Zabbix plugin

The Vulners Zabbix plugin transforms your Zabbix monitoring system into a vulnerability, risk, and security management tool.

How it works

The plugin provides Zabbix with information about vulnerabilities existing in your infrastructure and suggests easy remediation steps.

The information displayed in Zabbix includes the following:

  • Maximum CVSS scoring for each server.
  • A command for fixing all detected vulnerabilities for each server.
  • A list of security bulletins with descriptions for vulnerable packages valid for your infrastructure.
  • A list of all vulnerable packages in your infrastructure.

The information in the security bulletins and packages includes the following:

  • The impact index for the infrastructure.
  • A CVSS score of a package or a bulletin.
  • The number of affected servers.
  • A detailed list of affected hosts.
  • A hyperlink to the description of a bulletin.

Sometimes it is impossible to update all packages on all servers to a version that would fix the existing vulnerabilities. The proposed representation permits you to selectively update servers or packages.

This approach enables different strategies for fixing the vulnerabilities:

  • all vulnerabilities on a specific server;
  • a single vulnerability in the entire infrastructure.

This can be done directly from Zabbix (using its standard functionality) either on the administrator's command or automatically.

Plugin process steps

  • Using the Zabbix API, the plugin receives the list of installed packages and the name and version of the OS from every server in the infrastructure (if the "Vulners OS-Report" template is linked with them);
  • transmits the data to Vulners;
  • receives information on the vulnerabilities for each server;
  • processes the received information, aggregates it and sends it back to Zabbix via zabbix-sender;
  • finally, the result is displayed in Zabbix.
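
The aggregation step above, as an added example (not the plugin's own code). The finding tuples, bulletin ids, the item key vulners.score and the ranking order are constructed for illustration; only the `<host> <key> <value>` line layout is the real zabbix_sender input format.

```python
from collections import defaultdict

# Constructed sample: per-host findings as (package, bulletin id, CVSS score).
# Host names and bulletin ids are placeholders, not real advisories.
FINDINGS = {
    "web01": [("openssl-1.0.2k-8", "BULLETIN-A", 7.5),
              ("bash-4.2.46-28", "BULLETIN-B", 9.8)],
    "db01": [("openssl-1.0.2k-8", "BULLETIN-A", 7.5)],
    "cache01": [],
}

def aggregate(findings):
    """Build the views the page lists: per host, per bulletin, per package."""
    hosts = {}
    bulletins = defaultdict(lambda: {"cvss": 0.0, "hosts": set()})
    packages = defaultdict(lambda: {"cvss": 0.0, "hosts": set()})
    for host, items in findings.items():
        # Maximum CVSS score for each server; 0.0 when nothing was found.
        hosts[host] = max((score for _, _, score in items), default=0.0)
        for pkg, bulletin, score in items:
            for view, key in ((bulletins, bulletin), (packages, pkg)):
                view[key]["cvss"] = max(view[key]["cvss"], score)
                view[key]["hosts"].add(host)  # detailed list of affected hosts
    return hosts, dict(bulletins), dict(packages)

def ranked(view):
    """Order entries by CVSS, then by number of affected servers (assumed order)."""
    return sorted(view, key=lambda k: (-view[k]["cvss"], -len(view[k]["hosts"]), k))

def sender_lines(hosts, item_key="vulners.score"):
    """Format host scores as zabbix_sender input lines (hypothetical item key)."""
    return [f"{host} {item_key} {score}" for host, score in sorted(hosts.items())]
```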

Requirements

On zabbix-server host:

  • Python 3 (only for ztc scripts).
  • Python modules: pyzabbix, jpath, requests, vulners.
  • Zabbix version 3.4 is required to create a custom dashboard and a custom polling schedule.
  • Zabbix-sender utility for sending data to zabbix-server.
  • Zabbix-get utility for sending a command to fix vulnerabilities on the server.

On all the servers that require a vulnerability scan:

  • Zabbix-agent to collect data and run scripts.

Installation

RHEL, CentOS and other RPM-based operating systems

rpm -Uhv https://repo.vulners.com/redhat/vulners-repo.rpm

On zabbix-server host:

yum install zabbix-threat-control-main zabbix-threat-control-host

On all the servers that require a vulnerability scan:

yum install zabbix-threat-control-host

Debian and other Debian-based operating systems

wget https://repo.vulners.com/vulners-repo-py3.deb
dpkg -i vulners-repo-py3.deb

On zabbix-server host:

apt-get update && apt-get install zabbix-threat-control-main zabbix-threat-control-host

On all the servers that require a vulnerability scan:

apt-get update && apt-get install zabbix-threat-control-host

From source

On zabbix-server host:

git clone https://github.com/vulnersCom/zabbix-threat-control.git
mkdir -p /opt/monitoring/zabbix-threat-control
cp zabbix-threat-control/*.py /opt/monitoring/zabbix-threat-control/
cp zabbix-threat-control/*.conf /opt/monitoring/zabbix-threat-control/
chown -R zabbix:zabbix /opt/monitoring/zabbix-threat-control
chmod 640 /opt/monitoring/zabbix-threat-control/*.conf
touch /var/log/zabbix-threat-control.log
chown zabbix:zabbix /var/log/zabbix-threat-control.log
chmod 664 /var/log/zabbix-threat-control.log

On all the servers that require a vulnerability scan:

git clone https://github.com/vulnersCom/zabbix-threat-control.git
mkdir -p /opt/monitoring/
cp -R zabbix-threat-control/os-report /opt/monitoring/
chown -R zabbix:zabbix /opt/monitoring/os-report

Configuration

The configuration file is located here: /opt/monitoring/zabbix-threat-control/ztc.conf

Vulners credentials

To use Vulners API, you need an API key. To generate an API key, log in to Vulners, go to the userinfo space and click on the API KEYS tab. In the "Scope" field, select "scan", then click SAVE. The result should look something like this:

RGB9YPJG7CFAXP35PMDVYFFJPGZ9ZIRO1VGO9K9269B0K86K6XQQQR32O6007NUK

Now you need to add the Vulners API key into your configuration file (parameter VulnersApiKey).

VulnersApiKey = RGB9YPJG7CFAXP35PMDVYFFJPGZ9ZIRO1VGO9K9269B0K86K6XQQQR32O6007NUK

Zabbix credentials

In order to connect to Zabbix, specify the following in the configuration file:

  • the URL, username and password. Note that the user should have rights to create groups, hosts, and templates in Zabbix,
  • the domain name and port of the zabbix-server for pushing data using the zabbix-sender.

Below is an example of a valid config file:

ZabbixApiUser = yourlogin
ZabbixApiPassword = yourpassword
ZabbixFrontUrl = https://zabbixfront.yourdomain.com

ZabbixServerFQDN = zabbixserver.yourdomain.com
ZabbixServerPort = 10051
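
ztc.conf holds the Zabbix API password and the Vulners API key, so it is worth checking after installation. The audit below is an added example, not part of the plugin; the function names and the set of checks are assumptions, while the parameter names, the path and the 640 mode come from this page.

```python
import os
import stat
from urllib.parse import urlparse

REQUIRED = ("VulnersApiKey", "ZabbixApiUser", "ZabbixApiPassword",
            "ZabbixFrontUrl", "ZabbixServerFQDN", "ZabbixServerPort")
DOC_SAMPLES = {"yourlogin", "yourpassword"}  # sample values from the page

# The example config shown above, embedded as test input.
SAMPLE = """ZabbixApiUser = yourlogin
ZabbixApiPassword = yourpassword
ZabbixFrontUrl = https://zabbixfront.yourdomain.com

ZabbixServerFQDN = zabbixserver.yourdomain.com
ZabbixServerPort = 10051
"""

def audit_text(text, mode):
    """Return findings for ztc.conf content and its permission bits."""
    findings = []
    if mode & 0o137:  # any bit beyond rw-r----- (chmod 640 in the install steps)
        findings.append(f"mode {mode:o} is looser than 640")
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    for key in REQUIRED:
        if not conf.get(key):
            findings.append(f"{key} is missing or empty")
    url = conf.get("ZabbixFrontUrl", "")
    if url and urlparse(url).scheme != "https":
        findings.append("ZabbixFrontUrl is not https: API credentials cross the network in clear text")
    port = conf.get("ZabbixServerPort", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("ZabbixServerPort is not a valid TCP port")
    for key in ("ZabbixApiUser", "ZabbixApiPassword"):
        if conf.get(key) in DOC_SAMPLES:
            findings.append(f"{key} still holds the documentation sample value")
    return findings

def audit_ztc_conf(path="/opt/monitoring/zabbix-threat-control/ztc.conf"):
    """Audit the file on disk; the default path is the one given on this page."""
    with open(path, encoding="utf-8") as fh:
        return audit_text(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```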

Zabbix entity

  1. To create all the necessary objects in Zabbix, run the prepare.py script with parameters:
    /opt/monitoring/zabbix-threat-control/prepare.py -uvtda
    It will verify that zabbix-agent and zabbix-get utilities are configured correctly and create the following objects using Zabbix API:
      • A template used to collect data from servers.
      • Zabbix hosts for obtaining data on vulnerabilities.
      • An action to run the command for fixing the vulnerability.
      • A dashboard for displaying results.
  2. In the Zabbix web interface, link the "Vulners OS-Report" template with the hosts you want to scan for vulnerabilities.

Servers that require a vulnerability scan

Zabbix-agent must be able to execute remote commands. For this, change the parameters in the zabbix-agent configuration file /etc/zabbix/zabbix_agentd.conf:

EnableRemoteCommands=1
LogRemoteCommands=1

Zabbix-agent must be able to update packages as root. For this, add a line to the file /etc/sudoers:

zabbix ALL=(ALL) NOPASSWD: /usr/bin/yum -y update *
zabbix ALL=(ALL) NOPASSWD: /usr/bin/apt-get --assume-yes install --only-upgrade *
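
These two settings give the zabbix account remote command execution and root package updates, so a scanned host should carry exactly what is listed above and nothing broader. The check below is an added example, not part of the plugin: audit_agent and its finding strings are assumptions, and the allowed entries are the two sudoers lines from this page.

```python
# The only root commands this page grants to the zabbix user.
ALLOWED_SUDO = {
    "/usr/bin/yum -y update *",
    "/usr/bin/apt-get --assume-yes install --only-upgrade *",
}

# Inputs copied from this page, embedded so the example runs offline.
PAGE_AGENT_CONF = "EnableRemoteCommands=1\nLogRemoteCommands=1\n"
PAGE_SUDOERS = (
    "zabbix ALL=(ALL) NOPASSWD: /usr/bin/yum -y update *\n"
    "zabbix ALL=(ALL) NOPASSWD: /usr/bin/apt-get --assume-yes install --only-upgrade *\n"
)

def audit_agent(agent_conf, sudoers):
    """Compare zabbix_agentd.conf and sudoers text with what the page requires."""
    findings = []
    settings = {}
    for line in agent_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    # Remote commands without logging leave no record of what fix.py ran.
    if settings.get("EnableRemoteCommands") == "1" and settings.get("LogRemoteCommands") != "1":
        findings.append("remote commands enabled without LogRemoteCommands=1")
    for line in sudoers.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "zabbix" and "NOPASSWD:" in fields[1]:
            commands = fields[1].split("NOPASSWD:", 1)[1]
            for cmd in (c.strip() for c in commands.split(",")):
                if cmd not in ALLOWED_SUDO:
                    findings.append(f"unexpected sudo command for zabbix: {cmd}")
    return findings
```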

Execution

  • /opt/monitoring/os-report/report.py
    The plugin transfers the name, version, and installed packages of the operating system to Zabbix.
    Runs with zabbix-agent on all hosts to which the template "Vulners OS-Report" is linked.

  • /opt/monitoring/zabbix-threat-control/scan.py
    Processes raw data from Zabbix and Vulners and pushes it to the monitoring system using zabbix-sender.
    Runs with zabbix-agent on the zabbix-server via the item "Service item" on the host "Vulners - Statistics".

The above scripts are run once a day. The start-up time is selected randomly during the installation and does not change during operation.

  • /opt/monitoring/zabbix-threat-control/fix.py
    Runs commands to fix vulnerabilities on servers. It is executed as a remote command in the action "Vulners" in Zabbix.