Proof of Concept
Instead of using canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against UNIX boxes (and possibly Windows). In theory we can . We do this by simply replacing the SSH probes with equivalent SNMP probes that GET information from extended MIB objects, which we apply to all machines we plan to instrument.
...
- SNMP doesn't require us to open up shell access to a broad population of machines
- SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)
Linux
On Linux with net-snmp 5, here's one way to do extensions (there are several):
...
Platforms
Platform | Agent | Extensions |
---|---|---|
AIX | perzl has net-snmp v5+ RPMs | exec, extend |
Solaris | Solaris 10+ ships with net-snmp v5.0.9+ | exec, extend, perl, shared |
RHEL 3,4,5 | net-snmp v5.0.9+ | exec, extend, perl, shared |
Windows | net-snmp or native service | shared |
Phones | none, would have to push traps... pie in the sky. | n/a |
Probes to Replace
- ? (will get the list when Discovery is available)
...
- Use "exec" to add an extension to snmpd.conf:

  ```
  exec echotest /bin/cat /etc/motd
  ```

- Restart snmpd and do a GET against a view which can see the extended MIBs:

  ```shell
  snmpget -v2c -c public localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."echotest"'
  ```
...we may want to use SNMPv3, but the general idea is clear... we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale) we should be able to leverage SNMP for UNIX discovery instrumentation.
Rewiring of Discovery
- make sure SSH discovery doesn't happen
  - no credentials
  - configure the behavior of the MID server to skip SSH
- Expand the stock Linux classifier for SNMP so that it runs additional Explore-phase probes
Write SNMP Hooks & Custom MIB
- scripts to call from net-snmp extend directives. Put the logic in these rather than in SN... this hides information and gives the discovery targets maximum control over the process.
- custom MIB will aid in probe & sensor clarity
Probe Replacement
There are a couple of steps:
- create a probe that gets the desired SNMP object(s)
- add that probe to the "Triggers Probes" section of the Linux SNMP classifier
- write a replacement sensor (next section)
Sensor Replacement
- replace the sensor
You can probably do this with XML field mapping as well, but here is a very simple scripted sensor that works from an SNMP probe payload:

  ```javascript
  /*
   * sensor for SNMP Distribution discovery (Yale SNMP Discovery)
   *
   * william.west@yale.edu
   */
  new DiscoverySensor({
      process: function() {
          // XML should be in var payload (a global)
          var element = XMLUtil.getText(payload, '//unk_111');
          var rows = element.split('\n'); // expecting multiple lines
          current.os = rows[0];
          current.os_version = rows[1];
      },
      type: 'DiscoverySensor'
  });
  ```
- list the new sensor in the "Sensors" section of the appropriate probe record
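The kind of extension script the exec/extend directives above would point at, written as an added example rather than the page's own code: it emits exactly the two lines the scripted sensor above reads as rows[0] (OS) and rows[1] (OS version). The directive name "osinfo", the script path, and the handling of /etc/redhat-release and /etc/os-release formats are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: the extension script an
# "extend" directive would invoke. It prints two lines (OS name, OS version)
# so the scripted sensor can read rows[0] and rows[1].
#
# Assumed snmpd.conf wiring (directive name and script path are this
# example's own choices):
#   extend osinfo /usr/local/sbin/snmp-osinfo.sh /etc/redhat-release
#   snmpget -v2c -c public localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."osinfo"'

# os_info FILE: print "<name>\n<version>\n" derived from FILE, which may be
# /etc/redhat-release style ("Name release X.Y (Codename)") or
# /etc/os-release style (NAME=... / VERSION_ID=... lines).
# The file is only read, never sourced or eval'ed, so a tampered release
# file cannot execute commands in the context of the snmpd process.
os_info() {
    file="$1"
    name=unknown
    version=unknown
    if [ -r "$file" ]; then
        IFS= read -r first <"$file" || :
        case "$first" in
            *" release "*)
                # redhat-release: everything before " release " is the name,
                # the first word after it is the version.
                name=${first%% release *}
                version=${first#* release }
                version=${version%% *}
                ;;
            *)
                # os-release: strip optional quotes around the values.
                n=$(sed -n 's/^NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
                v=$(sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
                [ -n "$n" ] && name=$n
                [ -n "$v" ] && version=$v
                ;;
        esac
    fi
    printf '%s\n%s\n' "$name" "$version"
}

# Stand-alone demo on a constructed release file (snmpd would pass the real path).
sample=$(mktemp)
printf 'Red Hat Enterprise Linux Server release 5.11 (Tikanga)\n' >"$sample"
os_info "$sample"
rm -f "$sample"
```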
Identifying Which Probes/Sensors to Replace
The most complete approach here is:
- narrow down the sensors to those that apply to our asset types
- look at which ci_ tables are being edited by those and combine sensors with the same function
- generate a list of probes from those sensors
- generate a list of data needed by SNMP
- find out what standard MIBs provide the data
- generate a list of needed extensions for data not covered above