
UNIX System Administration Handbook - Evi Nemeth [380]



There are only four basic SNMP operations: get, get-next, set, and trap.

Get and set are the basic operations for reading and writing data to a node identified by a specific OID. Get-next is used to step through a MIB hierarchy, as well as to read the contents of tables.

A trap is an unsolicited, asynchronous notification from server (agent) to client (manager) that reports the occurrence of an interesting event or condition. Several standard traps are defined, including “I’ve just come up” notifications, traps that report the failure or recovery of a network link, and traps for various routing and authentication problems. Many other not-so-standard traps are in common use, including some that simply watch the values of other SNMP variables and fire off a message when a specified range is exceeded. The mechanism by which the destinations of trap messages are specified depends on the implementation of the agent.

Since SNMP messages can potentially modify configuration information, some security mechanism is needed. The simplest version of SNMP security is based on the concept of an SNMP “community name,” which is really just a horribly obfuscated way of saying “password.” There’s usually one community name for read-only access and another that allows writing.

Version 3 of the SNMP standard introduced access control methods with higher security. Although support for these schemes is still somewhat limited in production network hardware, it is reasonable to expect this situation to change soon.

RMON: remote monitoring MIB


The RMON MIB permits the collection of generic network performance data (that is, data not tied to any one particular device). Network sniffers or “probes” can be deployed around the network to gather information about utilization and performance. Once a useful amount of data has been collected, statistics and interesting information about the data can be shipped back to a central management station for analysis and presentation. Many probes have a packet capture buffer and can provide a sort of remote tcpdump facility.

RMON is defined in RFC1757, which became a draft standard in 1995. The MIB is broken up into nine “RMON groups.” Each group contains a different set of network statistics. If you have a large network with many WAN connections, you should consider buying probes to reduce the SNMP traffic across your WAN links. Once you have access to statistical summaries from the RMON probes, there’s usually no need to gather raw data remotely. Many switches and routers support RMON and will store at least some network statistics.

20.8 SNMP AGENTS


Many OS and network hardware vendors ship their products with SNMP agents that can run right out of the box. The read-only community string is usually set to “public,” and the write community string is occasionally set to “private” or “secret.” We recently saw a list of dozens of vendors that follow this practice. Although it can be handy for system administrators, it is equally useful for hackers. If you decide to enable SNMP, be sure to configure your agents to use hard-to-guess community strings for both write and read access.
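One way to check an agent configuration for the default community strings named above (an added example, not code from the book or from any vendor). It assumes a file of whitespace-separated "keyword value" lines that uses the read-community and write-community keywords; the sample file, the 12-character minimum, and the function names are constructed for illustration.

```python
# Audit an SNMP agent config for weak community strings.
# Assumed format: "keyword value" per line, "#" starts a comment
# (so a community string containing "#" would be cut short here).

DEFAULTS = {"public", "private", "secret"}   # vendor defaults named in the text
MIN_LEN = 12                                 # assumed local policy
DIRECTIVES = ("read-community", "write-community")

def parse_conf(text):
    """Return {directive: [(lineno, value), ...]} for active (uncommented) lines."""
    found = {d: [] for d in DIRECTIVES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in found:
            found[key].append((lineno, parts[1].strip() if len(parts) > 1 else ""))
    return found

def audit(text):
    """Return a list of (lineno, directive, problem) findings."""
    conf = parse_conf(text)
    findings = []
    for directive in DIRECTIVES:
        for lineno, value in conf[directive]:
            if value.lower() in DEFAULTS:
                findings.append((lineno, directive, "vendor default"))
            elif len(value) < MIN_LEN:
                findings.append((lineno, directive, f"shorter than {MIN_LEN} characters"))
    # A shared string gives every read-only client write access as well.
    reads = {value for _, value in conf["read-community"]}
    for lineno, value in conf["write-community"]:
        if value in reads:
            findings.append((lineno, "write-community", "same as read community"))
    return findings

# Constructed sample input, not a real system's configuration.
SAMPLE = """\
# constructed sample
sysdescr        Example host
read-community  public
write-community private
#write-community secret
trap            localhost
"""

if __name__ == "__main__":
    for lineno, directive, problem in audit(SAMPLE):
        print(f"line {lineno}: {directive}: {problem}")
```
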

Solaris and HP-UX are shipped with decent SNMP agents. FreeBSD includes UCD SNMP in the /usr/ports/net/ucd-snmp directory. Red Hat Linux has no SNMP support in its standard distribution.

In the following sections we first describe the Solaris and HP-UX agents. We then talk a bit about the UCD SNMP package, which we recommend for systems that do not come with their own agent.

SNMP on Solaris


Solaris comes with respectable management support. In addition to a rather comprehensive SNMP agent, it also provides DMI support.

The main SNMP agent is /usr/lib/snmp/snmpdx, which reads its configuration from the file /etc/snmp/conf/snmpd.conf. In this file, you can specify the values of many MIB variables and also set the agent’s general configuration. For example, you can set the system description string (sysdescr), the trap host or hosts (trap), and the community strings (read-community, write-community). After
