https://github.com/jwillikers/net-snmp-config
My configuration files for net-snmp
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/jwillikers/net-snmp-config
- Owner: jwillikers
- License: other
- Created: 2023-12-29T15:06:11.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2024-05-10T22:27:51.000Z (8 months ago)
- Last Synced: 2024-05-10T23:22:33.358Z (8 months ago)
- Topics: config, monitoring, net-snmp, omada, snmp, snmpd, snmpv3
- Homepage:
- Size: 91.8 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.adoc
- License: LICENSE.adoc
- Code of conduct: CODE_OF_CONDUCT.adoc
README
= Net-SNMP Config
Jordan Williams
:experimental:
:icons: font
ifdef::env-github[]
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]
:Net-SNMP: http://www.net-snmp.org/[Net-SNMP]

My configurations for the {Net-SNMP} agent and manager.
== Usage
This repository contains configuration files for {Net-SNMP}, both for the manager and the agent daemon.
The manager configuration files make it more convenient to interact with Net-SNMP agents.
The agent configuration files are intended for configuring the Net-SNMP agents on various systems.
The usage for the agent and the manager are described in separate sections.
These instructions are intended for Fedora Atomic systems.

. Create a `Projects` directory in the current user's home directory.
+
[,sh]
----
mkdir --parents ~/Projects
----
. Clone this repository under `~/Projects`.
+
[,sh]
----
git -C ~/Projects clone https://codeberg.org/jwillikers/net-snmp-config.git
----
. Change to the project's directory.
+
[,sh]
----
cd ~/Projects/net-snmp-config
----

=== Manager
. Install the `net-snmp-utils` package.
+
[,sh]
----
sudo rpm-ostree install net-snmp-utils
----
. Reboot to complete the installation.
+
[,sh]
----
sudo systemctl reboot
----
User::
+
.. Create the `~/.config/snmp/hosts` directory.
+
[,sh]
----
mkdir --parents ~/.config/snmp/hosts
----
.. Symlink the `~/.config/snmp` directory to `~/.snmp` where Net-SNMP will find it.
+
[,sh]
----
ln --relative --symbolic ~/.config/snmp ~/.snmp
----
.. Copy the template config files to the `~/.config/snmp/hosts` directory.
+
Bash:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/$(basename -- "$host_template" ".template"); done
----
fish:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/(basename -- "$host_template" ".template"); end
----
Nushell:::
+
[,sh]
----
for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"($env.HOME)/.config/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
----
.. Make sure that the sensitive files are not world readable.
+
[,sh]
----
chmod 0640 ~/.config/snmp/hosts/*.conf
----
System::
+
.. Create the `/etc/snmp/hosts` directory.
+
[,sh]
----
sudo mkdir --parents /etc/snmp/hosts
----
.. Copy the template host config files to the `/etc/snmp/hosts` directory.
+
Bash:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; do sudo cp --no-clobber -- "$host_template" /etc/snmp/hosts/"$(basename -- "$host_template" ".template")"; done
----
fish:::
+
[,sh]
----
for host_template in etc/snmp/hosts/*.conf.template; sudo cp --no-clobber -- "$host_template" /etc/snmp/hosts/(basename -- "$host_template" ".template"); end
----
Nushell:::
+
[,sh]
----
for host_template in (glob "etc/snmp/hosts/*.conf.template") { sudo cp --no-clobber $host_template $"/etc/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
----
.. Create an `snmp` group.
+
[,sh]
----
sudo groupadd snmp
----
.. Add the desired user to this group, such as the current user in this example.
+
[,sh]
----
sudo usermod --append --groups snmp "$USER"
----
.. Log out and back in for the group change to take effect.
.. Change the ownership of `/etc/snmp` to the `root` user and the `snmp` group.
+
[,sh]
----
sudo chown --recursive root:snmp /etc/snmp
----
.. Restrict the permissions of the configuration files to the user and group only.
+
[,sh]
----
sudo chmod 0640 /etc/snmp/hosts/*.conf
----
. For each host file in the `/etc/snmp/hosts` or `~/.config/snmp/hosts` directory, fill in the `defSecurityName`, `defAuthPassphrase`, and `defPrivPassphrase` fields with the correct values.
The values for these fields are omitted from the configuration for security.
. Test the configuration by querying an agent with the `snmpstatus` command.
The name of the configuration file without the `.conf` suffix is the argument passed to the `snmpstatus` command.
+
[,sh]
----
snmpstatus cm4-01
[UDP: [100.101.69.16]:161->[0.0.0.0]:36610]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:17:29.88
Interfaces: 3, Recv/Trans packets: 52429/39127 | IP: 30919/28849
----

=== Agent
. Install lm-sensors and Net-SNMP.
+
Debian::
+
[,sh]
----
sudo apt-get --yes install lm-sensors snmp snmpd
----
Fedora::
Install the `lm_sensors`, `net-snmp`, and `net-snmp-utils` packages.
The `lm_sensors` package is used to report readings from hardware sensors.
+
--
[,sh]
----
sudo rpm-ostree install lm_sensors net-snmp net-snmp-utils
----

[NOTE]
====
While the `net-snmp-utils` package is not required to run the agent or to create the initial user, it is helpful for testing things out on the host running the agent.
====
--
. Reboot to complete the installation.
+
[,sh]
----
sudo systemctl reboot
----
. Add a firewall rule to open the necessary port.
+
[,sh]
----
sudo firewall-cmd --add-service=snmp --permanent
----
. Apply the new rule.
+
[,sh]
----
sudo firewall-cmd --reload
----
. Unfortunately, SELinux doesn't allow execution of the `systemctl` command from the `snmpd_t` context.
This execution is allowed here so that the agent can check whether a systemd service has failed.
A typical process check won't work in cases where the systemd unit runs at intervals.
Put the `snmpd_t` domain in permissive mode, where SELinux logs denials for that domain instead of enforcing them, to allow this functionality.
I wasn't able to get this working with a custom SELinux module.
Ideally, this workaround would be less permissive, but I haven't figured out a way to do that yet.
+
[,sh]
----
sudo semanage permissive -a snmpd_t
----
. Ensure that the `snmpd` daemon is stopped.
+
[,sh]
----
sudo systemctl stop snmpd
----
. Copy the `snmpd.conf` file from the `etc/snmp/` directory for the desired host to `/etc/snmp/snmpd.conf`.
+
[,sh]
----
sudo cp etc/snmp/$(hostname --short).conf /etc/snmp/snmpd.conf
----
. Ensure that the `/etc/snmp/snmpd.conf` file is labelled correctly for SELinux.
+
[,sh]
----
sudo restorecon /etc/snmp/snmpd.conf
----
. Create an SNMPv3 template user.
When prompted, enter the authentication and privacy passphrases.
+
[,sh]
----
sudo net-snmp-create-v3-user -a SHA-256 -x AES128 templateshaaes
Enter authentication pass-phrase:
****
Enter encryption pass-phrase:
[press return to reuse the authentication pass-phrase]
****
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser templateshaaes SHA-256 "****" AES128 "****"
adding the following line to /etc/snmp/snmpd.conf:
rwuser templateshaaes
----
. Start the `snmpd` service to initialize the new user.
+
[,sh]
----
sudo systemctl enable --now snmpd
----
. Test the new template user with a query.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpstatus -v 3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 localhost
[UDP: [127.0.0.1]:161->[0.0.0.0]:51886]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:00:43.90
Interfaces: 3, Recv/Trans packets: 43650/32565 | IP: 26560/24381
----
. Create a new user based on the template user, named `monitor` in this example.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 \
localhost create monitor templateshaaes
User successfully created.
----
. Set the authentication passphrase for the new user.
Substitute `newAuthPassword` with the desired passphrase and `monitor` with the appropriate user.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Ca \
localhost passwd 'authPassword' 'newAuthPassword' monitor
SNMPv3 Key(s) successfully changed.
----
. Set the encryption passphrase for the new user.
Substitute `newEncryptionPassword` with the desired passphrase and `monitor` with the appropriate user.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmpusm -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Cx \
localhost passwd 'encryptionPassword' 'newEncryptionPassword' monitor
SNMPv3 Key(s) successfully changed.
----
. Verify the new user is available in the user table.
Replace `authPassword` with the authentication passphrase and `encryptionPassword` with the privacy passphrase for the template user.
+
[,sh]
----
snmptable -v3 -l priv -u templateshaaes \
-A 'authPassword' -a SHA-256 \
-X 'encryptionPassword' -x AES128 -Cb \
localhost usmUserTable
SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable

SecurityName CloneFrom AuthProtocol AuthKeyChange OwnAuthKeyChange PrivProtocol PrivKeyChange OwnPrivKeyChange Public StorageType Status
monitor SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active
templateshaaes SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active
----
. Delete any sensitive data that may now be in your shell's history.
+
Bash:: For Bash, just delete all history to be safe.
+
[,sh]
----
history -cw
----
fish:: The following command deletes fish shell's history for any of the `snmpstatus`, `snmptable`, and `snmpusm` commands.
It will prompt you for which entries should be deleted.
Enter `all` to delete all matches.
+
[,sh]
----
history delete snmpstatus snmptable snmpusm
----
Nushell:: For Nushell, wipe all history.
+
[,sh]
----
history --clear
----

=== Create a New Agent Config
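`net-snmp-create-v3-user` appends `rwuser templateshaaes` to `/etc/snmp/snmpd.conf`, and a config generated with `snmpconf` may carry other access lines, so it is worth checking which lines grant access before the agent is exposed. The script below is an added example, not part of this repository: it flags SNMPv1/v2c community directives and `rouser`/`rwuser` lines that do not require the `priv` level. The function names, the sample config and the `backup` user are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the repository): audit snmpd.conf access lines.
# Prints "<line>: <finding>" per problem; returns non-zero if any were found.
audit_snmpd_conf() {
    awk '
    { sub(/#.*/, "") }                 # strip comments
    NF == 0 { next }                   # skip blank lines
    # SNMPv1/v2c: community strings are sent in cleartext.
    $1 ~ /^(ro|rw)community6?$/ || $1 ~ /^com2sec6?$/ {
        printf "%d: %s enables SNMPv1/v2c community access\n", NR, $1
        bad = 1
        next
    }
    # USM users: rouser|rwuser [-s SECMODEL] USER [noauth|auth|priv ...]
    $1 == "rouser" || $1 == "rwuser" {
        i = 2
        if ($i == "-s") i += 2         # skip "-s SECMODEL"
        user = $i
        level = (i + 1 <= NF) ? $(i + 1) : "auth"   # omitted level means auth
        if (level != "priv") {
            printf "%d: %s %s accepts level %s, encryption not required\n", NR, $1, user, level
            bad = 1
        }
        if ($1 == "rwuser") {
            printf "%d: %s has write access (rwuser)\n", NR, user
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample config for the demonstration; not the repository's file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
rocommunity public 127.0.0.1
rwuser templateshaaes
rouser monitor priv
rouser -s usm backup auth
EOF
}

demo=$(mktemp)
write_sample_conf "$demo"
audit_snmpd_conf "$demo" || echo "findings above need review"
rm -f "$demo"
```

To check a deployed agent, call `audit_snmpd_conf /etc/snmp/snmpd.conf` as a user that can read the file, after the user-creation steps have run.
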
A new agent configuration can be generated with the `snmpconf` command.

. Change to a directory where a config file doesn't usually reside, such as the repository's directory.
+
[,sh]
----
cd ~/Projects/net-snmp-config
----
. Generate a new config.
+
[,sh]
----
snmpconf -g basic_setup
----
. Move the new config to this repository's `etc/snmp` directory, and rename it according to the host.
+
[,sh]
----
mv snmpd.conf etc/snmp/cm4-02.snmpd.conf
----
. Add a corresponding manager configuration file for the new agent in the `etc/snmp/hosts` directory.
Name the file after the name you want to use to refer to the agent, followed by the suffix `.conf`.
It's probably easiest to copy an existing configuration file and tweak it as necessary.
+
--
[CAUTION]
====
Leave the placeholder values for the `defSecurityName`, `defAuthPassphrase`, and `defPrivPassphrase` fields to avoid leaking secrets in this public Git repository.
====

[,sh]
----
cp etc/snmp/hosts/cm4-01.conf etc/snmp/hosts/cm4-02.conf
----
--

== References
* https://bookshop.org/p/books/snmp-mastery-michael-w-lucas/14394929[SNMP Mastery] by Michael W. Lucas
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-system_monitoring_tools#sect-System_Monitoring_Tools-Net-SNMP[Red Hat Enterprise Linux 7 System Administrator's Guide - 21.7. Monitoring Performance with Net-SNMP]

== Code of Conduct
Please refer to the project's link:CODE_OF_CONDUCT.adoc[Code of Conduct].
== License
This repository is licensed under the https://www.gnu.org/licenses/gpl-3.0.html[GPLv3].
Please refer to the bundled link:LICENSE.adoc[license].

== Copyright
© 2023-2024 Jordan Williams
== Authors
mailto:{email}[{author}]