author | James Davidson <james.davidson@vyatta.com> | 2013-06-05 09:18:52 -0700 |
---|---|---|
committer | James Davidson <james.davidson@vyatta.com> | 2013-06-05 09:18:52 -0700 |
commit | 94a4abcf0bf5c8f301a151658a92718f75b61448 (patch) | |
tree | a5e094b35e931827d1a1be61b10551cb9b13a004 /scripts/snmp/vyatta-snmp-v3.pl | |
parent | 317c693d721d7fd8878942b1aaebeef6922db71d (diff) | |
download | vyatta-cfg-system-94a4abcf0bf5c8f301a151658a92718f75b61448.tar.gz vyatta-cfg-system-94a4abcf0bf5c8f301a151658a92718f75b61448.zip |
SNMP: Group secLevel check. Fix 'delete priv on user'
Diffstat (limited to 'scripts/snmp/vyatta-snmp-v3.pl')
-rwxr-xr-x | scripts/snmp/vyatta-snmp-v3.pl | 60 |
1 files changed, 50 insertions, 10 deletions
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl
index ca648477..465c4719 100755
--- a/scripts/snmp/vyatta-snmp-v3.pl
+++ b/scripts/snmp/vyatta-snmp-v3.pl
@@ -53,8 +53,8 @@ sub randhex {
 }
 
 sub parse_config_file {
- open( my $cfg, '<', $vyatta_config_file )
- or return;
+ open( my $cfg, '<', $vyatta_config_file )
+ or return;
 while (<$cfg>) {
 chomp; # no newline
 s/#.*//; # no comments
@@ -192,7 +192,8 @@ sub set_views {
 foreach my $view ( $config->listNodes("view") ) {
 foreach my $oid ( $config->listNodes("view $view oid") ) {
 my $mask = '';
- $mask = $config->returnValue("view $view oid $oid mask") if $config->exists("view $view oid $oid mask");
+ $mask = $config->returnValue("view $view oid $oid mask")
+ if $config->exists("view $view oid $oid mask");
 if ( $config->exists("view $view oid $oid exclude") ) {
 print "view $view excluded .$oid $mask\n";
 }
@@ -209,8 +210,8 @@ sub set_groups {
 "#access\n# context sec.model sec.level match read write notif\n";
 my $config = get_snmp_config();
 foreach my $group ( $config->listNodes("group") ) {
- my $mode = $config->returnValue("group $group mode");
- my $view = $config->returnValue("group $group view");
+ my $mode = $config->returnValue("group $group mode");
+ my $view = $config->returnValue("group $group view");
 my $secLevel = $config->returnValue("group $group seclevel");
 if ( $mode eq "ro" ) {
 print "access $group \"\" usm $secLevel exact $view none none\n";
@@ -275,7 +276,8 @@ sub set_users_to_other {
 if ( $config->exists("auth plaintext-key") ) {
 my $auth_key = $config->returnValue("auth plaintext-key");
 my $priv_key = '';
- $priv_key = $config->returnValue("privacy plaintext-key") if $config->exists("privacy plaintext-key");
+ $priv_key = $config->returnValue("privacy plaintext-key")
+ if $config->exists("privacy plaintext-key");
 print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n";
 }
 
@@ -451,8 +453,11 @@ sub check_user_auth_changes {
 foreach my $user ( $config->listNodes("user") ) {
 $config->setLevel( $snmp_v3_level . " user $user" );
 if ( $config->exists("auth") ) {
- if ( $config->isChanged("auth encrypted-key")
- || $config->isChanged("privacy encrypted-key") )
+ if (
+ $config->isChanged("auth encrypted-key")
+ || ( $config->exists("privacy")
+ && $config->isChanged("privacy encrypted-key") )
+ )
 {
 $haveError = 1;
 print
@@ -528,8 +533,8 @@ sub check_relation {
 sub check_tsm_port {
 my $config = get_snmp_config();
 if ( $config->isChanged("tsm port") ) {
- my $port = $config->returnValue("tsm port");
- my $reg = ":$port\$";
+ my $port = $config->returnValue("tsm port");
+ my $reg = ":$port\$";
 my $output = `netstat -anltup | awk '{print \$4}'`;
 foreach my $line ( split( /\n/, $output ) ) {
 if ( $line =~ /$reg/ ) {
@@ -541,6 +546,40 @@ sub check_tsm_port {
 }
 }
 
+sub check_seclevel {
+ my $config = get_snmp_config();
+ my $haveError = 0;
+ if ( $config->isChanged("user") || $config->isChanged("group") ) {
+ foreach my $user ( $config->listNodes("user") ) {
+ if ( $config->exists("user $user group") ) {
+ my $group = $config->returnValue("user $user group");
+ if ( $config->isChanged("user $user")
+ || $config->isChanged("group $group") )
+ {
+ my $group_seclevel =
+ $config->returnValue("group $group seclevel");
+ if ( $config->exists("user $user privacy") ) {
+ if ( $group_seclevel eq "auth" ) {
+ print
+"User \"$user\" have privacy, but group \"$group\" have \"auth\" as seclevel. So auth and priv work both.\n";
+ }
+ }
+ else {
+ if ( $group_seclevel eq "priv" ) {
+ print
+"User \"$user\" will not work, because he haven't privacy, but group \"$group\" have \"priv\" as seclevel.\n";
+ $haveError = 1;
+ }
+ }
+ }
+ }
+ }
+ }
+ if ($haveError) {
+ exit(1);
+ }
+}
+
 sub copy_conf_to_tmp {
 
 # these files already contain SNMPv2 configuration
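Review bot: The new `$config->exists("privacy")` guard in check_user_auth_changes is the "delete priv on user" fix from the commit title, but nothing at the site says why the auth and privacy keys are now treated asymmetrically, so a later cleanup is likely to fold it back into the old symmetric condition. A one-line comment before the `if (` would pin the intent, e.g. `# only test the privacy key when the subtree still exists: deleting 'privacy' must not count as a key change`. I am inferring from the title that isChanged reports a removed subtree's key as changed; confirm that before committing the wording. check_user_auth_changes starts and ends outside the hunk.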
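Review bot: In check_seclevel, `$group_seclevel` is compared with `eq` without a definedness check; when the user's group has no seclevel leaf, or the referenced group node does not exist at all, returnValue presumably yields undef, both comparisons emit an "uninitialized" warning and silently pass, and the mismatch is neither reported nor rejected. Add `next unless defined $group_seclevel;` directly after the assignment, with a short comment stating whether the missing-group case is meant to be caught by check_relation (its body is not visible here, so I cannot confirm it is). The two messages are what the operator acts on and are worth tightening: `User "$user" has privacy configured but group "$group" seclevel is "auth"; auth-only requests from this user will also be accepted.` for the warning, and `User "$user" has no privacy configured but group "$group" seclevel is "priv"; this user cannot access the group.` for the error. A comment above the sub naming that contract (priv user in an auth group warns and continues, auth-only user in a priv group fails the commit) would make the `exit(1)` on only one branch read as deliberate.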
@@ -595,6 +634,7 @@ sub snmp_check {
 check_user_auth_changes();
 check_relation();
 check_tsm_port();
+ check_seclevel();
 }
 
 my $check_config; |