Hi Robin,

I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.

The lfs file changes look perfect to me.

A general comment I would make is that when you want to do a v2 version then if you enter

git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].

Note it is lower case v

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

• Update from 4.2.6 to latest LTS version 5.0.10 See release notes: https://www.zabbix.com/rn/rn5.0.10

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- lfs/zabbix_agentd | 11 ++- 2 files changed, 121 insertions(+), 14 deletions(-)

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..4d6c4c154 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP=

-### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no

+### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*]

+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no

### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem=

+### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface=

+### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem=

• ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. #

@@ -265,7 +306,6 @@ ServerActive=127.0.0.1

Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf

• ####### USER-DEFINED MONITORED PARAMETERS #######

  ### Option: UnsafeUserParameters

@@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules

LoadModulePath=/usr/lib/zabbix

@@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile=

### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer=

### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile=

+####### For advanced users - TLS ciphersuite selection criteria #######

+### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13=

+### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert=

+### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13=

+### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK=

+### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13=

+### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c69643a54..2d57b0dbe 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@

include Config

-VER = 4.2.6 +VER = 5.0.10

THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS =

############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212

install : $(TARGET)

@@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \

• --with-openssl
  

• --with-openssl \
  

• --with-libcurl
  
  

  cd $(DIR_APP) && make cd $(DIR_APP) && make install

Hello Adolf,

You can use the Reviewed-by: tag to mark a patch as reviewed by you:

https://wiki.ipfire.org/devel/git/tags

-Michael

On 9 Apr 2021, at 20:25, Adolf Belka adolf.belka@ipfire.org wrote:

Hi Robin,

I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.

The lfs file changes look perfect to me.

A general comment I would make is that when you want to do a v2 version then if you enter

git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].

Note it is lower case v

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

...

• Update from 4.2.6 to latest LTS version 5.0.10 See release notes: https://www.zabbix.com/rn/rn5.0.10

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- lfs/zabbix_agentd | 11 ++- 2 files changed, 121 insertions(+), 14 deletions(-)

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..4d6c4c154 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no

+### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*]

+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface=

+### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem=

### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf

####### USER-DEFINED MONITORED PARAMETERS ####### ### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules LoadModulePath=/usr/lib/zabbix @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile=

+####### For advanced users - TLS ciphersuite selection criteria #######

+### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13=

+### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert=

+### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13=

+### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK=

+### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13=

+### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c69643a54..2d57b0dbe 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.2.6 +VER = 5.0.10 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS = ############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 install : $(TARGET) @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \

• --with-openssl
  

• --with-openssl \
  

• --with-libcurl
  

  cd $(DIR_APP) && make cd $(DIR_APP) && make install

Hello,

No, if you have reviewed it you can add the tag. Just anywhere in an email and Patchwork will parse and add credit.

The reason why we are doing the tags is:

* To give credit (because it very often is not only one person who has worked on something, but Git only allows one author field)

* We know what has been reviewed

* And if something is broken, there is a list of people who have been working on this who can be shot… joking… who can be consulted about why something was solved in a certain way, etc.

You can also use Tested-by which is very helpful, too.

Best, -Michael

On 12 Apr 2021, at 12:23, Adolf Belka adolf.belka@ipfire.org wrote:

Hi Michael,

On 12/04/2021 12:27, Michael Tremer wrote:

...

Hello Adolf, You can use the Reviewed-by: tag to mark a patch as reviewed by you: https://wiki.ipfire.org/devel/git/tags

I wasn't sure if I was OK for me to use the reviewed tag or if it was limited to specific people. I will use it in future now when I do a review of a patch.

Regards, Adolf.

...

-Michael

...

On 9 Apr 2021, at 20:25, Adolf Belka adolf.belka@ipfire.org wrote:

Hi Robin,

I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.

The lfs file changes look perfect to me.

A general comment I would make is that when you want to do a v2 version then if you enter

git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].

Note it is lower case v

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

...

• Update from 4.2.6 to latest LTS version 5.0.10 See release notes: https://www.zabbix.com/rn/rn5.0.10

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- lfs/zabbix_agentd | 11 ++- 2 files changed, 121 insertions(+), 14 deletions(-)

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..4d6c4c154 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no

+### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*]

+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface=

+### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem=

### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf

####### USER-DEFINED MONITORED PARAMETERS ####### ### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules LoadModulePath=/usr/lib/zabbix @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile=

+####### For advanced users - TLS ciphersuite selection criteria #######

+### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13=

+### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert=

+### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13=

+### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK=

+### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13=

+### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c69643a54..2d57b0dbe 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.2.6 +VER = 5.0.10 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS = ############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 install : $(TARGET) @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \

• --with-openssl
  

• --with-openssl \
  

• --with-libcurl
  

  cd $(DIR_APP) && make cd $(DIR_APP) && make install

Hi Adolf

Indeed, I should have explicitly mentioned the modules-dir; the original /usr/lib/modules which was removed from the rootfile and the custom one, introduced by Alex, but not backed up until now: /usr/lib/zabbix/. I have been digging in the mailinglist archives to find out why Alex was using /usr/lib/zabbix/ and thus I was 'deep' into the modules-dirs saga that I considered it 'common knowledge' at that point in time where I committed this change. But of course, it is no common knowledge for you guys :-) I will try to pay more attention to such things in the future.

Regards Robin

Adolf Belka schreef op vr 09-04-2021 om 21:36 [+0200]:

Hi Robin,

The patches seem fine to me, although again my lack of zabbix knowledge means I can't comment on specifics easily.

Only minor general point I had was that the commit message might have more clearly specified that the modules-dir is /usr/lib/zabbix. I had to read through the whole patch to come to that conclusion.

Overall these look good patches for your first input.

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

...

• Add agent modules-dir to backup
• Remove original, not used agent modules dir from rootfile
• Delete agent modules dir only when empty on uninstall thus

keeping    possible user deployed custom module files but removing it if unused.

