diff options
author | James Davidson <james.davidson@vyatta.com> | 2013-03-06 10:16:06 -0800 |
---|---|---|
committer | James Davidson <james.davidson@vyatta.com> | 2013-03-06 10:16:06 -0800 |
commit | e4c3ae81d2d1f040a8ad363928302d72f8431ef9 (patch) | |
tree | d410550ca2c900fb0f4bea49e4ddd9f4ce25f960 /scripts/snmp | |
parent | c7b44a6b38f3f47f6d34efead35a9873688ad5eb (diff) | |
download | vyatta-cfg-system-e4c3ae81d2d1f040a8ad363928302d72f8431ef9.tar.gz vyatta-cfg-system-e4c3ae81d2d1f040a8ad363928302d72f8431ef9.zip |
Sync up SNMPv3 support
SNMP-135 store SNMP superuser password to config file
SNMP-130 add engineId for trap-target
SNMP-134 use 'stop' and 'start' instead of 'restart'
SNMP-141 change engineID syntax checking
SNMP-136 Users are lost after changing TSM port
SNMP-149 TLS Error: Permission denied
SNMP-147 Not correct priority in TSM users
SNMP-148 Configuring already use port for TSM is destroying users.
SNMP-151 Errors in logs after first snmp configuration
SNMP-152 Hide 'No such file or directory' error message
SNMP-153 Debug messages after 'delete service snmp'
SNMP-157 Run Perltidy for all Perl scripts
SNMP-158 change syntax of trap-target engineID
SNMP-163: added script to check name, apply it for user, group and view names
SNMP-161 Faulty configuration with many trap-target
SNMP-160 Look for TSM keys in /config folder
SNMP-162 CLI permit not correct oid
SNMP-163: typo in script
SNMP-160 Look for TSM keys in /config folder
SNMP-163: added support of upper case for names in the script
SNMP-163: create rule for names, permit only a-zA-Z0-9
SNMP-163: typo
Diffstat (limited to 'scripts/snmp')
-rwxr-xr-x | scripts/snmp/vyatta-snmp-v3.pl | 772 | ||||
-rwxr-xr-x | scripts/snmp/vyatta-snmp.pl | 5 |
2 files changed, 421 insertions, 356 deletions
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl index ef93b8a1..20e50e63 100755 --- a/scripts/snmp/vyatta-snmp-v3.pl +++ b/scripts/snmp/vyatta-snmp-v3.pl @@ -7,483 +7,534 @@ use Getopt::Long; use Socket; use Socket6; -my $snmp_v3_level = 'service snmp v3'; -my $snmp_init = 'invoke-rc.d snmpd'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmp_v3_level = 'service snmp v3'; +my $snmp_init = 'invoke-rc.d snmpd'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/var/run/snmpd.socket'; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; %VConfig = (); %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", - "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", - "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" + "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" ); # generate a random character hex string sub randhex { my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); + return join "", map { unpack "H*", chr( rand(256) ) } 1 .. ( $length / 2 ); } sub parse_config_file { - open (CONFIG, "$vyatta_config_file") or return; + open( CONFIG, "$vyatta_config_file" ) or return; while (<CONFIG>) { - chomp; # no newline - s/#.*//; # no comments - s/^\s+//; # no leading white - s/\s+$//; # no trailing white - next unless length; # anything left? - my ($var, $value) = split(/\s*=\s*/, $_, 2); - $VConfig{$var} = $value; + chomp; # no newline + s/#.*//; # no comments + s/^\s+//; # no leading white + s/\s+$//; # no trailing white + next unless length; # anything left? + my ( $var, $value ) = split( /\s*=\s*/, $_, 2 ); + $VConfig{$var} = $value; } close(CONFIG); } sub write_config_file { - open (my $config_file, '>' , "$vyatta_config_file"); - for my $key (keys %VConfig) { - my $value = $VConfig{$key}; - print $config_file "$key=$value\n"; + open( my $config_file, '>', "$vyatta_config_file" ); + for my $key ( keys %VConfig ) { + my $value = $VConfig{$key}; + print $config_file "$key=$value\n"; } close $config_file; } sub snmpd_running { - open (my $pidf, '<', "/var/run/snmpd.pid") - or return; + open( my $pidf, '<', "/var/run/snmpd.pid" ) + or return; my $pid = <$pidf>; close $pidf; chomp $pid; my $exe = readlink "/proc/$pid/exe"; - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); + return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); } sub check_snmp_exit_code { - my $code = shift; - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ($code !=0 && $code != 256) { - return 1; - } else { - return 0; - } + my $code = shift; + + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ( $code != 0 && $code != 256 ) { + return 1; + } + else { + return 0; + } } sub snmpd_stop { - system("$snmp_init stop > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); + system( +"start-stop-daemon --stop --exec /usr/sbin/snmpd --oknodo -R 2 > /dev/null 2>&1" + ); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); } } sub snmpd_start { system("$snmp_init start > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not start snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not start snmpd!