NET-SNMP - NET Simple Network Management Protocol

[Ref: OpenBSD 5.0, net-snmp 5.7, OpenBSD SNMP MIBs]

From net-snmp:

Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6.

These guides are for using OpenBSD, so we're interested in using Packet Mischief's collection of MIBs for OpenBSD.

Installation

To simplify your ability to maintain your system installations, Packet Mischief's instructions incorporate the MIBs into a package to install from:

Packet Mischief's SNMP MIBs

  1. Install the ports system
  2. Download and extract the packetmischief patches
  3. Patch the port
  4. Install the port

Follow the instructions for installing the correct version of the ports system (i.e. 5.0 for our instructions). There are patches to the RELEASE 5.0 port, so make sure you've checked the OpenBSD SNMP MIBs page for the patch, or have downloaded the STABLE 5.0 ports.

# mkdir -p /usr/ports/mystuff/net
# cd /usr/ports/mystuff/net
# cp -R /usr/ports/net/net-snmp .
# cd net-snmp
# ftp http://www.packetmischief.ca/files/openbsd/snmp/obsd-mibs50.tar
# tar -xf obsd-mibs50.tar
# patch < obsd-mibs.diff
# make install
The following new rcscripts were installed: /etc/rc.d/netsnmpd /etc/rc.d/netsnmptrapd
See rc.d(8) for details

Note: The port stores configuration files in /etc/snmp/snmpd.conf whereas the base snmp configuration is stored in /etc/snmpd.conf.

README.snmpv3

There's a readme file for SNMPv3. We want to use SNMPv3 exclusively, so let's just do it that way; read the docs.

Start/Re-Start SNMPD

[Ref: snmpd.conf(5)]

The default configuration for NET-SNMPD is stored in /etc/snmp/snmpd.conf. By default, the service is configured to listen only on localhost:

File extract: /etc/snmp/snmpd.conf

agentAddress udp:127.0.0.1:161

Start net-snmpd using the rc.d(8) script:

/etc/rc.d/netsnmpd start
netsnmpd(ok)

Configuration

[Ref: snmpconf(5)]

Create a basic configuration for your system using snmpconf, backup

Configuration files are stored in:

  • /etc/snmp/snmpd.conf

Data files are stored variously in:

  • /var/net-snmpd/
  • /usr/local/share/snmp/

User Accounts

[Ref: README.snmpv3, net-snmp-config(1)]

We don't want random network users accessing our SNMPD processes; to protect our data we want to use encryption and authentication.

There are two methods for creating the user accounts that SNMPv3 authenticates against:

  1. net-snmp-config --create-snmpv3-user, which requires that the snmpd daemon not be running
  2. snmpusm

net-snmp-config

Managing accounts through net-snmp-config requires no running snmp daemons. This works well when initially installing your agent, but obviously has problems if you want to create accounts without disabling your snmpd agent.

WARNING: Deleting users requires manually editing configuration files

STOP net-snmpd using the rc.d(8) script:

/etc/rc.d/netsnmpd stop
netsnmpd(ok)

CREATE the user rwUserName with read-write privileges:

# net-snmp-config --create-snmpv3-user -a "rwUserPassword" rwUserName
adding the following line to /var/net-snmp/snmpd.conf
   createUser rwUserName MD5 "rwUserPassword" DES
adding the following line to /usr/local/share/snmp/snmpd.conf
   rwuser rwUserName

Remembering the warning about configuration files, we can verify that our user account has been created by viewing the configuration files mentioned:

File extract: /var/net-snmp/snmpd.conf

usmUser 1 3 0xHEX "rwUserName" "rwUserName" NULL ... 0xHEX

File extract: /usr/local/share/snmp/snmpd.conf

rwuser rwUserName
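The 0xHEX fields in /var/net-snmp/snmpd.conf are the user's authentication and privacy keys, localized to this agent's engineID; that is why the pass phrase itself disappears from the file once snmpd has processed the createUser line. As an added example (not code from the page or from net-snmp), the following Python reproduces that derivation as RFC 3414 specifies it (appendix A.2 password-to-key, appendix A.3 key localization) and checks it against the RFC's own "maplesyrup" test vector; the engineID used is the RFC's test value, not one read from a host.

```python
# Added example (not from the page or net-snmp): derive the SNMPv3 USM keys
# that snmpd stores in /var/net-snmp/snmpd.conf in place of a createUser line.
# Follows RFC 3414 appendix A.2 (password_to_key) and A.3 (key localization).
import hashlib


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Expand the pass phrase to exactly 1 MiB by repetition and hash it (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty pass phrase")
    mega = 1024 * 1024
    repeats = mega // len(password) + 1
    stream = (password * repeats)[:mega]      # same byte stream the RFC's loop feeds in
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the user key to one agent: Kul = H(Ku || engineID || Ku) (RFC 3414 A.3)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, hash_name: str = "md5") -> dict:
    """Return the user key (Ku) and the agent-localized key (Kul) as hex strings."""
    ku = password_to_key(password.encode(), hash_name)
    return {"Ku": ku.hex(), "Kul": localize_key(ku, engine_id, hash_name).hex()}


# RFC 3414 appendix A test vector (taken from the RFC, not from this page).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, usm_keys(RFC_PASSWORD, RFC_ENGINE_ID, alg))
```

The design point for the operator: because the persistent file holds the localized keys rather than the pass phrase, whoever can read that file can authenticate to this agent as that user, so its permissions matter as much as the pass phrase's strength. Localization also means the same pass phrase yields a different key on every agent, which is why a usmUser line copied between hosts will not work.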

From the manpage: net-snmp-config(1)

--create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES]
[-A MD5|SHA] [username] 

Create the user roUserName with read-only privileges:

# net-snmp-config --create-snmpv3-user -ro -a "roUserPassword" roUserName
adding the following line to /var/net-snmp/snmpd.conf
   createUser roUserName MD5 "roUserPassword" DES
adding the following line to /usr/local/share/snmp/snmpd.conf
   rouser roUserName

File extract: /usr/local/share/snmp/snmpd.conf

rwuser rwUserName
rouser roUserName

snmpusm

[Ref: snmpusm(1)]

snmpusm is another tool for creating and maintaining SNMPv3 users.

snmpusm is an SNMP application that can be used to do simple maintenance on the users known to an SNMP agent, by manipulating the agent's User-based Security Module (USM) table. The user needs write access to the usmUserTable MIB table. This tool can be used to create, delete, and change the passphrase of users configured on a running SNMP agent.

Refer to the documentation for how to use this command.

Basic Queries

Our first test is straight from the documentation, getting sysUpTime:

# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (16504) 0:02:45:04

From the manpage:

-v 1 | 2c | 3 
    Specifies the protocol version to use: 1 (RFCs 1155-1157), 2c (RFCs 1901-1908), or 3 
    (RFCs 2571-2574). The default is typically version 3. Overrides the defVersion token in 
    the snmp.conf file. 
-u secName 
    Set the securityName used for authenticated SNMPv3 messages. Overrides the defSecurityName 
    token in the snmp.conf file. 
-l secLevel 
    Set the securityLevel used for SNMPv3 messages (noAuthNoPriv|authNoPriv|authPriv). 
    Appropriate pass phrase(s) must be provided when using any level higher than noAuthNoPriv. 
    Overrides the defSecurityLevel token in the snmp.conf file. 
-a authProtocol 
    Set the authentication protocol (MD5 or SHA) used for authenticated SNMPv3 messages. 
    Overrides the defAuthType token in the snmp.conf file. 
-A authPassword 
    Set the authentication pass phrase used for authenticated SNMPv3 messages. Overrides 
    the defAuthPassphrase token in the snmp.conf file. It is insecure to specify pass phrases 
    on the command line, see snmp.conf(5). 
  • localhost is the AGENT, the network entity being queried (127.0.0.1 for localhost, or an IP address for an external agent.)
  • sysUpTime.0 is the object we query the agent for.

The next query is to test whether we can get some of the OpenBSD specific details, such as whether pf is running.

# export MIBS="+OPENBSD-PF-MIB"
# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost \
  .enterprises.openBSD.pfMIBObjects.info.running.0
OPENBSD-PF-MIB::running.0 = INTEGER: true(1)

Magic Cookies?

OK, we've introduced some magic cookies above, so we'll just investigate them as a noob and see whether we can get some direction on how to use and get these magic cookies.

From the hint of the above export MIBS="" line (net-snmp reads the MIBS environment variable; a leading + adds the named module to the default list, and the module's file is looked up in the MIB directory, /usr/local/share/snmp/mibs for this port), we can look at OPENBSD-PF-MIB.txt for the object definitions behind our queries:

The OPENBSD-PF-MIB file imports from OPENBSD-BASE-MIB and defines a MODULE-IDENTITY pfMIBObjects, which is anchored under openBSD, i.e. ::= { openBSD 1 }

  • openBSD->pfMIBObjects->

The openBSD MODULE-IDENTITY is defined in the MIB file OPENBSD-BASE-MIB.txt and is anchored under enterprises, i.e. ::= { enterprises 64512 }

  • enterprises->openBSD->pfMIBObjects

enterprises in turn is imported from, and defined in, SNMPv2-SMI.txt as ::= { private 1 }, near the root of the tree.

  • .private->enterprises->openBSD->pfMIBObjects
  • which in practice is equivalent to .enterprises->openBSD->pfMIBObjects

The MIB file defines further sections/objects, including info (shown above) and stateTable (which we look at further down.)

  • .enterprises->openBSD->pfMIBObjects->info
  • .enterprises->openBSD->pfMIBObjects->stateTable

Now, we can read through the MIB file and look at the object stateTable, find further definitions of the object and come up with stateTable.count to find out whether we can read that value as well:

# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost \
  .enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2

which we can then compare with

# pfctl -si
Status: Enabled for ...

State Table                 Total
  current entries               2
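The walk above (enterprises -> openBSD -> pfMIBObjects -> stateTable -> count) is exactly what the MIB parser in snmpget does when it turns the symbolic path into a numeric OID. As an added example, not code from the page, net-snmp or OpenBSD, the following Python does the same resolution over a constructed MIB excerpt by reading the "::= { parent N }" anchors. The anchors for enterprises, openBSD and pfMIBObjects are the ones quoted above and private ::= { internet 4 } comes from SNMPv2-SMI; the sub-identifiers chosen for info, stateTable, running and count are illustrative placeholders and should be read from the installed OPENBSD-PF-MIB.txt.

```python
# Added example (not code from the page, net-snmp or OpenBSD): resolve the
# symbolic OID path used by the snmpget queries into dotted numbers by
# following the "::= { parent N }" anchors found in MIB text.
import re

# Constructed MIB excerpt. enterprises/openBSD/pfMIBObjects anchors are the
# ones the page quotes; the sub-ids under pfMIBObjects are illustrative only.
MIB_EXCERPT = """
private            OBJECT IDENTIFIER ::= { internet 4 }
enterprises        OBJECT IDENTIFIER ::= { private 1 }

openBSD MODULE-IDENTITY
    LAST-UPDATED "201112310000Z"
    DESCRIPTION "constructed excerpt"
    ::= { enterprises 64512 }

pfMIBObjects MODULE-IDENTITY
    LAST-UPDATED "201112310000Z"
    DESCRIPTION "constructed excerpt"
    ::= { openBSD 1 }

info        OBJECT IDENTIFIER ::= { pfMIBObjects 1 }
stateTable  OBJECT IDENTIFIER ::= { pfMIBObjects 3 }

running OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Whether pf is enabled (constructed)"
    ::= { info 1 }

count OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Entries in the state table (constructed)"
    ::= { stateTable 1 }
"""

# iso(1).org(3).dod(6).internet(1), the root SNMPv2-SMI hangs everything from.
ROOTS = {"internet": "1.3.6.1"}

# name <kind> ... ::= { parent subid }, non-greedy up to the first "::=".
_DEF = re.compile(
    r"^([A-Za-z][\w-]*)\s+(?:MODULE-IDENTITY|OBJECT-TYPE|OBJECT-IDENTITY|OBJECT IDENTIFIER)\b"
    r".*?::=\s*\{\s*([A-Za-z][\w-]*)\s+(\d+)\s*\}",
    re.MULTILINE | re.DOTALL,
)


def parse_anchors(mib_text: str) -> dict:
    """Map each defined name to its (parent, subid) anchor."""
    return {name: (parent, int(subid)) for name, parent, subid in _DEF.findall(mib_text)}


def numeric_oid(name: str, anchors: dict, roots: dict = ROOTS) -> str:
    """Follow parent links up to a known root and return the dotted numeric OID."""
    if name in roots:
        return roots[name]
    if name not in anchors:
        raise KeyError(f"{name} is not defined in the loaded MIB text")
    parent, subid = anchors[name]
    return f"{numeric_oid(parent, anchors, roots)}.{subid}"


def resolve_path(path: str, anchors: dict) -> str:
    """Resolve e.g. '.enterprises.openBSD.pfMIBObjects.stateTable.count.0'.

    Named labels are resolved through their anchors; numeric labels (instance
    indexes such as the trailing .0) are appended as written. Each named label
    must lie below the previous one, otherwise the path is rejected.
    """
    oid = None
    for label in path.strip(".").split("."):
        if label.isdigit():
            if oid is None:
                raise ValueError("path must start with a named label")
            oid += "." + label
            continue
        full = numeric_oid(label, anchors)
        if oid is not None and not full.startswith(oid + "."):
            raise ValueError(f"{label} ({full}) is not below {oid}")
        oid = full
    return oid


if __name__ == "__main__":
    anchors = parse_anchors(MIB_EXCERPT)
    for p in (".enterprises.openBSD.pfMIBObjects.info.running.0",
              ".enterprises.openBSD.pfMIBObjects.stateTable.count.0"):
        print(p, "->", resolve_path(p, anchors))
```

With the real MIB files loaded, snmptranslate -On does this lookup for you and is the quickest way to confirm that a symbolic path names the object you think it does before relying on it in monitoring.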

Encrypting

[Ref: snmpcmd(1)]

To encrypt the transmission of the data between the client and server, add the command-line options -x privProtocol -X privPassword and raise the security level to authPriv. With -l authNoPriv the privacy options are ignored and the exchange still travels in the clear, so of the two queries below only the second is actually encrypted:

# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword -X rwUserPassword localhost \
  .enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2
# snmpget -v 3 -u rwUserName -l authPriv -a MD5 -A rwUserPassword -X rwUserPassword localhost \
  .enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2

From the manpage:

-x privProtocol
    Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages. Overrides the 
    defPrivType token in the snmp.conf file. This option is only valid if the Net-SNMP software 
    was built to use OpenSSL. 
-X privPassword
    Set the privacy pass phrase used for encrypted SNMPv3 messages. Overrides the defPrivPassphrase 
    token in the snmp.conf file. It is insecure to specify pass phrases on the command line, 
    see snmp.conf(5). 

From the manpage: snmp.conf(5)

defAuthPassphrase STRING
defPrivPassphrase STRING
    define the default authentication and privacy pass phrases to use for SNMPv3 requests. These
    can be overridden using the -A and -X options respectively.
    The defPassphrase value will be used for authentication and/or privacy pass phrases
    if either of the other directives are not specified.
defAuthType MD5|SHA
defPrivType DES|AES
    define the default authentication and privacy protocols to use for SNMPv3 requests. These can 
    be overridden using the -a and -x options respectively.
    If not specified, SNMPv3 requests will default to MD5 authentication and DES encryption.
       Note: If the software has not been compiled to use the OpenSSL libraries, then
       only MD5 authentication is supported. Neither SHA authentication nor any form
       of encryption will be available.

Remote Access

Of course, it's nice to have snmpd running on your localhost, but you could have grabbed all that information in a more straightforward manner. The key value is being able to get at this information from outside your box.

The default OpenBSD port configuration is to listen only on localhost:

agentAddress udp:127.0.0.1:161

Allow Connection

[Ref: snmpd.conf(5)]

We need the snmpd agent to listen for external connections.

File extract: /etc/snmp/snmpd.conf

agentAddress udp:161,udp6:[::1]:161

The above change tells the agent to listen on UDP port 161 on all IPv4 interfaces and addresses (udp:161), and on UDP port 161 on the IPv6 loopback address only (udp6:[::1]:161, since an explicit address binds just that address). To accept IPv6 queries from other hosts as well, use udp6:161.

You can obviously narrow that down on multi-interface hosts (such as to listen only on a specific IP address.)

From the manpage:

agentaddress [<transport-specified>:]<transport-address>[,...]
    defines a list of listening addresses, on which to receive incoming SNMP requests. 
    See the section LISTENING ADDRESSES in the snmpd(8) manual page for more information 
    about the format of listening addresses. 
    The default behaviour is to listen on UDP port 161 on all IPv4 interfaces. 

Stop and start net-snmpd using the rc.d(8) script:

/etc/rc.d/netsnmpd stop
/etc/rc.d/netsnmpd start
netsnmpd(ok)

The daemon is listening, but you obviously still have to make sure that your firewall is not blocking access from the client you want to test with.
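Before opening the firewall it is worth knowing exactly which addresses the agent will bind and whether a read-write user is reachable over them. The following Python is an added example, not code from the page or from net-snmp: it parses agentAddress specs the way snmpd(8)'s LISTENING ADDRESSES section describes them (transport:, bare port, host:port, and the bracketed IPv6 form), classifies each listener as loopback, all-addresses or a specific address, and reports when an rwuser is exposed beyond loopback. The snmpd.conf text it reads is constructed for the example; the function names are the example's own.

```python
# Added example (not code from the page or net-snmp): parse the agentAddress
# directive of an snmpd.conf and report which listeners reach beyond loopback.
# The sample configuration is constructed for this example.

SAMPLE_SNMPD_CONF = """\
# constructed sample, not the port's shipped file
agentAddress udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161
rwuser rwUserName
rouser roUserName
"""

TRANSPORTS = ("udp6", "tcp6", "udp", "tcp")   # longer names first
DEFAULT_PORT = 161


def parse_listener(spec: str) -> tuple:
    """Split one listening address into (transport, host, port, scope).

    host is None when the agent binds every address of that family;
    scope is 'loopback', 'all' or 'specific'.
    """
    transport = "udp"                              # snmpd's default transport
    rest = spec.strip()
    for t in TRANSPORTS:
        if rest.startswith(t + ":"):
            transport, rest = t, rest[len(t) + 1:]
            break
    if rest.startswith("["):                       # udp6:[addr]:port
        host, _, tail = rest[1:].partition("]")
        port = int(tail[1:]) if tail.startswith(":") else DEFAULT_PORT
    elif rest.isdigit():                           # udp:161 -> every address
        host, port = None, int(rest)
    elif ":" in rest:                              # udp:host:port
        host, _, port = rest.rpartition(":")
        port = int(port)
    else:                                          # udp:host
        host, port = rest, DEFAULT_PORT
    if host is None:
        scope = "all"
    elif host == "::1" or host.startswith("127."):
        scope = "loopback"
    else:
        scope = "specific"
    return transport, host, port, scope


def audit_snmpd_conf(text: str) -> dict:
    """Collect listeners and users; flag read-write access reachable off-host."""
    listeners, users = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()                          # snmpd tokens are case-insensitive
        if key == "agentaddress":
            listeners += [parse_listener(s) for s in value.split(",") if s.strip()]
        elif key in ("rwuser", "rouser"):
            users.append((key, value.split()[0]))
    exposed = [l for l in listeners if l[3] != "loopback"]
    rw = [name for kind, name in users if kind == "rwuser"]
    findings = []
    if exposed and rw:
        where = ", ".join("%s:%s:%d" % (t, h or "*", p) for t, h, p, _ in exposed)
        findings.append("read-write user(s) %s reachable on %s" % (", ".join(rw), where))
    return {"listeners": listeners, "users": users, "findings": findings}


if __name__ == "__main__":
    report = audit_snmpd_conf(SAMPLE_SNMPD_CONF)
    for l in report["listeners"]:
        print("listener", l)
    for f in report["findings"]:
        print("finding:", f)
```

Run against the port's default udp:127.0.0.1:161 the report is empty; with the all-interfaces line it names the read-write user as reachable, which is the cue to restrict the listener to the management address or to pair the change with a pf rule that only admits the monitoring host on UDP 161.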

Sample

If our above sample agent is on host 10.9.0.25, then the following will connect to it and query the agent.

# snmpget -v 3 -u rwUserName -l authPriv -a MD5 -A rwUserPassword -X rwUserPassword 10.9.0.25 \
  .enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2