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/backup/includes/zabbix_agentd    | 3 ++-   config/rootfiles/packages/zabbix_agentd | 4 ++--   src/paks/zabbix_agentd/install.sh       | 2 ++   src/paks/zabbix_agentd/uninstall.sh     | 5 +++++   src/paks/zabbix_agentd/update.sh        | 1 +   5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index cba18d772..d3305cb96 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,3 @@   /etc/sudoers.d/zabbix -/etc/zabbix_agentd/* +/etc/zabbix_agentd/ +/usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 4420bda05..a938f2605 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -8,8 +8,8 @@ etc/zabbix_agentd/zabbix_agentd.d   etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf   usr/bin/zabbix_get   usr/bin/zabbix_sender -usr/lib/modules -usr/lib/zabbix +#usr/lib/modules +#usr/lib/zabbix   usr/sbin/zabbix_agentd   #usr/share/man/man1/zabbix_get.1   #usr/share/man/man1/zabbix_sender.1 diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index e1450a1d8..b98230ea1 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -41,6 +41,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd   # Create additonal directories and set permissions   mkdir -pv /var/log/zabbix   chown zabbix.zabbix /var/log/zabbix +mkdir -pv /usr/lib/zabbix +chown zabbix.zabbix /usr/lib/zabbix     restore_backup ${NAME}   start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index edff3b818..b771d1f63 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,5 +26,10 @@ stop_service ${NAME}   make_backup ${NAME}   remove_files   +# Remove agent modules dir if empty +if [ -z "$(ls -A /usr/lib/zabbix/)" ]; then +       rmdir /usr/lib/zabbix +fi

# Remove init-scripts and symlinks   rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 7fc1c96fb..68bba4f80 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,6 +22,7 @@   ################################################################### #########   #   . /opt/pakfire/lib/functions.sh +extract_backup_includes   ./uninstall.sh   ./install.sh

(forgot to reply to all :-))

Hi

In theory, I think I could move the modules dir from current /usr/lib/zabbix to /etc/zabbix_agentd/modules for example.

However modules are not planin text config files but rather binary (possibly user-created and compiled) libraries that plug into the agent to extend it's functionality. So I assume a user will probably have the source code of the binary library some place else and could probably easily re-deploy the compiled modules after the backup is restored in a recovery situation. But I figured, as it is in a way a configuration of the agent instance, it should also be backed up, not requiring users to re-deploy those after a recovery.  But moving binary files into /etc/... feels a bit awkward.. but technically it could be done.

Robin

Michael Tremer schreef op ma 12-04-2021 om 11:26 [+0100]:

Hello,

So, this is slightly more complicated.

The usual way how we do things is to back up any kind of configuration, uninstall everything, install the new package and then restore the configuration.

Having custom files in a system directory is probably going to break this.

Is there any way to have custom scripts in /etc/zabbix/… or something similar?

-Michael

...

On 10 Apr 2021, at 22:13, Robin Roevens robin.roevens@disroot.org wrote:

Hi Adolf

Indeed, I should have explicitly mentioned the modules-dir; the original /usr/lib/modules which was removed from the rootfile and the custom one, introduced by Alex, but not backed up until now: /usr/lib/zabbix/. I have been digging in the mailinglist archives to find out why Alex was using /usr/lib/zabbix/ and thus I was 'deep' into the modules- dirs saga that I considered it 'common knowledge' at that point in time where I committed this change. But of course, it is no common knowledge for you guys :-) I will try to pay more attention to such things in the future.

Regards Robin

Adolf Belka schreef op vr 09-04-2021 om 21:36 [+0200]:

...

Hi Robin,

The patches seem fine to me, although again my lack of zabbix knowledge means I can't comment on specifics easily.

Only minor general point I had was that the commit message might have more clearly specified that the modules-dir is /usr/lib/zabbix. I had to read through the whole patch to come to that conclusion.

Overall these look good patches for your first input.

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

...

• Add agent modules-dir to backup
• Remove original, not used agent modules dir from rootfile
• Delete agent modules dir only when empty on uninstall thus

keeping    possible user deployed custom module files but removing it if unused.

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/backup/includes/zabbix_agentd    | 3 ++-   config/rootfiles/packages/zabbix_agentd | 4 ++--   src/paks/zabbix_agentd/install.sh       | 2 ++   src/paks/zabbix_agentd/uninstall.sh     | 5 +++++   src/paks/zabbix_agentd/update.sh        | 1 +   5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index cba18d772..d3305cb96 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,3 @@   /etc/sudoers.d/zabbix -/etc/zabbix_agentd/* +/etc/zabbix_agentd/ +/usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 4420bda05..a938f2605 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -8,8 +8,8 @@ etc/zabbix_agentd/zabbix_agentd.d   etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf   usr/bin/zabbix_get   usr/bin/zabbix_sender -usr/lib/modules -usr/lib/zabbix +#usr/lib/modules +#usr/lib/zabbix   usr/sbin/zabbix_agentd   #usr/share/man/man1/zabbix_get.1   #usr/share/man/man1/zabbix_sender.1 diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index e1450a1d8..b98230ea1 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -41,6 +41,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd   # Create additonal directories and set permissions   mkdir -pv /var/log/zabbix   chown zabbix.zabbix /var/log/zabbix +mkdir -pv /usr/lib/zabbix +chown zabbix.zabbix /usr/lib/zabbix     restore_backup ${NAME}   start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index edff3b818..b771d1f63 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,5 +26,10 @@ stop_service ${NAME}   make_backup ${NAME}   remove_files   +# Remove agent modules dir if empty +if [ -z "$(ls -A /usr/lib/zabbix/)" ]; then +       rmdir /usr/lib/zabbix +fi

# Remove init-scripts and symlinks   rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 7fc1c96fb..68bba4f80 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,6 +22,7 @@   ############################################################### #### #########   #   . /opt/pakfire/lib/functions.sh +extract_backup_includes   ./uninstall.sh   ./install.sh

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Hi

That directory is purely meant for user-modules and by default is empty as nor we, nor Zabbix ship user-modules with the agent. And I don't see that changing in the near future. So currently indeed only user-files will be located there.

Robin

Michael Tremer schreef op ma 12-04-2021 om 11:52 [+0100]:

Hello,

I agree, /etc isn’t exactly the best place for it, but it comes with a couple of benefits:

• We will include those files in the backup (or at least should be

doing so)

• We have control over /usr/lib/zabbix and can do whatever we need

there (I was assuming that there are some system files in there - if that is wrong and there is nothing in this directory apart from user files, we can leave it as /usr/lib/zabbix)

-Michael

...

On 12 Apr 2021, at 11:50, Robin Roevens robin.roevens@disroot.org wrote:

(forgot to reply to all :-))

Hi

In theory, I think I could move the modules dir from current /usr/lib/zabbix to /etc/zabbix_agentd/modules for example.

However modules are not planin text config files but rather binary (possibly user-created and compiled) libraries that plug into the agent to extend it's functionality. So I assume a user will probably have the source code of the binary library some place else and could probably easily re-deploy the compiled modules after the backup is restored in a recovery situation. But I figured, as it is in a way a configuration of the agent instance, it should also be backed up, not requiring users to re-deploy those after a recovery. But moving binary files into /etc/... feels a bit awkward.. but technically it could be done.

Robin

Michael Tremer schreef op ma 12-04-2021 om 11:26 [+0100]:

...

Hello,

So, this is slightly more complicated.

The usual way how we do things is to back up any kind of configuration, uninstall everything, install the new package and then restore the configuration.