\n"; + exit(1); } } sub snmpd_update { system("$snmp_init reload > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); } } sub snmpd_restart { system("$snmp_init restart > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); } } sub get_version { my $version = "unknown-version"; - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; + if ( open( my $f, '<', $versionfile ) ) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; } return $version; } sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; + socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) + or return 1; close($s); return; } sub set_tsm { my $config = get_snmp_config(); - if ($config->exists("tsm")) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp"); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + if ( $config->exists("tsm") ) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system( +"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" + ); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); } } sub snmp_delete { snmpd_stop(); - @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf); + @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); foreach $file (@files) { - if (-e $file) { - if (unlink($file) == 0) { - print "File $file was not deleted.\n"; - } else { - print "File $file deleted successfully.\n"; - } - } else { - print "File $file does not exist\n"; - } + if ( -e $file ) { + unlink($file); + } } } sub get_snmp_config() { - my $config = new Vyatta::Config; + my $config = new Vyatta::Config; $config->setLevel($snmp_v3_level); - return $config; + return $config; } sub set_views() { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ($config->listNodes("view")) { - foreach my $oid ($config->listNodes("view $view oid")) { - my $mask = $config->returnValue("view $view oid $oid mask"); - if ($config->exists("view $view oid $oid exclude")) { - print "view $view excluded .$oid $mask\n"; - } else { - print "view $view included .$oid $mask\n"; - } + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ( $config->listNodes("view") ) { + foreach my $oid ( $config->listNodes("view $view oid") ) { + my $mask = $config->returnValue("view $view oid $oid mask"); + if ( $config->exists("view $view oid $oid exclude") ) { + print "view $view excluded .$oid $mask\n"; + } + else { + print "view $view included .$oid $mask\n"; + } + } } - } - print "\n"; + print "\n"; } sub set_groups() { - print "#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ($config->listNodes("group")) { - my $mode = $config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - if ($mode eq "ro") { - print "access $group \"\" usm auth exact $view none none\n"; - print "access $group \"\" tsm auth exact $view none none\n"; - } else { - print "access $group \"\" usm auth exact $view $view none\n"; - print "access $group \"\" tsm auth exact $view $view none\n"; + print +"#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ( $config->listNodes("group") ) { + my $mode = $config->returnValue("group $group mode"); + my $view = $config->returnValue("group $group view"); + if ( $mode eq "ro" ) { + print "access $group \"\" usm auth exact $view none none\n"; + print "access $group \"\" tsm auth exact $view none none\n"; + } + else { + print "access $group \"\" usm auth exact $view $view none\n"; + print "access $group \"\" tsm auth exact $view $view none\n"; + } } - } - print "\n"; + print "\n"; } sub set_users_in_etc() { - print "#group\n"; - - my $config = get_snmp_config(); - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." user $user"); - if ($config->exists("group")) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; + print "#group\n"; + my $tsm_counter = 0; + my $config = get_snmp_config(); + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("group") ) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ( $config->exists("tsm-key") ) { + my $cert = $config->returnValue("tsm-key"); + $tsm_counter++; + print "certSecName $tsm_counter $cert --sn $user\n"; + } } - if ($config->exists("tsm-key")) { - my $cert = $config->returnValue("tsm-key"); - #TODO magic number 10 - print "certSecName 10 $cert --sn $user\n"; - } - } - print "\n"; + print "\n"; } sub set_users_to_other() { - open (my $usr_conf, '>>', $snmpd_usr_conf_tmp) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open (my $var_conf, '>>', $snmpd_var_conf_tmp) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ($config->exists("tsm")) { - $needTsm = 1; - } - - my %trap_users=(); - - foreach my $trap ($config->listNodes("trap-target")) { - $trap_users{$config->returnValue("trap-target $trap user")} = 1; - } - - foreach my $user ($config->listNodes("user")) { - delete $trap_users{$user}; - $config->setLevel($snmp_v3_level." user $user"); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ($config->exists("auth")) { - if ($config->exists("auth plaintext-key")) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = $config->returnValue("privacy plaintext-key"); - print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } else { - my $name_print = get_printable_name($user); - my $EngineID = $VConfig{"User.$user.EngineID"}; - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - local ($priv_type_oid, $priv_key_hex); - if ($config->exists("privacy")) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = $config->returnValue("privacy encrypted-key"); - } else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } + open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open( my $var_conf, '>>', $snmpd_var_conf_tmp ) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ( $config->exists("tsm") ) { + $needTsm = 1; } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ($config->exists("privacy")) { - $end = "priv"; + + my %trap_users = (); + + foreach my $trap ( $config->listNodes("trap-target") ) { + $trap_users{ $config->returnValue("trap-target $trap user") } = 1; } - print $usr_conf $mode."user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode."user -s tsm $user $end\n"; + + foreach my $user ( $config->listNodes("user") ) { + delete $trap_users{$user}; + $config->setLevel( $snmp_v3_level . " user $user" ); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ( $config->exists("auth") ) { + if ( $config->exists("auth plaintext-key") ) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = $config->returnValue("privacy plaintext-key"); + print $var_conf +"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } + else { + my $name_print = get_printable_name($user); + my $EngineID = $VConfig{"User.