the different components, the TLSConnect and TLSAccept settings, the limitations of the built-in encryption, and the related practical tasks.
ENCRYPTION - EXAMPLES

Certificate example (annotated on the slide: Issuer, Validity, Signing key):

    Issuer: DC=com,DC=zabbix,O=Zabbix SIA,OU=Dev team, CN=Zabbix Signing CA
    Validity
        Not Before: Dec 19 12:17:06 2021 GMT
        Not After : Dec 18 12:17:06 2023 GMT
    Subject: DC=com,DC=zabbix,O=Zabbix SIA,OU=Dev team, CN=Zabbix server
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)

6.0 Certified Professional ● Day 1 © 2023 by Zabbix. All rights reserved Theory 121

USING DIFFERENT METHODS

Different components can use different toolkits or methods.

Some connections may be left unencrypted:
- Protected by VPN or other methods
- If the network is considered "safe"

(Diagram: Zabbix Server and Zabbix Proxy built with OpenSSL, Zabbix Agent built with GnuTLS, with connections labelled certificates and PSK; a Zabbix Agent on the local network and the command-line utilities are shown connecting unencrypted.)

ENCRYPTION - SETTING UP

Prepare certificates or pre-shared keys:
- Always generate your own unique keys (do not use keys from documentation, slides, etc.)

Configure encryption in the frontend:
- Configuration -> Hosts -> Encryption tab for Zabbix agent
- Administration -> Proxies -> Encryption tab for Zabbix proxy

Edit the TLS parameters in the proxy or agent configuration file:
- Specify the direction of the connection
- Specify certificates or pre-shared keys

Restart the Zabbix agent or proxy service.

(Screenshot caption: Insecure configuration)
ENCRYPTION - TLS CONNECT

TLS Connect specifies what encryption to use for outgoing connections:
- Unencrypted
- PSK
- Certificate
Only one option can be specified.

Agent / proxy settings for outgoing connections:

    ### Option: TLSConnect
    TLSConnect=psk

(Screenshot: server settings for accepting connections)

ENCRYPTION - TLS ACCEPT

TLS Accept specifies what encryption to use for accepting connections:
- Unencrypted
- PSK
- Certificate
One or multiple options can be specified.

Agent / proxy settings for accepting connections:

    ### Option: TLSAccept
    TLSAccept=psk,cert

(Screenshot: server settings)

ENCRYPTION - LIMITATIONS

Protect access to the key files and to the database:
- Certificate private keys are stored as plain-text files
- Pre-shared keys specified in the frontend are stored in the database in plain text

Built-in encryption does not protect communications:
- Between Zabbix frontend and Zabbix server
- Between Zabbix server / proxy and Zabbix Java gateway

Each encrypted connection opens with a full TLS handshake:
- No session caching or session tickets are implemented
- Adding encryption increases the time for item checks and actions, depending on the network latency

Encryption is not supported by network discovery:
- If a passive Zabbix agent is configured to reject unencrypted connections, it cannot be discovered
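As an added example (not code from the course material), the following Python lint applies the rules from the setting-up, TLS Connect and TLS Accept slides to a Zabbix agent 2 or proxy configuration: exactly one value for TLSConnect, one or more for TLSAccept, the PSK or certificate file options that the chosen mode needs, and a finding for the insecure case where unencrypted connections are still accepted. It also generates a fresh PSK; the accepted PSK size (32 to 512 hex digits, 128 to 2048 bits) and the required TLS* option names are assumptions from the Zabbix documentation, not from these slides, and the sample configuration is constructed.

```python
import re
import secrets

TLS_VALUES = {"unencrypted", "psk", "cert"}  # value names accepted in the config file
PSK_RE = re.compile(r"[0-9a-fA-F]{32,512}")  # 128 to 2048 bit, hex digits only (assumed from Zabbix docs)

# Constructed sample in the style of the slide's "insecure configuration": PSK outbound, unencrypted still accepted.
SAMPLE_CONF = """\
### Option: TLSConnect
TLSConnect=psk
### Option: TLSAccept
TLSAccept=unencrypted,psk
TLSPSKIdentity=agent2-psk-id
TLSPSKFile=/etc/zabbix/keys/agent2.psk
"""

def parse_conf(text):
    """Parse key=value lines of a Zabbix config file; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def generate_psk(nbytes=32):
    """Fresh random PSK (64 hex digits = 256 bit); never reuse keys from docs or slides."""
    return secrets.token_hex(nbytes)

def valid_psk(psk):
    """A PSK is an even number of hex digits, at least 32 and at most 512."""
    psk = psk.strip()
    return PSK_RE.fullmatch(psk) is not None and len(psk) % 2 == 0

def audit_tls(conf):
    """Return a list of findings for the TLS* settings; an empty list means nothing to report."""
    findings = []
    connect = conf.get("TLSConnect", "unencrypted")  # Zabbix default when the option is unset
    accept = {v.strip() for v in conf.get("TLSAccept", "unencrypted").split(",")}
    if connect not in TLS_VALUES:
        findings.append(f"TLSConnect: '{connect}' is not exactly one of {sorted(TLS_VALUES)}")
    if not accept <= TLS_VALUES:
        findings.append(f"TLSAccept: unknown value(s) {sorted(accept - TLS_VALUES)}")
    if connect == "unencrypted":
        findings.append("TLSConnect: outgoing connections are unencrypted")
    if "unencrypted" in accept:
        findings.append("TLSAccept: unencrypted incoming connections are allowed")
    if connect == "psk" or "psk" in accept:  # PSK mode needs both an identity and a key file
        findings += [f"{k}: required when PSK is used" for k in ("TLSPSKIdentity", "TLSPSKFile") if not conf.get(k)]
    if connect == "cert" or "cert" in accept:  # certificate mode needs CA, certificate and private key
        findings += [f"{k}: required when certificates are used" for k in ("TLSCAFile", "TLSCertFile", "TLSKeyFile") if not conf.get(k)]
    return findings
```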
ADDITIONAL COURSES

More details on how to set up encryption in Zabbix are covered in:
- Zabbix Certified Expert 6.0 course
- Advanced Zabbix security administration one-day course

These courses cover the following topics (including practical tasks):
- Encrypt MySQL and PostgreSQL DB connections with enhanced security settings
- Encrypt Zabbix internal communications using certificates
- Specify custom ciphers for internal or database communications
- Configure Zabbix to use HashiCorp Vault as a storage for important passwords
- Use external authentication providers

PRACTICAL SETUP (Practical task No: 7, 30 minutes)

1) Encrypt Zabbix agent 2 communication
   - Create a directory for encryption keys
   - Assign access permissions to the directory
   - Generate a PSK for Zabbix agent 2
   - Change the Zabbix agent 2 configuration to use PSK for the communication
2) Update encryption for the agent in the frontend for all the hosts using the local Zabbix agent
3) Test encryption using command-line utilities
   - Use Zabbix sender to send information using encryption
   - Use Zabbix get to test the item key on the encrypted agent

(Diagram: Training-VM-XX running the Zabbix MySQL database and Zabbix server)

ZABBIX FRONTEND SCRIPTS (10 minutes)

FRONTEND SCRIPTS

Scripts are created in the Administration -> Scripts frontend section:
- Scope must be set to "Manual host action"
- Choose the type (Webhook, Script, SSH, Telnet or IPMI command)
FRONTEND SCRIPT PARAMETERS

Frontend script parameters:

    Parameter                 Definition
    Name                      Unique name of the script
    Scope                     Manual host action
    Menu path                 Menu path in the format <Menu/Submenu>
    Type                      Webhook, Script, SSH, Telnet or IPMI command
    Execute on                Script will be executed on Zabbix server, proxy or agent
    Commands                  All commands to be executed within the script. Some macros are supported
    User/host group           User/host group to which the script is available
    Required host permission  Permission level for the host group (Read or Write)
    Enable confirmation       Display a confirmation message before executing the script
    Confirmation text         Custom confirmation text for the confirmation popup

USING FRONTEND SCRIPTS

Frontend scripts are available in the Monitoring section:
- Hosts
- Problems
- Dashboard
- Maps

Click on a host name and the menu will pop up (screenshot).

The exit code is checked.

More information: .../6.0/manual/web_interface/frontend_sections/administration/scripts

PRACTICAL SETUP (Practical task No: 8, 15 minutes)

1) Create a "Manual host action" frontend script:
   - Name: Configuration cache reload
   - Menu path: Zabbix
   - Commands: sudo zabbix_server -R config_cache_reload
   - Execute on: Zabbix server
2) Give proper permissions to Zabbix Administrators to allow them to run the script
3) Limit script execution to the Zabbix server host group only
4) Add Zabbix to the "sudoers" file (reload the configuration cache as root)
5) Make sure your script works

Time for a break :)