| Message ID | 20210407204455.450-2-robin.roevens@disroot.org |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FFxJN5ryyz3yBV for <patchwork@web04.haj.ipfire.org>; Wed, 7 Apr 2021 20:46:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FFxJN2JvyztS; Wed, 7 Apr 2021 20:46:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FFxJN1Wkkz2xkF; Wed, 7 Apr 2021 20:46:28 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FFxJL0Tlyz2xBf for <development@lists.ipfire.org>; Wed, 7 Apr 2021 20:46:26 +0000 (UTC) Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4FFxJK2J7SzfQ for <development@lists.ipfire.org>; Wed, 7 Apr 2021 20:46:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id A832450D7D for <development@lists.ipfire.org>; Wed, 7 Apr 2021 22:46:24 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLqvLy9G7e75 for <development@lists.ipfire.org>; Wed, 7 Apr 2021 22:46:22 +0200 (CEST) Received: from amaterasu.sicho.home ([192.168.0.1] helo=chojin.sicho.home) by filekeeper.sicho.home with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <robin.roevens@disroot.org>) id 1lUF3Y-0003Zi-GH; Wed, 07 Apr 2021 22:45:44 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1617828355; bh=JHXSWDV5mjgS6P5eg2EiNTkN4hqcoiTJinURDNw61Ig=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=gQQ1qctqt7e7snRpoRkCQW+YhPi43cJmodFA8ua6YyHVa95mjG9AvYZlPudBAHUL1 sf5faiwO5KDT/OazVY3nA2L1pnPZ4fc6KECvjYeBtkzJSil666XND/qpwBjM9QuTxV Jp/JuiRmOwaMLsSbD7Myemw3Wj3zs4ykvfx+a3YBpn1YKnR4DciOE2z0y/Xk/G9GBh rxiBJ7wfreECpxyecvx87BOEUJmfUIbEgnshV1qS1m8VWY6AEt2dOgXQeY4kDpbpAT POs8lE+BTnBNYls0Su9hYRE1QEf/EcAJJwXualfJfMAa6tVa9OKjBdLihBuCm9kNdB x1UZ3u4uDgJPw== From: Robin Roevens <robin.roevens@disroot.org> To: development@lists.ipfire.org Subject: [PATCH 1/4] [V2] zabbix_agentd: Update to v5.0.10 (LTS) Date: Wed, 7 Apr 2021 22:44:53 +0200 Message-Id: <20210407204455.450-2-robin.roevens@disroot.org> In-Reply-To: <20210407204455.450-1-robin.roevens@disroot.org> References: <20210407204455.450-1-robin.roevens@disroot.org> Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-filekeeper-MailScanner-ID: 1lUF3Y-0003Zi-GH X-filekeeper-MailScanner: Found to be clean X-filekeeper-MailScanner-From: robin.roevens@disroot.org X-filekeeper-MailScanner-Watermark: 1618433146.85515@eu9dBQLZKxuD37B+gBNoBw ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1617828385; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=phBX7X6+j+OYYV0I0egMhyPDrk8oU/3TApLZ98KjMTY=; b=OPtb6AC6R5zxvNFyEqXBuAj2VPI3lq2LjTnDa4sdU9QTBQ8gYLh18M1cxzDX6Ac7VQZAsQ JAbnD4u7ZQnisG3hENgyoJ4MCSP9Mo9XMuBUPqtafvirquLr7p+i3qLKdJ2fIDH6yVHHg8 VDFKNrd+AHNnTOVlqBavxEX6gYh3cKwS83DXnTVFtRJkTjM5yJv62rQISDUnhMdI2J5WcC Q6Pznmsg9S/7DHzmaWiHtSCF7iN+Kmb46+K5eO+0LFUUxbNAp2pwL1b3zjQhVpPst67mP8 wWQrV4aEIAv36KQbmgsygBRAMUH58VWX2Auc+XDEIAlrgS23iKs1SkvZ3uvm6A== ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1617828385; a=rsa-sha256; cv=none; b=lnH7S9kHHYtcJK9InyEYwQ6BxW5g9yZ4noEu8OwKEUnXCbNIAEDmy96kIzo8i4+eiWYafq tBGr5TCU+DYYpxCRDHuXkAKFzRobosXmVsgvqxd1HKm7MiNt26FtAvwR4b6PbV370pKz4r bKxkTITzfN1p58N01CVlY7OA2+oO6tkJDHgN9E6ksB0t93+JgNnhOYqJ5DItQGXvHnBwXX 8ziMKD+350tbK1KVQcnpM+i+EtwcgWhloETbkYrGDy+iD9uznOxsIrrMyMJoKY4C7cmMef OFO5+x37biVB1YWAuHxb0tBsQAByKiCMI3nFwzM+AINRqQRkmiBBd4AGfwRrHQ== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=gQQ1qctq; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Queue-Id: 4FFxJK2J7SzfQ Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=gQQ1qctq; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Server: mail01.haj.ipfire.org X-Spamd-Result: default: False [-4.76 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a:c]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; REPLY(-4.00)[]; BROKEN_CONTENT_TYPE(1.50)[]; R_MISSING_CHARSET(2.50)[]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; IP_REPUTATION_HAM(-2.26)[asn: 50673(-0.32), country: NL(-0.01), ip: 178.21.23.139(-0.80)]; DKIM_TRACE(0.00)[disroot.org:+]; RCPT_COUNT_TWO(0.00)[2]; MID_CONTAINS_FROM(1.00)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; BAYES_HAM(-3.00)[99.99%] X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series | zabbix_agentd: new maintainer/summary | |
Commit Message
Robin Roevens
April 7, 2021, 8:44 p.m. UTC
- Update from 4.2.6 to latest LTS version 5.0.10
See release notes: https://www.zabbix.com/rn/rn5.0.10
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
---
config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
lfs/zabbix_agentd | 11 ++-
2 files changed, 121 insertions(+), 14 deletions(-)
Comments
Hi Robin, I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done. The lfs file changes look perfect to me. A general comment I would make is that when you want to do a v2 version then if you enter git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3]. Note it is lower case v Regards, Adolf On 07/04/2021 22:44, Robin Roevens wrote: > - Update from 4.2.6 to latest LTS version 5.0.10 > See release notes: https://www.zabbix.com/rn/rn5.0.10 > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > --- > config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- > lfs/zabbix_agentd | 11 ++- > 2 files changed, 121 insertions(+), 14 deletions(-) > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf > index 21b8e0122..4d6c4c154 100644 > --- a/config/zabbix_agentd/zabbix_agentd.conf > +++ b/config/zabbix_agentd/zabbix_agentd.conf > @@ -63,14 +63,33 @@ LogFileSize=0 > # Default: > # SourceIP= > > -### Option: EnableRemoteCommands > -# Whether remote commands from Zabbix server are allowed. > -# 0 - not allowed > -# 1 - allowed > +### Option: AllowKey > +# Allow execution of item keys matching pattern. > +# Multiple keys matching rules may be defined in combination with DenyKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# > +# Mandatory: no > + > +### Option: DenyKey > +# Deny execution of items keys matching