Skip to content
This repository has been archived by the owner on Oct 12, 2024. It is now read-only.

jwillikers/net-snmp-config

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
.vscode
.vscode
 
 
etc/snmp
etc/snmp
 
 
.gitignore
.gitignore
 
 
CODE_OF_CONDUCT.adoc
CODE_OF_CONDUCT.adoc
 
 
LICENSE.adoc
LICENSE.adoc
 
 
README.adoc
README.adoc
 
 

Repository files navigation

Net-SNMP Config

My configurations for the Net-SNMP agent and manager.

Usage

This repository contains configuration files for Net-SNMP, both for the manager and the agent daemon. The manager configuration files make it more convenient to interact with Net-SNMP agents. The agent configuration files are intended for configuring the Net-SNMP agents on various systems. The usage for the agent and the manager are described in separate sections. These instructions are intended for Fedora Atomic systems.

  1. Create a Projects directory in the current user’s home directory.

    mkdir --parents ~/Projects

  2. Clone this repository under ~/Projects.

    git -C ~/Projects clone https://codeberg.org/jwillikers/net-snmp-config.git

  3. Change to the project’s directory.

    cd ~/Projects/net-snmp-config

Manager

  1. Install the net-snmp-utils package.

    sudo rpm-ostree install net-snmp-utils

  2. Reboot to complete the installation.

    sudo systemctl reboot
    User

    1. Create the ~/.config/snmp/hosts directory.

      mkdir --parents ~/.config/snmp/hosts

    2. Symlink the ~/.config/snmp directory to ~/.snmp where Net-SNMP will find it.

      ln --relative --symbolic ~/.config/snmp ~/.snmp

    3. Copy the template config files to the ~/.config/snmp/hosts directory.

      Bash
      for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/$(basename -- "$host_template" ".template"); done
      fish
      for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/(basename -- "$host_template" ".template"); end
      Nushell
      for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"($env.HOME)/.config/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }

    4. Make sure that the sensitive files are not world readable.

      chmod 0640 ~/.config/snmp/hosts/*.conf
    System

    1. Create the /etc/snmp directory.

      sudo mkdir /etc/snmp/

    2. Copy the template host config files to the /etc/snmp/hosts directory.

      Bash
      for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" /etc/snmp/hosts/$(basename -- "$host_template" ".template"); done
      fish
      for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" /etc//snmp/hosts/(basename -- "$host_template" ".template"); end
      Nushell
      for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"/etc/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }

    3. Create an snmp group.

      sudo groupadd snmp

    4. Add the desired user to this group, such as the current user in this example.

      sudo usermod --append --group snmp $USER

    5. Log out and back in for the group change to take effect.

    6. Change the ownership of /etc/snmp to be owned by the root user and the snmp group.

      sudo chown --recursive root:snmp /etc/snmp

    7. Restrict the permissions of the configuration files to the user and group only.

      sudo chmod 0640 /etc/snmp/hosts/*.conf

  3. For each host file in the /etc/snmp/hosts or ~/.config/snmp/hosts directory, fill-in the defSecurityName, defAuthPassphrase, and defPrivPassphrase fields with the correct values. The value for these fields is omitted from the configuration for security.

  4. Test the configuration by querying an agent with the snmpstatus command. The name of the configuration file without the .conf suffix maps to argument passed to the snmpstatus command.

    snmpstatus cm4-01
[UDP: [100.101.69.16]:161->[0.0.0.0]:36610]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:17:29.88
Interfaces: 3, Recv/Trans packets: 52429/39127 | IP: 30919/28849

Agent

  1. Install lm-sensors and Net-SNMP.

    Debian
    sudo apt-get --yes install lm-sensors snmp snmpd
    Fedora

    Install the lm_sensors, net-snmp, and net-snmp-utils packages. The lm_sensors package is used to report reading of hardware senors.

    sudo rpm-ostree install lm_sensors net-snmp net-snmp-utils
    ℹ️

    While the net-snmp-utils package is not required to run the agent or to create the initial user, it is helpful for testing things out on the host running the agent.

  2. Reboot to complete the installation.

    sudo systemctl reboot

  3. Add a firewall rule to open the necessary port.

    sudo firewall-cmd --add-service=snmp --permanent

  4. Apply the new rule.

    sudo firewall-cmd --reload

  5. Unfortunately, SELinux doesn’t want to allow execution of the systemctl command from the snmpd_t context. This is allowed to check if a systemd service has failed. A typical process check won’t work in cases where the systemd unit runs at intervals. Disable SELinux from enforcing the snmpd_t context to allow this functionality. I wasn’t able to get this working with a custom SELinux module. Ideally, this workaround would be less permissive but I haven’t figured out a way to do that yet.