Having custom files in a system directory is probably going to break this.

Is there any way to have custom scripts in /etc/zabbix/… or something similar?

-Michael

...

On 10 Apr 2021, at 22:13, Robin Roevens robin.roevens@disroot.org wrote:

Hi Adolf

Indeed, I should have explicitly mentioned the modules-dir; the original /usr/lib/modules which was removed from the rootfile and the custom one, introduced by Alex, but not backed up until now: /usr/lib/zabbix/. I have been digging in the mailinglist archives to find out why Alex was using /usr/lib/zabbix/ and thus I was 'deep' into the modules- dirs saga that I considered it 'common knowledge' at that point in time where I committed this change. But of course, it is no common knowledge for you guys :-) I will try to pay more attention to such things in the future.

Regards Robin

Adolf Belka schreef op vr 09-04-2021 om 21:36 [+0200]:

...

Hi Robin,

The patches seem fine to me, although again my lack of zabbix knowledge means I can't comment on specifics easily.

Only minor general point I had was that the commit message might have more clearly specified that the modules-dir is /usr/lib/zabbix. I had to read through the whole patch to come to that conclusion.

Overall these look good patches for your first input.

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:

...

• Add agent modules-dir to backup
• Remove original, not used agent modules dir from rootfile
• Delete agent modules dir only when empty on uninstall

thus keeping    possible user deployed custom module files but removing it if unused.

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/backup/includes/zabbix_agentd    | 3 ++-   config/rootfiles/packages/zabbix_agentd | 4 ++--   src/paks/zabbix_agentd/install.sh       | 2 ++   src/paks/zabbix_agentd/uninstall.sh     | 5 +++++   src/paks/zabbix_agentd/update.sh        | 1 +   5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index cba18d772..d3305cb96 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,3 @@   /etc/sudoers.d/zabbix -/etc/zabbix_agentd/* +/etc/zabbix_agentd/ +/usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 4420bda05..a938f2605 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -8,8 +8,8 @@ etc/zabbix_agentd/zabbix_agentd.d   etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.con f   usr/bin/zabbix_get   usr/bin/zabbix_sender -usr/lib/modules -usr/lib/zabbix +#usr/lib/modules +#usr/lib/zabbix   usr/sbin/zabbix_agentd   #usr/share/man/man1/zabbix_get.1   #usr/share/man/man1/zabbix_sender.1 diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index e1450a1d8..b98230ea1 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -41,6 +41,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd   # Create additonal directories and set permissions   mkdir -pv /var/log/zabbix   chown zabbix.zabbix /var/log/zabbix +mkdir -pv /usr/lib/zabbix +chown zabbix.zabbix /usr/lib/zabbix     restore_backup ${NAME}   start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index edff3b818..b771d1f63 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,5 +26,10 @@ stop_service ${NAME}   make_backup ${NAME}   remove_files   +# Remove agent modules dir if empty +if [ -z "$(ls -A /usr/lib/zabbix/)" ]; then +       rmdir /usr/lib/zabbix +fi

# Remove init-scripts and symlinks   rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 7fc1c96fb..68bba4f80 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,6 +22,7 @@   ########################################################### #### #### #########   #   . /opt/pakfire/lib/functions.sh +extract_backup_includes   ./uninstall.sh   ./install.sh

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Hello,

On 7 Apr 2021, at 21:44, Robin Roevens robin.roevens@disroot.org wrote:

Provide IPFire specific items for the Zabbix server to monitor:

• Networking stats:
• ipfire.net.gateway.pingtime: Internet Line Quality
• ipfire.net.gateway.ping: Internet connection
• ipfire.net.fw.hits[*]: Firewall hits
• IPFire service states:
• ipfire.services: JSON formatted state of all IPFire services using new ipfire_services.pl script.

Users can install the IPFire 2 Zabbix template-set provided here: https://share.zabbix.com/network-appliances/ipfire-2 to monitor these metrics. Or create their own template.

Signed-off-by: Robin Roevens robin.roevens@disroot.org

config/rootfiles/packages/zabbix_agentd | 3 + config/zabbix_agentd/ipfire_services.pl | 221 ++++++++++++++++++ config/zabbix_agentd/sudoers | 2 +- .../template_module_ipfire_network_stats.conf | 4 + .../template_module_ipfire_services.conf | 2 + lfs/zabbix_agentd | 8 +- src/paks/zabbix_agentd/install.sh | 5 + src/paks/zabbix_agentd/uninstall.sh | 2 + 8 files changed, 245 insertions(+), 2 deletions(-) create mode 100755 config/zabbix_agentd/ipfire_services.pl create mode 100644 config/zabbix_agentd/template_module_ipfire_network_stats.conf create mode 100644 config/zabbix_agentd/template_module_ipfire_services.conf

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 6945c5ef7..aa3f1846b 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -3,9 +3,12 @@ etc/rc.d/init.d/zabbix_agentd etc/sudoers.d/zabbix.ipfirenew #etc/zabbix_agentd #etc/zabbix_agentd/scripts +etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew #etc/zabbix_agentd/zabbix_agentd.d etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..dbf8aec56 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl @@ -0,0 +1,221 @@ +#!/usr/bin/perl +############################################################################### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Based on: services.cgi by IPFire Team +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +###############################################################################

+use strict;

+# enable only the following on debugging purpose +# use warnings;

+# Maps a nice printable name to the changing part of the pid file, which +# is also the name of the program +my %servicenames =(

•    'DHCP Server' => 'dhcpd',
  

•    'Web Server' => 'httpd',
  

•    'CRON Server' => 'fcron',
  

•    'DNS Proxy Server' => 'unbound',
  

•    'Logging Server' => 'syslogd',
  

•    'Kernel Logging Server' => 'klogd',
  

•    'NTP Server' => 'ntpd',
  

•    'Secure Shell Server' => 'sshd',
  

•    'VPN' => 'charon',
  

•    'Web Proxy' => 'squid',
  

•    'Intrusion Detection System' => 'suricata',
  

•    'OpenVPN' => 'openvpn'
  

+);

You have a hard-coded list with process names here. It technically is missing add-ons but including everything would make this list very long and a lot of work to maintain...

+# Hash to overwrite the process name of a process if it differs from the launch command. +my %overwrite_exename_hash = (

•    "suricata" => "Suricata-Main"
  

+);

+my $first = 1;

+print "[";

+# Built-in services +my $key = ''; +foreach $key (sort keys %servicenames){

• print "," if not $first;
• $first = 0;
• print "{";
• print ""service":"$key",";
• my $shortname = $servicenames{$key};
• print &servicestats($shortname);
• print "}";

+}

+# Generate list of installed addon pak's +my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut -d"-" -f2`; +foreach (@pak){

• chomp($_);
• # Check which of the paks are services
• my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`;
• foreach (@svc){

• # blacklist some packages
  

• #
  

• # alsa has trouble with the volume saving and was not really stopped
  

• # mdadm should not stopped with webif because this could crash the system
  

• #
  

• chomp($_);
  

• if ( $_ eq 'squid' ) {
  

• 	next;
  

• }
  

• if ( ($_ ne "alsa") && ($_ ne "mdadm") ) {
  

Another hardcoded list due to code duplication. Not your fault, but not pretty.