pattern. > +# Multiple keys matching rules may be defined in combination with AllowKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. > # > # Mandatory: no > # Default: > -# EnableRemoteCommands=0 > +# DenyKey=system.run[*] > + > +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead > +# Internal alias for AllowKey/DenyKey parameters depending on value: > +# 0 - DenyKey=system.run[*] > +# 1 - AllowKey=system.run[*] > +# > +# Mandatory: no > > ### Option: LogRemoteCommands > # Enable logging of executed shell commands as warnings. > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > # Default: > # HostMetadataItem= > > +### Option: HostInterface > +# Optional parameter that defines host interface. > +# Host interface is used at host auto-registration process. > +# An agent will issue an error and not start if the value is over limit of 255 characters. > +# If not defined, value will be acquired from HostInterfaceItem. > +# > +# Mandatory: no > +# Range: 0-255 characters > +# Default: > +# HostInterface= > + > +### Option: HostInterfaceItem > +# Optional parameter that defines an item used for getting host interface. > +# Host interface is used at host auto-registration process. > +# During an auto-registration request an agent will log a warning message if > +# the value returned by specified item is over limit of 255 characters. > +# This option is only used when HostInterface is not defined. > +# > +# Mandatory: no > +# Default: > +# HostInterfaceItem= > + > ### Option: RefreshActiveChecks > # How often list of active checks is refreshed, in seconds. > # > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > - > ####### USER-DEFINED MONITORED PARAMETERS ####### > > ### Option: UnsafeUserParameters > @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > # > # Mandatory: no > # Default: > -# LoadModulePath=/usr/lib/modules > +# LoadModulePath=${libdir}/modules > > LoadModulePath=/usr/lib/zabbix > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > # TLSCRLFile= > > ### Option: TLSServerCertIssuer > -# Allowed server certificate issuer. > +# Allowed server certificate issuer. > # > # Mandatory: no > # Default: > # TLSServerCertIssuer= > > ### Option: TLSServerCertSubject > -# Allowed server certificate subject. > +# Allowed server certificate subject. > # > # Mandatory: no > # Default: > @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix > # Mandatory: no > # Default: > # TLSPSKFile= > + > +####### For advanced users - TLS ciphersuite selection criteria ####### > + > +### Option: TLSCipherCert13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert13= > + > +### Option: TLSCipherCert > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert= > + > +### Option: TLSCipherPSK13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example: > +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK13= > + > +### Option: TLSCipherPSK > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL > +# Example for OpenSSL: > +# kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK= > + > +### Option: TLSCipherAll13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example: > +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll13= > + > +### Option: TLSCipherAll > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll= > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > index c69643a54..2d57b0dbe 100644 > --- a/lfs/zabbix_agentd > +++ b/lfs/zabbix_agentd > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 4.2.6 > +VER = 5.0.10 > > THISAPP = zabbix-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = zabbix_agentd > -PAK_VER = 4 > +PAK_VER = 5 > DEPS = > > ############################################################################### > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 > > install : $(TARGET) > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > --prefix=/usr \ > --enable-agent \ > --sysconfdir=/etc/zabbix_agentd \ > - --with-openssl > + --with-openssl \ > + --with-libcurl > > cd $(DIR_APP) && make > cd $(DIR_APP) && make install
Hi Adolf Thanks for your review. I didn't know about the -v2 parameter. Will use that in the future. The conf file changes in this patch actually only reflect the changes in the upstream source default zabbix_agentd.conf-file which I merged with the customizations previously introduced by Alex. Robin Adolf Belka schreef op vr 09-04-2021 om 21:25 [+0200]: > Hi Robin, > > I am not knowledgeable enough about zabbix to make any comment about > the conf file changes other than that I could follow your > explanations of why they were being done. > > The lfs file changes look perfect to me. > > A general comment I would make is that when you want to do a v2 > version then if you enter > > git patch-format -v2 -o ..... then the patches will be created > automatically as [PATCH v2 1/3]. > > Note it is lower case v > > Regards, > > Adolf > > On 07/04/2021 22:44, Robin Roevens wrote: > > - Update from 4.2.6 to latest LTS version 5.0.10 > > See release notes: https://www.zabbix.com/rn/rn5.0.10 > > > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > > --- > > config/zabbix_agentd/zabbix_agentd.conf | 124 > > ++++++++++++++++++++++-- > > lfs/zabbix_agentd | 11 ++- > > 2 files changed, 121 insertions(+), 14 deletions(-) > > > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf > > b/config/zabbix_agentd/zabbix_agentd.conf > > index 21b8e0122..4d6c4c154 100644 > > --- a/config/zabbix_agentd/zabbix_agentd.conf > > +++ b/config/zabbix_agentd/zabbix_agentd.conf > > @@ -63,14 +63,33 @@ LogFileSize=0 > > # Default: > > # SourceIP= > > > > -### Option: EnableRemoteCommands > > -# Whether remote commands from Zabbix server are allowed. > > -# 0 - not allowed > > -# 1 - allowed > > +### Option: AllowKey > > +# Allow execution of item keys matching pattern. > > +# Multiple keys matching rules may be defined in combination > > with DenyKey. > > +# Key pattern is wildcard expression, which support "*" > > character to match any number of any characters in certain > > position. It might be used in both key name and key arguments. > > +# Parameters are processed one by one according their > > appearance order. > > +# If no AllowKey or DenyKey rules defined, all keys are > > allowed. > > +# > > +# Mandatory: no > > + > > +### Option: DenyKey > > +# Deny execution of items keys matching pattern. > > +# Multiple keys matching rules may be defined in combination > > with AllowKey. > > +# Key pattern is wildcard expression, which support "*" > > character to match any number of any characters in certain > > position. It might be used in both key name and key arguments. > > +# Parameters are processed one by one according their > > appearance order. > > +# If no AllowKey or DenyKey rules defined, all keys are > > allowed. > > +# Unless another system.run[*] rule is specified > > DenyKey=system.run[*] is added by default. > > # > > # Mandatory: no > > # Default: > > -# EnableRemoteCommands=0 > > +# DenyKey=system.run[*] > > + > > +### Option: EnableRemoteCommands - Deprecated, use > > AllowKey=system.run[*] or DenyKey=system.run[*] instead > > +# Internal alias for AllowKey/DenyKey parameters depending on > > value: > > +# 0 - DenyKey=system.run[*] > > +# 1 - AllowKey=system.run[*] > > +# > > +# Mandatory: no > > > > ### Option: LogRemoteCommands > > # Enable logging of executed shell commands as warnings. > > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > > # Default: > > # HostMetadataItem= > > > > +### Option: HostInterface > > +# Optional parameter that defines host interface. > > +# Host interface is used at host auto-registration process. > > +# An agent will issue an error and not start if the value is > > over limit of 255 characters. > > +# If not defined, value will be acquired from > > HostInterfaceItem. > > +# > > +# Mandatory: no > > +# Range: 0-255 characters > > +# Default: > > +# HostInterface= > > + > > +### Option: HostInterfaceItem > > +# Optional parameter that defines an item used for getting > > host interface. > > +# Host interface is used at host auto-registration process. > > +# During an auto-registration request an agent will log a > > warning message if > > +# the value returned by specified item is over limit of 255 > > characters. > > +# This option is only used when HostInterface is not defined. > > +# > > +# Mandatory: no > > +# Default: > > +# HostInterfaceItem= > > + > > ### Option: RefreshActiveChecks > > # How often list of active checks is refreshed, in seconds. > > # > > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > - > > ####### USER-DEFINED MONITORED PARAMETERS ####### > > > > ### Option: UnsafeUserParameters > > @@ -299,7 +339,7 @@ > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > # > > # Mandatory: no > > # Default: > > -# LoadModulePath=/usr/lib/modules > > +# LoadModulePath=${libdir}/modules > > > > LoadModulePath=/usr/lib/zabbix > > > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > > # TLSCRLFile= > > > > ### Option: TLSServerCertIssuer > > -# Allowed server certificate issuer. > > +# Allowed server certificate issuer. > > # > > # Mandatory: no > > # Default: > > # TLSServerCertIssuer= > > > > ### Option: TLSServerCertSubject > > -# Allowed server certificate subject. > > +# Allowed server certificate subject. > > # > > # Mandatory: no > > # Default: > > @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix > > # Mandatory: no > > # Default: > > # TLSPSKFile= > > + > > +####### For advanced users - TLS ciphersuite selection criteria > > ####### > > + > > +### Option: TLSCipherCert13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > certificate-based encryption. > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherCert13= > > + > > +### Option: TLSCipherCert > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > certificate-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- > > ALL:+CTYPE-X.509 > > +# Example for OpenSSL: > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherCert= > > + > > +### Option: TLSCipherPSK13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > PSK-based encryption. > > +# Example: > > +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherPSK13= > > + > > +### Option: TLSCipherPSK > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > PSK-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- > > ALL > > +# Example for OpenSSL: > > +# kECDHEPSK+AES128:kPSK+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherPSK= > > + > > +### Option: TLSCipherAll13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > certificate- and PSK-based encryption. > > +# Example: > > +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > > :TLS_AES_128_GCM_SHA256 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherAll13= > > + > > +### Option: TLSCipherAll > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > certificate- and PSK-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- > > PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE- > > ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > > +# Example for OpenSSL: > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: > > kPSK+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherAll= > > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > > index c69643a54..2d57b0dbe 100644 > > --- a/lfs/zabbix_agentd > > +++ b/lfs/zabbix_agentd > > @@ -1,7 +1,7 @@ > > > > ################################################################### > > ############ > > > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2019 IPFire Team > > <info@ipfire.org> # > > +# Copyright (C) 2007-2021 IPFire Team > > <info@ipfire.org> # > > > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as > > published by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 4.2.6 > > +VER = 5.0.10 > > > > THISAPP = zabbix-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = zabbix_agentd > > -PAK_VER = 4 > > +PAK_VER = 5 > > DEPS = > > > > > > ################################################################### > > ############ > > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > > +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 > > > > install : $(TARGET) > > > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > --prefix=/usr \ > > --enable-agent \ > > --sysconfdir=/etc/zabbix_agentd \ > > - --with-openssl > > + --with-openssl \ > > + --with-libcurl > > > > cd $(DIR_APP) && make > > cd $(DIR_APP) && make install >
