--- elwix/config/etc/default/snmpd.config 2011/07/05 23:43:00 1.1 +++ elwix/config/etc/default/snmpd.config 2013/01/28 01:47:35 1.2 @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/snmpd.config,v 1.10 2010/07/26 16:20:52 syrinx Exp $ +# $FreeBSD: src/etc/snmpd.config,v 1.14 2012/11/17 01:49:02 svnexp Exp $ # # Example configuration file for bsnmpd(1). # @@ -12,6 +12,15 @@ system := 1 # FreeBSD traphost := localhost trapport := 162 +# +# Set the SNMP engine ID. +# +# The snmpEngineID object required from the SNMPv3 Framework. If not explicitly set via +# this configuration file, an ID is assigned based on the value of the +# kern.hostid variable +# engine := 0x80:0x10:0x08:0x10:0x80:0x25 +# snmpEngineID = $(engine) + # Change this! read := "public" # Uncomment begemotSnmpdCommunityString.0.2 below that sets the community @@ -20,6 +29,49 @@ write := "geheim" trap := "mytrap" # +# Declarations for SNMP-USER-BASED-SM-MIB authentication and privacy options +# + +NoAuthProtocol := 1.3.6.1.6.3.10.1.1.1 +HMACMD5AuthProtocol := 1.3.6.1.6.3.10.1.1.2 +HMACSHAAuthProtocol := 1.3.6.1.6.3.10.1.1.3 +NoPrivProtocol := 1.3.6.1.6.3.10.1.2.1 +DESPrivProtocol := 1.3.6.1.6.3.10.1.2.2 +AesCfb128Protocol := 1.3.6.1.6.3.10.1.2.4 + +# +# Enumerations from SNMP-FRAMEWORK-MIB +# + +# Security models +securityModelAny := 0 +securityModelSNMPv1 := 1 +securityModelSNMPv2c := 2 +securityModelUSM := 3 + +# Message Processing models +MPmodelSNMPv1 := 0 +MPmodelSNMPv2c := 1 +MPmodelSNMPv3 := 3 + +# Security levels +noAuthNoPriv := 1 +authNoPriv := 2 +authPriv := 3 + + +# SNMPv3 USM User definition +# +# The localized hex password for a user may be obtained by setting SNMPUSER, SNMPPASSWD, +# SNMPAUTH and SNMPPRIV environment variables to the desired parameters and invoking +# 'bsnmpget -v 3 -D -K -o verbose' against the running bsnmpd(1). For other +# usages refer to the bsnmpget(1) manual page. The following lines define a user "bsnmp" +# with a private password "bsnmptest", localized for the above engine ID. +# +#user1 := "bsnmp" +#user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60 + +# # Configuration # %snmpd @@ -61,9 +113,156 @@ sysObjectId = 1.3.6.1.4.1.12325.1.1.2.1.$(system) snmpEnableAuthenTraps = 2 # +# SNMPv3 User-based security module - must be loaded for SNMPv3 USM +# +#begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so" + +# +# SNMPv3 USM User definition. +# + +#%usm + +# +# The following block creates a user with name "bsnmp" and sets privacy +# and encryption options to SHA256 message digests and AES encryption +# for this user. +# +# usmUserStatus.$(engine).$(user1) = 5 +# usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol) +# usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol) +# usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserStatus.$(engine).$(user1) = 1 +# + +# +# The following block creates a user with name "public" with no authentication +# or encryption options. +# +# usmUserStatus.$(engine).$(read) = 5 +# usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol) +# usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol) +# usmUserStatus.$(engine).$(read) = 1 +# + +# +# SNMPv3 View-based Access Control module +# +#begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so" + +# +# Definition of view-based access control entries. +# +#%vacm + +# Definition of a SNMPv1 group +# vacmSecurityToGroupStatus.$(securityModelSNMPv1).$(read) = 4 +# vacmGroupName.$(securityModelSNMPv1).$(read) = $(read) + +# Definition of SNMPv2 group +# vacmSecurityToGroupStatus.$(securityModelSNMPv2c).$(write) = 4 +# vacmGroupName.$(securityModelSNMPv2c).$(write) = $(write) + +# Definition of SNMPv3 group with users "bsnmp" and "public" +# vacmSecurityToGroupStatus.$(securityModelUSM).$(user1) = 4 +# vacmGroupName.$(securityModelUSM).$(user1) = $(write) +# vacmSecurityToGroupStatus.$(securityModelUSM).$(read) = 4 +# vacmGroupName.$(securityModelUSM).