Proof of Concept

Instead of using the canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against UNIX boxes (and possibly Windows). In theory we can . We do this by simply replacing the SSH probes with equivalent SNMP probes that GET information from extended MIB objects, which we apply to all machines we plan to instrument.

...

  • SNMP doesn't require us to open up shell access to a broad population of machines
  • SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)

Platforms

Platform    | Agent                                                            | Extensions
------------|------------------------------------------------------------------|---------------------------
AIX         | perzl has net-snmp v5+ RPMs                                      | exec, extend
Solaris     | Solaris 10+ ships with net-snmp v5.09+                           | exec, extend, perl, shared
RHEL 3,4,5  | net-snmp v5.0.9+                                                 | exec, extend, perl, shared
Windows     | net-snmp or native service                                       | shared
Printers    | built-in + MIBs                                                  | n/a
IP Phones   | built-in + MIBs                                                  | n/a
Cell Phones | n/a, but could sink traps... pie in the sky, should just say no. | n/a

Probes to Replace

  • ? (will get the list when Discovery is available)

Proof of Concept (UNIX)

Linux

On Linux/net-snmp 5 here's one way to do extensions (there are several).

...

...we may want to use SNMPv3, but the general idea is clear... we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale) we should be able to leverage SNMP for UNIX discovery instrumentation.
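As an added illustration (not a fragment from the original page or from Yale's configuration), here is what a net-snmp 5.x snmpd.conf could look like for this approach: the output of a local script is published through the NET-SNMP-EXTEND-MIB `extend` directive, and instead of a read-only community the discovery host gets an SNMPv3 user with authentication and privacy that is restricted to a view covering only the system group and the extend subtree. The extend name `osinfo`, the script path and the user name are assumptions; the two passphrases are placeholders.

```conf
# Added example snmpd.conf fragment for net-snmp 5.x (not from the original page).
# The extend name, script path and user name are assumptions; passphrases are placeholders.

# Weak: a v2c read-only community exposes the entire agent tree to anyone who knows it.
# rocommunity public

# Preferred: SNMPv3 user (auth + priv), allowed to read only the view below.
createUser discoveryUser SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"

# The view is limited to the MIB-2 system group (sysDescr, sysName, ...)
# and to the NET-SNMP-EXTEND-MIB objects that carry our script output.
view discoveryView included .1.3.6.1.2.1.1
view discoveryView included .1.3.6.1.4.1.8072.1.3.2

# Bind the user to the view; "priv" requires both authentication and encryption.
rouser discoveryUser priv -V discoveryView

# Publish the script's stdout as rows of nsExtendOutLine."osinfo" and as the
# multi-line nsExtendOutputFull."osinfo". The script prints the OS name on
# line 1 and the OS version on line 2, which is the layout the sensor below expects.
extend osinfo /usr/local/sbin/snmp-osinfo.sh
```

Once the agent is restarted, `snmpwalk -v3 -u discoveryUser -l authPriv ... NET-SNMP-EXTEND-MIB::nsExtendOutLine` on the discovery host should return only the extend rows, and a walk of anything outside the view returns nothing, which is the check worth running before rolling the configuration out to the wider population of machines.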

Proof of Concept (Windows)

It's not yet clear which way to go. There is a possible benefit to using SNMP for all discovery. However, it is not clear that the benefits outweigh the costs, because it might be possible to do WMI discovery without granting privilege by properly securing the WMI namespace... this might be much easier than porting another set of custom SNMP probes for Windows.

...

Rewiring of Discovery

  • make sure SSH discovery doesn't happen
    • no credentials
    • configure the behavior of the MID server to skip SSH
  • Expand the stock Linux classifier for SNMP so that it runs additional Explore-phase probes

Write SNMP Hooks & Custom MIB

  • scripts to call from net-snmp extend directives. Put the logic in these scripts as opposed to in SN... this hides information and gives the discovery targets maximum control over the process.
  • custom MIB will aid in probe & sensor clarity

Probe Replacement

There are a couple of steps:

  • create a probe that gets the desired SNMP object(s)
  • add that probe to the "Triggers Probes" section of the Linux SNMP classifier
  • write a replacement sensor (next section)

Sensor Replacement

  • replace the sensor
    You can probably do this with XML field mapping as well, but here is a very simple scripted sensor that works from an SNMP probe payload:

    /*
     * sensor for SNMP Distribution discovery (Yale SNMP Discovery)
     *
     * william.west@yale.edu
     */

    new DiscoverySensor({
        process: function() {
            // The probe's XML result is in the global var 'payload';
            // '//unk_111' is the result element that carries the extend script output.
            var element = XMLUtil.getText(payload, '//unk_111');
            var rows = element.split('\n'); // expecting multiple lines: OS name, then OS version

            current.os         = rows[0];
            current.os_version = rows[1];
        },

        type: 'DiscoverySensor'
    });

  • list the new sensor in the "Sensors" section of the appropriate probe record
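The sensor above assigns rows[0] and rows[1] without checking that the payload actually has two lines, so a script that fails on the target writes `undefined` into the CI. As an added example (not part of the original page and not Yale's sensor code), the plain JavaScript below does the two pieces of parsing this design needs: turning the raw extend output from a probe payload into validated CI fields, and turning `snmpwalk` output of `nsExtendOutLine` rows into a per-extension list of lines, which is useful when deciding which extensions the probes must read. The sample payload and walk output are constructed; the extend names `osinfo`, `diskinfo` and `broken` are assumptions.

```javascript
// Added example, not the page's sensor. Pure functions so they can be exercised
// outside ServiceNow; inside DiscoverySensor.process() you would call
// osFieldsFromText(XMLUtil.getText(payload, '//unk_111')) and only assign
// current.os / current.os_version when the result reports ok === true.

// Split the multi-line output of a net-snmp extend script into trimmed,
// non-empty lines. Tolerates CRLF endings and a trailing newline.
function extendLines(text) {
  if (typeof text !== 'string') return [];
  return text.split(/\r?\n/)
    .map(function (line) { return line.trim(); })
    .filter(function (line) { return line.length > 0; });
}

// Apply the layout the sensor assumes (line 1 = OS name, line 2 = OS version)
// and refuse to produce CI fields when the payload does not match it.
function osFieldsFromText(text) {
  var rows = extendLines(text);
  if (rows.length < 2) {
    return { ok: false, error: 'expected 2 lines, got ' + rows.length, rows: rows };
  }
  return { ok: true, os: rows[0], os_version: rows[1] };
}

// Parse snmpwalk output such as
//   NET-SNMP-EXTEND-MIB::nsExtendOutLine."osinfo".1 = STRING: Linux
// into { osinfo: ['Linux', ...], ... }, keyed by extend name, ordered by line index.
function parseExtendWalk(walkText) {
  var re = /^NET-SNMP-EXTEND-MIB::nsExtendOutLine\."([^"]+)"\.(\d+) = STRING: (.*)$/;
  var byName = {};
  extendLines(walkText).forEach(function (line) {
    var m = re.exec(line);
    if (!m) return;                       // ignore unrelated or malformed lines
    var name = m[1];
    var index = parseInt(m[2], 10) - 1;   // nsExtendOutLine indices are 1-based
    if (!byName[name]) byName[name] = [];
    byName[name][index] = m[3];
  });
  return byName;
}

// Constructed sample data (not captured from a real host).
var SAMPLE_PAYLOAD = 'Linux\r\n2.6.18-92.el5\r\n';
var SAMPLE_WALK = [
  'NET-SNMP-EXTEND-MIB::nsExtendOutLine."osinfo".1 = STRING: Linux',
  'NET-SNMP-EXTEND-MIB::nsExtendOutLine."osinfo".2 = STRING: 2.6.18-92.el5',
  'NET-SNMP-EXTEND-MIB::nsExtendOutLine."diskinfo".1 = STRING: /dev/sda1 40G',
  'NET-SNMP-EXTEND-MIB::nsExtendOutLine."broken".1 = STRING: script-printed-one-line',
  'SNMPv2-MIB::sysName.0 = STRING: host01'
].join('\n');

// Run every extension found in a walk through the OS-field check so the
// ones that do not fit the expected layout stand out before a sensor is written.
function checkWalk(walkText) {
  var parsed = parseExtendWalk(walkText);
  var report = {};
  Object.keys(parsed).forEach(function (name) {
    report[name] = osFieldsFromText(parsed[name].join('\n'));
  });
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(osFieldsFromText(SAMPLE_PAYLOAD)));
  console.log(JSON.stringify(checkWalk(SAMPLE_WALK), null, 2));
}
```

With the constructed data, `osinfo` yields usable CI fields while `broken` is reported with ok false and a one-line row list, which is the case the original sensor would silently turn into an empty os_version.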

Identifying Which Probes/Sensors to Replace

The most complete approach here is:

  • narrow down the sensors to those that apply to our asset types
  • look at which ci_ tables are being edited by those and combine sensors with the same function
  • generate a list of probes from those sensors
  • generate a list of data needed by SNMP
  • find out what standard MIBs provide the data
  • generate a list of needed extensions for data not covered above