• 	print ",";
  

• 	print "{";
  

• 	print "\"service\":\"Addon: $_\",";
  

• 	print "\"servicename\":\"$_\",";
  

• 	my $onboot = isautorun($_);
  

• 	print "\"onboot\":$onboot,";
  

• 	print &addonservicestats($_);
  

• 	print "}";
  

• }
  

• }

+}

+print "]";

+sub servicestats{

• my $cmd = $_[0];
• my $status = ""servicename":"$cmd","state":"0"";
• my $pid = '';
• my $testcmd = '';

•    my $exename;
  

•    my $memory;
  

• $cmd =~ /(^[a-z]+)/;
• # Check if the exename needs to be overwritten.

•    # This happens if the expected process name string
  

•    # differs from the real one. This may happened if
  

•    # a service uses multiple processes or threads.
  

•    if (exists($overwrite_exename_hash{$cmd})) {
  

•            # Grab the string which will be reported by
  

•            # the process from the corresponding hash.
  

•            $exename = $overwrite_exename_hash{$1};
  

•    } else {
  

•            # Directly expect the launched command as
  

•            # process name.
  

•            $exename = $1;
  

•    }
  

• if (open(FILE, "/var/run/${cmd}.pid")){

•            $pid = <FILE>; chomp $pid;
  

•            close FILE;
  

•            if (open(FILE, "/proc/${pid}/status")){
  

•                    while (<FILE>){
  

•                            if (/^Name:\W+(.*)/) {
  

•                                    $testcmd = $1;
  

•                            }
  

•                    }
  

•                    close FILE;
  

•            }
  

•            if (open(FILE, "/proc/${pid}/status")) {
  

•                    while (<FILE>) {
  

•                            my ($key, $val) = split(":", $_, 2);
  

•                            if ($key eq 'VmRSS') {
  

• 			$val =~ /\s*([0-9]*)\s+kB/;
  

• 			# Convert kB to B
  

•                                    $memory = $1*1024;
  

•                                    last;
  

•                            }
  

•                    }
  

•                    close(FILE);
  

•            }
  

•            if ($testcmd =~ /$exename/){
  

• 	$status = "\"servicename\":\"$cmd\",\"state\":1,\"pid\":$pid,\"memory\":$memory";
  

• }
  

•    }
  

•    return $status;
  

+}

+sub isautorun{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`;
  

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "1";
  

•    }
  

•    $init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`;
  

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "0";
  

•    }
  

•    return $status;
  

+}

+sub addonservicestats{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $pid = '';
  

•    my $testcmd = '';
  

•    my $exename;
  

•    my @memory = (0);
  

•    $testcmd = `sudo /usr/local/bin/addonctrl $_ status 2>/dev/null`;
  

•    if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){
  

•            $status = "\"state\":1";
  

•            $testcmd =~ s/.* //gi;
  

•            $testcmd =~ s/[a-z_]//gi;
  

•            $testcmd =~ s/\[[0-1]\;[0-9]+//gi;
  

•            $testcmd =~ s/[\(\)\.]//gi;
  

•            $testcmd =~ s/  //gi;
  

•            $testcmd =~ s///gi;
  

•            my @pid = split(/\s/,$testcmd);
  

•            $status .=",\"pid\":\"$pid[0]\"";
  

•            my $memory = 0;
  

•            foreach (@pid){
  

•                    chomp($_);
  

•                    if (open(FILE, "/proc/$_/statm")){
  

•                            my $temp = <FILE>;
  

•                            @memory = split(/ /,$temp);
  

•                    }
  

•                    $memory+=$memory[0];
  

•            }
  

• $memory*=1024;
  

•            $status .=",\"memory\":$memory";
  

•    }else{
  

•            $status = "\"state\":0";
  

•    }
  

•    return $status;
  

+} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..340bb8e66 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -14,4 +14,4 @@ # Append / edit the following list of commands to fit your needs: # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping

This is absolutely impossible to give the zabbix user control to start/stop any add-on and to read and change the entire iptables ruleset.

Zabbix is listening on the network and does not have any kind of authentication. Any security vulnerabilities in Zabbix would allow to alter the firewall rules and DoS any add-ons. This is dangerous.

Are there any alternative ways to realise this functionality?

diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf b/config/zabbix_agentd/template_module_ipfire_network_stats.conf new file mode 100644 index 000000000..f1658ed07 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf @@ -0,0 +1,4 @@ +### Parameters for monitoring IPFire network statistics +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "/* $2 */" | awk '{ print $$2 }'; diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf new file mode 100644 index 000000000..5f95218e3 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_services.conf @@ -0,0 +1,2 @@ +### Parameter for monitoring IPFire services +UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfire_services.pl diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 73e08d20a..c0d28d51f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = +DEPS = "fping"

############################################################################### # Top-level Rules @@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \ /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew

• install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_stats.conf \

• /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew
  

• install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services.conf \

• /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew
  

• install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \

• /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew
  
  

  # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix

diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 4248a7ec1..ced915c81 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -66,8 +66,13 @@ restore_backup ${NAME} # Put zabbix configfiles in place setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf setup_configfile /etc/sudoers.d/zabbix

+# Overwrite script if it exists as user should not modify it but it is included in backup +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl

if $review_required; then echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files." echo " They may need manual review in order to take advantage of new features" diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index 7a13880c5..ccbc8f7cf 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,6 +26,8 @@ stop_service ${NAME}

# Remove .ipfirenew files in advance so they won't be included in backup rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew +# Remove script-file as it should not have been modified by user +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl

make_backup ${NAME} remove_files -- 2.30.2

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

-Michael

Hello,

On 12 Apr 2021, at 23:16, Robin Roevens robin.roevens@disroot.org wrote:

Hi Michael

Michael Tremer schreef op ma 12-04-2021 om 11:36 [+0100]:

...

Hello,

...