Hello, This looks all fine. -Michael > On 7 Apr 2021, at 21:44, Robin Roevens <robin.roevens@disroot.org> wrote: > > - Update from 4.2.6 to latest LTS version 5.0.10 > See release notes: https://www.zabbix.com/rn/rn5.0.10 > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > --- > config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- > lfs/zabbix_agentd | 11 ++- > 2 files changed, 121 insertions(+), 14 deletions(-) > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf > index 21b8e0122..4d6c4c154 100644 > --- a/config/zabbix_agentd/zabbix_agentd.conf > +++ b/config/zabbix_agentd/zabbix_agentd.conf > @@ -63,14 +63,33 @@ LogFileSize=0 > # Default: > # SourceIP= > > -### Option: EnableRemoteCommands > -# Whether remote commands from Zabbix server are allowed. > -# 0 - not allowed > -# 1 - allowed > +### Option: AllowKey > +# Allow execution of item keys matching pattern. > +# Multiple keys matching rules may be defined in combination with DenyKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# > +# Mandatory: no > + > +### Option: DenyKey > +# Deny execution of items keys matching pattern. > +# Multiple keys matching rules may be defined in combination with AllowKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. > # > # Mandatory: no > # Default: > -# EnableRemoteCommands=0 > +# DenyKey=system.run[*] > + > +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead > +# Internal alias for AllowKey/DenyKey parameters depending on value: > +# 0 - DenyKey=system.run[*] > +# 1 - AllowKey=system.run[*] > +# > +# Mandatory: no > > ### Option: LogRemoteCommands > # Enable logging of executed shell commands as warnings. > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > # Default: > # HostMetadataItem= > > +### Option: HostInterface > +# Optional parameter that defines host interface. > +# Host interface is used at host auto-registration process. > +# An agent will issue an error and not start if the value is over limit of 255 characters. > +# If not defined, value will be acquired from HostInterfaceItem. > +# > +# Mandatory: no > +# Range: 0-255 characters > +# Default: > +# HostInterface= > + > +### Option: HostInterfaceItem > +# Optional parameter that defines an item used for getting host interface. > +# Host interface is used at host auto-registration process. > +# During an auto-registration request an agent will log a warning message if > +# the value returned by specified item is over limit of 255 characters. > +# This option is only used when HostInterface is not defined. > +# > +# Mandatory: no > +# Default: > +# HostInterfaceItem= > + > ### Option: RefreshActiveChecks > # How often list of active checks is refreshed, in seconds. > # > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > - > ####### USER-DEFINED MONITORED PARAMETERS ####### > > ### Option: UnsafeUserParameters > @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > # > # Mandatory: no > # Default: > -# LoadModulePath=/usr/lib/modules > +# LoadModulePath=${libdir}/modules > > LoadModulePath=/usr/lib/zabbix > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > # TLSCRLFile= > > ### Option: TLSServerCertIssuer > -# Allowed server certificate issuer. > +# Allowed server certificate issuer. > # > # Mandatory: no > # Default: > # TLSServerCertIssuer= > > ### Option: TLSServerCertSubject > -# Allowed server certificate subject. > +# Allowed server certificate subject. > # > # Mandatory: no > # Default: > @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix > # Mandatory: no > # Default: > # TLSPSKFile= > + > +####### For advanced users - TLS ciphersuite selection criteria ####### > + > +### Option: TLSCipherCert13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert13= > + > +### Option: TLSCipherCert > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert= > + > +### Option: TLSCipherPSK13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example: > +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK13= > + > +### Option: TLSCipherPSK > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL > +# Example for OpenSSL: > +# kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK= > + > +### Option: TLSCipherAll13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example: > +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll13= > + > +### Option: TLSCipherAll > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll= > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > index c69643a54..2d57b0dbe 100644 > --- a/lfs/zabbix_agentd > +++ b/lfs/zabbix_agentd > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 4.2.6 > +VER = 5.0.10 > > THISAPP = zabbix-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = zabbix_agentd > -PAK_VER = 4 > +PAK_VER = 5 > DEPS = > > ############################################################################### > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 > > install : $(TARGET) > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > --prefix=/usr \ > --enable-agent \ > --sysconfdir=/etc/zabbix_agentd \ > - --with-openssl > + --with-openssl \ > + --with-libcurl > > cd $(DIR_APP) && make > cd $(DIR_APP) && make install > -- > 2.30.2 > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >
