[comment]: # translation:outdated

[comment]: # ({780b1aa2-780b1aa2})
# 13 Restricting agent checks

[comment]: # ({/780b1aa2-780b1aa2})

[comment]: # ({new-9de656b2})
#### Overview

It is possible to restrict checks on the agent side by creating an item
blacklist, a whitelist, or a combination of whitelist/blacklist.

To do that use a combination of two agent
[configuration](/manual/appendix/config/zabbix_agentd) parameters:

-   `AllowKey=<pattern>` - which checks are allowed; `<pattern>` is
    specified using a wildcard (\*) expression
-   `DenyKey=<pattern>` - which checks are denied; `<pattern>` is
    specified using a wildcard (\*) expression

Note that:

-   All `system.run[*]` items (remote commands, scripts) are disabled by
    default, even when no deny keys are specified;
-   Since Zabbix 5.0.2 the EnableRemoteCommands agent parameter is:
    -   deprecated by Zabbix agent
    -   unsupported by Zabbix agent2

Therefore, to allow all remote commands, specify an
`AllowKey=system.run[*]` parameter. To allow only some remote commands,
create a whitelist of specific `system.run[]` commands. To disallow
specific remote commands, add `DenyKey` parameters with `system.run[]`
commands before the `AllowKey=system.run[*]` parameter.

[comment]: # ({/new-9de656b2})

[comment]: # ({new-3145c750})
#### Important rules

-   A whitelist without a deny rule is only allowed for system.run\[\*\]
    items. For all other items, AllowKey parameters are not allowed
    without a DenyKey parameter; in this case Zabbix agent **will not
    start** with only AllowKey parameters.
-   The order matters. The specified parameters are checked one by one
    according to their appearance order in the configuration file:
    -   As soon as an item key matches an allow/deny rule, the item is
        either allowed or denied; and rule checking stops. So if an item
        matches both an allow rule and a deny rule, the result will
        depend on which rule comes first.
    -   The order also affects the EnableRemoteCommands parameter (if used).
-   An unlimited number of AllowKey/DenyKey parameters is supported.
-   AllowKey, DenyKey rules do not affect HostnameItem,
    HostMetadataItem, HostInterfaceItem configuration parameters.
-   Key pattern is a wildcard expression where the wildcard (\*)
    character matches any number of any characters in a certain position.
    It might be used in both the key name and parameters.
-   If a specific item key is disallowed in the agent configuration, the
    item will be reported as unsupported (no hint is given as to the
    reason);
-   Zabbix agent with --print (-p) command line option will not show
    keys that are not allowed by configuration;
-   Zabbix agent with --test (-t) command line option will return
    "Unsupported item key." status for keys that are not allowed by
    configuration;
-   Denied remote commands will not be logged in the agent log (if
    LogRemoteCommands=1).

[comment]: # ({/new-3145c750})

[comment]: # ({new-66ec4bb8})
#### Allow/deny rule order

You can specify an unlimited number of `AllowKey` or `DenyKey` rules, though their order matters.

-   Rules are evaluated one by one, from top to bottom.
-   When an item key matches a rule, it is either allowed or denied, and rule evaluation stops.

For example, when evaluating `vfs.file.contents[/etc/passwd]`, the rules are processed as follows:

```default
AllowKey=vfs.file.contents[/tmp/app.log]    # Item key pattern does not match, agent proceeds to the next rule.
AllowKey=vfs.file.contents[/etc/passwd]     # Item key pattern matches; agent allows the item check and stops rule evaluation.
DenyKey=vfs.file.*[*]                       # Agent ignores the rule, as the evaluation has stopped.
```

The following rule order will deny the item check:

```default
DenyKey=vfs.file.*[*]                       # Item key pattern matches; agent denies the item check and stops rule evaluation.
AllowKey=vfs.file.contents[/etc/passwd]     # Agent ignores the rule, as the evaluation has stopped.
AllowKey=vfs.file.contents[/tmp/app.log]    # Agent ignores the rule, as the evaluation has stopped.
```

[comment]: # ({/new-66ec4bb8})

[comment]: # ({new-253ad144})
#### Use cases

[comment]: # ({/new-253ad144})

[comment]: # ({new-19895d10})
##### Allowing specific checks and commands

Allow only two [`vfs.file`](/manual/config/items/itemtypes/zabbix_agent#virtual-file-system-data) item checks and two [`system.run`](/manual/config/items/itemtypes/zabbix_agent#system-data) commands:

```default
AllowKey=vfs.file.contents[/tmp/app.log]
AllowKey=vfs.file.size[/tmp/app.log]
AllowKey=system.run[/usr/bin/uptime]
AllowKey=system.run[/usr/bin/df -h /]
DenyKey=vfs.file.*[*]
```

::: noteclassic
Setting `DenyKey=system.run[*]` is unnecessary, because all other `system.run` commands are denied by default.
:::

[comment]: # ({/new-19895d10})

[comment]: # ({new-3cc5f239})
##### Allowing scripts

Allow Zabbix agent to execute scripts on hosts via all available methods:

-   [Global scripts](/manual/web_interface/frontend_sections/administration/scripts) that can be executed in the frontend or via API (this method always uses the `system.run[myscript.sh]` key)
-   Remote commands from [action operations](/manual/config/notifications/action/operation#operation-details) (this method always uses the `system.run[myscript.sh,nowait]` key)
-   [`system.run`](/manual/config/items/itemtypes/zabbix_agent#system-data) Zabbix agent items with the script, for example:
    -   `system.run[myscript.sh]`
    -   `system.run[myscript.sh,wait]`
    -   `system.run[myscript.sh,nowait]`

```default
AllowKey=system.run[myscript.sh,*]
```

To control the `wait`/`nowait` parameter, you must set a different rule.
For example, you can allow only `system.run[myscript.sh,wait]` items, thus excluding other methods:

```default
AllowKey=system.run[myscript.sh,wait]
```

[comment]: # ({/new-3cc5f239})

[comment]: # ({new-1965a7d7})
##### Securing allow/deny rules

This example shows how to secure overly permissive `AllowKey` or `DenyKey` rules.