$(read) = $(write) + +# +# The OID of the .iso.org.dod.internet subtree +# +# internetoid := 1.3.6.1 +# internetoidlen := 4 + +# +# Definitions of two views +# +# vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4 +# vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4 + +# +# Access control +# + +# +# Read-only access for SNMPv1 users +# +# vacmAccessStatus.$(read)."".$(securityModelSNMPv1).$(noAuthNoPriv) = 4 +# vacmAccessReadViewName.$(read)."".$(securityModelSNMPv1).$(noAuthNoPriv) = "internet" + +# +# Read-write access for SNMPv2 users +# +# vacmAccessStatus.$(write)."".$(securityModelSNMPv2c).$(noAuthNoPriv) = 4 +# vacmAccessReadViewName.$(write)."".$(securityModelSNMPv2c).$(noAuthNoPriv) = "internet" +# vacmAccessWriteViewName.$(write)."".$(securityModelSNMPv2c).$(noAuthNoPriv) = "internet" + +# +# Read-write-notify access for SNMPv3 USM users with noAuthNoPriv +# +# vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4 +# vacmAccessReadViewName.$(write)."".$(securityModelUSM).$(noAuthNoPriv) = "internet" +# vacmAccessWriteViewName.$(write)."".$(securityModelUSM).$(noAuthNoPriv) = "internet" +# vacmAccessNotifyViewName.$(write)."".$(securityModelUSM).$(noAuthNoPriv) = "internet" + +# +#Read-write-notify access to restricted for SNMPv3 USM users with authPriv +# +# vacmAccessStatus.$(write)."".3.$(authPriv) = 4 +# vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted" + +# +# SNMPv3 Notification Targets +# +# begemotSnmpdModulePath."target" = "/usr/lib/snmp_target.so" + +#%target +# Send notifications to target tag "test" +# tag := "test" +# snmpNotifyRowStatus.$(tag) = 4 +# snmpNotifyTag.$(tag) = $(tag) + +# tagremote := "testremote" +# snmpNotifyRowStatus.$(tagremote) = 4 +# snmpNotifyTag.$(tagremote) = $(tagremote) + +# +# Specify the target parameters for the notifications - send with the credentials +# of user "bsnmp" +# +# snmpTargetParamsRowStatus.$(tag) = 5 +# snmpTargetParamsMPModel.$(tag) = $(MPmodelSNMPv3) +# snmpTargetParamsSecurityModel.$(tag) = $(securityModelUSM) +# snmpTargetParamsSecurityName.$(tag) = $(user1) +# snmpTargetParamsSecurityLevel.$(tag) = $(authPriv) +# snmpTargetParamsRowStatus.$(tag) = 1 + +# +# Define the notifications' target address - port 162 on localhost +# +# snmpTargetAddrRowStatus.$(tag) = 5 +# snmpTargetAddrTAddress.$(tag) = 0x7f:0x0:0x0:0x1:0x0:0xa2 +# snmpTargetAddrTagList.$(tag) = "test notification" +# snmpTargetAddrParams.$(tag) = $(tag) +# snmpTargetAddrRowStatus.$(tag) = 1 + +# +# Define the notifications' target address - port 162 on 10.0.0.1 +# +# snmpTargetAddrRowStatus.$(tagremote) = 5 +# snmpTargetAddrTAddress.$(tagremote) = 0x0a:0x00:0x00:0x1:0x0:0xa2 +# snmpTargetAddrTagList.$(tagremote) = $(tagremote) +# snmpTargetAddrParams.$(tagremote) = $(tag) +# snmpTargetAddrRowStatus.$(tagremote) = 1 + +# # Load MIB-2 module # -begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII.so.6" +begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII.so" # Force a polling rate for the 64-bit interface counters in case # the automatic computation is wrong (which may be the case if an interface @@ -71,10 +270,10 @@ begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII. #%mibII #begemotIfForcePoll = 2000 -# + # Netgraph module # -#begemotSnmpdModulePath."netgraph" = "/usr/lib/snmp_netgraph.so.6" +#begemotSnmpdModulePath."netgraph" = "/usr/lib/snmp_netgraph.so" # #%netgraph #begemotNgControlNodeName = "snmpd" @@ -82,22 +281,22 @@ begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII. # # pf(4) module # -#begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so.6" +#begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so" # # Host resources module # This requires the mibII module. # -#begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so.6" +#begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so" # # Bridge module # This requires the mibII module. # -#begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so.6" +#begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so" # # Wireless module # This requires the mibII module. # -#begemotSnmpdModulePath."wlan" = "/usr/lib/snmp_wlan.so.6" +#begemotSnmpdModulePath."wlan" = "/usr/lib/snmp_wlan.so"