Re: How to create a VACM view that blocks particular rows in a table

2012-09-10 Thread Dave Shield
On 10 September 2012 09:39, Suresh kumar  wrote:
>  We created the following view in snmpd.conf logic given below but its not
> working
>
>
>
> view myVacm included .1.3.6.1.6.3.15.1.2.2
> view myVacm excluded
> .1.3.6.1.6.3.15.1.2.2.1.0.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.0.100.101.102.97.117.108.1160x:ff:ef:ff:f7:ff

I hope that there is a space between "116" and "0x:ff"?
I also don't believe you need the colon after "0x".


>> .1.3.6.1.6.3.15.1.2.2.1.0.
>> 17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.
>> 0.100.101.102.97.117.108.116

The second line of this OID contains 18 values
(the length subidentifier '17', plus 17 octets)

The third line of this OID contains 8 values
(the placeholder for the length, plus 7 octets "default")


> Mask:
>   1110
>    
> 0111  

The second line of the mask only contains 16 bits (not 18)
The third line of the mask contains 12 bits (not 8)


You've got the right idea, but you need to be more careful
about matching the masking bits against the OID subidentifiers

And if the mask doesn't end on an eight-bit boundary
(which it won't), then you need to pad it out with 0 bits
rather than 1 bits.

Try again

Dave

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users


RE: How to create a VACM view that blocks particular rows in a table

2012-09-10 Thread Suresh kumar
; = ""
SNMP-USER-BASED-SM-MIB::usmUserPublic.".°+IP"."defaultUserMD5" = ""
SNMP-USER-BASED-SM-MIB::usmUserPublic.".....°+....IP...."."defaultUserSHA" = ""
SNMP-USER-BASED-SM-MIB::usmUserStorageType.".°+IP"."deepti" = 
INTEGER: nonVolatile(3)
SNMP-USER-BASED-SM-MIB::usmUserStorageType.".°+IP"."deepti1" = 
INTEGER: nonVolatile(3)
SNMP-USER-BASED-SM-MIB::usmUserStorageType.".°+IP"."defaultUserMD5" 
= INTEGER: nonVolatile(3)
SNMP-USER-BASED-SM-MIB::usmUserStorageType.".°+IP"."defaultUserSHA" 
= INTEGER: nonVolatile(3)
SNMP-USER-BASED-SM-MIB::usmUserStatus.".°+IP"."deepti" = INTEGER: 
active(1)
SNMP-USER-BASED-SM-MIB::usmUserStatus.".°+IP"."deepti1" = INTEGER: 
active(1)
SNMP-USER-BASED-SM-MIB::usmUserStatus.".°+IP"."defaultUserMD5" = 
INTEGER: active(1)
SNMP-USER-BASED-SM-MIB::usmUserStatus.".°+IP"."defaultUserSHA" = 
INTEGER: active(1)
 
~Suresh

 

 

> Date: Fri, 7 Sep 2012 11:10:35 +0100
> Subject: Re: How to create a VACM view that blocks particular rows in a table
> From: d.t.shi...@liverpool.ac.uk
> To: skjaiswa...@hotmail.com
> CC: net-snmp-users@lists.sourceforge.net
> 
> On 7 September 2012 07:30, Suresh kumar  wrote:
> > Hi Dave, please find the output of
> > snmpwalk -v 2c -c public -On 172.16.3.151 1.3.6.1.6.3.15.1.2.2.1
> 
> 
> > .1.3.6.1.6.3.15.1.2.2.1.3.
> > 17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.
> > 14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
> > = STRING: defaultUserMD5
> 
> OK - That gives you the information you need to determine the OID
> to put in the 'view' directive
> 
> Turn the last number in the first line into a 0
> (because you'll want to match all column objects)
> Turn the first number in the third line into a 0
> (because you'll want to match varying length usernames)
> Delete 85.115. from the third name
> (just leaving the prefix "default")
> 
> Use the resulting OID in the view directive.
> 
> 
> As for the mask, write down a string of 1 bits,
> one for each number in this OID.
> Then take the two subidentifiers that you set to 0 above,
> and turn the corresponding bits in this list to 0 as well.
> That gives you the mask to use (in binary)
> So just convert that to hex, and you're done.
> 
> OK?
> 
> Dave


Re: How to create a VACM view that blocks particular rows in a table

2012-09-07 Thread Dave Shield
On 7 September 2012 07:30, Suresh kumar  wrote:
> Hi Dave, please find the output of
> snmpwalk -v 2c -c public -On 172.16.3.151 1.3.6.1.6.3.15.1.2.2.1


> .1.3.6.1.6.3.15.1.2.2.1.3.
> 17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.
> 14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
> = STRING: defaultUserMD5

OK - That gives you the information you need to determine the OID
to put in the 'view' directive

Turn the last number in the first line into a 0
   (because you'll want to match all column objects)
Turn the first number in the third line into a 0
   (because you'll want to match varying length usernames)
Delete 85.115. from the third name
   (just leaving the prefix "default")

Use the resulting OID in the view directive.


As for the mask, write down a string of 1 bits,
   one for each number in this OID.
Then take the two subidentifiers that you set to 0 above,
and turn the corresponding bits in this list to 0 as well.
That gives you the mask to use (in binary)
So just convert that to hex, and you're done.

OK?

Dave



RE: How to create a VACM view that blocks particular rows in a table

2012-09-06 Thread Suresh kumar

Hi Dave, please find the output of snmpwalk -v 2c -c public -On 172.16.3.151
1.3.6.1.6.3.15.1.2.2.1
 
C:\SnmpUtility>snmpwalk -v 2c -c public -On 172.16.3.151 1.3.6.1.6.3.15.1.2.2.1
.1.3.6.1.6.3.15.1.2.2.1.3.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = STRING: deepti1
.1.3.6.1.6.3.15.1.2.2.1.3.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = STRING: defaultUserMD5
.1.3.6.1.6.3.15.1.2.2.1.3.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = STRING: defaultUserSHA
.1.3.6.1.6.3.15.1.2.2.1.4.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = OID: .0.0
.1.3.6.1.6.3.15.1.2.2.1.4.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = OID: .0.0
.1.3.6.1.6.3.15.1.2.2.1.4.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = OID: .0.0
.1.3.6.1.6.3.15.1.2.2.1.5.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = OID: .1.3.6.1.6.3.10.1.1.2
.1.3.6.1.6.3.15.1.2.2.1.5.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = OID: .1.3.6.1.6.3.10.1.1.2
.1.3.6.1.6.3.15.1.2.2.1.5.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = OID: .1.3.6.1.6.3.10.1.1.3
.1.3.6.1.6.3.15.1.2.2.1.6.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = ""
.1.3.6.1.6.3.15.1.2.2.1.6.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = ""
.1.3.6.1.6.3.15.1.2.2.1.6.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = ""
.1.3.6.1.6.3.15.1.2.2.1.7.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = ""
.1.3.6.1.6.3.15.1.2.2.1.7.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = ""
.1.3.6.1.6.3.15.1.2.2.1.7.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = ""
.1.3.6.1.6.3.15.1.2.2.1.8.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = OID: .1.3.6.1.6.3.10.1.2.1
.1.3.6.1.6.3.15.1.2.2.1.8.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = OID: .1.3.6.1.6.3.10.1.2.1
.1.3.6.1.6.3.15.1.2.2.1.8.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = OID: .1.3.6.1.6.3.10.1.2.1
.1.3.6.1.6.3.15.1.2.2.1.9.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = ""
.1.3.6.1.6.3.15.1.2.2.1.9.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = ""
.1.3.6.1.6.3.15.1.2.2.1.9.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = ""
.1.3.6.1.6.3.15.1.2.2.1.10.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = ""
.1.3.6.1.6.3.15.1.2.2.1.10.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = ""
.1.3.6.1.6.3.15.1.2.2.1.10.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = ""
.1.3.6.1.6.3.15.1.2.2.1.11.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = ""
.1.3.6.1.6.3.15.1.2.2.1.11.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = ""
.1.3.6.1.6.3.15.1.2.2.1.11.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = ""
.1.3.6.1.6.3.15.1.2.2.1.12.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = INTEGER: nonVolatile(3)
.1.3.6.1.6.3.15.1.2.2.1.12.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = INTEGER: nonVolatile(3)
.1.3.6.1.6.3.15.1.2.2.1.12.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = INTEGER: nonVolatile(3)
.1.3.6.1.6.3.15.1.2.2.1.13.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.7.100.101.101.112.116.105.49
 = INTEGER: active(1)
.1.3.6.1.6.3.15.1.2.2.1.13.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.77.68.53
 = INTEGER: active(1)
.1.3.6.1.6.3.15.1.2.2.1.13.17.128.0.31.136.128.176.43.0.0.5.141.73.80.0.0.0.0.14.100.101.102.97.117.108.116.85.115.101.114.83.72.65
 = INTEGER: active(1)
 
 
Regards
Suresh
 

 

> Date: Thu, 6 Sep 2012 09:21:30 +0100
> Subj

Re: How to create a VACM view that blocks particular rows in a table

2012-09-06 Thread Dave Shield
On 6 September 2012 07:23, Suresh kumar  wrote:
> We created the following configuration in snmpd.conf. The engine ID is
> 0x80001f8880606307655045efc8; however the below configuration is not
> working.
>
> Please let us know if the engine ID used is correct?

No - that is almost certainly not correct.

What is the output of
snmpwalk -v 2c -c public -On 172.16.3.151 1.3.6.1.6.3.15.1.2.2.1
?

Dave



RE: How to create a VACM view that blocks particular rows in a table

2012-09-05 Thread Suresh kumar


 Hi Dave
 
 
We created the following configuration in snmpd.conf. The engine ID is
0x80001f8880606307655045efc8; however, the below configuration is not working.
Please let us know if the engine ID used is correct. How do we verify the mask?
 
createUser deepti MD5 net-snmp

 
#VACM Configuration
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):

#com2sec custom_sec 192.168.10.0/24  public

view myVacm included .1.3.6.1.6.3.15.1.2.2
view myVacm excluded .1.3.6.1.6.3.15.1.2.2.1.0.17.80001f8880606307655045efc8.0.100.101.102.97.117.108.116 0xff:e0:00:01:fa
rouser deepti auth -V myVacm

 
 
 
Thanks
~Suresh
 
> Date: Tue, 4 Sep 2012 11:09:16 +0100
> Subject: Re: How to create a VACM view that blocks particular rows in a table
> From: d.t.shi...@liverpool.ac.uk
> To: skjaiswa...@hotmail.com
> CC: net-snmp-users@lists.sourceforge.net
> 
> On 4 September 2012 09:37, Suresh kumar  wrote:
> > But anyone who has
> > rw/ro access to the Snmpusm table will be able to view these internal users
> > starting with “default” as well. We want that when any operator accesses
> > SNMPUSM table, he should be able to view users that are created (for
> > example deepti1 in the below case) but not the internal users/default users
> > (starting with “defaultX”).
> 
> OK - I see what you mean.
> 
> > In VACM terms, this implies creating a view
> > where particular rows belonging to a table can be accessed while some can be
> > blocked.
> 
> Exactly.
> 
> > We want a sample VACM configuration for the same.
> 
> Not tested, but try something like the following:
> 
> view myVacm included .1.3.6.1.6.3.15.1.2.2
> view myVacm excluded
> .1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
> 0xff:ef:ff:fd:fa
> rouser {operator} auth -V myVacm
> 
> or
> 
> view myVacm included .1.3.6.1.6.3.15.1.2.2
> view myVacm excluded
> .1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
> 0xff:e0:00:01:fa
> rouser {operator} auth -V myVacm
> 
> 
> You'll need to insert the (numeric) value of your SNMP Engine ID where
> indicated.
> Try running the same "snmpwalk" command as before but with the option '-On' to
> see the appropriate values.
> 
> Note that the mask is crafted based on a 17-octet engineID (which seems to
> be what you're using). If that's not correct, then you'll need to
> tweak the OID and mask accordingly.
> The difference between the two samples above is whether the engine ID is
> explicitly matched, or ignored. It shouldn't make any real
> difference which you use.
> But the length of the engineID *is* significant, as this affects the
> masking bits that are applied to the username.
> 
> 
> Dave


Re: How to create a VACM view that blocks particular rows in a table

2012-09-04 Thread Dave Shield
On 4 September 2012 09:37, Suresh kumar  wrote:
> But anyone who has
> rw/ro access to the Snmpusm table will be able to view these internal users
> starting with “default” as well. We want that when any operator accesses
> SNMPUSM table, he should be able to view users that are created (for
> example deepti1 in the below case) but not the internal users/default users
> (starting with “defaultX”).

OK - I see what you mean.

>   In VACM terms, this implies creating a view
> where particular rows belonging to a table can be accessed while some can be
> blocked.

Exactly.

>   We want a sample VACM configuration for the same.

Not tested, but try something like the following:

view   myVacm  included  .1.3.6.1.6.3.15.1.2.2
view   myVacm  excluded
.1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
0xff:ef:ff:fd:fa
rouser  {operator}  auth  -V myVacm

or

view   myVacm  included  .1.3.6.1.6.3.15.1.2.2
view   myVacm  excluded
.1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
0xff:e0:00:01:fa
rouser  {operator}  auth  -V myVacm


You'll need to insert the (numeric) value of your SNMP Engine ID where
indicated.
Try running the same "snmpwalk" command as before but with the option '-On' to
see the appropriate values.

Note that the mask is crafted based on a 17-octet engineID (which seems to
be what you're using). If that's not correct, then you'll need to
tweak the OID and mask accordingly.
The difference between the two samples above is whether the engine ID is
explicitly matched, or ignored. It shouldn't make any real
difference which you use.
But the length of the engineID *is* significant, as this affects the
masking bits that are applied to the username.


Dave

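The procedure in Dave's replies above (set the column and user-name-length subidentifiers to 0, clear the matching mask bits, pad to an octet boundary with 0 bits, convert to hex) together with the one-bit-per-subidentifier count he checks in his 10 September reply, worked through as a Python example added here; it is not code from the thread or from Net-SNMP. It assumes the 17-octet engineID from the snmpwalk -On output quoted earlier in the thread, and the helper names are my own.

```python
# Added example for this thread (not Net-SNMP project code): build the
# 'view ... excluded' subtree and mask that hide usmUserTable rows whose
# usmUserName starts with a prefix, and check masks the way the replies do.
USM_USER_ENTRY = [1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1]   # usmUserEntry; column follows

# Constructed sample index values, taken from the 'snmpwalk -On' output quoted above.
ENGINE_ID = bytes([128, 0, 31, 136, 128, 176, 43, 0, 0, 5, 141, 73, 80, 0, 0, 0, 0])
DEEPTI1 = USM_USER_ENTRY + [3, 17] + list(ENGINE_ID) + [7] + list(b"deepti1")
DEFAULT_MD5 = USM_USER_ENTRY + [3, 17] + list(ENGINE_ID) + [14] + list(b"defaultUserMD5")

def decode_usm_index(oid):
    """(column, engineID, userName) from <entry>.<col>.<L>.<L octets>.<N>.<N octets>."""
    if oid[:len(USM_USER_ENTRY)] != USM_USER_ENTRY:
        raise ValueError("not a usmUserEntry instance")
    rest = oid[len(USM_USER_ENTRY):]
    column, eid_len = rest[0], rest[1]
    name_len = rest[2 + eid_len]
    name = bytes(rest[3 + eid_len:3 + eid_len + name_len]).decode("ascii")
    return column, bytes(rest[2:2 + eid_len]), name

def excluded_subtree(engine_id, name_prefix, match_engine_id=True):
    """Subtree OID plus one mask bit per subidentifier for 'view NAME excluded'.
    Column and name-length subids become 0 with mask bit 0 (wildcards); the
    engineID length stays fixed because it decides where the name octets sit."""
    subids, bits = list(USM_USER_ENTRY), [1] * len(USM_USER_ENTRY)
    subids.append(0); bits.append(0)                       # any column
    eid_bit = 1 if match_engine_id else 0                  # 0: ignore engineID too
    subids += [len(engine_id)] + list(engine_id)
    bits += [eid_bit] * (1 + len(engine_id))
    subids.append(0); bits.append(0)                       # any name length
    subids += list(name_prefix.encode("ascii"))
    bits += [1] * len(name_prefix)
    return subids, bits

def mask_to_hex(bits):
    """Pack bits MSB-first, pad the last octet with 0 bits, snmpd.conf syntax."""
    padded = bits + [0] * (-len(bits) % 8)
    octets = [int("".join(map(str, padded[i:i + 8])), 2) for i in range(0, len(padded), 8)]
    return "0x" + ":".join("%02x" % o for o in octets)

def hex_to_bits(mask_hex):
    digits = mask_hex.lower().replace(":", "").replace(".", "")
    digits = digits[2:] if digits.startswith("0x") else digits
    return [int(b) for o in bytes.fromhex(digits) for b in format(o, "08b")]

def mask_fits(subtree, mask_hex):
    """Dave's check: one mask bit per subidentifier, so ceil(len/8) octets."""
    return len(hex_to_bits(mask_hex)) == 8 * -(-len(subtree) // 8)

def view_matches(subtree, mask_hex, oid):
    """RFC 3415 family match: oid must be at least as long as subtree and equal
    at every position whose mask bit is 1 (bits past the mask count as 1)."""
    bits = hex_to_bits(mask_hex)
    return len(oid) >= len(subtree) and all(
        (i < len(bits) and bits[i] == 0) or oid[i] == s for i, s in enumerate(subtree))

def view_line(name, subtree, bits):
    return "view %s excluded .%s %s" % (name, ".".join(map(str, subtree)), mask_to_hex(bits))
```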


RE: How to create a VACM view that blocks particular rows in a table

2012-09-04 Thread Suresh kumar

 
Hi Dave
 
The default users have been added to snmpusm table for V3 user creation/cloning
which is internal to the SNMP Agent. But anyone who has rw/ro access to the
Snmpusm table will be able to view these internal users starting with
“default” as well. We want that when any operator accesses SNMPUSM table,
he should be able to view users that are created (for example deepti1 in the
below case) but not the internal users/default users (starting with
“defaultX”). In VACM terms, this implies creating a view where particular
rows belonging to a table can be accessed while some can be blocked. We want a
sample VACM configuration for the same.
 
 
Regards
Suresh
 

> Date: Tue, 4 Sep 2012 08:25:29 +0100
> Subject: Re: How to block read-write access to the default v3 users only
> From: d.t.shi...@liverpool.ac.uk
> To: skjaiswa...@hotmail.com
> CC: net-snmp-users@lists.sourceforge.net
> 
> On 4 September 2012 08:15, Suresh kumar  wrote:
> > We have added around 2 default users in the snmp persist file to enable v3
> > user creation/cloning through snmpusm utility.
> 
> > What VACM configuration should go into snmpd.conf to block
> > read-write access to the default users ONLY?
> 
> That's looking at things the wrong way.
> You don't need any VACM configuration settings to block access.
> You need VACM configuration settings to *grant* access.
> 
> 
> > The user for example “deepti1” should be
> > accessible but not the users starting with “defaultXXX”.
> 
> So use either
> rouser deepti1
> or
> rwuser deepti1
> 
> (depending on whether this user should have read-only vs read-write)
> 
> If there's no similar r{o,w}user line that refers to the default
> users (or an equivalent 'group' setting), then they won't have any access.
> 
> Dave