Hello Adolf, You can use the Reviewed-by: tag to mark a patch as reviewed by you: https://wiki.ipfire.org/devel/git/tags -Michael > On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Robin, > > I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done. > > The lfs file changes look perfect to me. > > A general comment I would make is that when you want to do a v2 version then if you enter > > git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3]. > > Note it is lower case v > > Regards, > > Adolf > > On 07/04/2021 22:44, Robin Roevens wrote: >> - Update from 4.2.6 to latest LTS version 5.0.10 >> See release notes: https://www.zabbix.com/rn/rn5.0.10 >> >> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >> --- >> config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- >> lfs/zabbix_agentd | 11 ++- >> 2 files changed, 121 insertions(+), 14 deletions(-) >> >> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf >> index 21b8e0122..4d6c4c154 100644 >> --- a/config/zabbix_agentd/zabbix_agentd.conf >> +++ b/config/zabbix_agentd/zabbix_agentd.conf >> @@ -63,14 +63,33 @@ LogFileSize=0 >> # Default: >> # SourceIP= >> -### Option: EnableRemoteCommands >> -# Whether remote commands from Zabbix server are allowed. >> -# 0 - not allowed >> -# 1 - allowed >> +### Option: AllowKey >> +# Allow execution of item keys matching pattern. >> +# Multiple keys matching rules may be defined in combination with DenyKey. >> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >> +# Parameters are processed one by one according their appearance order. >> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >> +# >> +# Mandatory: no >> + >> +### Option: DenyKey >> +# Deny execution of items keys matching pattern. >> +# Multiple keys matching rules may be defined in combination with AllowKey. >> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >> +# Parameters are processed one by one according their appearance order. >> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >> +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. >> # >> # Mandatory: no >> # Default: >> -# EnableRemoteCommands=0 >> +# DenyKey=system.run[*] >> + >> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead >> +# Internal alias for AllowKey/DenyKey parameters depending on value: >> +# 0 - DenyKey=system.run[*] >> +# 1 - AllowKey=system.run[*] >> +# >> +# Mandatory: no >> ### Option: LogRemoteCommands >> # Enable logging of executed shell commands as warnings. >> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >> # Default: >> # HostMetadataItem= >> +### Option: HostInterface >> +# Optional parameter that defines host interface. >> +# Host interface is used at host auto-registration process. >> +# An agent will issue an error and not start if the value is over limit of 255 characters. >> +# If not defined, value will be acquired from HostInterfaceItem. >> +# >> +# Mandatory: no >> +# Range: 0-255 characters >> +# Default: >> +# HostInterface= >> + >> +### Option: HostInterfaceItem >> +# Optional parameter that defines an item used for getting host interface. >> +# Host interface is used at host auto-registration process. >> +# During an auto-registration request an agent will log a warning message if >> +# the value returned by specified item is over limit of 255 characters. >> +# This option is only used when HostInterface is not defined. >> +# >> +# Mandatory: no >> +# Default: >> +# HostInterfaceItem= >> + >> ### Option: RefreshActiveChecks >> # How often list of active checks is refreshed, in seconds. >> # >> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >> - >> ####### USER-DEFINED MONITORED PARAMETERS ####### >> ### Option: UnsafeUserParameters >> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >> # >> # Mandatory: no >> # Default: >> -# LoadModulePath=/usr/lib/modules >> +# LoadModulePath=${libdir}/modules >> LoadModulePath=/usr/lib/zabbix >> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >> # TLSCRLFile= >> ### Option: TLSServerCertIssuer >> -# Allowed server certificate issuer. >> +# Allowed server certificate issuer. >> # >> # Mandatory: no >> # Default: >> # TLSServerCertIssuer= >> ### Option: TLSServerCertSubject >> -# Allowed server certificate subject. >> +# Allowed server certificate subject. >> # >> # Mandatory: no >> # Default: >> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix >> # Mandatory: no >> # Default: >> # TLSPSKFile= >> + >> +####### For advanced users - TLS ciphersuite selection criteria ####### >> + >> +### Option: TLSCipherCert13 >> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >> +# Override the default ciphersuite selection criteria for certificate-based encryption. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherCert13= >> + >> +### Option: TLSCipherCert >> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >> +# Override the default ciphersuite selection criteria for certificate-based encryption. >> +# Example for GnuTLS: >> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >> +# Example for OpenSSL: >> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherCert= >> + >> +### Option: TLSCipherPSK13 >> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >> +# Override the default ciphersuite selection criteria for PSK-based encryption. >> +# Example: >> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherPSK13= >> + >> +### Option: TLSCipherPSK >> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >> +# Override the default ciphersuite selection criteria for PSK-based encryption. >> +# Example for GnuTLS: >> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL >> +# Example for OpenSSL: >> +# kECDHEPSK+AES128:kPSK+AES128 >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherPSK= >> + >> +### Option: TLSCipherAll13 >> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >> +# Example: >> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherAll13= >> + >> +### Option: TLSCipherAll >> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >> +# Example for GnuTLS: >> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >> +# Example for OpenSSL: >> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCipherAll= >> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >> index c69643a54..2d57b0dbe 100644 >> --- a/lfs/zabbix_agentd >> +++ b/lfs/zabbix_agentd >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -24,7 +24,7 @@ >> include Config >> -VER = 4.2.6 >> +VER = 5.0.10 >> THISAPP = zabbix-$(VER) >> DL_FILE = $(THISAPP).tar.gz >> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >> DIR_APP = $(DIR_SRC)/$(THISAPP) >> TARGET = $(DIR_INFO)/$(THISAPP) >> PROG = zabbix_agentd >> -PAK_VER = 4 >> +PAK_VER = 5 >> DEPS = >> ############################################################################### >> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 >> install : $(TARGET) >> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> --prefix=/usr \ >> --enable-agent \ >> --sysconfdir=/etc/zabbix_agentd \ >> - --with-openssl >> + --with-openssl \ >> + --with-libcurl >> cd $(DIR_APP) && make >> cd $(DIR_APP) && make install
Hi Michael, On 12/04/2021 12:27, Michael Tremer wrote: > Hello Adolf, > > You can use the Reviewed-by: tag to mark a patch as reviewed by you: > > https://wiki.ipfire.org/devel/git/tags I wasn't sure if I was OK for me to use the reviewed tag or if it was limited to specific people. I will use it in future now when I do a review of a patch. Regards, Adolf. > > -Michael > >> On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote: >> >> Hi Robin, >> >> I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done. >> >> The lfs file changes look perfect to me. >> >> A general comment I would make is that when you want to do a v2 version then if you enter >> >> git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3]. >> >> Note it is lower case v >> >> Regards, >> >> Adolf >> >> On 07/04/2021 22:44, Robin Roevens wrote: >>> - Update from 4.2.6 to latest LTS version 5.0.10 >>> See release notes: https://www.zabbix.com/rn/rn5.0.10 >>> >>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >>> --- >>> config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- >>> lfs/zabbix_agentd | 11 ++- >>> 2 files changed, 121 insertions(+), 14 deletions(-) >>> >>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf >>> index 21b8e0122..4d6c4c154 100644 >>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>> @@ -63,14 +63,33 @@ LogFileSize=0 >>> # Default: >>> # SourceIP= >>> -### Option: EnableRemoteCommands >>> -# Whether remote commands from Zabbix server are allowed. >>> -# 0 - not allowed >>> -# 1 - allowed >>> +### Option: AllowKey >>> +# Allow execution of item keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination with DenyKey. >>> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >>> +# Parameters are processed one by one according their appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>> +# >>> +# Mandatory: no >>> + >>> +### Option: DenyKey >>> +# Deny execution of items keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination with AllowKey. >>> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >>> +# Parameters are processed one by one according their appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>> +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. >>> # >>> # Mandatory: no >>> # Default: >>> -# EnableRemoteCommands=0 >>> +# DenyKey=system.run[*] >>> + >>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead >>> +# Internal alias for AllowKey/DenyKey parameters depending on value: >>> +# 0 - DenyKey=system.run[*] >>> +# 1 - AllowKey=system.run[*] >>> +# >>> +# Mandatory: no >>> ### Option: LogRemoteCommands >>> # Enable logging of executed shell commands as warnings. >>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >>> # Default: >>> # HostMetadataItem= >>> +### Option: HostInterface >>> +# Optional parameter that defines host interface. >>> +# Host interface is used at host auto-registration process. >>> +# An agent will issue an error and not start if the value is over limit of 255 characters. >>> +# If not defined, value will be acquired from HostInterfaceItem. >>> +# >>> +# Mandatory: no >>> +# Range: 0-255 characters >>> +# Default: >>> +# HostInterface= >>> + >>> +### Option: HostInterfaceItem >>> +# Optional parameter that defines an item used for getting host interface. >>> +# Host interface is used at host auto-registration process. >>> +# During an auto-registration request an agent will log a warning message if >>> +# the value returned by specified item is over limit of 255 characters. >>> +# This option is only used when HostInterface is not defined. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# HostInterfaceItem= >>> + >>> ### Option: RefreshActiveChecks >>> # How often list of active checks is refreshed, in seconds. >>> # >>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> - >>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>> ### Option: UnsafeUserParameters >>> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> # >>> # Mandatory: no >>> # Default: >>> -# LoadModulePath=/usr/lib/modules >>> +# LoadModulePath=${libdir}/modules >>> LoadModulePath=/usr/lib/zabbix >>> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >>> # TLSCRLFile= >>> ### Option: TLSServerCertIssuer >>> -# Allowed server certificate issuer. >>> +# Allowed server certificate issuer. >>> # >>> # Mandatory: no >>> # Default: >>> # TLSServerCertIssuer= >>> ### Option: TLSServerCertSubject >>> -# Allowed server certificate subject. >>> +# Allowed server certificate subject. >>> # >>> # Mandatory: no >>> # Default: >>> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix >>> # Mandatory: no >>> # Default: >>> # TLSPSKFile= >>> + >>> +####### For advanced users - TLS ciphersuite selection criteria ####### >>> + >>> +### Option: TLSCipherCert13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for certificate-based encryption. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert13= >>> + >>> +### Option: TLSCipherCert >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for certificate-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert= >>> + >>> +### Option: TLSCipherPSK13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for PSK-based encryption. >>> +# Example: >>> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK13= >>> + >>> +### Option: TLSCipherPSK >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for PSK-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL >>> +# Example for OpenSSL: >>> +# kECDHEPSK+AES128:kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK= >>> + >>> +### Option: TLSCipherAll13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >>> +# Example: >>> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll13= >>> + >>> +### Option: TLSCipherAll >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll= >>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>> index c69643a54..2d57b0dbe 100644 >>> --- a/lfs/zabbix_agentd >>> +++ b/lfs/zabbix_agentd >>> @@ -1,7 +1,7 @@ >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -24,7 +24,7 @@ >>> include Config >>> -VER = 4.2.6 >>> +VER = 5.0.10 >>> THISAPP = zabbix-$(VER) >>> DL_FILE = $(THISAPP).tar.gz >>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> PROG = zabbix_agentd >>> -PAK_VER = 4 >>> +PAK_VER = 5 >>> DEPS = >>> ############################################################################### >>> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >>> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 >>> install : $(TARGET) >>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> --prefix=/usr \ >>> --enable-agent \ >>> --sysconfdir=/etc/zabbix_agentd \ >>> - --with-openssl >>> + --with-openssl \ >>> + --with-libcurl >>> cd $(DIR_APP) && make >>> cd $(DIR_APP) && make install >
Hello, No, if you have reviewed it you can add the tag. Just anywhere in an email and Patchwork will parse and add credit. The reason why we are doing the tags is: * To give credit (because it very often is not only one person who has worked on something, but Git only allows one author field) * We know what has been reviewed * And if something is broken, there is a list of people who have been working on this who can be shot… joking… who can be consulted about why something was solved in a certain way, etc. You can also use Tested-by which is very helpful, too. Best, -Michael > On 12 Apr 2021, at 12:23, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Michael, > > On 12/04/2021 12:27, Michael Tremer wrote: >> Hello Adolf, >> You can use the Reviewed-by: tag to mark a patch as reviewed by you: >> https://wiki.ipfire.org/devel/git/tags > I wasn't sure if I was OK for me to use the reviewed tag or if it was limited to specific people. I will use it in future now when I do a review of a patch. > > Regards, > Adolf. >> -Michael >>> On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote: >>> >>> Hi Robin, >>> >>> I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done. >>> >>> The lfs file changes look perfect to me. >>> >>> A general comment I would make is that when you want to do a v2 version then if you enter >>> >>> git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3]. >>> >>> Note it is lower case v >>> >>> Regards, >>> >>> Adolf >>> >>> On 07/04/2021 22:44, Robin Roevens wrote: >>>> - Update from 4.2.6 to latest LTS version 5.0.10 >>>> See release notes: https://www.zabbix.com/rn/rn5.0.10 >>>> >>>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >>>> --- >>>> config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- >>>> lfs/zabbix_agentd | 11 ++- >>>> 2 files changed, 121 insertions(+), 14 deletions(-) >>>> >>>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf >>>> index 21b8e0122..4d6c4c154 100644 >>>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>>> @@ -63,14 +63,33 @@ LogFileSize=0 >>>> # Default: >>>> # SourceIP= >>>> -### Option: EnableRemoteCommands >>>> -# Whether remote commands from Zabbix server are allowed. >>>> -# 0 - not allowed >>>> -# 1 - allowed >>>> +### Option: AllowKey >>>> +# Allow execution of item keys matching pattern. >>>> +# Multiple keys matching rules may be defined in combination with DenyKey. >>>> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >>>> +# Parameters are processed one by one according their appearance order. >>>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>>> +# >>>> +# Mandatory: no >>>> + >>>> +### Option: DenyKey >>>> +# Deny execution of items keys matching pattern. >>>> +# Multiple keys matching rules may be defined in combination with AllowKey. >>>> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. >>>> +# Parameters are processed one by one according their appearance order. >>>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>>> +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. >>>> # >>>> # Mandatory: no >>>> # Default: >>>> -# EnableRemoteCommands=0 >>>> +# DenyKey=system.run[*] >>>> + >>>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead >>>> +# Internal alias for AllowKey/DenyKey parameters depending on value: >>>> +# 0 - DenyKey=system.run[*] >>>> +# 1 - AllowKey=system.run[*] >>>> +# >>>> +# Mandatory: no >>>> ### Option: LogRemoteCommands >>>> # Enable logging of executed shell commands as warnings. >>>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >>>> # Default: >>>> # HostMetadataItem= >>>> +### Option: HostInterface >>>> +# Optional parameter that defines host interface. >>>> +# Host interface is used at host auto-registration process. >>>> +# An