[Ref: OpenBSD 5.0, net-snmp 5.7, OpenBSD SNMP MIBs]
From net-snmp:
Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6.
These guides are for OpenBSD, so we're interested in Packet Mischief's collection of MIBs for OpenBSD.
To make your installations easier to maintain, Packet Mischief's instructions build the MIBs into a package that you install from:
Packet Mischief’s SNMP MIBs
Follow the instructions for installing the correct version of the ports system (i.e. 5.0 for our instructions). There are patches to the RELEASE 5.0 port, so make sure you've checked the OpenBSD SNMP MIBs for the patch, or have downloaded the STABLE 5.0 ports.
# mkdir -p /usr/ports/mystuff/net
# cd /usr/ports/mystuff/net
# cp -R /usr/ports/net/net-snmp .
# cd net-snmp
# ftp http://www.packetmischief.ca/files/openbsd/snmp/obsd-mibs50.tar
# tar -xf obsd-mibs50.tar
# patch < obsd-mibs.diff
# make install
The following new rcscripts were installed: /etc/rc.d/netsnmpd /etc/rc.d/netsnmptrapd
See rc.d(8) for details
Note: The port stores configuration files in /etc/snmp/snmpd.conf whereas the base snmp configuration is stored in /etc/snmpd.conf.
There's a README file for SNMPv3. We want to use SNMPv3 exclusively, so let's do it that way from the start; read the docs.
[Ref: snmpd.conf(5)]
The default configuration for net-snmpd is stored in /etc/snmp/snmpd.conf. By default, the service is configured to listen only on localhost:
File extract: /etc/snmp/snmpd.conf
agentAddress udp:127.0.0.1:161
Start net-snmpd using the rc.d(8) script:
/etc/rc.d/netsnmpd start
netsnmpd(ok)
[Ref: snmpd.conf(5) (http://www.net-snmp.org/docs/man/snmpd.conf.html), snmpconf(1)]
Create a basic configuration for your system using snmpconf, backup
Configuration files are stored in:
Data files are stored variously in:
[Ref: README.snmpv3, net-snmp-config(1)]
We don't want random network users accessing our snmpd processes, so to protect our data we want to use both authentication and encryption.
There are two methods for creating the SNMPv3 user accounts that authentication relies on:
Managing accounts through net-snmp-config requires that no snmp daemon is running. This works well when initially installing your agent, but it is obviously a problem if you want to create accounts without stopping your snmpd agent.
WARNING: Deleting users requires manually editing configuration files
STOP net-snmpd using the rc.d(8) script:
/etc/rc.d/netsnmpd stop
netsnmpd(ok)
CREATE the user rwUserName with read-write privileges:
# net-snmp-config --create-snmpv3-user -a "rwUserPassword" rwUserName
adding the following line to /var/net-snmp/snmpd.conf
   createUser rwUserName MD5 "rwUserPassword" DES
adding the following line to /usr/local/share/snmp/snmpd.conf
   rwuser rwUserName
Remember the warning about configuration files, we can verify that our user account has been created by viewing the configuration files mentioned:
File extract: /var/net-snmp/snmpd.conf
usmUser 1 3 0xHEX "rwUserName" "rwUserName" NULL ... 0xHEX
File extract: /usr/local/share/snmp/snmpd.conf
rwuser rwUserName
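The usmUser line above is what the agent stored after converting the createUser line: the 0xHEX fields are the snmpEngineID and the pass phrase turned into keys localized to that engine. The following is an added example, not code from the guide or from net-snmp, that performs the same RFC 3414 password-to-key and key-localization steps; it uses the RFC's own "maplesyrup" test vector, and the second engine ID is made up.

```python
# Added example: reproduce how a SNMPv3 pass phrase becomes the localized
# key an agent keeps in /var/net-snmp/snmpd.conf (RFC 3414, section A.2).
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 stretches the pass phrase to 2**20 bytes


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(pass phrase repeated cyclically to exactly 1,048,576 bytes)."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key only works for one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_keys(auth_pass: bytes, engine_id: bytes, auth: str = "MD5",
                       priv_pass=None) -> dict:
    """Return the hex auth/priv keys an agent stores for a USM user.

    net-snmp's createUser with no separate privacy pass phrase reuses the
    authentication pass phrase for privacy, which is what the guide's
    'createUser rwUserName MD5 "rwUserPassword" DES' line does.
    """
    hash_name = {"MD5": "md5", "SHA": "sha1"}[auth]
    if priv_pass is None:
        priv_pass = auth_pass
    auth_kul = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_kul = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
    return {"auth": "0x" + auth_kul.hex(), "priv": "0x" + priv_kul.hex()}


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: pass phrase "maplesyrup", engine ID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print(usm_localized_keys(b"maplesyrup", rfc_engine)["auth"])
    # -> 0x526f5eed9fcce26f8964c2930787d82b
    # The same pass phrase gives a different key on another engine (a made-up
    # engine ID here). The stored key is enough to authenticate to *this*
    # agent as this user, so the persistent file needs the same protection
    # as the pass phrase itself.
    other_engine = bytes.fromhex("800007e580d8c7d0cf4e0d8a4f")
    print(usm_localized_keys(b"maplesyrup", other_engine)["auth"])
```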
From the manpage: net-snmp-config(1)
--create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES] [-A MD5|SHA] [username]
Create the user roUserName with read-only privileges:
# net-snmp-config --create-snmpv3-user -ro -a "roUserPassword" roUserName
adding the following line to /var/net-snmp/snmpd.conf
   createUser roUserName MD5 "roUserPassword" DES
adding the following line to /usr/local/share/snmp/snmpd.conf
   rouser roUserName
File extract: /usr/local/share/snmp/snmpd.conf
rwuser rwUserName
rouser roUserName
[Ref: snmpusm(1)]
snmpusm is another tool for creating and maintaining SNMPv3 users.
snmpusm is an SNMP application that can be used to do simple maintenance on the users known to an SNMP agent, by manipulating the agent’s User-based Security Module (USM) table. The user needs write access to the usmUserTable MIB table. This tool can be used to create, delete, and change the passphrase of users configured on a running SNMP agent.
Refer to the documentation for how to use this command.
Our first test is straight from the documentation: getting sysUpTime.
# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (16504) 0:02:45:04
From the manpage:
-v 1 | 2c | 3
    Specifies the protocol version to use: 1 (RFCs 1155-1157), 2c (RFCs 1901-1908), or 3 (RFCs 2571-2574). The default is typically version 3. Overrides the defVersion token in the snmp.conf file.
-u secName
    Set the securityName used for authenticated SNMPv3 messages. Overrides the defSecurityName token in the snmp.conf file.
-l secLevel
    Set the securityLevel used for SNMPv3 messages (noAuthNoPriv|authNoPriv|authPriv). Appropriate pass phrase(s) must be provided when using any level higher than noAuthNoPriv. Overrides the defSecurityLevel token in the snmp.conf file.
-a authProtocol
    Set the authentication protocol (MD5 or SHA) used for authenticated SNMPv3 messages. Overrides the defAuthType token in the snmp.conf file.
-A authPassword
    Set the authentication pass phrase used for authenticated SNMPv3 messages. Overrides the defAuthPassphrase token in the snmp.conf file. It is insecure to specify pass phrases on the command line, see snmp.conf(5).
The next query is to test whether we can get some of the OpenBSD specific details, such as whether pf is running.
# export MIBS="+/usr/local/share/snmp/mibs/OPENBSD-PF-MIB.txt"
# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost \
.enterprises.openBSD.pfMIBObjects.info.running.0
OPENBSD-PF-MIB::running.0 = INTEGER: true(1)
OK, we've introduced some magic values above (the MIB file and the symbolic object path), so let's investigate as a newcomer would and work out where they come from and how to use them.
Following the hint in the export MIBS= line above, we can look in OPENBSD-PF-MIB.txt for the definitions of the objects used in our queries:
The OPENBSD-PF-MIB file imports from OPENBSD-BASE-MIB and defines a MODULE-IDENTITY pfMIBObjects that is anchored under openBSD, i.e. ::= { openBSD 1 }
The openBSD MODULE-IDENTITY is defined in the MIB file OPENBSD-BASE-MIB.txt and is anchored under enterprises, i.e. ::= { enterprises 64512 }
enterprises in turn is defined in SNMPv2-SMI.txt as ::= { private 1 }, which descends from the root of the tree.
The MIB file defines several groups of objects, including info (queried above) and stateTable (which we'll look at next).
Now we can read through the MIB file, look at the object stateTable, follow its definitions further down and arrive at stateTable.count, to find out whether we can read that value as well:
# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword localhost \
.enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2
which we can then compare with
# pfctl -si
Status: Enabled for ...
State Table                          Total
  current entries                        2
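The chain of ::= { parent n } assignments walked through above is exactly what the snmp tools follow to turn .enterprises.openBSD.pfMIBObjects.stateTable.count.0 into a numeric OID. The following is an added example, not code from the guide or from net-snmp, that resolves such one-line assignments: the SNMPv2-SMI roots plus the openBSD and pfMIBObjects lines are as quoted above, while the sub-identifiers of info, running, stateTable and count are constructed placeholders, not the real values from OPENBSD-PF-MIB.txt.

```python
# Added example: a tiny resolver for "name ... ::= { parent n }" MIB assignments.
import re

# Constructed MIB fragment (one-line assignments only). Roots are from
# SNMPv2-SMI; openBSD/pfMIBObjects are as quoted in the guide; the last
# four sub-identifiers are PLACEHOLDERS, check OPENBSD-PF-MIB.txt for the real ones.
MIB_FRAGMENT = """
org            OBJECT IDENTIFIER ::= { iso 3 }
dod            OBJECT IDENTIFIER ::= { org 6 }
internet       OBJECT IDENTIFIER ::= { dod 1 }
private        OBJECT IDENTIFIER ::= { internet 4 }
enterprises    OBJECT IDENTIFIER ::= { private 1 }
openBSD        MODULE-IDENTITY   ::= { enterprises 64512 }
pfMIBObjects   MODULE-IDENTITY   ::= { openBSD 1 }
info           OBJECT IDENTIFIER ::= { pfMIBObjects 1 }
running        OBJECT-TYPE       ::= { info 1 }
stateTable     OBJECT IDENTIFIER ::= { pfMIBObjects 2 }
count          OBJECT-TYPE       ::= { stateTable 1 }
"""
ASSIGN_RE = re.compile(r"^\s*(\w[\w-]*)\s+.*?::=\s*\{\s*(\w[\w-]*)\s+(\d+)\s*\}", re.M)


def parse_assignments(text):
    """Map each defined name to its (parent, sub-identifier) pair."""
    return {name: (parent, int(sub)) for name, parent, sub in ASSIGN_RE.findall(text)}


def resolve_name(tree, name):
    """Follow parents up to the iso root and return the dotted numeric OID."""
    subs = []
    while name != "iso":
        if name not in tree:
            raise KeyError(f"{name} is not defined in the loaded MIB files")
        name, sub = tree[name]
        subs.append(sub)
    return ".".join(["1"] + [str(s) for s in reversed(subs)])


def resolve_path(tree, path):
    """Resolve a symbolic path like .enterprises.openBSD.pfMIBObjects.stateTable.count.0.

    Every symbolic label must be the direct child of the label before it;
    a trailing numeric instance index such as .0 is appended unchanged.
    """
    labels = path.strip(".").split(".")
    symbolic = [label for label in labels if not label.isdigit()]
    for parent, child in zip(symbolic, symbolic[1:]):
        if tree.get(child, (None,))[0] != parent:
            raise ValueError(f"{child} is not defined directly under {parent}")
    return ".".join([resolve_name(tree, symbolic[-1])] + labels[len(symbolic):])


TREE = parse_assignments(MIB_FRAGMENT)
if __name__ == "__main__":
    print(resolve_path(TREE, ".enterprises.openBSD.pfMIBObjects.stateTable.count.0"))
```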
[Ref: snmpcmd(1)]
To encrypt the data exchanged between the client and the agent, add the command line options -x privProtocol -X privPassword and raise the security level to authPriv. The first query below still uses -l authNoPriv, so the privacy pass phrase is accepted but the exchange travels in the clear; only the authPriv query is actually encrypted:
# snmpget -v 3 -u rwUserName -l authNoPriv -a MD5 -A rwUserPassword -X rwUserPassword localhost \
.enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2
# snmpget -v 3 -u rwUserName -l authPriv -a MD5 -A rwUserPassword -X rwUserPassword localhost \
.enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2
From the manpage:
-x privProtocol
    Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages. Overrides the defPrivType token in the snmp.conf file. This option is only valid if the Net-SNMP software was built to use OpenSSL.
-X privPassword
    Set the privacy pass phrase used for encrypted SNMPv3 messages. Overrides the defPrivPassphrase token in the snmp.conf file. It is insecure to specify pass phrases on the command line, see snmp.conf(5).
From the manpage: snmp.conf(5)
defAuthPassphrase STRING
defPrivPassphrase STRING
    define the default authentication and privacy pass phrases to use for SNMPv3 requests. These can be overridden using the -A and -X options respectively. The defPassphrase value will be used for authentication and/or privacy pass phrases if either of the other directives are not specified.
defAuthType MD5|SHA
defPrivType DES|AES
    define the default authentication and privacy protocols to use for SNMPv3 requests. These can be overridden using the -a and -x options respectively. If not specified, SNMPv3 requests will default to MD5 authentication and DES encryption. Note: If the software has not been compiled to use the OpenSSL libraries, then only MD5 authentication is supported. Neither SHA authentication nor any form of encryption will be available.
Of course, it's nice to have snmpd running on your localhost, but you could have grabbed all that information in a more straightforward manner. The real value is being able to get at this information from outside your box.
The default OpenBSD port configuration is to listen only on localhost:
agentAddress udp:127.0.0.1:161
[Ref: snmpd.conf(5)]
We need the snmpd agent to listen for external connections.
File extract: /etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161
The udp:161 entry tells the agent to listen on UDP port 161 on every IPv4 address of the host. Note that udp6:[::1]:161 only adds the IPv6 loopback address; to accept IPv6 requests from other hosts as well, use udp6:161 instead.
You can obviously narrow that down on multi-interface hosts (such as to listen only on a specific ip-address.)
From the manpage:
agentaddress [<transport-specified>:]<transport-address>[,...] defines a list of listening addresses, on which to receive incoming SNMP requests. See the section LISTENING ADDRESSES in the snmpd(8) manual page for more information about the format of listening addresses. The default behaviour is to listen on UDP port 161 on all IPv4 interfaces.
Stop and start net-snmpd using the rc.d(8) script:
/etc/rc.d/netsnmpd stop
/etc/rc.d/netsnmpd start
netsnmpd(ok)
The daemon is listening, but you obviously still have to make sure that your firewall is not blocking access from the client you want to test with.
If our above sample agent is on host 10.9.0.25, then the following will connect and query snmp.
# snmpget -v 3 -u rwUserName -l authPriv -a MD5 -A rwUserPassword -X rwUserPassword 10.9.0.25 \
.enterprises.openBSD.pfMIBObjects.stateTable.count.0
OPENBSD-PF-MIB::count.0 = Gauge32: 2