Open-Future is Zabbix certified training center! Not really hot news anymore because we are for some years now. But we recently renewed our certification, once more!
Red Hat reports a flow in sudo. They found a heap-based buffer overflow in the way sudo parses command line arguments. This flaw is exploitable by any local user. Counts for normal users and system users, sudo-ers and non-sudo-ers, without authentication. Meaning: the attacker does not need to know the user’s password. Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Recently, Whatsapp pushed their new privacy policy where they announced to share more data with Facebook, causing an exodus to other platforms, where Signal is one of the more popular ones, among Telegram. Both are great alternatives, but I prefer Signal due to the open-source part, end to end encryption, and last but not least: their business model (living on donations instead of selling your data) and not to forget: we can use Zabbix getting your notifications via Signal.
Typically, Zabbix is sending notifications to whatever medium you’ve chosen if a problem is detected. We all know the Email messages, the various webhook integrations with Slack/MS Teams/ Jira, etc, perhaps even some text message integrations and such. Now, if we’re migrating to Signal, we suddenly have access to the Signal API and can utilize it to receive Zabbix notifications. Nice!
There is only one drawback. You need a separate phone number to register against Signal. Don’t use your own phone number – unless you want to lose the ability to use Signal ;(
There are various ways to get a phone number for this purpose:
Use the phone number of your current SMS gateway
Use the company phone number (a lot of cloud PBX are providing the option to receive the verification email)
You just need to receive one text message, the rest of the communications will go via the internet
Time to get rid of Whatsapp and move to Signal! But… How to use Signal to get your notifications?
Signal-cli
Although we could built everything from scratch, talking to the API of Signal, there is a nice implementation available in order to talk to Signal within a few minutes: Signal-cli
Although this github page is very comprehensive in order to get Signal-cli installed, but of course it is not doing anything with Zabbix.
Configuration tasks
For this guide, we’re using:
Centos 8
Zabbix 5.2
signal-cli installation
First, lets install the Signal-cli utility, and in order to do so we need to resolve the dependency of Java by installing the openjdk application:
dnf -y install java-11-openjdk-devel.x86_64
After this installation, we should be good to continue with the installation of signal-cli. According to their installation guide, this should be sufficient:
At the time of writing, the most recent version is 0.7.3, and that’s what we’re installing here. If in the future a new version is released, of course you should install that!
If everything went as expected, we should be able to register ourself to Signal.
signal-cli registration
Since we want to execute these commands by Zabbix, we must make sure the registration is done with the correct user on the Zabbix server, otherwise you will get the following error message:
(ERROR App – User +19293771253 is not registered.)
In order to prevent this error, lets do the authentication against Signal as Zabbix user:
Important: The USERNAME (your phone number) must include the country calling code, i.e. the number must start with a “+” sign and you must replace everything between the < > in the following examples with your own values
You will see the message id as output. Simply ignore it, since it’s not relevant at this point.
Within seconds:
It works! Great.
So now we’ve got this part covered, time to get the AlertScript set up, before heading to the frontend.
Zabbix AlertScript setup
Ok, so now we’ve got the registration done, we need to make sure Zabbix can utilise it. In order to do so, we use a very old method. Although it would’ve made more sense to use the webhook option, that means I had to built the communication with Signal from scratch.
So AlertScripts it is. In your terminal/SSH session with the Zabbix server open a new file with this command: vi /usr/lib/zabbix/alertscripts/signal.sh and insert the following contents:
don’t forget to configure some Message templates as well (second tab in the Mediatype configuration). You can just use the defaults if you click on ‘add’
Zabbix media configuration
Next step. Navigate to Administration -> Users (or just open your own user profile) and create a new media:
Type: Signal
Sendto: <your number>
When active / severity as per needs
Important: The USERNAME (your phone number) must include the country calling code, i.e. the number must start with a “+” sign
We’re almost there, just some configuration on the actions
Zabbix action configuration
This step is only needed if you are sending notifications right now via a specific mediatype. If you configured the ‘send only to’ option to ‘- All -‘ there is nothing to change, and it will work straight away!
Otherwise, navigate to Configuration -> Actions and find the action you want to change, and in the Operations, Recovery operations and Update operations change the ‘send only to’ option to ‘Signal’
Save your action and it’s time to test – Generate some problem to confirm the implementation actually works.
Wrap up
That’s it. By now you should have a working implementation where Zabbix is sending notifications to Signal. The setup was extremely straight forward and easy to configure. Nevertheless, if you need help getting this going, we (Opensource ICT Solutions) offer consultancy services as well, and are more than happy to help you out!
Managing windows with Puppet, not possible? Puppet manages over 2.2 million Windows servers across the world!
There is a lot more to effectively managing Windows than Group Policy and SCCM, and Puppet is here to help.
Join Puppet on 25 February 2021 from 10:00am SGT | 1:00pm AEDT for our upcoming webinar to find out the richness of our ecosystem for managing Windows with Puppet. Click here to register.
Open-Future invests since many years in being a top level partner of Red Hat. Linux and Open Source solutions are the key elements of our go to market. So we are all proud te be a Red Hat Container Platform Specialist. Thanks to all our consultants that made this possible!
Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. Explore the new official template for Microsoft Exchange Server 2016.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.