    sudo semanage permissive -a snmpd_t

  6. Ensure that the snmpd daemon is stopped.

    sudo systemctl stop snmpd

  7. Copy the snmpd.conf file from the etc/snmp/ directory for the desired host to /etc/snmp/snmpd.conf.

    sudo cp etc/snmp/$(hostname --short).conf /etc/snmp/snmpd.conf

  8. Ensure that the /etc/snmp/snmpd.conf file is labelled correctly for SELinux.

    sudo restorecon /etc/snmp/snmpd.conf

  9. Create an SNMPv3 template user. When prompted, enter the authentication and privacy passphrases.

    sudo net-snmp-create-v3-user -a SHA-256 -x AES128 templateshaaes
Enter authentication pass-phrase:
****
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]
****
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser templateshaaes SHA-256 "****" AES128 "****"
adding the following line to /etc/snmp/snmpd.conf:
   rwuser templateshaaes

  10. Start the snmpd service to initialize the new user.

    sudo systemctl enable --now snmpd

  11. Test the new template user with a query. Replace authPassword with the authentication passphrase and encryptionPassword with the privacy passphrase for the template user.

    snmpstatus -v 3 -l priv -u templateshaaes \
  -A 'authPassword' -a SHA-256 \
  -X 'encryptionPassword' -x AES128 localhost
[UDP: [127.0.0.1]:161->[0.0.0.0]:51886]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:00:43.90
Interfaces: 3, Recv/Trans packets: 43650/32565 | IP: 26560/24381

  12. Create a new user, monitor as an example here, based off of the template user. Replace authPassword with the authentication passphrase and encryptionPassword with the privacy passphrase for the template user.

    snmpusm -v3 -l priv -u templateshaaes \
  -A 'authPassword' -a SHA-256 \
  -X 'encryptionPassword' -x AES128 \
  localhost create monitor templateshaaes
User successfully created.

  13. Set the authentication passphrase for the new user. Substitute newAuthPassword with the desired passphrase and monitor with the appropriate user. Replace authPassword with the authentication passphrase and encryptionPassword with the privacy passphrase for the template user.

    snmpusm -v3 -l priv -u templateshaaes \
  -A 'authPassword' -a SHA-256 \
  -X 'encryptionPassword' -x AES128 -Ca \
  localhost passwd 'authPassword' 'newAuthPassword' monitor
SNMPv3 Key(s) successfully changed.

  14. Set the encryption passphrase for the new user. Substitute newEncryptionPassword with the desired passphrase and monitor with the appropriate user. Replace authPassword with the authentication passphrase and encryptionPassword with the privacy passphrase for the template user.

    snmpusm -v3 -l priv -u templateshaaes \
  -A 'authPassword' -a SHA-256 \
  -X 'encryptionPassword' -x AES128 -Cx \
  localhost passwd 'encryptionPassword' 'newEncryptionPassword' monitor
SNMPv3 Key(s) successfully changed.

  15. Verify the new user is available in the user table. Replace authPassword with the authentication passphrase and encryptionPassword with the privacy passphrase for the template user.

    snmptable -v3 -l priv -u templateshaaes \
  -A 'authPassword' -a SHA-256 \
  -X 'encryptionPassword' -x AES128 -Cb \
  localhost usmUserTable
SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable

   SecurityName               CloneFrom                            AuthProtocol AuthKeyChange OwnAuthKeyChange                            PrivProtocol PrivKeyChange OwnPrivKeyChange Public StorageType Status
        monitor SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5            ""               "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4            ""               ""     "" nonVolatile active
 templateshaaes SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5            ""               "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4            ""               ""     "" nonVolatile active

  16. Delete any sensitive data that may now be in your shell’s history.

    Bash

    For Bash, just delete all history to be safe.

    history -cw
    fish

    The following command deletes fish shell’s history for any of the snmptable and snmpusm commands. It will prompt you for which entries should be deleted. Enter all to delete all matches.

    history delete snmptable snmpusm
    Nushell

    For Nushell, wipe all history.

    history --clear

Create a New Agent Config

A new agent configuration can be generated with the snmpconf command.

  1. Change to a directory where a config file doesn’t usually reside, such as the repository’s directory.

    cd ~/Projects/net-snmp-config

  2. Generate a new config.

    snmpconf -g basic_setup

  3. Move the new config to this repository’s etc/snmp directory, and rename it according to the host.

    mv snmpd.conf etc/snmp/cm4-02.snmpd.conf

  4. Add a corresponding manager configuration file for the new agent in the etc/snmp/hosts directory, using the desired name to use to refer to the agent as the name of the file followed by the suffix .conf. It’s probably easiest to copy an existing configuration file and tweak it as necessary.

    🔥

    Leave the placeholder values for the defSecurityName, defAuthPassphrase, and defPrivPassphrase fields to avoid leaking secrets in this public Git repository.

    		 
    cp etc/snmp/hosts/cm4-01.conf etc/snmp/hosts/cm4-02.conf

Code of Conduct

Please refer to the project’s Code of Conduct.

License

This repository is licensed under the GPLv3. Please refer to the bundled license.

Copyright

© 2023-2024 Jordan Williams

Authors

About

My configuration files for net-snmp

codeberg.org/jwillikers/net-snmp-config

Topics

config monitoring snmp snmpv3 snmpd net-snmp omada

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository