Proof of Concept

Instead of using canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against UNIX boxes (and possibly Windows). In theory we can . We would do this by simply replacing the SSH probes with equivalent SNMP probes that GET information from extended MIB objects, which we apply to all machines we plan to instrument.

...

  • SNMP doesn't require us to open up shell access to a broad population of machines
  • SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)

Platforms

Platform      Agent                                               Extensions
AIX           perzl has net-snmp v5+ RPMs                         exec, extend
Solaris       Solaris 10+ ships with net-snmp v5.0.9+             exec, extend, perl, shared
RHEL 3,4,5    net-snmp v5.0.9+                                    exec, extend, perl, shared
Windows       net-snmp or native service                          shared
Phones        none, would have to push traps... pie in the sky.   n/a

Probes to Replace

  • ? (will get list when Discovery is available)

Proof of Concept

Linux

On Linux/net-snmp 5 here's one way to do extensions (there are several).

  • Use "extend" to add an extension to snmpd.conf (the older "exec" directive reports its output under UCD-SNMP-MIB::extTable rather than the NET-SNMP-EXTEND-MIB object queried below)

    extend echotest /bin/cat /etc/motd

  • Restart snmpd and do a GET against a view which can see the extended MIBs

    snmpget -v2c -c public localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."echotest"'


...we may want to use SNMPv3 (v2c community strings travel in clear text and act as the only credential), but the general idea is clear... we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale) we should be able to leverage SNMP for UNIX discovery instrumentation.

Rewiring of Discovery

  • make sure SSH discovery doesn't happen
    • no credentials
    • configure the behavior of the MID server to skip SSH
  • Expand the stock Linux classifier for SNMP so that it runs additional Explore-phase probes

Write SNMP Hooks & Custom MIB

  • scripts to call from net-snmp extend directives. Put the logic in these rather than in SN... this hides information and gives the discovery targets maximum control over the process.
  • custom MIB will aid in probe & sensor clarity
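As an added example (not from the original page or the Yale project), here is what such a hook script can look like: a script for a hypothetical "extend yale_os /usr/local/bin/yale_os.sh" line in snmpd.conf that emits the two-line payload (OS on line 1, version on line 2) the scripted sensor in the Sensor Replacement section reads positionally. The /etc/os-release parsing and the uname fallback are assumptions, not something the page describes.

```shell
#!/bin/sh
# Added example hook script for a net-snmp "extend" directive, hypothetically
# registered in snmpd.conf as:
#     extend yale_os /usr/local/bin/yale_os.sh
# It prints exactly two lines, OS name then OS version, which is the layout the
# positional scripted sensor reads as rows[0] and rows[1].
# The snmpd.conf line names a fixed program with no arguments, so a reader of
# the MIB can only trigger this read-only report and nothing else.

# os_from_release FILE: read NAME= and VERSION_ID= from an os-release style file.
# Returns 1 and prints nothing when the file carries no NAME= line.
os_from_release() {
    name=$(sed -n 's/^NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1)
    ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n%s\n' "$name" "${ver:-unknown}"
}

# os_from_uname: fallback for hosts without /etc/os-release (older RHEL, AIX, Solaris).
os_from_uname() {
    printf '%s\n%s\n' "$(uname -s)" "$(uname -r)"
}

# report_os: the two-line payload the extend directive hands to snmpd.
report_os() {
    if [ -r /etc/os-release ] && os_from_release /etc/os-release; then
        return 0
    fi
    os_from_uname
}

report_os
```

On the snmpd side the output is then readable as NET-SNMP-EXTEND-MIB::nsExtendOutputFull."yale_os" (name assumed), from whichever view the agent's configuration grants.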

Probe Replacement

There are a couple of steps:

  • create a probe that gets the desired SNMP object(s)
  • add that probe to the "Triggers Probes" section of the Linux SNMP classifier
  • write a replacement sensor (next section)

Sensor Replacement

  • replace the sensor
    You can probably do this with XML field mapping as well, but here is a very simple scripted sensor that works from an SNMP probe payload:

    /*
     * sensor for SNMP Distribution discovery (Yale SNMP Discovery)
     *
     * william.west@yale.edu
     */

    new DiscoverySensor({
        process: function() {
            // The probe result XML is in the global var 'payload'; pull the
            // text of the extended object out of it.
            var element = XMLUtil.getText(payload, '//unk_111');
            if (!element) {
                return; // agent returned nothing; leave the CI untouched
            }
            var rows = element.split('\n'); // expecting one value per line

            current.os         = rows[0];
            current.os_version = rows.length > 1 ? rows[1] : '';
        },

        type: 'DiscoverySensor'
    });

  • list the new sensor in the "Sensors" section of the appropriate probe record

Identifying Which Probes/Sensors to Replace

The most complete approach here is:

  • narrow down the sensors to those that apply to our asset types
  • look at which ci_ tables are being edited by those and combine sensors with the same function
  • generate a list of probes from those sensors
  • generate a list of data needed by SNMP
  • find out what standard MIBs provide the data
  • generate a list of needed extensions for data not covered above