$user.EngineID"}; + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + local ( $priv_type_oid, $priv_key_hex ); + if ( $config->exists("privacy") ) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = + $config->returnValue("privacy encrypted-key"); + } + else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf +"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ( $config->exists("privacy") ) { + $end = "priv"; + } + print $usr_conf $mode . "user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode . "user -s tsm $user $end\n"; + } } - } - foreach my $user (keys %trap_users) { - $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth"; - } + foreach my $user ( keys %trap_users ) { + $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x" + . randhex(26) + . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" + . randhex(32) + . " .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth\n"; + } - print $var_conf "setservialno ".$VConfig{"serialno"}."\n"; - print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n"; + print $var_conf "setserialno " . $VConfig{"serialno"} . "\n" + if exists $VConfig{"serialno"}; + print $var_conf "oldEngineID " . $VConfig{"oldEngineID"} . "\n" + if exists $VConfig{"oldEngineID"}; - close $usr_conf; - close $var_conf; + close $usr_conf; + close $var_conf; } sub get_printable_name { - my $name = shift; - if ($name =~ /-/) { - my @array=unpack('C*', $name); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf ("%lx", $c); + my $name = shift; + if ( $name =~ /-/ ) { + my @array = unpack( 'C*', $name ); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf( "%lx", $c ); + } + return $stringHex; + } + else { + return "\"$name\""; } - return $stringHex; - } else { - return "\"$name\""; - } } sub update_users_vyatta_conf() { - %VConfig = (); - open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while (my $line = <$var_conf>) { - if ($line =~ /^setserialno (.*)$/) { - $VConfig{"serialno"} = $1; - } - if ($line =~ /^oldEngineID (.*)$/) { - $VConfig{"oldEngineID"} = $1; - } - if ($line =~ /^usmUser /) { - my @values = split(/ /, $line); - my $name = $values[4]; - if ($name =~ /^"(.*)"$/) { - $name = $1; - } else { - $name = pack('H*', $name); - } - # this file contain users for trap-target and vyatta... user - # these users recreating automatically on each commit - if ($config->exists("user $name")) { - $VConfig{"User.$name.EngineID"} = $values[3]; - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null"); - if ($values[10] ne "\"\"" && $values[10] ne "0x") { - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null"); - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null"); - } - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null"); - } + %VConfig = (); + open( my $var_conf, '<', $snmpd_var_conf ) + or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while ( my $line = <$var_conf> ) { + if ( $line =~ /^setserialno (.*)$/ ) { + $VConfig{"serialno"} = $1; + } + if ( $line =~ /^oldEngineID (.*)$/ ) { + $VConfig{"oldEngineID"} = $1; + } + if ( $line =~ /^usmUser / ) { + my @values = split( / /, $line ); + my $name = $values[4]; + if ( $name =~ /^"(.*)"$/ ) { + $name = $1; + } + else { + $name = pack( 'H*', $name ); + } + + # this file contain users for trap-target and vyatta... user + # these users recreating automatically on each commit + if ( $config->exists("user $name") ) { + $VConfig{"User.$name.EngineID"} = $values[3]; + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" + ); + if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" + ); + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" + ); + } + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" + ); + } + } } - } + close $var_conf; } sub set_hosts() { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ($config->listNodes("trap-target")) { - $config->setLevel($snmp_v3_level." trap-target $target"); - my $auth_key = ''; - if ($config->exists("auth plaintext-key")) { - $auth_key = "-A ".$config->returnValue("auth plaintext-key"); - } else { - $auth_key = "-3m ".$config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = ''; - $inform_flag = '-Ci' if ($type eq 'inform'); - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ($config->exists("privacy")) { - my $priv_key = ''; - if ($config->exists("privacy plaintext-key")) { - $priv_key = "-X ".$config->returnValue("privacy plaintext-key"); - } else { - $priv_key = "-3M ".