SNMP configuration on NMIS server

This document considers the following variables that should be replaced by real values:

  • 192.168.10.0/24 : Network IP address and subnet mask in CIDR format corresponding to the local area network.
  • password : Any password good enough.
  • nmis.support.latam.lab : Host name of the system where the service is being configured.
  • nmis-support-latam-lab@some-domain.net : Server administrator email account.
  • 192.168.10.254 : IP address of the server.

Configuration file /etc/snmp/snmpd.conf.

Access control lists.

You should create access control lists ( ACLs or A ccess C ontrol L ist) corresponding to the file /etc/snmp/snmpd.conf , which serve to define what you will have access to the service snmpd . One of these lists will be granted read and write access permission, for whatever is necessary in relation to administration, and the other will be given read-only. For security reasons only interface 127.0.0.1 will be in the read write list. Read-only access permission will be granted to a network or an IP address in the other access control list.


Considering the above, a couple of lines could be added like the following:


com2sec local 127.0.0.1/32 password
com2sec MyLocalNetwork  192.168.10.0/24  password


####
# First, map the community name "public" into a "security name"
#       sec.name  source          community 
com2sec notConfigUser  default       public


snmp community configuration definition

# This community string has full SNMP view to access all the goodness
com2sec trustedUser  default      nmisGig8
####


Definition of groups.

At least two groups are created: MyRWGroup and MyROGroup . The first will be a group that will be assigned read-write permissions later, and the second will be a group that will later be assigned read-only permissions . For each group, three lines are assigned that specify the type of access that will be allowed at any given time to a particular group. That is, MyRWGroup is associated with local and MyROGroup to MyLocalRed .

# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
group   trustedGroup v2c          trustedUser
####

#A assigned to the group writing reading 
group MiGrupoRW v1 Local 
group MiGrupoRW v2c Local 
group MiGrupoRW usm Local 
#A assigns MiRedLocal to the group read - only 
group MiGrupoRO v1 MiRedLocal 
group MiGrupoRO v2c MiRedLocal 
group MiGrupoRO usm MiRedLocal

Branches allowed.

The branches to be allowed to see through the service are specified. The most common, for example to be used with MRTG , is the following:

# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1
view    fullview    included   .1

## name   incl/excl subtree   mask(optional)
view all  included  .1        80

Assigning permissions to groups.

You must specify what permissions the two groups, MyGroupRO and MyGroupRW, will have . The last columns are of special interest.

# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix 		read   		write  notif
access  notConfigGroup ""      any       noauth    exact  		systemview 	none 	none
access  trustedGroup   ""      any       noauth    exact  		fullview 	none 	none
access 	MiGrupoRO 	   ""      any       noauth    exact  		all    		none  	none
access	 MiGrupoRW 	   ""      any       noauth    exact  		all    		all   	all

Informational options.

Two informational options are defined so that when using client applications such as MRTG , some information is included about which system is being accessed

syslocation  Linux server on CDMX LATAM
syscontact Administrator support@opmantek.com latam@opmantek.com

A working configuration example.

The example shown below is used on all computers owned by the author at home and in the office. You just have to replace the value redlocal with whatever you consider appropriate and replace the value 192.168.10.0/24 with the value of the network or the IP address from which access is required with a snmp client , such as NMIS8 or NMIS9.



######
# Access Control Lists (ACLs)
# First, map the community name "public" into a "security name"
#       sec.name  source          community
com2sec notConfigUser  default       public
com2sec local 127.0.0.1/32 password 
com2sec MyLocalNetwork  192.168.10.0/24  password

######
# This community string has full SNMP view to access all the goodness
com2sec trustedUser  default      nmisGig8

######
# ACL is assigned to group read write
# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
group   trustedGroup v2c          trustedUser

######
# Third, create a view for us to let the group have rights to:
# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1
view    fullview      included   .1
view     all            included   .1        80

######
# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix read   write  notif
access  notConfigGroup ""       any       noauth    exact  systemview none none
access  trustedGroup   ""       any       noauth    exact  fullview none none
access  MiGrupoRO        ""       any       noauth    exact  all    none  none
access  MiGrupoRW        ""       any       noauth    exact  all    all   all

######
# System contact information
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation  Linux server on CDMX LATAM
syscontact      Administrator support@opmantek.com latam@opmantek.com





Activate, start, stop and restart the service.

Run the following to activate the service at all runlevels:

chkconfig snmpd on

Run the following to run the service for the first time:

service snmpd start

Run the following to restart the service and apply changes made to the configuration:

service snmpd restart

Run the following to stop the service:

service snmpd stop

Checks.

Considering, as an example , to be sign as password password on a system whose IP address is 192.168.1.254 , to test whether the configuration works, you just have to run the following two commands to verify that return information about the queried system.

## V1 
snmpwalk -v 1 <ip_device> -c <community_SNMP> system
## V2 
snmpwalk -v2c -c <community_SNMP> <ip_device> system
## V3 
snmpwalk -v3  -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>]  [-x DES] [-X <privaphrase>] <ipaddress>[:<dest_port>] [oid]  system