Agent allow-list for checks and handlers without limiting the parameters

Hey folks, I want to use the check allow list for agents to only allow specific scripts for execution.

Is it possible to only restrict the scripts with no limitation of the parameters? My first tests with this are unsuccessful, therefore I assume it is not possible - but maybe I am doing something wrong.

I can specify several variations of the parameters, and the check execution is successful when one of these matches. That means I need to maintain and deploy the allow-list with every possible variation of parameters that could possibly run or that an admin is willing to execute.

In the case of a plugin like, for example, "check_load", I need to define and allow every possible combination for the 1, 5, 15 minute load average (i.e. "-w 3,2,1", "-w 4,3,2", "-w 5,4,3", "-c 4,3,2", "-c 5,4,3", "-c 6,5,4" …).

I understand the sense of allowing only specific parameters in this case, and maybe without this limitation a user can break out using a semicolon ("; /another/script.sh x y z"). Maybe a solution for this can be defining forbidden characters (e.g. ";", "$", "&", "#", …).

Is there a possibility to limit only the scripts but not the parameters?

Thanks in advance,
Christian


Unfortunately it doesn’t appear that this is currently possible. Your best recourse will be to submit a GitHub issue.
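
The idea raised in the question (allow-list the script, leave the parameters free, restrict dangerous characters) can be sketched as a validation wrapper. This is an added example, not part of the thread and not a feature of the agent; the plugin paths, the character set and all function names are assumptions. It permits a fixed set of argument characters instead of forbidding a few, and runs the check without a shell.

```python
import re
import subprocess

# Constructed sample allow-list: absolute script paths only, no argument variants.
ALLOWED_EXECUTABLES = frozenset({
    "/usr/lib/nagios/plugins/check_load",
    "/usr/lib/nagios/plugins/check_disk",
})

# Arguments may contain only these characters. Allow-listing characters is
# stricter than forbidding ";", "$", "&", "#": anything not named is rejected.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.,:=/%@+-]+")


class CommandRejected(Exception):
    """Raised when a check command is not permitted."""


def validate_command(command: str) -> list[str]:
    """Split a check command into argv, or raise CommandRejected."""
    argv = command.split()
    if not argv:
        raise CommandRejected("empty command")
    # Exact match on the full path: no PATH lookup, no prefix matching.
    if argv[0] not in ALLOWED_EXECUTABLES:
        raise CommandRejected(f"executable not allowed: {argv[0]!r}")
    for arg in argv[1:]:
        if not SAFE_ARG.fullmatch(arg):
            raise CommandRejected(f"argument has forbidden characters: {arg!r}")
    return argv


def is_allowed(command: str) -> bool:
    """Boolean form of validate_command for policy checks and tests."""
    try:
        validate_command(command)
        return True
    except CommandRejected:
        return False


def run_check(command: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run an allowed check without a shell, so argv is never re-parsed."""
    argv = validate_command(command)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
```

Because `run_check` passes an argv list with `shell=False`, a stray `;` would reach the plugin as a literal argument even without the character filter. Unrestricted parameters still expose every option the allowed plugin accepts, so plugins with options that read files or run commands need a tighter policy.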