Restrict access to sensitive information by defining Zabbix agent item Allow and Deny lists.

Zabbix agent enables Zabbix users to collect a multitude of metrics. In some environments collection of a particular metric should be restricted to prevent access to confidential data.

Zabbix Agent Allow and Deny lists enable users to define flexible metric collection rules:

  • Restrict permitted item keys with an Allow or Deny list
  • Restrictions can be defined individually on each Zabbix agent
  • Users can restrict specific item keys or define restrictions based on item key patterns
  • Allow and Deny lists are supported on both Zabbix agent and Zabbix agent 2
  • Allow and Deny lists are supported starting from Zabbix version 5.0

Check out the video to learn how to configure an Allow and Deny list on your Zabbix agent.

How to configure Zabbix agent item Allow and Deny lists:

  1. Navigate to the Zabbix agent configuration file location
  2. Open the Zabbix agent configuration file
  3. Define the DenyKey: DenyKey=vfs.file.contents[/etc/*]
  4. Define the AllowKey above the DenyKey: AllowKey=vfs.file.contents[/etc/os-release]
  5. Apply the changes by restarting the Zabbix agent
  6. Test the items with the Zabbix agent test command line parameter
  7. Test the access to the confidential file: zabbix_agentd -t vfs.file.contents[/etc/passwd]
  8. Test the access to the public file: zabbix_agentd -t vfs.file.contents[/etc/os-release]
  9. Check the item status in the Zabbix frontend

Tips and best practices:

  • All system.run[*] items are denied by default.
  • Use AllowKey=system.run[*] to allow remote commands
  • An Allow list without a Deny rule is permitted only for system.run[*]
  • A denied item will become unsupported in the Zabbix frontend
  • The order in which rules are defined matters
  • When collecting an item, Zabbix agent will use the first matching Allow or Deny rule
  • An unlimited number of Allow and Deny rules can be defined
  • Allow and Deny rules do not affect HostnameItem, HostMetadataItem and HostInterfaceItem
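
The following added example (not Zabbix code and not from the original page) models the first-match rule from the tips using the two rules from the configuration steps, to show why the AllowKey has to be placed above the DenyKey. The functions parse_rules, wildcard_match and evaluate are hypothetical helpers; the wildcard handling is a simplified assumption ('*' matches any run of characters), and the agent itself remains the authority, so confirm real behaviour with zabbix_agentd -t.

```python
import re

# Constructed sample input: the two rules from the steps above, in both orders.
ALLOW_FIRST = """\
AllowKey=vfs.file.contents[/etc/os-release]
DenyKey=vfs.file.contents[/etc/*]
"""
DENY_FIRST = """\
DenyKey=vfs.file.contents[/etc/*]
AllowKey=vfs.file.contents[/etc/os-release]
"""

def parse_rules(conf_text):
    """Return [(action, pattern)] in file order; other parameters are skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if name.strip() in ("AllowKey", "DenyKey"):
            rules.append((name.strip(), value.strip()))
    return rules

def wildcard_match(pattern, key):
    """Simplified assumption: '*' matches any characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key, re.DOTALL) is not None

def evaluate(conf_text, key):
    """Return (verdict, deciding_rule); the first matching rule wins."""
    for action, pattern in parse_rules(conf_text):
        if wildcard_match(pattern, key):
            verdict = "allowed" if action == "AllowKey" else "denied"
            return (verdict, f"{action}={pattern}")
    # Assumption taken from the tips: system.run[*] is denied unless a rule
    # allows it; any other key that matches no rule is collected.
    if wildcard_match("system.run[*]", key):
        return ("denied", "default")
    return ("allowed", "default")

if __name__ == "__main__":
    keys = ("vfs.file.contents[/etc/passwd]", "vfs.file.contents[/etc/os-release]",
            "system.run[id]", "agent.ping")
    for label, conf in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        for key in keys:
            print(f"{label:11} {key:38} -> {evaluate(conf, key)}")
```

With the DenyKey listed first, the wildcard rule matches /etc/os-release before the AllowKey is ever reached, so the intended exception has no effect.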