On 7 Apr 2021, at 21:44, Robin Roevens robin.roevens@disroot.org wrote: ... ... diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..dbf8aec56 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl @@ -0,0 +1,221 @@ +#!/usr/bin/perl +#################################################################### ########### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Based on: services.cgi by IPFire Team +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see < http://www.gnu.org/licenses/%3E. +# +#################################################################### ###########

+use strict;

+# enable only the following on debugging purpose +# use warnings;

+# Maps a nice printable name to the changing part of the pid file, which +# is also the name of the program +my %servicenames =(

•    'DHCP Server' => 'dhcpd',
  

•    'Web Server' => 'httpd',
  

•    'CRON Server' => 'fcron',
  

•    'DNS Proxy Server' => 'unbound',
  

•    'Logging Server' => 'syslogd',
  

•    'Kernel Logging Server' => 'klogd',
  

•    'NTP Server' => 'ntpd',
  

•    'Secure Shell Server' => 'sshd',
  

•    'VPN' => 'charon',
  

•    'Web Proxy' => 'squid',
  

•    'Intrusion Detection System' => 'suricata',
  

•    'OpenVPN' => 'openvpn'
  

+);

You have a hard-coded list with process names here. It technically is missing add-ons but including everything would make this list very long and a lot of work to maintain...

As explained in my previous mail, I don't currently know of a method to get a list of mandatory IPFire specific services. So this list is a straight copy out of services.cgi minus the translation. The add-on services are looked up below, exactly like it is done in services.cgi.

What list are you looking for? Just all processes that are running?

...

...

+# Hash to overwrite the process name of a process if it differs from the launch command. +my %overwrite_exename_hash = (

•    "suricata" => "Suricata-Main"
  

+);

+my $first = 1;

+print "[";

+# Built-in services +my $key = ''; +foreach $key (sort keys %servicenames){

•   print "," if not $first;
  

•   $first = 0;
  

•   print "{";
  

•   print "\"service\":\"$key\",";
  

•   my $shortname = $servicenames{$key};
  

•   print &servicestats($shortname);
  

•   print "}";
  

+}

+# Generate list of installed addon pak's +my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut - d"-" -f2`; +foreach (@pak){

•   chomp($_);
  

•   # Check which of the paks are services
  

•   my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`;
  

•   foreach (@svc){
  

•           # blacklist some packages
  

•           #
  

•           # alsa has trouble with the volume saving and was not
  

really stopped

•           # mdadm should not stopped with webif because this
  

could crash the system

•           #
  

•           chomp($_);
  

•           if ( $_ eq 'squid' ) {
  

•                   next;
  

•           }
  

•           if ( ($_ ne "alsa") && ($_ ne "mdadm") ) {
  

Another hardcoded list due to code duplication. Not your fault, but not pretty.

Indeed, as is probably clear by now, I too would prefer a more clean way of generating a list of services.

Currently seeing this piece of code again.. I think this blacklist in services.cgi only exists so the user can't stop/start the service using the webgui.. But there is no such functionality in this script.. so I think I can skip this blacklist, and also provide service state of alsa and mdadm.. (not sure why squid is here, is there an addon that also provides squid, maybe squid-accounting?)

The code seemed to have some trouble with hyphenated package names, that is why those checks were introduced.

It is pretty bad code and we should rework it some time, but definitely not copy it if we can avoid it.

...

...

•                   print ",";
  

•                   print "{";
  

•                   print "\"service\":\"Addon: $_\",";
  

•                   print "\"servicename\":\"$_\",";
  

•                   my $onboot = isautorun($_);
  

•                   print "\"onboot\":$onboot,";
  

•                   print &addonservicestats($_);
  

•                   print "}";
  

•           }
  

•   }
  

+}

+print "]";

+sub servicestats{

•   my $cmd = $_[0];
  

•   my $status = "\"servicename\":\"$cmd\",\"state\":\"0\"";
  

•   my $pid = '';
  

•   my $testcmd = '';
  

•    my $exename;
  

•    my $memory;
  

•   $cmd =~ /(^[a-z]+)/;
  

•   # Check if the exename needs to be overwritten.
  

•    # This happens if the expected process name string
  

•    # differs from the real one. This may happened if
  

•    # a service uses multiple processes or threads.
  

•    if (exists($overwrite_exename_hash{$cmd})) {
  

•            # Grab the string which will be reported by
  

•            # the process from the corresponding hash.
  

•            $exename = $overwrite_exename_hash{$1};
  

•    } else {
  

•            # Directly expect the launched command as
  

•            # process name.
  

•            $exename = $1;
  

•    }
  

•   if (open(FILE, "/var/run/${cmd}.pid")){
  

•            $pid = <FILE>; chomp $pid;
  

•            close FILE;
  

•            if (open(FILE, "/proc/${pid}/status")){
  

•                    while (<FILE>){
  

•                            if (/^Name:\W+(.*)/) {
  

•                                    $testcmd = $1;
  

•                            }
  

•                    }
  

•                    close FILE;
  

•            }
  

•            if (open(FILE, "/proc/${pid}/status")) {
  

•                    while (<FILE>) {
  

•                            my ($key, $val) = split(":", $_, 2);
  

•                            if ($key eq 'VmRSS') {
  

•                                   $val =~ /\s*([0-9]*)\s+kB/;
  

•                                   # Convert kB to B
  

•                                    $memory = $1*1024;
  

•                                    last;
  

•                            }
  

•                    }
  

•                    close(FILE);
  

•            }
  

•            if ($testcmd =~ /$exename/){
  

•                   $status =
  

""servicename":"$cmd","state":1,"pid":$pid,"memory":$memory ";

•           }
  

•    }
  

•    return $status;
  

+}

+sub isautorun{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`;
  

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "1";
  

•    }
  

•    $init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`;
  

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "0";
  

•    }
  

•    return $status;
  

+}

+sub addonservicestats{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $pid = '';
  

•    my $testcmd = '';
  

•    my $exename;
  

•    my @memory = (0);
  

•    $testcmd = `sudo /usr/local/bin/addonctrl $_ status
  

2>/dev/null`;

•    if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\
  

running/){

•            $status = "\"state\":1";
  

•            $testcmd =~ s/.* //gi;
  

•            $testcmd =~ s/[a-z_]//gi;
  

•            $testcmd =~ s/\[[0-1]\;[0-9]+//gi;
  

•            $testcmd =~ s/[\(\)\.]//gi;
  

•            $testcmd =~ s/  //gi;
  

•            $testcmd =~ s///gi;
  

•            my @pid = split(/\s/,$testcmd);
  

•            $status .=",\"pid\":\"$pid[0]\"";
  

•            my $memory = 0;
  

•            foreach (@pid){
  

•                    chomp($_);
  

•                    if (open(FILE, "/proc/$_/statm")){
  

•                            my $temp = <FILE>;
  

•                            @memory = split(/ /,$temp);
  

•                    }
  

•                    $memory+=$memory[0];
  

•            }
  

•           $memory*=1024;
  

•            $status .=",\"memory\":$memory";
  

•    }else{
  

•            $status = "\"state\":0";
  

•    }
  

•    return $status;
  

+} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..340bb8e66 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -14,4 +14,4 @@ # Append / edit the following list of commands to fit your needs: # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping

This is absolutely impossible to give the zabbix user control to start/stop any add-on and to read and change the entire iptables ruleset.

