My configurations for the Net-SNMP agent and manager.
This repository contains configuration files for Net-SNMP, both for the manager and the agent daemon. The manager configuration files make it more convenient to interact with Net-SNMP agents. The agent configuration files are intended for configuring the Net-SNMP agents on various systems. The usage for the agent and the manager are described in separate sections. These instructions are intended for Fedora Atomic systems.
-
Create a
Projects
directory in the current user’s home directory.mkdir --parents ~/Projects
-
Clone this repository under
~/Projects
.git -C ~/Projects clone https://codeberg.org/jwillikers/net-snmp-config.git
-
Change to the project’s directory.
cd ~/Projects/net-snmp-config
-
Install the
net-snmp-utils
package.sudo rpm-ostree install net-snmp-utils
-
Reboot to complete the installation.
sudo systemctl reboot
- User
-
-
Create the
~/.config/snmp/hosts
directory.mkdir --parents ~/.config/snmp/hosts
-
Symlink the
~/.config/snmp
directory to~/.snmp
where Net-SNMP will find it.ln --relative --symbolic ~/.config/snmp ~/.snmp
-
Copy the template config files to the
~/.config/snmp/hosts
directory.- Bash
-
for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/$(basename -- "$host_template" ".template"); done
- fish
-
for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" ~/.config/snmp/hosts/(basename -- "$host_template" ".template"); end
- Nushell
-
for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"($env.HOME)/.config/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
-
Make sure that the sensitive files are not world readable.
chmod 0640 ~/.config/snmp/hosts/*.conf
-
- System
-
-
Create the
/etc/snmp
directory.sudo mkdir /etc/snmp/
-
Copy the template host config files to the
/etc/snmp/hosts
directory.- Bash
-
for host_template in etc/snmp/hosts/*.conf.template; do cp --no-clobber -- "$host_template" /etc/snmp/hosts/$(basename -- "$host_template" ".template"); done
- fish
-
for host_template in etc/snmp/hosts/*.conf.template; cp --no-clobber -- "$host_template" /etc//snmp/hosts/(basename -- "$host_template" ".template"); end
- Nushell
-
for host_template in (glob "etc/snmp/hosts/*.conf.template") { cp --no-clobber $host_template $"/etc/snmp/hosts/($host_template | path basename | path parse | reject extension | path join)" }
-
Create an
snmp
group.sudo groupadd snmp
-
Add the desired user to this group, such as the current user in this example.
sudo usermod --append --group snmp $USER
-
Log out and back in for the group change to take effect.
-
Change the ownership of
/etc/snmp
to be owned by theroot
user and thesnmp
group.sudo chown --recursive root:snmp /etc/snmp
-
Restrict the permissions of the configuration files to the user and group only.
sudo chmod 0640 /etc/snmp/hosts/*.conf
-
-
For each host file in the
/etc/snmp/hosts
or~/.config/snmp/hosts
directory, fill-in thedefSecurityName
,defAuthPassphrase
, anddefPrivPassphrase
fields with the correct values. The value for these fields is omitted from the configuration for security. -
Test the configuration by querying an agent with the
snmpstatus
command. The name of the configuration file without the.conf
suffix maps to argument passed to thesnmpstatus
command.snmpstatus cm4-01 [UDP: [100.101.69.16]:161->[0.0.0.0]:36610]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:17:29.88 Interfaces: 3, Recv/Trans packets: 52429/39127 | IP: 30919/28849
-
Install lm-sensors and Net-SNMP.
- Debian
-
sudo apt-get --yes install lm-sensors snmp snmpd
- Fedora
-
Install the
lm_sensors
,net-snmp
, andnet-snmp-utils
packages. Thelm_sensors
package is used to report reading of hardware senors.sudo rpm-ostree install lm_sensors net-snmp net-snmp-utils
ℹ️While the
net-snmp-utils
package is not required to run the agent or to create the initial user, it is helpful for testing things out on the host running the agent.
-
Reboot to complete the installation.
sudo systemctl reboot
-
Add a firewall rule to open the necessary port.
sudo firewall-cmd --add-service=snmp --permanent
-
Apply the new rule.
sudo firewall-cmd --reload
-
Unfortunately, SELinux doesn’t want to allow execution of the
systemctl
command from thesnmpd_t
context. This is allowed to check if a systemd service has failed. A typical process check won’t work in cases where the systemd unit runs at intervals. Disable SELinux from enforcing thesnmpd_t
context to allow this functionality. I wasn’t able to get this working with a custom SELinux module. Ideally, this workaround would be less permissive but I haven’t figured out a way to do that yet.sudo semanage permissive -a snmpd_t
-
Ensure that the
snmpd
daemon is stopped.sudo systemctl stop snmpd
-
Copy the
snmpd.conf
file from theetc/snmp/
directory for the desired host to/etc/snmp/snmpd.conf
.sudo cp etc/snmp/$(hostname --short).conf /etc/snmp/snmpd.conf
-
Ensure that the
/etc/snmp/snmpd.conf
file is labelled correctly for SELinux.sudo restorecon /etc/snmp/snmpd.conf
-
Create an SNMPv3 template user. When prompted, enter the authentication and privacy passphrases.