Consider the following rules:

```default
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat*"]
DenyKey=vfs.file.*
DenyKey=system.cpu.load[*]
```

::: noteclassic
On Windows, you must escape spaces in the path using a caret (`^`).
:::

These rules contain a wildcard (`*`), which can be misused:

-   The `test.bat` script can be executed with any arguments, including unintended ones.
-   The `vfs.file.*` pattern matches only item keys without parameters; however, all [`vfs.file`](/manual/config/items/itemtypes/zabbix_agent#virtual-file-system-data) items require parameters.
-   The `system.cpu.load[*]` pattern matches only item keys with parameters; however [`system.cpu.load`](/manual/config/items/itemtypes/zabbix_agent#system-data) items do not require parameters.

To secure these rules, explicitly allow executing `test.bat` only with specific arguments, and deny correct item key patterns; for example:

```default
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat status"]
AllowKey=system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat version"]
DenyKey=vfs.file.*[*]
DenyKey=system.cpu.load
DenyKey=system.cpu.load[*]
```

You can test the rules by running the following commands, which will return `ZBX_NOTSUPPORTED`.

```bash
cd "C:\Program Files\Zabbix Agent 2"
zabbix_agent2.exe -t system.run["C:\Program^ Files\Zabbix^ Agent^ 2\scripts\test.bat debug"]
zabbix_agent2.exe -t vfs.file.size["C:\ProgramData\MyApp\config.ini"]
zabbix_agent2.exe -t vfs.file.contents["C:\Windows\System32\drivers\etc\hosts"]
zabbix_agent2.exe -t system.cpu.load
zabbix_agent2.exe -t system.cpu.load[all,avg1]
```

[comment]: # ({/new-1965a7d7})

[comment]: # ({new-16bccaff})
#### Pattern examples

|Pattern|Description|Matches|No match|
|-------|-----------|-------|--------|
|`*`|Matches all possible keys with or without parameters.|Any|None|
|`vfs.file.contents`|Matches `vfs.file.contents` without parameters.|`vfs.file.contents`|`vfs.file.contents[/etc/passwd]`|
|`vfs.file.contents[]`|Matches `vfs.file.contents` with empty parameters.|`vfs.file.contents[]`|`vfs.file.contents`|
|`vfs.file.contents[*]`|Matches `vfs.file.contents` with any parameters; will not match `vfs.file.contents` without square brackets.|`vfs.file.contents[]`<br>`vfs.file.contents[/path/to/file]`|`vfs.file.contents`|
|`vfs.file.contents[/etc/passwd,*]`|Matches `vfs.file.contents` with the first parameter matching /etc/passwd and all other parameters having any value (also empty).|`vfs.file.contents[/etc/passwd,]`<br>`vfs.file.contents[/etc/passwd,utf8]`|`vfs.file.contents[/etc/passwd]`<br>`vfs.file.contents[/var/log/zabbix_server.log]`<br>`vfs.file.contents[]`|
|`vfs.file.contents[*passwd*]`|Matches `vfs.file.contents` with the first parameter matching `*passwd*` and no other parameters.|`vfs.file.contents[/etc/passwd]`|`vfs.file.contents[/etc/passwd,]`<br>`vfs.file.contents[/etc/passwd, utf8]`|
|`vfs.file.contents[*passwd*,*]`|Matches `vfs.file.contents` with the first parameter matching `*passwd*` and all following parameters having any value (also empty).|`vfs.file.contents[/etc/passwd,]`<br>`vfs.file.contents[/etc/passwd, utf8]`|`vfs.file.contents[/etc/passwd]`<br>`vfs.file.contents[/tmp/test]`|
|`vfs.file.contents[/var/log/zabbix_server.log,*,abc]`|Matches `vfs.file.contents` with the first parameter matching /var/log/zabbix_server.log, the third parameter matching 'abc' and any (also empty) second parameter.|`vfs.file.contents[/var/log/zabbix_server.log,,abc]`<br>`vfs.file.contents[/var/log/zabbix_server.log,utf8,abc]`|`vfs.file.contents[/var/log/zabbix_server.log,,abc,def]`|
|`vfs.file.contents[/etc/passwd,utf8]`|Matches `vfs.file.contents` with the first parameter matching /etc/passwd, the second parameter matching 'utf8' and no other parameters.|`vfs.file.contents[/etc/passwd,utf8]`|`vfs.file.contents[/etc/passwd,]`<br>`vfs.file.contents[/etc/passwd,utf16]`|
|`vfs.file.*`|Matches any key starting with `vfs.file.` without any parameters.|`vfs.file.contents`<br>`vfs.file.size`|`vfs.file.contents[]`<br>`vfs.file.size[/var/log/zabbix_server.log]`|
|`vfs.file.*[*]`|Matches any key starting with `vfs.file.` with any parameters.|`vfs.file.size.bytes[]`<br>`vfs.file.size[/var/log/zabbix_server.log, utf8]`|`vfs.file.size.bytes`|
|`vfs.*.contents`|Matches any key starting with `vfs.` and ending with `.contents` without any parameters.|`vfs.mount.point.file.contents`<br>`vfs..contents`|`vfs.contents`|

[comment]: # ({/new-16bccaff})