Zabbix is listening on the network and does not have any kind of authentication. Any security vulnerabilities in Zabbix would allow to alter the firewall rules and DoS any add-ons. This is dangerous.

There is some level of security:

I agree that it is *some*, but is it enough?

• the agent will only respond on requests from the configured Zabbix

server (which the user has to configure in the zabbix agentd conf-file, and defaults to 127.0.0.1 as we can't possibly know the ip of the user's server, so by default the agent responds to no one)

Host-based ACLs are not really a thing. On the local network faking a source IP address is one of the easiest jobs.

• By default remote commands (as in requests to the agent to execute

any command given) are disabled so the only way to make the agent call those binaries is to request a predefined userparameter that in turn will execute such a command with predefined params (see the additional template_...conf-files) and on top of that, the user can add additional security by configuring encryption in the agent main configfile

Encryption is not authentication.

And the predefined parameters might be a thing, but my view is that zabbix can execute quite serious commands if it is being exploited.

The Zabbix Agent had exactly one of these vulnerabilities in 2009 where an attacker could execute arbitrary commands:

https://www.cvedetails.com/cve/CVE-2009-4502/

But as you point out, a possible vulnerability of some sort may indeed still pose risks this way.

I just find this risk insanely large. I am not going to tell people what software they can use and what not, but I want to avoid that the default configuration is adding major security issues to the entire system. And adding those sudo rules by default does exactly this.

What would a monitoring tool do with a dump of the iptables ruleset? I do not even understand where the use of this is.

...

Are there any alternative ways to realise this functionality?

As sudo is not able to allow commands with variable parameters together with fixed parameters, a popular solution is using wrapper scripts, not writable by the user, denying the user direct access to the commands in question.

/usr/local/bin/addonctrl is only called from within the ipfire_services.pl script I provide, in the form of "addonctrl <service> status". So I could add /etc/zabbix_agentd/scripts/ipfire_services.pl to the sudo list instead so that the zabbix user won't be able to call addonctrl directly. (making sure zabbix user has no write permission on that script)

The same goes for iptables. This is only called by the predefined userparameter "ipfire.net.fw.hits[*]" defined in template_module_ipfire_network_stats.conf in the form "/sbin/iptables - vnxL $1 | grep "/* $2 */" | awk '{ print $$2 }';" where $1 (chain) and $2 (rule) are parameters that have to be supplied to the agent when requesting that item. Here I can also supply a wrapper-script to be called by sudo /etc/zabbix_agentd/scripts/firewall_hits.sh that accepts those parameters, and checks them for validity and against abuse.

Regards Robin

-Michael

...

...

diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf b/config/zabbix_agentd/template_module_ipfire_network_stats.conf new file mode 100644 index 000000000..f1658ed07 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf @@ -0,0 +1,4 @@ +### Parameters for monitoring IPFire network statistics +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "/* $2 */" | awk '{ print $$2 }'; diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf new file mode 100644 index 000000000..5f95218e3 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_services.conf @@ -0,0 +1,2 @@ +### Parameter for monitoring IPFire services +UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfire_serv ices.pl diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 73e08d20a..c0d28d51f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = +DEPS = "fping"

##################################################################### ########## # Top-level Rules @@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \ /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfi re.conf.ipfirenew

•   install -v -m 644
  

$(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_stats. conf \

•           /etc/zabbix_agentd/zabbix_agentd.d/template_module_ip
  

fire_network_stats.conf.ipfirenew

•   install -v -m 644
  

$(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services.conf \

•           /etc/zabbix_agentd/zabbix_agentd.d/template_module_ip
  

fire_services.conf.ipfirenew

•   install -v -m 755
  

$(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \

•           /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfiren
  

ew

    # Create directory for additional agent modules
    -mkdir -pv /usr/lib/zabbix

diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 4248a7ec1..ced915c81 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -66,8 +66,13 @@ restore_backup ${NAME} # Put zabbix configfiles in place setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_sta ts.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.co nf setup_configfile /etc/sudoers.d/zabbix

+# Overwrite script if it exists as user should not modify it but it is included in backup +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl

if $review_required; then echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files." echo " They may need manual review in order to take advantage of new features" diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index 7a13880c5..ccbc8f7cf 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,6 +26,8 @@ stop_service ${NAME}

# Remove .ipfirenew files in advance so they won't be included in backup rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew +# Remove script-file as it should not have been modified by user +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl

make_backup ${NAME} remove_files -- 2.30.2

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

-Michael

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Hello,

On 15 Apr 2021, at 14:12, Robin Roevens robin.roevens@disroot.org wrote:

Hi Michael

Michael Tremer schreef op do 15-04-2021 om 12:21 [+0100]:

...

Hello,

...

On 12 Apr 2021, at 23:16, Robin Roevens < robin.roevens@disroot.org

...

wrote:

Hi Michael

Michael Tremer schreef op ma 12-04-2021 om 11:36 [+0100]:

...

Hello,

...

On 7 Apr 2021, at 21:44, Robin Roevens < robin.roevens@disroot.org

...

wrote: ... ... diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..dbf8aec56 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl @@ -0,0 +1,221 @@ +#!/usr/bin/perl +############################################################## ###### ########### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Based on: services.cgi by IPFire Team +# Copyright (C) 2007-2021 IPFire Team < info@ipfire.org

...

+# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see < http://www.gnu.org/licenses/

...

.

+# +############################################################## ###### ###########

+use strict;

+# enable only the following on debugging purpose +# use warnings;

+# Maps a nice printable name to the changing part of the pid file, which +# is also the name of the program +my %servicenames =(

•    'DHCP Server' => 'dhcpd',
  

•    'Web Server' => 'httpd',
  

•    'CRON Server' => 'fcron',
  

•    'DNS Proxy Server' => 'unbound',
  

•    'Logging Server' => 'syslogd',
  

•    'Kernel Logging Server' => 'klogd',
  

•    'NTP Server' => 'ntpd',
  

•    'Secure Shell Server' => 'sshd',
  

•    'VPN' => 'charon',
  

•    'Web Proxy' => 'squid',
  

•    'Intrusion Detection System' => 'suricata',
  

•    'OpenVPN' => 'openvpn'
  

+);

You have a hard-coded list with process names here. It technically is missing add-ons but including everything would make this list very long and a lot of work to maintain...

As explained in my previous mail, I don't currently know of a method to get a list of mandatory IPFire specific services. So this list is a straight copy out of services.cgi minus the translation. The add-on services are looked up below, exactly like it is done in services.cgi.