sudo net-snmp-create-v3-user -a SHA-256 -x AES128 templateshaaes Enter authentication pass-phrase: **** Enter encryption pass-phrase: [press return to reuse the authentication pass-phrase] **** adding the following line to /var/lib/net-snmp/snmpd.conf: createUser templateshaaes SHA-256 "****" AES128 "****" adding the following line to /etc/snmp/snmpd.conf: rwuser templateshaaes
-
Start the
snmpd
service to initialize the new user.sudo systemctl enable --now snmpd
-
Test the new template user with a query. Replace
authPassword
with the authentication passphrase andencryptionPassword
with the privacy passphrase for the template user.snmpstatus -v 3 -l priv -u templateshaaes \ -A 'authPassword' -a SHA-256 \ -X 'encryptionPassword' -x AES128 localhost [UDP: [127.0.0.1]:161->[0.0.0.0]:51886]=>[Linux cm4-01.jwillikers.io 6.6.7-200.fc39.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 22:08:35 UTC 2023 aarch64] Up: 0:00:43.90 Interfaces: 3, Recv/Trans packets: 43650/32565 | IP: 26560/24381
-
Create a new user,
monitor
as an example here, based off of the template user. ReplaceauthPassword
with the authentication passphrase andencryptionPassword
with the privacy passphrase for the template user.snmpusm -v3 -l priv -u templateshaaes \ -A 'authPassword' -a SHA-256 \ -X 'encryptionPassword' -x AES128 \ localhost create monitor templateshaaes User successfully created.
-
Set the authentication passphrase for the new user. Substitute
newAuthPassword
with the desired passphrase andmonitor
with the appropriate user. ReplaceauthPassword
with the authentication passphrase andencryptionPassword
with the privacy passphrase for the template user.snmpusm -v3 -l priv -u templateshaaes \ -A 'authPassword' -a SHA-256 \ -X 'encryptionPassword' -x AES128 -Ca \ localhost passwd 'authPassword' 'newAuthPassword' monitor SNMPv3 Key(s) successfully changed.
-
Set the encryption passphrase for the new user. Substitute
newEncryptionPassword
with the desired passphrase andmonitor
with the appropriate user. ReplaceauthPassword
with the authentication passphrase andencryptionPassword
with the privacy passphrase for the template user.snmpusm -v3 -l priv -u templateshaaes \ -A 'authPassword' -a SHA-256 \ -X 'encryptionPassword' -x AES128 -Cx \ localhost passwd 'encryptionPassword' 'newEncryptionPassword' monitor SNMPv3 Key(s) successfully changed.
-
Verify the new user is available in the user table. Replace
authPassword
with the authentication passphrase andencryptionPassword
with the privacy passphrase for the template user.snmptable -v3 -l priv -u templateshaaes \ -A 'authPassword' -a SHA-256 \ -X 'encryptionPassword' -x AES128 -Cb \ localhost usmUserTable SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable SecurityName CloneFrom AuthProtocol AuthKeyChange OwnAuthKeyChange PrivProtocol PrivKeyChange OwnPrivKeyChange Public StorageType Status monitor SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active templateshaaes SNMPv2-SMI::zeroDotZero SNMP-FRAMEWORK-MIB::snmpAuthProtocols.5 "" "" SNMP-FRAMEWORK-MIB::snmpPrivProtocols.4 "" "" "" nonVolatile active
-
Delete any sensitive data that may now be in your shell’s history.
- Bash
-
For Bash, just delete all history to be safe.
history -cw
- fish
-
The following command deletes fish shell’s history for any of the
snmptable
andsnmpusm
commands. It will prompt you for which entries should be deleted. Enterall
to delete all matches.history delete snmptable snmpusm
- Nushell
-
For Nushell, wipe all history.
history --clear
A new agent configuration can be generated with the snmpconf
command.
-
Change to a directory where a config file doesn’t usually reside, such as the repository’s directory.
cd ~/Projects/net-snmp-config
-
Generate a new config.
snmpconf -g basic_setup
-
Move the new config to this repository’s
etc/snmp
directory, and rename it according to the host.mv snmpd.conf etc/snmp/cm4-02.snmpd.conf
-
Add a corresponding manager configuration file for the new agent in the
etc/snmp/hosts
directory, using the desired name to use to refer to the agent as the name of the file followed by the suffix.conf
. It’s probably easiest to copy an existing configuration file and tweak it as necessary.🔥Leave the placeholder values for the
defSecurityName
,defAuthPassphrase
, anddefPrivPassphrase
fields to avoid leaking secrets in this public Git repository.cp etc/snmp/hosts/cm4-01.conf etc/snmp/hosts/cm4-02.conf
Please refer to the project’s Code of Conduct.