Network management and debugging

16 September 2001 08:30 PM
Tags: unix systems, network management, administrator, packet, snmp, mib, ping, host

SNMP agents

Many OS and network hardware vendors ship their products with SNMP agents that can run right out of the box. The read-only community string is usually set to "public," and the write community string is occasionally set to "private" or "secret." We recently saw a list of dozens of vendors that follow this practice. Although it can be handy for system administrators, it is equally useful for hackers. If you decide to enable SNMP, be sure to configure your agents to use hard-to-guess community strings for both write and read access.

Solaris and HP-UX are shipped with decent SNMP agents. FreeBSD includes UCD SNMP in the /usr/ports/net/ucd-snmp directory. Red Hat Linux has no SNMP support in its standard distribution.

In the following sections we first describe the Solaris and HP-UX agents. We then talk a bit about the UCD SNMP package, which we recommend for systems that do not come with their own agent.

SNMP on Solaris
Solaris comes with respectable management support. In addition to a rather comprehensive SNMP agent, it also provides DMI support.

The main SNMP agent is /usr/lib/snmp/snmpdx, which reads its configuration from the file /etc/snmp/conf/snmpd.conf. In this file, you can specify the values of many MIB variables and also set the agent's general configuration. For example, you can set the system description string (sysdescr), the trap host or hosts (trap), and the community strings (read-community, write-community). After you modify this file, kill and restart snmpdx to force your changes to take effect.

snmpdx also reads security information from /etc/snmp/conf/snmpdx.acl. In this file, you can list the IP addresses of hosts that should be allowed access to the local SNMP agent. Each set of hosts can have its own read and write community names. These features can dramatically increase the security of SNMP; unfortunately, all restrictions are turned off by default.

An off-the-shelf Solaris installation boots with two DMI-related processes. The first of these is /usr/lib/dmi/dmispd, which answers DMI queries directly. The second is /usr/lib/dmi/snmpXdmid, which translates SNMP requests into DMI requests and passes them on to dmispd. Once dmispd responds, snmpXdmid passes the responses back to the SNMP server, snmpdx. SNMP/DMI translations are defined by files in the /var/dmi/map directory. Only two variable translations are defined by default, so unless you are planning on adding more, you should really have no reason to run snmpXdmid.

If you don't have DMI management software or don't plan on using it, you can prevent both DMI processes from starting at boot time by renaming /etc/rc3.d/S77dmi to /etc/rc3.d/s77dmi. If you just want to disable snmpXdmid, you should rename its configuration file from snmpXdmid.conf to snmpXdmid.conf.orig.

SNMP on HP-UX
One of HP's most successful software ventures is an enterprise network management tool called HP OpenView. Since HP is a leader in the network management space, it shouldn't be much of a surprise that HP-UX ships with an SNMP agent. Instead of providing a single, monolithic agent, HP's system employs a number of specialized subagents. This design allows HP to add subagents for new hardware or software without changing the overall system.

The master agent is /usr/sbin/snmpdm, but it should never be run directly. Use the shell script /usr/sbin/snmpd instead. In addition to starting snmpdm, the snmpd script starts the subagents that are responsible for gathering data.

The agent reads its configuration from /etc/SnmpAgent.d/snmpd.conf. Configuration information can also be specified on the snmpd command line.

Only five keywords can be used within snmpd.conf. They're illustrated in the following example:

# SNMP configuration for disaster.xor.com
get-community-name: ro-community
set-community-name: D8j4kL.2nG
trap-dest: jaguar.xor.com
trap-dest: ov.xor.com
location: First floor lab machine room
contact: root@disaster.xor.com

The get-community-name and set-community-name keywords set the SNMP community strings (aka passwords) that a client must provide to read and write data values. There can be more than one instance of each. However, access control cannot be subdivided: any name listed in any set-community-name statement is valid for any supported operation.

The trap-dest keyword specifies the name or IP address of an SNMP client that is to receive trap notifications. There can be several trap destinations; all traps are sent to all destinations.

The location and contact keywords set the values of the MIB-II sysLocation and sysContact OIDs.
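
The following Python sketch is an added example, not part of the original article or of HP's tooling. It parses a file in the five-keyword format shown above and reports community names that match the vendor defaults mentioned earlier ("public", "private", "secret") or that appear in both get and set statements. The sample file contents and the function names are constructed for illustration.

```python
# Added example: audit an HP-UX style snmpd.conf (format shown in the article).
KEYWORDS = {"get-community-name", "set-community-name", "trap-dest",
            "location", "contact"}
# Vendor defaults named in the article; treat them as publicly known.
DEFAULT_COMMUNITIES = {"public", "private", "secret"}

# Constructed sample file, not taken from a real host.
SAMPLE = """\
# constructed sample
get-community-name: public
get-community-name: Xq7.constructed
set-community-name: Xq7.constructed
trap-dest: nms.example.com
syslocation: lab
"""


def parse_snmpd_conf(text):
    """Return ({keyword: [values]}, [problems]) for 'keyword: value' lines."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, sep, value = line.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if not sep or keyword not in KEYWORDS:
            problems.append(f"line {lineno}: unrecognized entry {raw!r}")
            continue
        settings.setdefault(keyword, []).append(value)
    return settings, problems


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings, findings = parse_snmpd_conf(text)
    getters = settings.get("get-community-name", [])
    setters = settings.get("set-community-name", [])
    for kind, names in (("get", getters), ("set", setters)):
        for name in names:
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{kind} community {name!r} is a vendor default")
    # A name shared by get and set means the read string also permits writes.
    for name in sorted(set(getters) & set(setters)):
        findings.append(f"community {name!r} is used for both get and set")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the article's own example file, the audit reports nothing, since its get and set names differ and neither is a vendor default.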

You can control the amount of logging that snmpd generates with the -m flag:

snmpd -m logmask

The logmask should be a bitwise OR of your choice of the option flags in Table 20.2.


Table 20.2 Option flag values for HP-UX snmpd

Flag  Meaning                      Flag  Meaning
0     Disable logging              8     Log SNMP transactions
1     Log authentication failures  16    Log added objects
2     Log errors                   32    Dump all packets in hex
4     Log configuration requests   64    Log trace messages

Unfortunately, HP's SNMP agent does not use syslog. You can specify the location of its log file with -l log; the default is /var/adm/snmpd.log.

The UCD SNMP agent
When SNMP was first standardised, Carnegie Mellon University and MIT both produced implementations. CMU's implementation was more complete and quickly became the de facto standard for UNIX systems. When active development at CMU died down, researchers at UC Davis took over the software.

The UCD distribution is now the authoritative free SNMP implementation for UNIX. We recommend it highly for systems with no SNMP implementation of their own. It includes an SNMP agent, some command-line tools, and even a library for developing SNMP-aware applications. We discuss the agent in some detail here and take a look at the command-line tools later in the chapter. The latest version is available from the Web at ucd-snmp.ucdavis.edu.

As in other implementations, the agent collects information about the local host and serves it to SNMP managers across the network. The default installation includes MIBs for network interface, memory, disk, process, and CPU statistics. The agent is easily extensible since it can execute an arbitrary UNIX command and return the command's output as an SNMP response. You can use this feature to monitor almost anything on your system with SNMP.

By default, the agent is installed as /usr/sbin/snmpd. It is usually started at boot time and reads its configuration information from files in the /etc/snmp directory. The most important of these files is snmpd.conf, which contains most of the configuration information and comes shipped with a bunch of sample data collection methods enabled. Although the intention of the UCD authors seems to have been for users to edit only the snmpd.local.conf file, you must edit the snmpd.conf file at least once to disable any default data collection methods that you do not plan to use.

The UCD SNMP configure script lets you specify a default log file and a couple of other local settings. You can use snmpd -l to specify an alternate log file or -s to direct log messages to syslog. Table 20.3 shows a list of snmpd's most important flags. We recommend that you always use the -a flag. For debugging, you should use the -V, -d, or -D flags, each of which gives progressively more information.


Table 20.3 Useful flags for UCD's snmpd
Flag        Function
-l logfile  Logs information to logfile
-a          Logs the addresses of all SNMP connections
-d          Logs the contents of every SNMP packet
-V          Enables verbose logging
-D          Logs debugging information (lots of it)
-h          Displays all arguments to snmpd
-H          Displays all configuration file directives
-A          Appends to the log file instead of overwriting it
-s          Logs to syslog (uses the daemon facility)

It's worth mentioning that many useful SNMP-related Perl modules are available. Look on CPAN for the latest information if you are interested in writing your own network management scripts. (Note: CPAN, the Comprehensive Perl Archive Network, is an amazing collection of useful Perl modules. Check it out at www.cpan.org.)
