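Zabbix recently announced two security vulnerabilities that affect multiple versions. Their identifiers are as follows:
The high-severity vulnerability CVE-2023-32725 reportedly has a CVSS score of 9.6. It occurs in dashboards: when a user uses Scheduled reports with a dashboard that contains a URL widget, the zbx_session cookie is leaked. Specifically, when a scheduled report is configured or generated, the website configured in the URL widget receives the session cookie. An attacker can use the cookie to impersonate the Zabbix user who created the report and authorize themselves in the Zabbix frontend with that user's privileges.
Versions affected by CVE-2023-32725:
6.0.0 – 6.0.21
6.4.0 – 6.4.6
7.0.0alpha1 – 7.0.0alpha3
The medium-severity vulnerability CVE-2023-32727 is an icmpping() code execution vulnerability with a CVSS score of 6.8. An attacker who has permission to configure Zabbix items can use the icmpping() function, with a malicious command included in the function, to execute arbitrary code on the current Zabbix server.
Versions affected by CVE-2023-32727:
4.0.0 – 4.0.49
5.0.0 – 5.0.38
6.0.0 – 6.0.22
6.4.0 – 6.4.7
7.0.0alpha0 – 7.0.0alpha6
As of now, Zabbix has not released patches for these two vulnerabilities, but they can be fixed by upgrading to a newer version. The detailed remediation is described below, covering both a compile upgrade and a no-compile replacement upgrade.
This procedure applies when fixing known vulnerabilities in the current version by upgrading the platform's Zabbix minor version:
High-severity vulnerability CVE-2023-32725
General vulnerability CVE-2023-32727
Taking the medium-severity vulnerability CVE-2023-32727 as an example, the affected and fixed versions are as follows:
If the platform currently runs version 5.0.9, upgrade to minor version 5.0.39 or later;
If the platform currently runs version 6.0.20, upgrade to minor version 6.0.23rc1 or later.
For the specific vulnerability check and remediation steps, see sections 2, 3 and 4.
In the procedures below, the compile upgrade uses a Zabbix 5.0.9 environment as the example, and the no-compile replacement upgrade uses a Zabbix 6.0.20 environment.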
/itops/zabbix/sbin/zabbix_server -V
# Output:
zabbix_server (zabbix) 5.0.9
Revision 4d07aaafe2 22 February 2021, compilation time: Mar 18 2021 23:50:53
Copyright (C) 2021 zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.0.2k-fips 26 Jan 2017
Running with OpenSSL 1.0.2k-fips 26 Jan 2017
From the output, the current version is 5.0.9, which is within the affected version range.
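The version check above can be scripted so that it is repeatable across hosts. The following is an added example, not part of the original article: it encodes the affected ranges listed in the advisory text above and tests a version string against them. The function names (`zbx_version_from_banner`, `zbx_affected`, `zbx_report`) are hypothetical, and the banner line is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article). Affected ranges are copied
# from the advisory text above; function names are hypothetical.
# Line format: CVE series first last [pre-release tag]
ZBX_RANGES='CVE-2023-32725 6.0 0 21
CVE-2023-32725 6.4 0 6
CVE-2023-32725 7.0 1 3 alpha
CVE-2023-32727 4.0 0 49
CVE-2023-32727 5.0 0 38
CVE-2023-32727 6.0 0 22
CVE-2023-32727 6.4 0 7
CVE-2023-32727 7.0 0 6 alpha'

# Read `zabbix_server -V` output on stdin, print the version from line 1.
zbx_version_from_banner() {
    awk 'NR == 1 { print $NF; exit }'
}

# zbx_affected CVE VERSION
# Exit status: 0 = in a listed range, 1 = not listed, 2 = unparseable version.
zbx_affected() {
    awk -v cve="$1" -v ver="$2" '
        BEGIN {
            rc = 1
            if (split(ver, p, ".") < 3 || p[1] !~ /^[0-9]+$/ || p[2] !~ /^[0-9]+$/) { rc = 2; exit }
            series = p[1] "." p[2]
            if (p[3] ~ /^0alpha[0-9]+$/) { tag = "alpha"; n = substr(p[3], 7) + 0 }  # 7.0.0alpha3 -> 3
            else if (p[3] ~ /^[0-9]+/)   { tag = "";      n = p[3] + 0 }             # 6.0.23rc1 -> 23
            else { rc = 2; exit }
        }
        $1 == cve && $2 == series && $5 == tag && n >= $3 && n <= $4 { rc = 0; exit }
        END { exit rc }' <<EOF
$ZBX_RANGES
EOF
}

# Print one status line per CVE for the given version.
zbx_report() {
    for cve in CVE-2023-32725 CVE-2023-32727; do
        if zbx_affected "$cve" "$1"; then echo "$cve: $1 AFFECTED, upgrade required"
        else echo "$cve: $1 not in a listed affected range"; fi
    done
}

# Constructed sample: first line of the `zabbix_server -V` output shown above.
# On a live host: /itops/zabbix/sbin/zabbix_server -V | zbx_version_from_banner
zbx_report "$(printf 'zabbix_server (zabbix) 5.0.9\n' | zbx_version_from_banner)"
```

Running the same check again after the upgrade confirms that the new binary reports a version outside both ranges.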
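Locate the directory used for the previous build. Taking the current 5.0.9 environment as an example, search the whole filesystem for the directory zabbix-5.0.9: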
find / -name zabbix-5.0.9
# Output:
/root/packages/LWSetup/packages/zabbix-5.0.9
# Enter the directory and inspect the config.log file
cd /root/packages/LWSetup/packages/zabbix-5.0.9
grep '/configure' config.log
# Output:
# $ ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
# Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
The build parameters recovered from this are: ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
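The vulnerability advisory shows which versions you need to upgrade to in order to avoid the risk; the source package can be obtained from the Zabbix website. The steps below use Zabbix 5.0.40 as the example.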
cp -rp /itops/zabbix/ /itops/zabbix-5.0.9/
tar xf zabbix-5.0.40.tar.gz
cd zabbix-5.0.40
./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
make install
# Output of a successful build:
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database/sqlite3'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
make[3]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
Making install in man
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Nothing to be done for `install-exec-am'.
/usr/bin/mkdir -p '/itops/zabbix/share/man/man1'
/usr/bin/install -c -m 644 'zabbix_get.man' '/itops/zabbix/share/man/man1/zabbix_get.1'
/usr/bin/install -c -m 644 'zabbix_sender.man' '/itops/zabbix/share/man/man1/zabbix_sender.1'
/usr/bin/mkdir -p '/itops/zabbix/share/man/man8'
/usr/bin/install -c -m 644 'zabbix_agentd.man' '/itops/zabbix/share/man/man8/zabbix_agentd.8'
/usr/bin/install -c -m 644 'zabbix_server.man' '/itops/zabbix/share/man/man8/zabbix_server.8'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
Making install in misc
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
Errors from the configure build parameters
Error: configure: error: Invalid Net-SNMP directory - unable to find net-snmp-config
Fix: yum install -y net-snmp-devel
service zabbix_server restart
service zabbix_agentd restart
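The vulnerabilities above do not involve the proxy component, so it does not need to be upgraded; it is enough for the major version to match, and a difference in minor version has no effect.
If an upgrade is necessary, follow the server build procedure, which is essentially the same.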
mv /itops/zabbix/ /itops/zabbix-5.0.40
mv /itops/zabbix-5.0.9/ /itops/zabbix/
service zabbix_server restart
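Use the no-compile tar.xz package published by 乐维社区 (Lewei Community) and replace the files after extracting it.
· Upload the new extract-and-run package to the server host
Download the program package and the lib package from the attachments
Note: this package supports only CentOS/RedHat 7.4-7.9 environments
· Back up the original server directory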
cp -rp /itops/zabbix/ /itops/bakzbx-6.0.20
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.20
· Extract the files
tar xf zabbix-6.0.25.tar.xz -C /tmp
tar xf zabbix-lib.tar.xz -C /usr/lib/itops
· Replace the original binaries and dependency libraries
mv -f /tmp/zabbix/sbin/zabbix_server /itops/zabbix/sbin/zabbix_server
mv -f /tmp/zabbix/sbin/zabbix_agentd /itops/zabbix/sbin/zabbix_agentd
chmod +x /itops/zabbix/sbin/zabbix*
chown itops: /itops/zabbix/sbin/zabbix*
chown -R itops: /usr/lib/itops/zabbix
service zabbix_server restart
service zabbix_agentd restart
service zabbix_server stop
mv /itops/zabbix/ /itops/zabbix-6.0.25
mv /itops/bakzbx-6.0.20 /itops/zabbix/
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.25
mv /usr/lib/itops/libzbx-6.0.20 /usr/lib/itops/zabbix
service zabbix_server start
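At this point, the vulnerability remediation is complete.
The remediation above was provided by 乐维社区 (Lewei Community). Lewei Community is one of the larger professional operations and monitoring technology exchange platforms in China, dedicated to giving operations staff a space to exchange knowledge and help each other. For more Zabbix technical knowledge, join the community; questions about Zabbix deployment, Zabbix development and similar topics are also welcome there.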