Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jwillikers/net-snmp-config

My configuration files for net-snmp
https://github.com/jwillikers/net-snmp-config

config monitoring net-snmp omada snmp snmpd snmpv3

Last synced: about 1 month ago
JSON representation

My configuration files for net-snmp

Awesome Lists containing this project

README

        

= Net-SNMP Config
Jordan Williams
:experimental:
:icons: font
ifdef::env-github[]
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]
:Net-SNMP: http://www.net-snmp.org/[Net-SNMP]

My configurations for the {Net-SNMP} agent and manager.

== Usage

This repository contains configuration files for {Net-SNMP}, both for the manager and the agent daemon.
The manager configuration files make it more convenient to interact with Net-SNMP agents.
The agent configuration files are intended for configuring the Net-SNMP agents on various systems.
The usage for the agent and the manager are described in separate sections.
These instructions are intended for Fedora Atomic systems.

. Create a `Projects` directory in the current user's home directory.
+
[,sh]
----
mkdir --parents ~/Projects
----

. Clone this repository under `~/Projects`.
+
[,sh]
----
git -C ~/Projects clone https://codeberg.org/jwillikers/net-snmp-config.git
----

. Change to the project's directory.
+
[,sh]
----
cd ~/Projects/net-snmp-config
----

=== Manager

. Install the `net-snmp-utils` package.
+
[,sh]
----
sudo rpm-ostree install net-snmp-utils
----

. Reboot to complete the installation.
+
[,sh]
----
sudo systemctl reboot
----

User::
+
.. Create the `~/.config/snmp/hosts` directory.
+
[,sh]
----
mkdir --parents ~/.config/snmp/hosts
----

.. Symlink the `~/.config/snmp` directory to `~/.snmp` where Net-SNMP will find it.
+
[,sh]
----
ln --relative --symbolic ~/.config/snmp ~/.snmp
----

.. Copy the template config files to the `~/.config/snmp/hosts` directory.
+
Bash:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/$(basename -- "$host_template" ".template"); done
----

fish:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/(basename -- "$host_template" ".template"); end
----

Nushell:::
+
[,sh]
----
for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"($env.HOME)/.config/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
----

.. Make sure that the sensitive files are not world readable.
+
[,sh]
----
chmod 0640 ~/.config/snmp/hosts/*.conf
----

System::
+
.. Create the `/etc/snmp` directory.
+
[,sh]
----
sudo mkdir /etc/snmp/
----

.. Copy the template host config files to the `/etc/snmp/hosts` directory.
+
Bash:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" /etc/snmp/hosts/$(basename -- "$host_template" ".template"); done
----

fish:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" /etc//snmp/hosts/(basename -- "$host_template" ".template"); end
----

Nushell:::
+
[,sh]
----
for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"/etc/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
----

.. Create an `snmp` group.
+
[,sh]
----
sudo groupadd snmp
----

.. Add the desired user to this group, such as the current user in this example.
+
[,sh]
----
sudo usermod --append --group snmp $USER
----

.. Log out and back in for the group change to take effect.

.. Change the ownership of `/etc/snmp` to be owned by the `root` user and the `snmp` group.
+
[,sh]
----
sudo chown --recursive root:snmp /etc/snmp
----

.. Restrict the permissions of the configuration files to the user and group only.
+
[,sh]
----
sudo chmod 0640 /etc/snmp/hosts/*.conf
----

. For each host file in the `/etc/snmp/hosts` or `~/.config/snmp/hosts` directory, fill-in the `defSecurityName`, `defAuthPassphrase`, and `defPrivPassphrase` fields with the correct values.
The value for these fields is omitted from the configuration for security.

. Test the configuration by querying an agent with the `snmpstatus` command.
The name of the configuration file without the `.conf` suffix maps to argument passed to the `snmpstatus` command.
+
[,sh]
----
snmpstatus cm4-01
[UDP: [100.101.69.16]:161->[0.0.0.0]:36610]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:17:29.88
Interfaces: 3, Recv/Trans packets: 52429/39127 | IP: 30919/28849
----

=== Agent

. Install lm-sensors and Net-SNMP.
+
Debian::
+
[,sh]
----
sudo apt-get --yes install lm-sensors snmp snmpd
----

Fedora::
Install the `lm_sensors`, `net-snmp`, and `net-snmp-utils` packages.
The `lm_sensors` package is used to report reading of hardware senors.
+
--
[,sh]
----
sudo rpm-ostree install lm_sensors net-snmp net-snmp-utils
----

[NOTE]
====
While the `net-snmp-utils` package is not required to run the agent or to create the initial user, it is helpful for testing things out on the host running the agent.
====
--

. Reboot to complete the installation.
+
[,sh]
----
sudo systemctl reboot
----

. Add a firewall rule to open the necessary port.
+
[,sh]
----
sudo firewall-cmd --add-service=snmp --permanent
----

