* [PATCH v4 1/6] zabbix_agentd: Update to v5.0.21 (LTS)
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
2022-03-03 21:02 ` [PATCH v4 2/6] zabbix_agentd: Fix agent modules dir and few minor bugs Robin Roevens
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC
To: development
- Update from 4.2.6 to latest LTS version 5.0.21
See release notes: https://www.zabbix.com/rn/rn5.0.21
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++--
lfs/zabbix_agentd | 11 +-
2 files changed, 132 insertions(+), 14 deletions(-)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
index 21b8e0122..aa8b899dc 100644
--- a/config/zabbix_agentd/zabbix_agentd.conf
+++ b/config/zabbix_agentd/zabbix_agentd.conf
@@ -63,14 +63,33 @@ LogFileSize=0
# Default:
# SourceIP=
-### Option: EnableRemoteCommands
-# Whether remote commands from Zabbix server are allowed.
-# 0 - not allowed
-# 1 - allowed
+### Option: AllowKey
+# Allow execution of item keys matching pattern.
+# Multiple keys matching rules may be defined in combination with DenyKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+# Deny execution of items keys matching pattern.
+# Multiple keys matching rules may be defined in combination with AllowKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
#
# Mandatory: no
# Default:
-# EnableRemoteCommands=0
+# DenyKey=system.run[*]
+
+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
+# Internal alias for AllowKey/DenyKey parameters depending on value:
+# 0 - DenyKey=system.run[*]
+# 1 - AllowKey=system.run[*]
+#
+# Mandatory: no
### Option: LogRemoteCommands
# Enable logging of executed shell commands as warnings.
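Review bot: In the DenyKey block, set DenyKey=system.run[*] as an active line instead of leaving it only as the commented default. As written, blocking remote commands depends on the agent's implicit rule ("Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default"), while the AllowKey text two paragraphs above says "If no AllowKey or DenyKey rules defined, all keys are allowed", which is easy to misread. It is also worth stating in the commit message that an existing EnableRemoteCommands=1 is now an alias for AllowKey=system.run[*], since the option is marked deprecated here.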
@@ -177,6 +196,28 @@ ServerActive=127.0.0.1
# Default:
# HostMetadataItem=
+### Option: HostInterface
+# Optional parameter that defines host interface.
+# Host interface is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostInterfaceItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostInterface=
+
+### Option: HostInterfaceItem
+# Optional parameter that defines an item used for getting host interface.
+# Host interface is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostInterface is not defined.
+#
+# Mandatory: no
+# Default:
+# HostInterfaceItem=
+
### Option: RefreshActiveChecks
# How often list of active checks is refreshed, in seconds.
#
@@ -265,7 +306,6 @@ ServerActive=127.0.0.1
Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
-
####### USER-DEFINED MONITORED PARAMETERS #######
### Option: UnsafeUserParameters
@@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
#
# Mandatory: no
# Default:
-# LoadModulePath=/usr/lib/modules
+# LoadModulePath=${libdir}/modules
LoadModulePath=/usr/lib/zabbix
@@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
# TLSCRLFile=
### Option: TLSServerCertIssuer
-# Allowed server certificate issuer.
+# Allowed server certificate issuer.
#
# Mandatory: no
# Default:
# TLSServerCertIssuer=
### Option: TLSServerCertSubject
-# Allowed server certificate subject.
+# Allowed server certificate subject.
#
# Mandatory: no
# Default:
@@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix
# Mandatory: no
# Default:
# TLSPSKFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+####### For advanced users - TCP-related fine-tuning parameters #######
+
+## Option: ListenBacklog
+# The maximum number of pending connections in the queue. This parameter is passed to
+# listen() function as argument 'backlog' (see "man listen").
+#
+# Mandatory: no
+# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
+# Default: SOMAXCONN (hard-coded constant, depends on system)
+# ListenBacklog=
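Review bot: The example strings under TLSCipherCert, TLSCipherPSK and TLSCipherAll include +SHA1, +AES-128-CBC and key exchanges without forward secrecy (+RSA, +PSK, RSA+aRSA+AES128, kPSK+AES128). They are commented out, but users tend to copy examples verbatim; consider a short line at the top of this section saying the empty defaults are preferred and the strings only illustrate syntax. Minor style point in the same hunk: "## Option: ListenBacklog" uses two hashes where every other option header uses "### Option:".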
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index dbf6f2d77..5ee1b94e5 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -26,7 +26,7 @@ include Config
SUMMARY = Zabbix Agent
-VER = 4.2.6
+VER = 5.0.21
THISAPP = zabbix-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = zabbix_agentd
-PAK_VER = 4
+PAK_VER = 5
DEPS =
SERVICES = zabbix_agentd
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
+$(DL_FILE)_MD5 = fd0d3511aad0410427649bd134364889
install : $(TARGET)
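Review bot: The new tarball is pinned only by $(DL_FILE)_MD5, and MD5 is not collision resistant, so this line is a weak integrity check for a source download. If the lfs framework accepts a stronger digest for $(DL_FILE), add it here; otherwise say in the commit message where the checksum for zabbix-5.0.21.tar.gz came from (an upstream checksum or signature) so a reviewer can reproduce it.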
@@ -84,7 +84,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--prefix=/usr \
--enable-agent \
--sysconfdir=/etc/zabbix_agentd \
- --with-openssl
+ --with-openssl \
+ --with-libcurl
cd $(DIR_APP) && make
cd $(DIR_APP) && make install
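Review bot: --with-libcurl is a new configure option that the commit message ("Update from 4.2.6 to latest LTS version 5.0.21") does not mention, and DEPS stays empty in this file. Please say why the agent needs curl support and confirm that libcurl is always present on the target system, since this links an additional library into a daemon that accepts network connections.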
--
2.34.1
--
This message has been scanned for viruses and other dangerous
content by MailScanner and appears to be clean.
* [PATCH v4 2/6] zabbix_agentd: Fix agent modules dir and few minor bugs
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
2022-03-03 21:02 ` [PATCH v4 1/6] " Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
2022-03-03 21:02 ` [PATCH v4 3/6] zabbix_agentd: Configfile reorganization Robin Roevens
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC
To: development
- Add agent modules-dir to backup
- Remove original, not used agent modules dir from rootfile
- Create modules-dir during install if it does not already exist
- bugfix: Add existence check before creating log-dir, avoiding error
messages if it already exists from a previous install
- bugfix: add extract_backup_includes to update.sh script to make
sure backup includes exist when backup is taken.
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/backup/includes/zabbix_agentd | 3 ++-
config/rootfiles/packages/zabbix_agentd | 2 +-
src/paks/zabbix_agentd/install.sh | 4 ++--
src/paks/zabbix_agentd/update.sh | 1 +
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index cba18d772..d3305cb96 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,2 +1,3 @@
/etc/sudoers.d/zabbix
-/etc/zabbix_agentd/*
+/etc/zabbix_agentd/
+/usr/lib/zabbix/
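Review bot: Adding /usr/lib/zabbix/ to the includes puts compiled agent modules into the backup, so a restore writes binaries back into the directory configured as LoadModulePath. Modules built against the 4.2.6 agent could then be restored next to a 5.0.21 agent, and the backup archive becomes a source of code the agent can be told to load. Either document this in the commit message and the config comments, or limit the backup to configuration and let users reinstall modules.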
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 4420bda05..d9bbc3ccf 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -8,7 +8,7 @@ etc/zabbix_agentd/zabbix_agentd.d
etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
usr/bin/zabbix_get
usr/bin/zabbix_sender
-usr/lib/modules
+#usr/lib/modules
usr/lib/zabbix
usr/sbin/zabbix_agentd
#usr/share/man/man1/zabbix_get.1
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index e1450a1d8..cf435918d 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -39,8 +39,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd
ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
# Create additonal directories and set permissions
-mkdir -pv /var/log/zabbix
-chown zabbix.zabbix /var/log/zabbix
+[ -d /var/log/zabbix ] || ( mkdir -pv /var/log/zabbix && chown zabbix.zabbix /var/log/zabbix )
+[ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix )
restore_backup ${NAME}
start_service --background ${NAME}
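Review bot: The second added line hands /usr/lib/zabbix to zabbix.zabbix, and that directory is the agent's LoadModulePath, so the unprivileged service account can write shared objects into the place modules are loaded from. Create it root-owned and not writable by zabbix; only /var/log/zabbix needs to be writable by the agent. Also note that with the [ -d ... ] || ( ... ) form the chown runs only when the directory is missing, so wrong ownership left by an earlier install is never corrected, and chown zabbix:zabbix is the documented separator.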
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 7fc1c96fb..68bba4f80 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -22,6 +22,7 @@
############################################################################
#
. /opt/pakfire/lib/functions.sh
+extract_backup_includes
./uninstall.sh
./install.sh
--
2.34.1
* [PATCH v4 3/6] zabbix_agentd: Configfile reorganization
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
2022-03-03 21:02 ` [PATCH v4 1/6] " Robin Roevens
2022-03-03 21:02 ` [PATCH v4 2/6] zabbix_agentd: Fix agent modules dir and few minor bugs Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
2022-03-03 21:02 ` [PATCH v4 4/6] zabbix_agentd: Sudoers file reorganization Robin Roevens
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC
To: development
- Restrict default main config to only the bare minimum options
and add upstream provided config as example file.
- Remove /etc/zabbix_agentd from backup and instead add only
zabbix_agentd.conf and subdirs 'scripts' and 'zabbix_agentd.d' to
the backup.
- Move ipfire managed userparameter_pakfire.conf from
user managed dir /etc/zabbix_agentd/zabbix_agent.d to
ipfire managed dir /var/ipfire/zabbix_agentd/userparameters
- Add Include line to existing zabbix_agentd.conf to include
the new ipfire managed config dir /var/ipfire/zabbix_agentd/...
- Add and include mandatory IPFire specific agent configuration
which should never be changed by the user.
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/backup/includes/zabbix_agentd | 4 +-
config/rootfiles/packages/zabbix_agentd | 5 +-
config/zabbix_agentd/zabbix_agentd.conf | 521 +-----------------
.../zabbix_agentd_ipfire_mandatory.conf | 11 +
lfs/zabbix_agentd | 11 +-
src/paks/zabbix_agentd/install.sh | 33 ++
6 files changed, 75 insertions(+), 510 deletions(-)
create mode 100644 config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index d3305cb96..4be365297 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,3 +1,5 @@
/etc/sudoers.d/zabbix
-/etc/zabbix_agentd/
+/etc/zabbix_agentd/zabbix_agentd.conf
+/etc/zabbix_agentd/scripts/
+/etc/zabbix_agentd/zabbix_agentd.d/
/usr/lib/zabbix/
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index d9bbc3ccf..66a1087cf 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -5,7 +5,6 @@ etc/zabbix_agentd
etc/zabbix_agentd/scripts
etc/zabbix_agentd/zabbix_agentd.conf
etc/zabbix_agentd/zabbix_agentd.d
-etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
usr/bin/zabbix_get
usr/bin/zabbix_sender
#usr/lib/modules
@@ -15,4 +14,8 @@ usr/sbin/zabbix_agentd
#usr/share/man/man1/zabbix_sender.1
#usr/share/man/man8/zabbix_agentd.8
var/ipfire/backup/addons/includes/zabbix_agentd
+var/ipfire/zabbix_agentd
+var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
+var/ipfire/zabbix_agentd/userparameters
+var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
#var/log/zabbix
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
index aa8b899dc..76cd87528 100644
--- a/config/zabbix_agentd/zabbix_agentd.conf
+++ b/config/zabbix_agentd/zabbix_agentd.conf
@@ -1,516 +1,23 @@
# This is a configuration file for Zabbix agent daemon (Unix)
# To get more information about Zabbix, visit http://www.zabbix.com
-
-############ GENERAL PARAMETERS #################
-
-### Option: PidFile
-# Name of PID file.
-#
-# Mandatory: no
-# Default:
-# PidFile=/tmp/zabbix_agentd.pid
-
-PidFile=/var/run/zabbix/zabbix_agentd.pid
-
-### Option: LogType
-# Specifies where log messages are written to:
-# system - syslog
-# file - file specified with LogFile parameter
-# console - standard output
-#
-# Mandatory: no
-# Default:
-# LogType=file
-
-### Option: LogFile
-# Log file name for LogType 'file' parameter.
#
-# Mandatory: yes, if LogType is set to file, otherwise no
-# Default:
-# LogFile=
+# For possible configuration options,
+# see /etc/zabbix_agentd/zabbix_agentd.conf.example
-LogFile=/var/log/zabbix/zabbix_agentd.log
-
-### Option: LogFileSize
-# Maximum size of log file in MB.
-# 0 - disable automatic log rotation.
-#
-# Mandatory: no
-# Range: 0-1024
-# Default:
-# LogFileSize=1
-
-LogFileSize=0
-
-### Option: DebugLevel
-# Specifies debug level:
-# 0 - basic information about starting and stopping of Zabbix processes
-# 1 - critical information
-# 2 - error information
-# 3 - warnings
-# 4 - for debugging (produces lots of information)
-# 5 - extended debugging (produces even more information)
-#
-# Mandatory: no
-# Range: 0-5
-# Default:
-# DebugLevel=3
-
-### Option: SourceIP
-# Source IP address for outgoing connections.
-#
-# Mandatory: no
-# Default:
-# SourceIP=
-
-### Option: AllowKey
-# Allow execution of item keys matching pattern.
-# Multiple keys matching rules may be defined in combination with DenyKey.
-# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
-# Parameters are processed one by one according their appearance order.
-# If no AllowKey or DenyKey rules defined, all keys are allowed.
-#
-# Mandatory: no
-
-### Option: DenyKey
-# Deny execution of items keys matching pattern.
-# Multiple keys matching rules may be defined in combination with AllowKey.
-# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
-# Parameters are processed one by one according their appearance order.
-# If no AllowKey or DenyKey rules defined, all keys are allowed.
-# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
-#
-# Mandatory: no
-# Default:
-# DenyKey=system.run[*]
-
-### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
-# Internal alias for AllowKey/DenyKey parameters depending on value:
-# 0 - DenyKey=system.run[*]
-# 1 - AllowKey=system.run[*]
-#
-# Mandatory: no
-
-### Option: LogRemoteCommands
-# Enable logging of executed shell commands as warnings.
-# 0 - disabled
-# 1 - enabled
-#
-# Mandatory: no
-# Default:
-# LogRemoteCommands=0
-
-##### Passive checks related
-
-### Option: Server
-# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
-# Incoming connections will be accepted only from the hosts listed here.
-# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
-# and '::/0' will allow any IPv4 or IPv6 address.
-# '0.0.0.0/0' can be used to allow any IPv4 address.
-# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
-#
-# Mandatory: yes, if StartAgents is not explicitly set to 0
-# Default:
-# Server=
+# To make sure all Zabbix configuration is correctly included in IPFire backups:
+# - Put custom userparameters in /etc/zabbix_agentd/zabbix_agentd.d/*.conf
+# - Put custom scripts in /etc/zabbix_agentd/scripts
+# - Put custom modules in /usr/lib/zabbix
+# Set your Zabbix Server IP or hostname here (Passive and/or Active):
Server=127.0.0.1
-
-### Option: ListenPort
-# Agent will listen on this port for connections from the server.
-#
-# Mandatory: no
-# Range: 1024-32767
-# Default:
-# ListenPort=10050
-
-### Option: ListenIP
-# List of comma delimited IP addresses that the agent should listen on.
-# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
-#
-# Mandatory: no
-# Default:
-# ListenIP=0.0.0.0
-
-### Option: StartAgents
-# Number of pre-forked instances of zabbix_agentd that process passive checks.
-# If set to 0, disables passive checks and the agent will not listen on any TCP port.
-#
-# Mandatory: no
-# Range: 0-100
-# Default:
-# StartAgents=3
-
-##### Active checks related
-
-### Option: ServerActive
-# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
-# If port is not specified, default port is used.
-# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
-# If port is not specified, square brackets for IPv6 addresses are optional.
-# If this parameter is not specified, active checks are disabled.
-# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
-#
-# Mandatory: no
-# Default:
-# ServerActive=
-
ServerActive=127.0.0.1
-### Option: Hostname
-# Unique, case sensitive hostname.
-# Required for active checks and must match hostname as configured on the server.
-# Value is acquired from HostnameItem if undefined.
-#
-# Mandatory: no
-# Default:
-# Hostname=
-
-### Option: HostnameItem
-# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
-# Does not support UserParameters or aliases.
-#
-# Mandatory: no
-# Default:
-# HostnameItem=system.hostname
-
-### Option: HostMetadata
-# Optional parameter that defines host metadata.
-# Host metadata is used at host auto-registration process.
-# An agent will issue an error and not start if the value is over limit of 255 characters.
-# If not defined, value will be acquired from HostMetadataItem.
-#
-# Mandatory: no
-# Range: 0-255 characters
-# Default:
-# HostMetadata=
-
-### Option: HostMetadataItem
-# Optional parameter that defines an item used for getting host metadata.
-# Host metadata is used at host auto-registration process.
-# During an auto-registration request an agent will log a warning message if
-# the value returned by specified item is over limit of 255 characters.
-# This option is only used when HostMetadata is not defined.
-#
-# Mandatory: no
-# Default:
-# HostMetadataItem=
-
-### Option: HostInterface
-# Optional parameter that defines host interface.
-# Host interface is used at host auto-registration process.
-# An agent will issue an error and not start if the value is over limit of 255 characters.
-# If not defined, value will be acquired from HostInterfaceItem.
-#
-# Mandatory: no
-# Range: 0-255 characters
-# Default:
-# HostInterface=
-
-### Option: HostInterfaceItem
-# Optional parameter that defines an item used for getting host interface.
-# Host interface is used at host auto-registration process.
-# During an auto-registration request an agent will log a warning message if
-# the value returned by specified item is over limit of 255 characters.
-# This option is only used when HostInterface is not defined.
-#
-# Mandatory: no
-# Default:
-# HostInterfaceItem=
-
-### Option: RefreshActiveChecks
-# How often list of active checks is refreshed, in seconds.
-#
-# Mandatory: no
-# Range: 60-3600
-# Default:
-# RefreshActiveChecks=120
-
-### Option: BufferSend
-# Do not keep data longer than N seconds in buffer.
-#
-# Mandatory: no
-# Range: 1-3600
-# Default:
-# BufferSend=5
-
-### Option: BufferSize
-# Maximum number of values in a memory buffer. The agent will send
-# all collected data to Zabbix Server or Proxy if the buffer is full.
-#
-# Mandatory: no
-# Range: 2-65535
-# Default:
-# BufferSize=100
-
-### Option: MaxLinesPerSecond
-# Maximum number of new lines the agent will send per second to Zabbix Server
-# or Proxy processing 'log' and 'logrt' active checks.
-# The provided value will be overridden by the parameter 'maxlines',
-# provided in 'log' or 'logrt' item keys.
-#
-# Mandatory: no
-# Range: 1-1000
-# Default:
-# MaxLinesPerSecond=20
-
-############ ADVANCED PARAMETERS #################
-
-### Option: Alias
-# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
-# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
-# Different Alias keys may reference the same item key.
-# For example, to retrieve the ID of user 'zabbix':
-# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
-# Now shorthand key zabbix.userid may be used to retrieve data.
-# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
-#
-# Mandatory: no
-# Range:
-# Default:
+# This line activates IPFire specific userparameters. See IPFire wiki for details.
+# To deactivate them: Comment this line out.
+# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)
+Include=/var/ipfire/zabbix_agentd/userparameters/*.conf
-### Option: Timeout
-# Spend no more than Timeout seconds on processing
-#
-# Mandatory: no
-# Range: 1-30
-# Default:
-# Timeout=3
-
-### Option: AllowRoot
-# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
-# will try to switch to the user specified by the User configuration option instead.
-# Has no effect if started under a regular user.
-# 0 - do not allow
-# 1 - allow
-#
-# Mandatory: no
-# Default:
-# AllowRoot=0
-
-### Option: User
-# Drop privileges to a specific, existing user on the system.
-# Only has effect if run as 'root' and AllowRoot is disabled.
-#
-# Mandatory: no
-# Default:
-# User=zabbix
-
-### Option: Include
-# You may include individual files or all files in a directory in the configuration file.
-# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
-#
-# Mandatory: no
-# Default:
-# Include=
-
-Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
-
-####### USER-DEFINED MONITORED PARAMETERS #######
-
-### Option: UnsafeUserParameters
-# Allow all characters to be passed in arguments to user-defined parameters.
-# The following characters are not allowed:
-# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
-# Additionally, newline characters are not allowed.
-# 0 - do not allow
-# 1 - allow
-#
-# Mandatory: no
-# Range: 0-1
-# Default:
-# UnsafeUserParameters=0
-
-### Option: UserParameter
-# User-defined parameter to monitor. There can be several user-defined parameters.
-# Format: UserParameter=<key>,<shell command>
-# See 'zabbix_agentd' directory for examples.
-#
-# Mandatory: no
-# Default:
-# UserParameter=
-
-####### LOADABLE MODULES #######
-
-### Option: LoadModulePath
-# Full path to location of agent modules.
-# Default depends on compilation options.
-# To see the default path run command "zabbix_agentd --help".
-#
-# Mandatory: no
-# Default:
-# LoadModulePath=${libdir}/modules
-
-LoadModulePath=/usr/lib/zabbix
-
-### Option: LoadModule
-# Module to load at agent startup. Modules are used to extend functionality of the agent.
-# Formats:
-# LoadModule=<module.so>
-# LoadModule=<path/module.so>
-# LoadModule=</abs_path/module.so>
-# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
-# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
-# It is allowed to include multiple LoadModule parameters.
-#
-# Mandatory: no
-# Default:
-# LoadModule=
-
-####### TLS-RELATED PARAMETERS #######
-
-### Option: TLSConnect
-# How the agent should connect to server or proxy. Used for active checks.
-# Only one value can be specified:
-# unencrypted - connect without encryption
-# psk - connect using TLS and a pre-shared key
-# cert - connect using TLS and a certificate
-#
-# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
-# Default:
-# TLSConnect=unencrypted
-
-### Option: TLSAccept
-# What incoming connections to accept.
-# Multiple values can be specified, separated by comma:
-# unencrypted - accept connections without encryption
-# psk - accept connections secured with TLS and a pre-shared key
-# cert - accept connections secured with TLS and a certificate
-#
-# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
-# Default:
-# TLSAccept=unencrypted
-
-### Option: TLSCAFile
-# Full pathname of a file containing the top-level CA(s) certificates for
-# peer certificate verification.
-#
-# Mandatory: no
-# Default:
-# TLSCAFile=
-
-### Option: TLSCRLFile
-# Full pathname of a file containing revoked certificates.
-#
-# Mandatory: no
-# Default:
-# TLSCRLFile=
-
-### Option: TLSServerCertIssuer
-# Allowed server certificate issuer.
-#
-# Mandatory: no
-# Default:
-# TLSServerCertIssuer=
-
-### Option: TLSServerCertSubject
-# Allowed server certificate subject.
-#
-# Mandatory: no
-# Default:
-# TLSServerCertSubject=
-
-### Option: TLSCertFile
-# Full pathname of a file containing the agent certificate or certificate chain.
-#
-# Mandatory: no
-# Default:
-# TLSCertFile=
-
-### Option: TLSKeyFile
-# Full pathname of a file containing the agent private key.
-#
-# Mandatory: no
-# Default:
-# TLSKeyFile=
-
-### Option: TLSPSKIdentity
-# Unique, case sensitive string used to identify the pre-shared key.
-#
-# Mandatory: no
-# Default:
-# TLSPSKIdentity=
-
-### Option: TLSPSKFile
-# Full pathname of a file containing the pre-shared key.
-#
-# Mandatory: no
-# Default:
-# TLSPSKFile=
-
-####### For advanced users - TLS ciphersuite selection criteria #######
-
-### Option: TLSCipherCert13
-# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
-# Override the default ciphersuite selection criteria for certificate-based encryption.
-#
-# Mandatory: no
-# Default:
-# TLSCipherCert13=
-
-### Option: TLSCipherCert
-# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
-# Override the default ciphersuite selection criteria for certificate-based encryption.
-# Example for GnuTLS:
-# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
-# Example for OpenSSL:
-# EECDH+aRSA+AES128:RSA+aRSA+AES128
-#
-# Mandatory: no
-# Default:
-# TLSCipherCert=
-
-### Option: TLSCipherPSK13
-# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
-# Override the default ciphersuite selection criteria for PSK-based encryption.
-# Example:
-# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
-#
-# Mandatory: no
-# Default:
-# TLSCipherPSK13=
-
-### Option: TLSCipherPSK
-# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
-# Override the default ciphersuite selection criteria for PSK-based encryption.
-# Example for GnuTLS:
-# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
-# Example for OpenSSL:
-# kECDHEPSK+AES128:kPSK+AES128
-#
-# Mandatory: no
-# Default:
-# TLSCipherPSK=
-
-### Option: TLSCipherAll13
-# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
-# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
-# Example:
-# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
-#
-# Mandatory: no
-# Default:
-# TLSCipherAll13=
-
-### Option: TLSCipherAll
-# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
-# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
-# Example for GnuTLS:
-# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
-# Example for OpenSSL:
-# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
-#
-# Mandatory: no
-# Default:
-# TLSCipherAll=
-
-####### For advanced users - TCP-related fine-tuning parameters #######
-
-## Option: ListenBacklog
-# The maximum number of pending connections in the queue. This parameter is passed to
-# listen() function as argument 'backlog' (see "man listen").
-#
-# Mandatory: no
-# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
-# Default: SOMAXCONN (hard-coded constant, depends on system)
-# ListenBacklog=
+# Mandatory Zabbix Agent configuration to start and run on IPFire correctly
+# DO NOT REMOVE OR MODIFY THIS LINE:
+Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
\ No newline at end of file
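Review bot: The new zabbix_agentd.conf ends without a newline, and its last line is the Include for zabbix_agentd_ipfire_mandatory.conf that the comment marks as "DO NOT REMOVE OR MODIFY". Any script or user that later appends a line to this file would join it onto that directive and break the mandatory include. End the file with a newline. Since the trimmed file no longer carries any DenyKey or AllowKey text, it would also help to state here, or in the mandatory file, whether system.run is meant to stay denied by default.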
diff --git a/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
new file mode 100644
index 000000000..c6be948be
--- /dev/null
+++ b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
@@ -0,0 +1,11 @@
+PidFile=/var/run/zabbix/zabbix_agentd.pid
+
+# Log rotation is managed by logrotate
+LogFile=/var/log/zabbix/zabbix_agentd.log
+LogFileSize=0
+
+# These paths are included in the IPFire backups. Do not put user modules
+# or configuration files in other locations if you want them included in the
+# backups.
+LoadModulePath=/usr/lib/zabbix
+Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
\ No newline at end of file
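Review bot: zabbix_agentd_ipfire_mandatory.conf has no header saying that it is installed by the package and is not meant to be edited; its only comment, above `LoadModulePath`, is about backups. A user who follows the `DO NOT REMOVE OR MODIFY THIS LINE` include into this file gets no hint about who owns it, so add a "managed by IPFire, do not change" line at the top, as the managed sudoers file in this series does. The file also ends without a newline after its `Include=` line.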
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 5ee1b94e5..6e995f40b 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -94,10 +94,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
-rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d
-mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d
-mkdir -pv /etc/zabbix_agentd/scripts
+ # Move upstream supplied config out of the way for reference
+ # and install our own version of the config.
+ -mv /etc/zabbix_agentd/zabbix_agentd.conf \
+ /etc/zabbix_agentd/zabbix_agentd.conf.example
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \
/etc/zabbix_agentd/zabbix_agentd.conf
+
+ # Install IPFire-specific Zabbix Agent config
+ -mkdir -pv /var/ipfire/zabbix_agentd/userparameters
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \
+ /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \
- /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
+ /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
# Create directory for additional agent modules
-mkdir -pv /usr/lib/zabbix
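Review bot: `-mkdir -pv /var/ipfire/zabbix_agentd/userparameters` creates the new tree with whatever mode the build umask gives and ignores failure. The files below it are configuration the agent includes, and userparameter files define commands the agent runs, so create the directories with an explicit mode, for example `install -v -d -m 755 /var/ipfire/zabbix_agentd/userparameters`, and drop the leading `-` so a failure stops here instead of surfacing in the next `install`. The same applies to the `-mv` of the upstream config: if it fails, no `.example` file exists and nothing says so.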
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index cf435918d..d9130dfb4 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -43,4 +43,37 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
[ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix )
restore_backup ${NAME}
+
+# Check if old IPFire specifc userparameters exist and move out of the way
+if [ -f /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf ]; then
+ mv /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf \
+ /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf.save
+fi
+
+# Check if new IPFire specific config is included in restored config
+# and add if required.
+grep -q "Include=/var/ipfire/zabbix_agentd/userparameters/\*.conf" /etc/zabbix_agentd/zabbix_agentd.conf
+if [ $? -eq 1 ]; then
+ echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "# This line activates IPFire specific userparameters. See IPFire wiki for details." >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "# To deactivate them: Comment this line out." >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)" >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "Include=/var/ipfire/zabbix_agentd/userparameters/*.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf
+fi
+
+grep -q "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" /etc/zabbix_agentd/zabbix_agentd.conf
+if [ $? -eq 1 ]; then
+ # Remove settings that are now in our own config
+ sed -i -e "\|^PidFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ sed -i -e "\|^LogFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ sed -i -e "\|^LogFileSize=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ sed -i -e "\|^LoadModulePath=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ sed -i -e "\|^Include=/etc/zabbix_agentd/zabbix_agentd\.d/\*\.conf$|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ # Include our own config in main config
+ echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "# Mandatory Zabbix Agent configuration to start and run on IPFire correctly" >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "# DO NOT REMOVE OR MODIFY THIS LINE:" >> /etc/zabbix_agentd/zabbix_agentd.conf
+ echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf
+fi
+
start_service --background ${NAME}
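Review bot: Both `grep -q ...` / `if [ $? -eq 1 ]` checks treat grep's exit status 2 (config file missing or unreadable) the same as a match, so in that case nothing is appended and the script still reaches `start_service`. Test for the file first, or use `if ! grep -q ...; then`, and decide explicitly what a missing config should do. The second block also deletes `PidFile`, `LogFile`, `LogFileSize` and `LoadModulePath` from the user's restored config with `sed -i` and keeps no copy; saving the file to a `.save` name first, as is done for userparameter_pakfire.conf at the top of the hunk, would make the migration reversible.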
--
2.34.1
--
This message has been scanned for viruses and other dangerous
content by MailScanner and appears to be clean.
* [PATCH v4 4/6] zabbix_agentd: Sudoers file reorganization
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
` (2 preceding siblings ...)
2022-03-03 21:02 ` [PATCH v4 3/6] zabbix_agentd: Configfile reorganization Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
2022-03-03 21:02 ` [PATCH v4 5/6] zabbix_agentd: By default only listen on GREEN ip Robin Roevens
2022-03-03 21:02 ` [PATCH v4 6/6] zabbix_agentd: Add IPFire specific userparameters Robin Roevens
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6123 bytes --]
- Remove sudoers file 'zabbix' in favour of new IPFire managed
'zabbix_agentd' and user managed 'zabbix_agentd_user' which is
included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to
new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/backup/includes/zabbix_agentd | 4 ++--
config/rootfiles/packages/zabbix_agentd | 3 ++-
config/zabbix_agentd/sudoers | 14 ++++----------
config/zabbix_agentd/sudoers_user | 16 ++++++++++++++++
lfs/zabbix_agentd | 4 +++-
src/paks/zabbix_agentd/update.sh | 22 ++++++++++++++++++----
6 files changed, 45 insertions(+), 18 deletions(-)
create mode 100644 config/zabbix_agentd/sudoers_user
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index 4be365297..834766992 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,5 +1,5 @@
-/etc/sudoers.d/zabbix
+/etc/sudoers.d/zabbix_agentd_user
/etc/zabbix_agentd/zabbix_agentd.conf
/etc/zabbix_agentd/scripts/
/etc/zabbix_agentd/zabbix_agentd.d/
-/usr/lib/zabbix/
+/usr/lib/zabbix/
\ No newline at end of file
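Review bot: The last two lines of this hunk replace `/usr/lib/zabbix/` with the same path minus its trailing newline, which looks like an editor artifact rather than part of the sudoers change. Restore the newline so the hunk is only the swap of `/etc/sudoers.d/zabbix` for `/etc/sudoers.d/zabbix_agentd_user`, and so the backup include list does not depend on how its readers treat an unterminated last line.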
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 66a1087cf..2ea98fc21 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -1,6 +1,7 @@
etc/logrotate.d/zabbix_agentd
etc/rc.d/init.d/zabbix_agentd
-etc/sudoers.d/zabbix
+etc/sudoers.d/zabbix_agentd
+etc/sudoers.d/zabbix_agentd_user
etc/zabbix_agentd
etc/zabbix_agentd/scripts
etc/zabbix_agentd/zabbix_agentd.conf
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index 1b362a4fd..cb4263ff6 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -1,17 +1,11 @@
# Include file for sudoers file
#
-# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
-# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo)
#
-# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not
+# included in the backup.
#
-# Some hints:
-# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
-# you might end up locking yourself out of your system!
-# - Append the full path incl. parameters to each command, using "," as separator.
-# - Only add commands you really need. Zabbix should not have more rights than it has to.
-#
-# Append / edit the following list of commands to fit your needs:
+# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user
#
Defaults:zabbix !requiretty
zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status
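Review bot: The rule kept as context at the end of this hunk, `zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status`, allows the command to be run as any target user, while the comment above says it exists for commands that only run as root. Now that this file is IPFire-managed and users are told not to edit it, narrow the run-as list to `(root)` here. The new header could also name the full path `/etc/sudoers.d/zabbix_agentd_user` instead of only the file name.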
diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user
new file mode 100644
index 000000000..61cbc417b
--- /dev/null
+++ b/config/zabbix_agentd/sudoers_user
@@ -0,0 +1,16 @@
+# Include file for sudoers file
+#
+# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
+# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+#
+# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+#
+# Some hints:
+# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
+# you might end up locking yourself out of your system!
+# - Append the full path incl. parameters to each command, using "," as separator.
+# - Only add commands you really need. Zabbix should not have more rights than it has to.
+#
+# Uncomment the following line and edit the example of commands to fit your needs:
+
+#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ...
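Review bot: The commented template on the last line, `#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, ...`, offers run-as-any-user rights as the starting point; `(root)` matches the purpose stated at the top of the file. The hints should also say that a command listed without arguments may be run with any arguments, since that is the mistake this file makes easy. `YOU'RE` in the warning line should be `YOUR`.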
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 6e995f40b..929d36628 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
- /etc/sudoers.d/zabbix
+ /etc/sudoers.d/zabbix_agentd
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \
+ /etc/sudoers.d/zabbix_agentd_user
# Install include file for backup
install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
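Review bot: Both sudoers fragments are installed with `-m 644`, while sudoers files are conventionally mode 0440. Since zabbix_agentd_user is meant to be hand-edited, installing it 0440 steers users towards `visudo -f`, which the file's own hints recommend. A `visudo -cf` run on each fragment after installation would also catch a syntax error in the shipped files before they reach a system.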
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 68bba4f80..74a47aa66 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -22,11 +22,25 @@
############################################################################
#
. /opt/pakfire/lib/functions.sh
+
+# Check if old sudoers file exists and remove if it was not modified
+# or rename to the new zabbix_agentd_user file if it was.
+if [ -f /etc/sudoers.d/zabbix.user ]; then
+ mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
+fi
+
+if [ -f /etc/sudoers.d/zabbix ]; then
+ md5=$(md5sum /etc/sudoers.d/zabbix | cut -f1 -d" ")
+ # from commits 5737a22 & 06fc617
+ if [ "$md5" == "dae8daa1bb7cb3d9959d1438ebe84c71" ] || \
+ [ "$md5" == "9bc24158734f0bf7c8697d62bf4c952a" ]; then
+ rm -vf /etc/sudoers.d/zabbix
+ else
+ mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user
+ fi
+fi
+
extract_backup_includes
./uninstall.sh
./install.sh
-# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix
-if [ -e /etc/sudoers.d/zabbix.user ]; then
- mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
-fi
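Review bot: In the `else` branch a user-modified /etc/sudoers.d/zabbix is moved to zabbix_agentd_user unchanged and unchecked, so it keeps its old mode and most likely still carries the `Defaults:zabbix !requiretty` and `pakfire status` lines that the managed zabbix_agentd file now provides. Run `visudo -cf` on the migrated file and print a hint that the duplicated lines can be removed. Separately, `[ "$md5" == ... ]` relies on a bash extension to `[`; `=` works in every shell.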
--
2.34.1
* [PATCH v4 5/6] zabbix_agentd: By default only listen on GREEN ip
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
` (3 preceding siblings ...)
2022-03-03 21:02 ` [PATCH v4 4/6] zabbix_agentd: Sudoers file reorganization Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
2022-03-03 21:02 ` [PATCH v4 6/6] zabbix_agentd: Add IPFire specific userparameters Robin Roevens
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1807 bytes --]
- Change zabbix_agentd.conf during install to only listen on the
GREEN ip by default.
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/zabbix_agentd/zabbix_agentd.conf | 3 +++
src/paks/zabbix_agentd/install.sh | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
index 76cd87528..a12fe3a60 100644
--- a/config/zabbix_agentd/zabbix_agentd.conf
+++ b/config/zabbix_agentd/zabbix_agentd.conf
@@ -13,6 +13,9 @@
Server=127.0.0.1
ServerActive=127.0.0.1
+# List of comma delimited IP addresses that the agent should listen on.
+ListenIP=GREEN_ADDRESS
+
# This line activates IPFire specific userparameters. See IPFire wiki for details.
# To deactivate them: Comment this line out.
# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)
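Review bot: `ListenIP=GREEN_ADDRESS` is a placeholder, not a valid address, and the comment above it does not say so. As far as this series shows, it is only rewritten by the `sed` in install.sh, which runs after `restore_backup`, so a config restored from backup never contains the placeholder and an upgraded system keeps its previous listen addresses. Say in the comment that the value is filled in at install time, and say in the commit message whether the GREEN-only default is meant for fresh installs only.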
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index d9130dfb4..a64d4c84f 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -76,4 +76,14 @@ if [ $? -eq 1 ]; then
echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf
fi
+# By default, only listen on GREEN
+(
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ if [ -n "${GREEN_ADDRESS}" ]; then
+ sed -i -e "s|ListenIP=GREEN_ADDRESS|ListenIP=${GREEN_ADDRESS}|g" /etc/zabbix_agentd/zabbix_agentd.conf
+ else
+ sed -i -e "\|ListenIP=GREEN_ADDRESS|d" /etc/zabbix_agentd/zabbix_agentd.conf
+ fi
+) || :
+
start_service --background ${NAME}
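Review bot: The subshell ends in `|| :`, so if `readhash` or either `sed` fails, the literal `ListenIP=GREEN_ADDRESS` stays in the config and `start_service` is still called. Handle the failure path by deleting the placeholder line, as the `else` branch does, or by stopping with a message. `eval $(/usr/local/bin/readhash ...)` also expands the settings file's content unquoted; use `eval "$(...)"`, and check that `GREEN_ADDRESS` looks like an IP address before pasting it into the `sed` replacement.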
--
2.34.1
* [PATCH v4 6/6] zabbix_agentd: Add IPFire specific userparameters
2022-03-03 21:02 [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Robin Roevens
` (4 preceding siblings ...)
2022-03-03 21:02 ` [PATCH v4 5/6] zabbix_agentd: By default only listen on GREEN ip Robin Roevens
@ 2022-03-03 21:02 ` Robin Roevens
5 siblings, 0 replies; 7+ messages in thread
From: Robin Roevens @ 2022-03-03 21:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 4328 bytes --]
Provide IPFire specific items for the Zabbix server to monitor:
- ipfire.net.gateway.pingtime: Internet Line Quality
- ipfire.net.gateway.ping: Internet connection
- ipfire.net.fw.hits.raw: JSON formatted list of Firewall hits/chain
- ipfire.dhcpd.clients: Number of active DHCP leases
- ipfire.captive.clients: Number of Captive Portal clients
Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
config/rootfiles/packages/zabbix_agentd | 1 +
config/zabbix_agentd/sudoers | 2 +-
config/zabbix_agentd/userparameter_ipfire.conf | 12 ++++++++++++
lfs/zabbix_agentd | 5 ++++-
4 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 config/zabbix_agentd/userparameter_ipfire.conf
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 2ea98fc21..2ae4e24cb 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -19,4 +19,5 @@ var/ipfire/zabbix_agentd
var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
var/ipfire/zabbix_agentd/userparameters
var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
+var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
#var/log/zabbix
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index cb4263ff6..2d71ae78f 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -8,4 +8,4 @@
# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user
#
Defaults:zabbix !requiretty
-zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status
+zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat
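Review bot: The added entries `/usr/sbin/fping` and `/usr/local/bin/getipstat` carry no arguments, so sudo lets zabbix run both as root with any arguments, although the userparameters added in this patch need only three fixed invocations. List exactly those: `/usr/sbin/fping -c 3 gateway`, `/usr/sbin/fping -q -r 3 gateway` and `/usr/local/bin/getipstat -xf`. That follows the hint in zabbix_agentd_user to give the full path including parameters, and `(ALL)` can become `(root)` in the same change.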
diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf
new file mode 100644
index 000000000..10c09c25d
--- /dev/null
+++ b/config/zabbix_agentd/userparameter_ipfire.conf
@@ -0,0 +1,12 @@
+# Parameters for monitoring IPFire specific metrics
+#
+# Internet Gateway ping timings, can be used to measure "Internet Line Quality"
+UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2
+# Internet Gateway availability, can be used to check Internet connection
+UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $?
+# Firewall Filter Forward chain drops in bytes/chain (JSON), can be used for discovery of firewall chains and monitoring of firewall hits on each chain
+UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "\/\* DROP_.* \*\/$" | awk 'BEGIN { ORS = ""; print "["} { printf "%s{\"chain\": \"%s\", \"bytes\": \"%s\"}", separator, substr($11, 6), $2; separator = ", "; } END { print"]" }'
+# Number of currently Active DHCP leases
+UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
+# Number of Captive Portal clients
+UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
\ No newline at end of file
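Review bot: In `ipfire.net.gateway.ping`, `[ ! $? ]` tests whether the string `$?` is empty, which it never is, so the test always fails and `echo $?` prints 1 whether or not the gateway answered. If 1 is meant to signal a reachable gateway, use `sudo /usr/sbin/fping -q -r 3 gateway && echo 1 || echo 0`, or `[ $? -ne 0 ]; echo $?` to keep the current shape. In `ipfire.dhcpd.clients`, `grep "state active" | wc -l` can be `grep -c "state active"`, and the file again ends without a newline.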
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 929d36628..226eb6253 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -35,7 +35,8 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = zabbix_agentd
PAK_VER = 5
-DEPS =
+
+DEPS = fping
SERVICES = zabbix_agentd
@@ -107,6 +108,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \
/var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
+ /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
# Create directory for additional agent modules
-mkdir -pv /usr/lib/zabbix
--
2.34.1