author | syrinx <syrinx@FreeBSD.org> | 2010-12-08 17:27:59 +0000 |
---|---|---|
committer | syrinx <syrinx@FreeBSD.org> | 2010-12-08 17:27:59 +0000 |
commit | ae67436c3a99cb8c52edb1b9c9be3da5642ac59a (patch) | |
tree | a03879a2fa6a074e2f90292724df0fa44d48a303 /etc/snmpd.config | |
parent | 69401abe0aeeccf7f8c7b47372cd678170307abe (diff) | |
download | FreeBSD-src-ae67436c3a99cb8c52edb1b9c9be3da5642ac59a.zip FreeBSD-src-ae67436c3a99cb8c52edb1b9c9be3da5642ac59a.tar.gz |
Add (disabled) sample configurations needed to enable the snmp_usm and
snmp_vacm modules and minimal user/view configurations needed for
the modules to work properly.
Sponsored by: The FreeBSD Foundation
Reviewed by: philip@ (mostly)
Approved by: philip@
Diffstat (limited to 'etc/snmpd.config')
-rw-r--r-- | etc/snmpd.config | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/etc/snmpd.config b/etc/snmpd.config index b212f24..7e73b5c 100644 --- a/etc/snmpd.config +++ b/etc/snmpd.config @@ -12,6 +12,15 @@ system := 1 # FreeBSD traphost := localhost trapport := 162 +# +# Set the SNMP engine ID. +# +# The snmpEngineID object required from the SNMPv3 Framework. If not explicitly set via +# this configuration file, an ID is assigned based on the value of the +# kern.hostid variable +# engine := 0x80:0x10:0x08:0x10:0x80:0x25 +# snmpEngineID = $(engine) + # Change this! read := "public" # Uncomment begemotSnmpdCommunityString.0.2 below that sets the community @@ -19,6 +28,26 @@ read := "public" write := "geheim" trap := "mytrap" +# Declarations for SNMP-USER-BASED-SM-MIB authentication and privacy options +NoAuthProtocol := 1.3.6.1.6.3.10.1.1.1 +HMACMD5AuthProtocol := 1.3.6.1.6.3.10.1.1.2 +HMACSHAAuthProtocol := 1.3.6.1.6.3.10.1.1.3 +NoPrivProtocol := 1.3.6.1.6.3.10.1.2.1 +DESPrivProtocol := 1.3.6.1.6.3.10.1.2.2 +AesCfb128Protocol := 1.3.6.1.6.3.10.1.2.4 + +# +# SNMPv3 USM User definition +# +# The localized hex password for a user may be obtained by setting SNMPUSER, SNMPPASSWD, +# SNMPAUTH and SNMPPRIV environment variables to the desired parameters and invoking +# 'bsnmpget -v 3 -D -K -o verbose' against the running bsnmpd(1). For other +# usages refer to the bsnmpget(1) manual page. The following lines define a user "bsnmp" +# which a private password "bsnmp", localized for the above engine ID. +# +# user1 := "bsnmp" +# user1passwd := 0x1b:0x6d:0x9e:0x94:0xbe:0x19:0x17:0xfb:0xde:0x60:0x46:0xfe:0x59:0x6f:0x61:0x95:0xf2:0xc9:0x57:0x1f + # # Configuration # 
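Review bot: The sample `engine` value in the first hunk is a fixed literal, and the comment does not say it must be unique per agent, so hosts that uncomment it verbatim would all share one snmpEngineID. Because the USM key in the next hunk is described as localized for this engine ID, those hosts would also hold identical localized keys for the same password. I would add `# Example value only - choose an ID unique to this host.` above `# engine := ...`. The comment could also mention that the commented `usmUser*.$(engine)` entries later in the file need `engine` to be defined.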
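Review bot: The `user1passwd` sample in the second hunk is the localized key for the password "bsnmp" under the sample engine ID, and unlike `read` it carries no `# Change this!` marker. An administrator who simply uncomments the block would deploy a credential that is published in every copy of this file. I would put `# Change this! Example key only - generate your own as described above.` directly above `# user1 := "bsnmp"`. The phrase `which a private password` should read `with a private password`. A short comment could also mark `HMACMD5AuthProtocol` and `DESPrivProtocol` as legacy options, since the sample user uses the SHA/AES pair.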
@@ -72,6 +101,113 @@ begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII.so" #begemotIfForcePoll = 2000 # +# SNMPv3 User-based security module - must be loaded for SNMPv3 USM +# +#begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so" + +# +# SNMPv3 USM User definition. +# + +#%usm + +# +# The following block creates a user with name "bsnmp" and sets privacy +# and encryption options to SHA256 message digests and AES encryption +# for this user. +# +# usmUserStatus.$(engine).$(user1) = 5 +# usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol) +# usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol) +# usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserStatus.$(engine).$(user1) = 1 +# + +# +# The following block creates a user with name "public" with no authentication +# or encyption options. +# +# usmUserStatus.$(engine).$(read) = 5 +# usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol) +# usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol) +# usmUserStatus.$(engine).$(read) = 1 +# + +# +# SNMPv3 View-based Access Control module +# +#begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so" + +# +# Definition of view-based access control entries. 
+# +#%vacm + +# Definition of a SNMPv1 group +# vacmSecurityToGroupStatus.1.$(read) = 4 +# vacmGroupName.1.$(read) = $(read) + +# Definition of SNMPv2 group +# vacmSecurityToGroupStatus.2.$(write) = 4 +# vacmGroupName.2.$(write) = $(write) + +# Definition of SNMPv3 group with users "bsnmp" and "public" +# vacmSecurityToGroupStatus.3.$(user1) = 4 +# vacmGroupName.3.$(user1) = $(write) +# vacmSecurityToGroupStatus.3.$(read) = 4 +# vacmGroupName.3.$(read) = $(write) + +# +# The OID of the .iso.org.dod.internet subtree +# +# internetoid := 1.3.6.1 +# internetoidlen := 4 + +# Enumerated values for the privacy options +# noAuthNoPriv := 1 +# authNoPriv := 2 +# authPriv := 3 + +# +# Definitions of two views +# +# vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4 +# vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4 + +# +# Access control +# + +# +# Read-only access for SNMPv1 users +# +# vacmAccessStatus.$(read)."".1.1 = 4 +# vacmAccessReadViewName.$(read)."".1.1 = "internet" + +# +# Read-write access for SNMPv2 users +# +# vacmAccessStatus.$(write)."".2.1 = 4 +# vacmAccessReadViewName.$(write)."".2.1 = "internet" +# vacmAccessWriteViewName.$(write)."".2.1 = "internet" + +# +# Read-write-notify access for SNMPv3 USM users with noAuthNoPriv +# +# vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4 +# vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet" +# vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet" +# vacmAccessNotifyViewName.$(write)."".3.$(noAuthNoPriv) = "internet" + +# +#Read-write-notify access to restricted for SNMPv3 USM users with authPriv +# +# vacmAccessStatus.$(write)."".3.$(authPriv) = 4 +# vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted" + # Netgraph module # #begemotSnmpdModulePath."netgraph" = "/usr/lib/snmp_netgraph.so" |
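Review bot: The sample access entries give the weakest security level the widest rights: group `$(write)` at `noAuthNoPriv` gets read, write and notify on "internet", while `authPriv` is confined to "restricted". The NoAuth/NoPriv user `$(read)` ("public") is mapped into that same `$(write)` group, so if the block is uncommented as written, an unauthenticated SNMPv3 user can write. Both views are also defined over the same `$(internetoid)` subtree, so "restricted" restricts nothing. I would give `noAuthNoPriv` only `vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "restricted"`, drop its write and notify lines, and define "restricted" over a narrower subtree than 1.3.6.1. Separately, the user comment says "SHA256" and "privacy and encryption", but the entries use `HMACSHAAuthProtocol` (declared as 1.3.6.1.6.3.10.1.1.3, i.e. HMAC-SHA-96) for authentication and AES for privacy; `encyption` is a typo.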