. Apply the new rule.
+
[,sh]
----
sudo firewall-cmd --reload
----

. Unfortunately, SELinux doesn't want to allow execution of the `systemctl` command from the `snmpd_t` context.
This is allowed to check if a systemd service has failed.
A typical process check won't work in cases where the systemd unit runs at intervals.
Disable SELinux from enforcing the `snmpd_t` context to allow this functionality.
I wasn't able to get this working with a custom SELinux module.
Ideally, this workaround would be less permissive but I haven't figured out a way to do that yet.
+
[,sh]
----
sudo semanage permissive -a snmpd_t
----

. Ensure that the `snmpd` daemon is stopped.
+
[,sh]
----
sudo systemctl stop snmpd
----

. Copy the `snmpd.conf` file from the `etc/snmp/` directory for the desired host to `/etc/snmp/snmpd.conf`.
+
[,sh]
----
sudo cp etc/snmp/$(hostname --short).conf /etc/snmp/snmpd.conf
----

. Ensure that the `/etc/snmp/snmpd.conf` file is labelled correctly for SELinux.
+
[,sh]
----
sudo restorecon /etc/snmp/snmpd.conf
----

. Create an SNMPv3 template user.
When prompted, enter the authentication and privacy passphrases.
+
[,sh]
----
sudo net-snmp-create-v3-user -a SHA-256 -x AES128 templateshaaes
Enter authentication pass-phrase:
****
Enter encryption pass-phrase:
[press return to reuse the authentication pass-phrase]
****
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser templateshaaes SHA-256 "****" AES128 "****"
adding the following line to /etc/snmp/snmpd.conf:
rwuser templateshaaes
----

. Start the `snmpd` service to initialize the new user.
+
[,sh]
----
sudo systemctl enable --now snmpd
----

. Test the new template user with a query.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpstatus -v 3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 localhost
[UDP: [127.0.0.1]:161->[0.0.0.0]:51886]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:00:43.90
Interfaces: 3, Recv/Trans packets: 43650/32565 | IP: 26560/24381
----

. Create a new user, `monitor` as an example here, based off of the template user.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 \
localhost create monitor templateshaaes
User successfully created.
----

. Set the authentication passphrase for the new user.
Substitute `newAuthPassword` with the desired passphrase and `monitor` with the appropriate user.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Ca \
localhost passwd 'authPassword' 'newAuthPassword' monitor
SNMPv3 Key(s) successfully changed.
----

. Set the encryption passphrase for the new user.
Substitute `newEncryptionPassword` with the desired passphrase and `monitor` with the appropriate user.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Cx \
localhost passwd 'encryptionPassword' 'newEncryptionPassword' monitor
SNMPv3 Key(s) successfully changed.
----

. Verify the new user is available in the user table.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmptable -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Cb \
localhost usmUserTable
SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable

SecurityName CloneFrom AuthProtocol AuthKeyChange OwnAuthKeyChange PrivProtocol PrivKeyChange OwnPrivKeyChange Public StorageType Status
monitor SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active
templateshaaes SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active
----

. Delete any sensitive data that may now be in your shell's history.
+
Bash:: For Bash, just delete all history to be safe.
+
[,sh]
----
history -cw
----

fish:: The following command deletes fish shell's history for any of the `snmptable` and `snmpusm` commands.
It will prompt you for which entries should be deleted.
Enter `all` to delete all matches.
+
[,sh]
----
history delete snmptable snmpusm
----

Nushell:: For Nushell, wipe all history.
+
[,sh]
----
history --clear
----

=== Create a New Agent Config

A new agent configuration can be generated with the `snmpconf` command.

. Change to a directory where a config file doesn't usually reside, such as the repository's directory.
+
[,sh]
----
cd ~/Projects/net-snmp-config
----

. Generate a new config.
+
[,sh]
----
snmpconf -g basic_setup
----

. Move the new config to this repository's `etc/snmp` directory, and rename it according to the host.
+
[,sh]
----
mv snmpd.conf etc/snmp/cm4-02.snmpd.conf
----

. Add a corresponding manager configuration file for the new agent in the `etc/snmp/hosts` directory, using the desired name to use to refer to the agent as the name of the file followed by the suffix `.conf`.
It's probably easiest to copy an existing configuration file and tweak it as necessary.
+
--
[CAUTION]
====
Leave the placeholder values for the `defSecurityName`, `defAuthPassphrase`, and `defPrivPassphrase` fields to avoid leaking secrets in this public Git repository.
====

[,sh]
----
cp etc/snmp/hosts/cm4-01.conf etc/snmp/hosts/cm4-02.conf
----
--

== References

* https://bookshop.org/p/books/snmp-mastery-michael-w-lucas/14394929[SNMP Mastery] by Michael W. Lucas
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-system_monitoring_tools#sect-System_Monitoring_Tools-Net-SNMP[Red Hat Enterprise Linux 7 System Administrator's Guide - 21.7. Monitoring Performance with Net-SNMP]

== Code of Conduct

Please refer to the project's link:CODE_OF_CONDUCT.adoc[Code of Conduct].

== License

This repository is licensed under the https://www.gnu.org/licenses/gpl-3.0.html[GPLv3].
Please refer to the bundled link:LICENSE.adoc[license].

== Copyright

© 2023-2024 Jordan Williams

== Authors

mailto:{email}[{author}]