agent will issue an error and not start if the value is over limit of 255 characters. >>>> +# If not defined, value will be acquired from HostInterfaceItem. >>>> +# >>>> +# Mandatory: no >>>> +# Range: 0-255 characters >>>> +# Default: >>>> +# HostInterface= >>>> + >>>> +### Option: HostInterfaceItem >>>> +# Optional parameter that defines an item used for getting host interface. >>>> +# Host interface is used at host auto-registration process. >>>> +# During an auto-registration request an agent will log a warning message if >>>> +# the value returned by specified item is over limit of 255 characters. >>>> +# This option is only used when HostInterface is not defined. >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# HostInterfaceItem= >>>> + >>>> ### Option: RefreshActiveChecks >>>> # How often list of active checks is refreshed, in seconds. >>>> # >>>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >>>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>> - >>>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>>> ### Option: UnsafeUserParameters >>>> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>> # >>>> # Mandatory: no >>>> # Default: >>>> -# LoadModulePath=/usr/lib/modules >>>> +# LoadModulePath=${libdir}/modules >>>> LoadModulePath=/usr/lib/zabbix >>>> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >>>> # TLSCRLFile= >>>> ### Option: TLSServerCertIssuer >>>> -# Allowed server certificate issuer. >>>> +# Allowed server certificate issuer. >>>> # >>>> # Mandatory: no >>>> # Default: >>>> # TLSServerCertIssuer= >>>> ### Option: TLSServerCertSubject >>>> -# Allowed server certificate subject. >>>> +# Allowed server certificate subject. >>>> # >>>> # Mandatory: no >>>> # Default: >>>> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix >>>> # Mandatory: no >>>> # Default: >>>> # TLSPSKFile= >>>> + >>>> +####### For advanced users - TLS ciphersuite selection criteria ####### >>>> + >>>> +### Option: TLSCipherCert13 >>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>> +# Override the default ciphersuite selection criteria for certificate-based encryption. >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherCert13= >>>> + >>>> +### Option: TLSCipherCert >>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>>> +# Override the default ciphersuite selection criteria for certificate-based encryption. >>>> +# Example for GnuTLS: >>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>>> +# Example for OpenSSL: >>>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherCert= >>>> + >>>> +### Option: TLSCipherPSK13 >>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>> +# Override the default ciphersuite selection criteria for PSK-based encryption. >>>> +# Example: >>>> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherPSK13= >>>> + >>>> +### Option: TLSCipherPSK >>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>>> +# Override the default ciphersuite selection criteria for PSK-based encryption. >>>> +# Example for GnuTLS: >>>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL >>>> +# Example for OpenSSL: >>>> +# kECDHEPSK+AES128:kPSK+AES128 >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherPSK= >>>> + >>>> +### Option: TLSCipherAll13 >>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >>>> +# Example: >>>> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherAll13= >>>> + >>>> +### Option: TLSCipherAll >>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>>> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. >>>> +# Example for GnuTLS: >>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>>> +# Example for OpenSSL: >>>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 >>>> +# >>>> +# Mandatory: no >>>> +# Default: >>>> +# TLSCipherAll= >>>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>>> index c69643a54..2d57b0dbe 100644 >>>> --- a/lfs/zabbix_agentd >>>> +++ b/lfs/zabbix_agentd >>>> @@ -1,7 +1,7 @@ >>>> ############################################################################### >>>> # # >>>> # IPFire.org - A linux based firewall # >>>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>>> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>>> # # >>>> # This program is free software: you can redistribute it and/or modify # >>>> # it under the terms of the GNU General Public License as published by # >>>> @@ -24,7 +24,7 @@ >>>> include Config >>>> -VER = 4.2.6 >>>> +VER = 5.0.10 >>>> THISAPP = zabbix-$(VER) >>>> DL_FILE = $(THISAPP).tar.gz >>>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>>> TARGET = $(DIR_INFO)/$(THISAPP) >>>> PROG = zabbix_agentd >>>> -PAK_VER = 4 >>>> +PAK_VER = 5 >>>> DEPS = >>>> ############################################################################### >>>> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >>>> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 >>>> install : $(TARGET) >>>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>> --prefix=/usr \ >>>> --enable-agent \ >>>> --sysconfdir=/etc/zabbix_agentd \ >>>> - --with-openssl >>>> + --with-openssl \ >>>> + --with-libcurl >>>> cd $(DIR_APP) && make >>>> cd $(DIR_APP) && make install
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..4d6c4c154 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - ####### USER-DEFINED MONITORED PARAMETERS ####### ### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules LoadModulePath=/usr/lib/zabbix @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c69643a54..2d57b0dbe 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.2.6 +VER = 5.0.10 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS = ############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212 install : $(TARGET) @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \ - --with-openssl + --with-openssl \ + --with-libcurl cd $(DIR_APP) && make cd $(DIR_APP) && make install