Enabling SNMP Monitoring in API Gateway

Article ID: 10937

Products

CA API Gateway

Issue/Introduction

SNMP is a protocol for monitoring and managing devices or components within a network. SNMP supports three primary monitoring methods: getting, walking, and trapping.

  • An SNMPGET allows a remote monitor or manager to fetch a particular monitored element.
  • An SNMPWALK allows a remote monitor or manager to fetch a range of values within a class.
  • An SNMP trap allows a monitored entity to generate a notification that is sent to a remote monitor based on certain conditions.

This article focuses on configuring the Gateway appliance so that remote monitors can query it via GET and WALK.

By default the Gateway has SNMP installed and enabled, but the daemon listens only on 127.0.0.1 (the loopback interface). To poll it from a remote monitor you must deliberately expose SNMP on an external interface, which is what the steps below do.

Run this command to validate that SNMP is listening to localhost:

#  snmpwalk -v 1 -Ou 127.0.0.1 -c layer7 1

Environment

Component: APIGTW

Version: Gateway 10.x

Resolution

Implementation

Leveraging SNMP requires the following changes:

  1. Allowing SNMP traffic to traverse the software firewall (configuring the firewall)
  2. Setting the initialization parameters for the SNMP daemon
  3. Host configuration
  4. Setting the desired configuration options in the SNMP daemon ACL (follow only one of the alternatives, either 4a or 4b)

1) Configuring the Firewall

# cd /etc/sysconfig/

# vi iptables

** In vi, search for 161:

/161

** You will see the two rules below; uncomment both by removing the leading #

[0:0] -A INPUT -i ssg_eth0 -p tcp -m tcp --dport 161 -j ACCEPT
[0:0] -A INPUT -i ssg_eth0 -p udp -m udp --dport 161 -j ACCEPT

** Save the file

2) Setting the initialization parameters

The SNMP daemon's startup configuration file restricts it to listening on the loopback interface only (over UDP). Follow this procedure to bind the daemon to all interfaces over UDP:

  1. Log in to the Gateway appliance as the ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open the SNMP daemon parameters file in a text editor: vi /etc/sysconfig/snmpd
  4. Modify the existing line to read as follows: OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid"
  5. Save the file and exit the editor

An example configuration file is illustrated as follows:
# snmpd command line options
OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"

3) Host configuration

Allowing external requestors to access the SNMP daemon

Access to the SNMP daemon is restricted by an access control list. This list must be modified to allow external hosts access to this daemon.

  1. Log in to the Gateway appliance as the ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open the host access control file (TCP Wrappers) in a text editor: vi /etc/hosts.allow
  4. Modify the snmpd line to read as follows: snmpd: ALL
  5. Save the file and exit the editor

An abridged configuration file is illustrated as follows:
snmpd: ALL
sshd: ALL

4) Setting desired configuration options

NOTE: Only one of 4a or 4b is required, and it is strongly suggested to use method 4a.

4a) Simple setup

# vi /etc/snmp/snmpd.conf

** Search for the rocommunity line:

/rocom

*** Remove 127.0.0.1 from the rocommunity line so that it reads as below. That address is an ACL that only allows localhost to authenticate with this community.

rocommunity layer7

*** Note this community string, as it is the password used in the snmpwalk command.

**** Reboot for all changes to take effect.

# reboot -n

**** After the reboot, validate that you can snmpwalk the Gateway via eth0:

#  snmpwalk -v 1 -Ou <YourHostnameHere> -c layer7 1

4b) Complex setup with privileged separation

Several configuration options should be set to secure the SNMP implementation on the Gateway appliance. This setup consists of the following goals:

  1. Specifying an acceptable IP address or IP range
  2. Attaching the address or range to a security group
  3. Allowing the security group to access a particular view
  4. Permitting read-only access to that specific view

To make these changes, open the SNMP daemon configuration file (located at /etc/snmp/snmpd.conf) in a text editor. The applicable portions of an example configuration file are displayed below; the uncommented lines are the changes to make, and the commented lines are the stock defaults left in place for reference.

Specifying an acceptable IP address or range

SNMP requires specifying an IP address or IP range (in CIDR notation) and assigning it to a community. The values of sec.name, source, and community can be modified. An example is as follows:

# First, map the community name "public" into a "security name"
#       sec.name        source          community
#com2sec notConfigUser   default         public
com2sec  myNetwork       172.16/12   ca

Attaching the address or range to a security group

A named security group must be created that specifies the SNMP security version to use, and the named IP address or range must be assigned to that group. The values of groupName and securityModel can be modified. The value of securityName must match the value of sec.name set previously. An example is as follows:

# Second, map the security name into a group name:
#       groupName       securityModel   securityName
#group   notConfigGroup  v1              notConfigUser
#group   notConfigGroup  v2c             notConfigUser
group   myGroup         v1              myNetwork
group   myGroup         v2c             myNetwork

Allowing the security group to access a particular view

A view is a container that restricts which system information can be accessed. This section permits a group to access a specific view. The name and subtree mask values can be modified; for this configuration, set them as follows:

# Third, create a view for us to let the group have rights to:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
#       name            incl/excl       subtree mask(optional)
#view    roview          included        .1
#view    rwview          included        system.sysContact
#view    rwview          included        system.sysName
#view    rwview          included        system.sysLocation
view          systemview               included                   system
view          systemview               included                   .1.3.6.1.4.1.17304

Note that in this step you should add to the view the root nodes for the MIBs you want to be able to view. In the above example, the CA APIM MIB is added to the view in the second uncommented line. If you also want to see the subtree containing system information (CPU, Memory, disk usage) add the following subtree mask to the view: .1.3.6.1.4.1.2021.

Permitting read-only access to that view

A relationship must be configured between a security group and a view. This relationship controls what information is accessible by which entities. The value of the group should reflect the value of the groupName set previously. The value of read should reflect the value of the name set in the previous step. An example is as follows:

# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix read   write  notif
#access  notConfigGroup ""      any       noauth    exact  roview rwview none
access  myGroup        ""      any       noauth    exact   systemview none none

Completing the configuration

All configuration files that have been modified should be saved after they are edited. The Gateway appliance should be restarted after saving. The changes will manifest after the restart completes and the SNMP daemon initializes.
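As an added example (not from this article or from the CA product), the following Python script resolves the com2sec -> group -> access -> view chain from step 4b and also flags a 4a-style rocommunity line that has no source restriction, which is the exposure a reviewer should confirm is intended. The configuration text is a constructed sample and the function names are the example's own.

```python
import shlex
# Constructed sample mirroring the article's 4b directives (not a real Gateway file).
SAMPLE_CONF = """\
com2sec  myNetwork       172.16/12   ca
group   myGroup         v1              myNetwork
group   myGroup         v2c             myNetwork
view          systemview               included                   system
view          systemview               included                   .1.3.6.1.4.1.17304
access  myGroup        ""      any       noauth    exact   systemview none none
"""

def parse_conf(text):
    """Group the directives we care about; comments and other lines are skipped."""
    rules = {"com2sec": [], "group": [], "view": [], "access": [], "rocommunity": []}
    for line in text.splitlines():
        tok = shlex.split(line.split("#", 1)[0])
        if tok and tok[0] in rules:
            rules[tok[0]].append(tok[1:])
    return rules

def resolve_access(text):
    """Follow com2sec -> group -> access -> view; returns {(source, community): (read_view, write_view, subtrees)}."""
    r = parse_conf(text)
    views = {}
    for name, incl, subtree, *_ in r["view"]:
        views.setdefault(name, []).append((incl, subtree))
    groups = {}
    for gname, _model, secname in r["group"]:
        groups.setdefault(secname, set()).add(gname)
    access = {g: (read, write) for g, _c, _m, _l, _p, read, write, _n in r["access"]}
    out = {}
    for secname, source, community in r["com2sec"]:
        for gname in groups.get(secname, ()):
            read, write = access.get(gname, ("none", "none"))
            out[(source, community)] = (read, write, views.get(read, []))
    # "rocommunity NAME [SOURCE]": a missing SOURCE means "default", i.e. any host,
    # which is exactly what dropping 127.0.0.1 in step 4a produces (whole tree, read-only).
    for tok in r["rocommunity"]:
        source = tok[1] if len(tok) > 1 else "default"
        out[(source, tok[0])] = ("all", "none", [("included", ".1")])
    return out

def findings(text):
    """Settings a reviewer would flag because they widen SNMP exposure."""
    issues = []
    for (source, community), (_read, write, _) in resolve_access(text).items():
        if source == "default":
            issues.append(f"community '{community}' readable from any source")
        if write != "none":
            issues.append(f"community '{community}' has write view '{write}'")
    return issues
```

Run findings() against the live /etc/snmp/snmpd.conf after step 4 to confirm the result matches the method you chose (empty for 4b, one "any source" finding for 4a unless the community is scoped to your monitor's address).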

Additional Information

For Gateway 11, please use this KB

Memory usage is not part of the CA MIB; it is provided by the third-party UCD-SNMP-MIB agent.

Link to additional OIDs related to the third-party MIB:

http://www.linux-admins.net/2012/02/linux-snmp-oids-for-cpumemory-and-disk.html

Example walk of the memory subtree:

#  snmpwalk -v 2c -c layer7 <gatewayHostName.DomainName>  .1.3.6.1.4.1.2021.4

UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1525544 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 6109244 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 405276 kB
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1930820 kB
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000 kB
UCD-SNMP-MIB::memShared.0 = INTEGER: 7448 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 192968 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 755160 kB
UCD-SNMP-MIB::memTotalSwapX.0 = Counter64: 2097148 kB
UCD-SNMP-MIB::memAvailSwapX.0 = Counter64: 1525544 kB
UCD-SNMP-MIB::memTotalRealX.0 = Counter64: 6109244 kB
UCD-SNMP-MIB::memAvailRealX.0 = Counter64: 405276 kB
UCD-SNMP-MIB::memTotalFreeX.0 = Counter64: 1930820 kB
UCD-SNMP-MIB::memMinimumSwapX.0 = Counter64: 16000 kB
UCD-SNMP-MIB::memSharedX.0 = Counter64: 7448 kB
UCD-SNMP-MIB::memBufferX.0 = Counter64: 192968 kB
UCD-SNMP-MIB::memCachedX.0 = Counter64: 755160 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:
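As an added example (not part of this article or the CA product), the following Python snippet parses snmpwalk output of the memory subtree shown above into usable numbers, prefers the 64-bit *X objects when the agent exposes them, and derives the used-memory percentages a monitor would alert on. The sample input is a constructed excerpt using the values from the listing; thresholds and function names are the example's own.

```python
import re

# Constructed sample of the walk output above (values copied from this article's listing).
SAMPLE_WALK = """\
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1525544 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 6109244 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 405276 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 192968 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 755160 kB
UCD-SNMP-MIB::memTotalRealX.0 = Counter64: 6109244 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:
"""
LINE_RE = re.compile(r"^UCD-SNMP-MIB::(\w+)\.0 = (INTEGER|Counter64|STRING): ?(.*)$")

def parse_mem_walk(text):
    """Map object name -> int (kB) for numeric objects, str otherwise (e.g. noError(0))."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, _typ, raw = m.groups()
            num = re.match(r"-?\d+", raw)
            values[name] = int(num.group()) if num else raw
    return values

def mem_status(values, real_pct_warn=90, swap_pct_warn=50):
    """Compute used-memory percentages and threshold alerts from a parsed walk."""
    def get(name):  # prefer the 64-bit *X object when the agent exposes it
        return values.get(name + "X", values.get(name))
    total = get("memTotalReal")
    # Buffers and page cache are reclaimable, so they are not counted as "used".
    used = total - get("memAvailReal") - get("memBuffer") - get("memCached")
    real_pct = round(100.0 * used / total, 1)
    swap_total = get("memTotalSwap")
    swap_pct = round(100.0 * (swap_total - get("memAvailSwap")) / swap_total, 1) if swap_total else 0.0
    alerts = []
    if real_pct >= real_pct_warn:
        alerts.append(f"real memory {real_pct}% used (>= {real_pct_warn}%)")
    if swap_pct >= swap_pct_warn:
        alerts.append(f"swap {swap_pct}% used (>= {swap_pct_warn}%)")
    if values.get("memSwapError") not in (None, "noError(0)"):
        alerts.append(f"agent reports swap error: {values.get('memSwapErrorMsg', '')}")
    return {"real_used_pct": real_pct, "swap_used_pct": swap_pct, "alerts": alerts}
```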