What list are you looking for? Just all processes that are running?

The purpose of my extension to the default is that a user can easily configure Zabbix to monitor "IPFire"-specific functionalities. Generic Linux metrics can be monitored by default Zabbix templates and agent built-in functionality eventually extended with user-defined scripts or modules.

Yes, and I am absolutely for it. The Zabbix Agent alone is not very useful when it does not understand the special metrics that IPFire has and exports them in some way or another.

That said, there is obviously always the problem that if a third person gains access to the monitoring system, they would have a full map of the entire network and loads of other metrics that are helpful to see whether their attack is effective and/or detected. That is something that is out of scope of this project and a risk that people need to evaluate elsewhere. Obviously no monitoring at all is not a solution either.

The IPFire webgui has a nice overview of all vital IPFire services and their state, as well as for addon-services. A user can browse the status pages of the WebGUI to have a view of how their IPFire machine is running This is exactly what I want to provide to the Zabbix user, hence my copy of services.cgi-code.

Understood. Since the services.cgi code is a bit ugly, we might want to rethink how we solve this.

I would be in favour of a file that every add-on brings with it and that makes it show up on the services.cgi table as well as bringing some more meta information like the name of the initscript (if there is one) which you could then call by using addonctrl status.

Alternatively, I could 'parse' the output of the services-page of the webserver. But that is rather something one would do when trying to monitor a black-box.

That is going to break as soon as we touch any of the markup.

...

...

...

...

+# Hash to overwrite the process name of a process if it differs from the launch command. +my %overwrite_exename_hash = (

•    "suricata" => "Suricata-Main"
  

+);

+my $first = 1;

+print "[";

+# Built-in services +my $key = ''; +foreach $key (sort keys %servicenames){

•   print "," if not $first;
  

•   $first = 0;
  

•   print "{";
  

•   print "\"service\":\"$key\",";
  

•   my $shortname = $servicenames{$key};
  

•   print &servicestats($shortname);
  

•   print "}";
  

+}

+# Generate list of installed addon pak's +my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut - d"-" -f2`; +foreach (@pak){

•   chomp($_);
  

•   # Check which of the paks are services
  

•   my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/"
  

-f4`;

•   foreach (@svc){
  

•           # blacklist some packages
  

•           #
  

•           # alsa has trouble with the volume saving and
  

was not really stopped

•           # mdadm should not stopped with webif because
  

this could crash the system

•           #
  

•           chomp($_);
  

•           if ( $_ eq 'squid' ) {
  

•                   next;
  

•           }
  

•           if ( ($_ ne "alsa") && ($_ ne "mdadm") ) {
  

Another hardcoded list due to code duplication. Not your fault, but not pretty.

Indeed, as is probably clear by now, I too would prefer a more clean way of generating a list of services.

Currently seeing this piece of code again.. I think this blacklist in services.cgi only exists so the user can't stop/start the service using the webgui.. But there is no such functionality in this script.. so I think I can skip this blacklist, and also provide service state of alsa and mdadm.. (not sure why squid is here, is there an addon that also provides squid, maybe squid-accounting?)

The code seemed to have some trouble with hyphenated package names, that is why those checks were introduced.

It is pretty bad code and we should rework it some time, but definitely not copy it if we can avoid it.

...

...

...

•                   print ",";
  

•                   print "{";
  

•                   print "\"service\":\"Addon: $_\",";
  

•                   print "\"servicename\":\"$_\",";
  

•                   my $onboot = isautorun($_);
  

•                   print "\"onboot\":$onboot,";
  

•                   print &addonservicestats($_);
  

•                   print "}";
  

•           }
  

•   }
  

+}

+print "]";

+sub servicestats{

•   my $cmd = $_[0];
  

•   my $status =
  

""servicename":"$cmd","state":"0"";

•   my $pid = '';
  

•   my $testcmd = '';
  

•    my $exename;
  

•    my $memory;
  

•   $cmd =~ /(^[a-z]+)/;
  

•   # Check if the exename needs to be overwritten.
  

•    # This happens if the expected process name string
  

•    # differs from the real one. This may happened if
  

•    # a service uses multiple processes or threads.
  

•    if (exists($overwrite_exename_hash{$cmd})) {
  

•            # Grab the string which will be reported by
  

•            # the process from the corresponding hash.
  

•            $exename = $overwrite_exename_hash{$1};
  

•    } else {
  

•            # Directly expect the launched command as
  

•            # process name.
  

•            $exename = $1;
  

•    }
  

•   if (open(FILE, "/var/run/${cmd}.pid")){
  

•            $pid = <FILE>; chomp $pid;
  

•            close FILE;
  

•            if (open(FILE, "/proc/${pid}/status")){
  

•                    while (<FILE>){
  

•                            if (/^Name:\W+(.*)/) {
  

•                                    $testcmd = $1;
  

•                            }
  

•                    }
  

•                    close FILE;
  

•            }
  

•            if (open(FILE, "/proc/${pid}/status")) {
  

•                    while (<FILE>) {
  

•                            my ($key, $val) = split(":",
  

$_, 2);

•                            if ($key eq 'VmRSS') {
  

•                                   $val =~ /\s*([0-
  

9]*)\s+kB/;

•                                   # Convert kB to B
  

•                                    $memory = $1*1024;
  

•                                    last;
  

•                            }
  

•                    }
  

•                    close(FILE);
  

•            }
  

•            if ($testcmd =~ /$exename/){
  

•                   $status =
  

""servicename":"$cmd","state":1,"pid":$pid,"memory":$ memory ";

•           }
  

•    }
  

•    return $status;
  

+}

+sub isautorun{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $init = `find /etc/rc.d/rc3.d/S??${cmd}
  

2>/dev/null`;

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "1";
  

•    }
  

•    $init = `find /etc/rc.d/rc3.d/off/S??${cmd}
  

2>/dev/null`;

•    chomp ($init);
  

•    if ($init ne ''){
  

•            $status = "0";
  

•    }
  

•    return $status;
  

+}

+sub addonservicestats{

•    my $cmd = $_[0];
  

•    my $status = "0";
  

•    my $pid = '';
  

•    my $testcmd = '';
  

•    my $exename;
  

•    my @memory = (0);
  

•    $testcmd = `sudo /usr/local/bin/addonctrl $_ status
  

2>/dev/null`;

•    if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\
  

not\ running/){

•            $status = "\"state\":1";
  

•            $testcmd =~ s/.* //gi;
  

•            $testcmd =~ s/[a-z_]//gi;
  

•            $testcmd =~ s/\[[0-1]\;[0-9]+//gi;
  

•            $testcmd =~ s/[\(\)\.]//gi;
  

•            $testcmd =~ s/  //gi;
  

•            $testcmd =~ s///gi;
  

•            my @pid = split(/\s/,$testcmd);
  

•            $status .=",\"pid\":\"$pid[0]\"";
  

•            my $memory = 0;
  

•            foreach (@pid){
  

•                    chomp($_);
  

•                    if (open(FILE, "/proc/$_/statm")){
  

•                            my $temp = <FILE>;
  

•                            @memory = split(/ /,$temp);
  

•                    }
  

•                    $memory+=$memory[0];
  

•            }
  

•           $memory*=1024;
  

•            $status .=",\"memory\":$memory";
  

•    }else{
  

•            $status = "\"state\":0";
  

•    }
  

•    return $status;
  

+} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..340bb8e66 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -14,4 +14,4 @@ # Append / edit the following list of commands to fit your needs: # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping

This is absolutely impossible to give the zabbix user control to start/stop any add-on and to read and change the entire iptables ruleset.

