Configuring access control (snmp.conf)

Red Hat Enterprise Linux 9.2 LPAR mode z/VM guest

To start successfully, the subagent requires at least read access to the standard MIB-II on the local node.

About this task

During subagent startup or when network interfaces are added or removed, the subagent must query OIDs from the interfaces group of the standard MIB-II.

Given here is an example of how you can use the snmpd.conf and snmp.conf configuration files to assign access rights with the View-Based Access Control Mechanism (VACM). The following access rights are assigned on the local node:
  • General read access for the scope of the standard MIB-II
  • Write access for the scope of the OSA-Express MIB
  • Public local read access for the scope of the interfaces MIB

The example is intended for illustration purposes only. Depending on the security requirements of your installation, you might need to define your access differently. See the snmpd man page for more information about assigning access rights to snmpd.

Procedure

  1. See the Red Hat® Enterprise Linux® 9.2 documentation to find out where you must place the snmpd.conf file.
    Some of the possible locations are:
    • /etc
    • /etc/snmp
  2. Open snmpd.conf with your preferred text editor. There might be a sample in /usr/share/doc/packages/net-snmp/EXAMPLE.conf
  3. Find the security name section and include a line of this form to map a community name to a security name:
    com2sec <security-name> <source> <community-name>
    where:
    <security-name>
    is given access rights through further specifications within snmpd.conf.
    <source>
    is the IP address or DNS name of the accessing system, typically a Network Management Station.
    <community-name>
    is the community string used for basic SNMP password protection.
    Example:
    #       sec.name    source       community
    com2sec osasec      default      osacom
    com2sec pubsec      localhost    public
  4. Find the group section.
    Use the security name to define a group with different versions of the master agent for which you want to grant access rights. Include a line of this form for each master agent version:
    group <group-name> <security-model> <security-name>
    where:
    <group-name>
    is a group name of your choice.
    <security-model>
    is the security model of the SNMP version.
    <security-name>
    is the same as in step 3.
    Example:
    #        groupName    securityModel    securityName
    group    osagroup     v1               osasec
    group    osagroup     v2c              osasec
    group    osagroup     usm              osasec
    group    osasnmpd     v2c              pubsec

    Group osasnmpd with community public is required by osasnmpd to determine the number of network interfaces.

  5. Find the view section and define your views.
    A view is a subset of all OIDs. Include lines of this form:
    view  <view-name>  <included|excluded>   <scope>
    where:
    <view-name>
    is a view name of your choice.
    <included|excluded>
    indicates whether the following scope is an inclusion or an exclusion statement.
    <scope>
    specifies a subtree in the OID tree.
    Example:
    #    name       incl/excl    subtree                 mask(optional)
    view allview    included     .1
    view osaview    included     .1.3.6.1.4.1.2
    view ifmibview  included     interfaces
    view ifmibview  included     system

    View allview encompasses all OIDs, while osaview is limited to IBM® OIDs. The numeric OID provided for the subtree is equivalent to the textual OID .iso.org.dod.internet.private.enterprises.ibm. View ifmibview is required by osasnmpd to determine the number of network interfaces.

    Tip: Specifying the subtree with a numeric OID leads to better performance than using the corresponding textual OID.
  6. Find the access section and define access rights. Include lines of this form:
    access <group-name> "" any noauth exact <read-view> <write-view> none
    where:
    <group-name>
    is the group you defined in step 4.
    <read-view>
    is a view for which you want to assign read-only rights.
    <write-view>
    is a view for which you want to assign read-write rights.
    Example:
    #      group    context sec.model sec.level prefix read      write   notif
    access osagroup ""      any       noauth    exact  allview   osaview none
    access osasnmpd ""      v2c       noauth    exact  ifmibview none    none

    The first access line of the example gives read access to the allview view and write access to the osaview view. The second access line gives read-only access to the ifmibview view.

  7. Also include the following line to enable the AgentX support:
    master agentx

    AgentX support is compiled into the net-snmp master agent.

  8. Save and close snmpd.conf.
    Example of an snmpd.conf file:
    
    #       sec.name       source        community
    com2sec osasec         default       osacom
    com2sec pubsec         localhost     public
    #       groupName      securityModel securityName
    group   osagroup       v1            osasec
    group   osagroup       v2c           osasec
    group   osagroup       usm           osasec
    group   osasnmpd       v2c           pubsec
    #       name          incl/excl  subtree        mask(optional)
    view    allview       included   .1
    view    osaview       included   .1.3.6.1.4.1.2
    view    ifmibview     included   interfaces
    view    ifmibview     included   system
    #       group          context sec.model sec.level prefix read       write    notif
    access  osagroup       ""      any       noauth    exact  allview    osaview  none
    access  osasnmpd       ""      v2c       noauth    exact  ifmibview  none     none
    master  agentx
  9. Open ~/.snmp/snmp.conf with your preferred text editor.
    Tip: See man snmp.conf for possible locations of snmp.conf.
  10. Include a line of this form to specify the directory to be searched for MIBs:
    mibdirs +<mib-path>
    Example:
    mibdirs +/usr/share/snmp/mibs
  11. Include a line of this form to make the OSA-Express MIB available to the master agent:
    mibs +<mib-name>
    where <mib-name> is the stem of the MIB file name you assigned in Downloading the IBM OSA-Express MIB.
    Example: mibs +IBM-OSA-MIB
  12. Define defaults for the version and community to be used by the snmp commands. Add lines of this form:
    defVersion   <version>
    defCommunity <community-name>
    where <version> is the SNMP protocol version and <community-name> is the community you defined in step 3.
    Example:
    defVersion   2c
    defCommunity osacom

    These default specifications simplify issuing master agent commands.

  13. Save and close ~/.snmp/snmp.conf.
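The following is an added example, not part of the IBM documentation or the osasnmpd project: a small Python resolver that walks the VACM chain (com2sec, group, access, view) of the snmpd.conf example from step 8 and reports what a given community may read or write. The config text is the page's own example embedded as a constructed string; the numeric OIDs for the textual subtrees system and interfaces are the standard MIB-II values, and the longest-match view rule follows net-snmp's documented behaviour.

```python
# Added example (not from the IBM page): resolve com2sec -> group -> access -> view
# for the snmpd.conf example above; the config below is that example, embedded as text.
SNMPD_CONF = """
com2sec osasec   default    osacom
com2sec pubsec   localhost  public
group   osagroup v2c  osasec
group   osagroup usm  osasec
group   osasnmpd v2c  pubsec
view    allview   included  .1
view    osaview   included  .1.3.6.1.4.1.2
view    ifmibview included  interfaces
view    ifmibview included  system
access  osagroup ""  any noauth exact allview   osaview none
access  osasnmpd ""  v2c noauth exact ifmibview none    none
"""
# Textual subtrees used above, resolved to their numeric MIB-II OIDs.
TEXTUAL_OIDS = {"system": ".1.3.6.1.2.1.1", "interfaces": ".1.3.6.1.2.1.2"}

def parse_vacm(text):  # index the four VACM directive types for lookup
    com2sec, groups, views, access = {}, {}, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "com2sec":     # com2sec <sec.name> <source> <community>
            com2sec[tok[3]] = (tok[1], tok[2])
        elif tok[0] == "group":     # group <group> <sec.model> <sec.name>
            groups[(tok[3], tok[2])] = tok[1]
        elif tok[0] == "view":      # view <name> included|excluded <subtree>
            views.setdefault(tok[1], []).append((tok[2], TEXTUAL_OIDS.get(tok[3], tok[3])))
        elif tok[0] == "access":    # access <group> <ctx> <model> <level> <prefix> <r> <w> <n>
            access[(tok[1], tok[3])] = (tok[6], tok[7])
    return com2sec, groups, views, access

def effective_access(conf, community, model):  # -> (source, read view, write view) or None
    com2sec, groups, _, access = parse_vacm(conf)
    secname, source = com2sec.get(community, (None, None))  # unknown community: no mapping
    group = groups.get((secname, model))                    # binding is per security model
    rw = access.get((group, model)) or access.get((group, "any"))
    if rw is None:
        return None
    return (source,) + tuple(v if v != "none" else None for v in rw)

def oid_in_view(conf, view, oid):  # most specific (longest) matching subtree decides
    best = None
    for mode, subtree in parse_vacm(conf)[2].get(view, []):
        if oid == subtree or oid.startswith(subtree + "."):
            if best is None or len(subtree) > len(best[1]):
                best = (mode, subtree)
    return best is not None and best[0] == "included"
```

Running effective_access for community public under v2c shows it is confined to localhost and the ifmibview read view, while osacom under usm resolves through the "any" access line to allview read and osaview write.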