Back
Featured image of post Using sudo for zabbix checks with some specific commands without password prompt

Using sudo for zabbix checks with some specific commands without password prompt

Avoid to run zabbix agent as root by using sudo with specific commands (cat, grep..) without password requirement.

Pratical example

Requirement

Let’s say, we would like to monitor the number of connections on a OpenVPN server using the following command :

cat /var/log/openvpn/openvpn-status.log | sed -n '/Connected Since/,/ROUTING/p' | sed -e '1d' -e '$d' | wc -l

To avoid to have our agent to run as root, let’s use sudo.

Zabbix configuration

Let’s create a configuration file for this specific example :

vim /etc/zabbix/zabbix_agentd.d/openvpn.conf

With the following content :

UserParameter=num_user.openvpn,sudo cat /var/log/openvpn/openvpn-status.log | sed -n '/Connected Since/,/ROUTING/p' | sed -e '1d' -e '$d' | wc -l

It won’t run out of the box as sudo will require a password when the command will be executed.

Sudo configuration

Edit the sudo configuration file :

sudo vim /etc/sudoers

Add and adjust the following line :

zabbix  ALL=NOPASSWD: /usr/bin/cat, /usr/bin/grep, /usr/bin/sed

Results

All done, should work as expected :

Example of an Openvpn monitoring using sudo without password
Example of an Openvpn monitoring using sudo without password

Built with Hugo
Theme Stack designed by Jimmy