Zabbix is listening on the network and does not have any kind of authentication. Any security vulnerabilities in Zabbix would allow to alter the firewall rules and DoS any add-ons. This is dangerous.

There is some level of security:

I agree that it is *some*, but is it enough?

...

• the agent will only respond on requests from the configured

Zabbix server (which the user has to configure in the zabbix agentd conf- file, and defaults to 127.0.0.1 as we can't possibly know the ip of the user's server, so by default the agent responds to no one)

Host-based ACLs are not really a thing. On the local network faking a source IP address is one of the easiest jobs.

...

• By default remote commands (as in requests to the agent to

execute any command given) are disabled so the only way to make the agent call those binaries is to request a predefined userparameter that in turn will execute such a command with predefined params (see the additional template_...conf-files) and on top of that, the user can add additional security by configuring encryption in the agent main configfile

Encryption is not authentication.

And the predefined parameters might be a thing, but my view is that zabbix can execute quite serious commands if it is being exploited.

The Zabbix Agent had exactly one of these vulnerabilities in 2009 where an attacker could execute arbitrary commands:

https://www.cvedetails.com/cve/CVE-2009-4502/

...

But as you point out, a possible vulnerability of some sort may indeed still pose risks this way.

I just find this risk insanely large. I am not going to tell people what software they can use and what not, but I want to avoid that the default configuration is adding major security issues to the entire system. And adding those sudo rules by default does exactly this.

I totally agree, I was only pointing out the *some* security there is, but that will indeed never be sufficient to allow full access to iptables or addonctrl by default.

I could live with the information leak (that is pretty much what Zabbix is designed for), but I cannot live with the possibility that breaking in the agent allows changing the iptables ruleset. Definitely not in the default configuration.

A user could, on his own risk, do that to maybe have the agent execute firewall-actions as a reaction to a detected network attack or so.. But that is not something we should provide by default.

...

What would a monitoring tool do with a dump of the iptables ruleset? I do not even understand where the use of this is.

The same as IPFire webgui currently does on netother.cgi?fwhits?day by calling /sbin/iptables -vnxL <chain> | grep "/* <rule> */" | awk '{ print $2 }';: keep history of and eventually react on the number of firewall-hits.

We have the following SUID binary:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/misc-progs/getipstat.c...

It isn’t pretty, but dumps the entire iptables ruleset into files which you can then read.

This allows exposing the ruleset without giving the agent the option to run the iptables command as root.

But you are completely right that access to iptables should be restricted to just that what we want to get from it, which can be achieved with a wrapper script as explained below in my previous mail.

-Michael

Regards

Robin

...

...

...

Are there any alternative ways to realise this functionality?

As sudo is not able to allow commands with variable parameters together with fixed parameters, a popular solution is using wrapper scripts, not writable by the user, denying the user direct access to the commands in question.

/usr/local/bin/addonctrl is only called from within the ipfire_services.pl script I provide, in the form of "addonctrl <service> status". So I could add /etc/zabbix_agentd/scripts/ipfire_services.pl to the sudo list instead so that the zabbix user won't be able to call addonctrl directly. (making sure zabbix user has no write permission on that script) The same goes for iptables. This is only called by the predefined userparameter "ipfire.net.fw.hits[*]" defined in template_module_ipfire_network_stats.conf in the form "/sbin/iptables - vnxL $1 | grep "/* $2 */" | awk '{ print $$2 }';" where $1 (chain) and $2 (rule) are parameters that have to be supplied to the agent when requesting that item. Here I can also supply a wrapper-script to be called by sudo /etc/zabbix_agentd/scripts/firewall_hits.sh that accepts those parameters, and checks them for validity and against abuse.

Regards Robin

-Michael

...

...

...

diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.con f b/config/zabbix_agentd/template_module_ipfire_network_stats.con f new file mode 100644 index 000000000..f1658ed07 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.con f @@ -0,0 +1,4 @@ +### Parameters for monitoring IPFire network statistics +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "/* $2 */" | awk '{ print $$2 }'; diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf new file mode 100644 index 000000000..5f95218e3 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_services.conf @@ -0,0 +1,2 @@ +### Parameter for monitoring IPFire services +UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfir e_serv ices.pl diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 73e08d20a..c0d28d51f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = +DEPS = "fping"

############################################################### ###### ########## # Top-level Rules @@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \ /etc/zabbix_agentd/zabbix_agentd.d/template_app _pakfi re.conf.ipfirenew

•   install -v -m 644
  

$(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_ stats. conf \

•           /etc/zabbix_agentd/zabbix_agentd.d/template_mod
  

ule_ip fire_network_stats.conf.ipfirenew

•   install -v -m 644
  

$(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services .conf \

•           /etc/zabbix_agentd/zabbix_agentd.d/template_mod
  

ule_ip fire_services.conf.ipfirenew

•   install -v -m 755
  

$(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \

•           /etc/zabbix_agentd/scripts/ipfire_services.pl.i
  

pfiren ew

   # Create directory for additional agent modules
   -mkdir -pv /usr/lib/zabbix

diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 4248a7ec1..ced915c81 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -66,8 +66,13 @@ restore_backup ${NAME} # Put zabbix configfiles in place setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_netwo rk_sta ts.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_servi ces.co nf setup_configfile /etc/sudoers.d/zabbix

+# Overwrite script if it exists as user should not modify it but it is included in backup +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl

if $review_required; then echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files." echo " They may need manual review in order to take advantage of new features" diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index 7a13880c5..ccbc8f7cf 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,6 +26,8 @@ stop_service ${NAME}

# Remove .ipfirenew files in advance so they won't be included in backup rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew +# Remove script-file as it should not have been modified by user +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl

make_backup ${NAME} remove_files -- 2.30.2

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

-Michael

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.