$config->returnValue("privacy encrypted-key") - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - # TODO - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - my $target_print = $target; - if ($target =~ /:/) { - $target_print = "[$target]"; - $protocol = $protocol."6"; + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ( $config->listNodes("trap-target") ) { + $config->setLevel( $snmp_v3_level . " trap-target $target" ); + my $auth_key = ''; + if ( $config->exists("auth plaintext-key") ) { + $auth_key = "-A " . $config->returnValue("auth plaintext-key"); + } + else { + $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = '-Ci'; + $inform_flag = '-Ci' if ( $type eq 'inform' ); + + if ( $type eq 'trap' ) { + $inform_flag = '-e ' . $config->returnValue("engineid"); + } + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ( $config->exists("privacy") ) { + my $priv_key = ''; + if ( $config->exists("privacy plaintext-key") ) { + $priv_key = + "-X " . $config->returnValue("privacy plaintext-key"); + } + else { + $priv_key = + "-3M " . $config->returnValue("privacy encrypted-key"); + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + + # TODO + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + my $target_print = $target; + if ( $target =~ /:/ ) { + $target_print = "[$target]"; + $protocol = $protocol . "6"; + } + print +"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; } - print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; + print "\n"; } sub check_user_auth_changes() { - my $config = get_snmp_config(); - if ($config->isChanged("user")) { - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." user $user"); - if ($config->exists("auth")) { - if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) { - $haveError = 1; - print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet."; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type"); - if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if ($config->exists("privacy")) { - my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key"); - my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type"); - if ($isPrivChanged && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) { - $haveError = 1; - print "Please, set privacy plaintext-key for user \"$user\"\n"; - } - } - } else { - if ($config->exists("privacy")) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); + my $config = get_snmp_config(); + if ( $config->isChanged("user") ) { + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("auth") ) { + if ( $config->isChanged("auth encrypted-key") + || $config->isChanged("privacy encrypted-key") ) + { + $haveError = 1; + print +"Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet.\n"; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthChanged = $isAuthKeyChanged + || $config->isChanged("auth type"); + if ( ( $isAuthChanged || $config->isDeleted("privacy") ) + && !$isAuthKeyChanged ) + { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( $config->exists("privacy") ) { + my $isPrivKeyChanged = + $config->isChanged("privacy plaintext-key"); + my $isPrivChanged = $isPrivKeyChanged + || $config->isChanged("privacy type"); + if ( $isPrivChanged && !$isAuthKeyChanged ) { + $haveError = 1; + print + "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( ( $isAuthChanged || $isPrivChanged ) + && !$isPrivKeyChanged ) + { + $haveError = 1; + print +"Please, set privacy plaintext-key for user \"$user\"\n"; + } + } + } + else { + if ( $config->exists("privacy") ) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } } - } } sub check_relation() { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - if ($config->exists("user $user group")) { - my $group = $config->returnValue("user $user group"); - if (! $config->exists("group $group")) { - $haveError = 1; - print "Please, create group \"$group\". It's need for user \"$user\"\n"; - } + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + if ( $config->exists("user $user group") ) { + my $group = $config->returnValue("user $user group"); + if ( !$config->exists("group $group") ) { + $haveError = 1; + print +"Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ( $config->listNodes("group") ) { + my $view = $config->returnValue("group $group view"); + if ( !$config->exists("view $view") ) { + $haveError = 1; + print + "Please, create view \"$view\". It's need for group \"$group\"\n"; + } } - } - foreach my $group ($config->listNodes("group")) { - my $view = $config->returnValue("group $group view"); - if (! $config->exists("view $view")) { - $haveError = 1; - print "Please, create view \"$view\". It's need for group \"$group\"\n"; + if ($haveError) { + exit(1); } - } - if ($haveError) { - exit(1); - } } sub check_tsm_port { - my $config = get_snmp_config(); - if ($config->isChanged("tsm port")) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line (split(/\n/,$output)) { - if ($line =~ /$reg/) { - print "Actually port $port is using. It can not be used for tsm.\n"; - exit(1); - } + my $config = get_snmp_config(); + if ( $config->isChanged("tsm port") ) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line ( split( /\n/, $output ) ) { + if ( $line =~ /$reg/ ) { + print + "Actually port $port is using. It can not be used for tsm.\n"; + exit(1); + } + } } - } } sub copy_conf_to_tmp() { - # these files already contain SNMPv2 configuration - copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; + + # these files already contain SNMPv2 configuration + copy( $snmpd_conf, $snmpd_conf_tmp ) + or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) + or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) + or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; } sub snmp_update { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - copy_conf_to_tmp(); set_tsm(); - open (my $fh, '>>', $snmpd_conf_tmp) - or die "Couldn't open $snmpd_conf_tmp - $!"; + open( my $fh, '>>', $snmpd_conf_tmp ) + or die "Couldn't open $snmpd_conf_tmp - $!"; select $fh; @@ -495,33 +546,42 @@ sub snmp_update { close $fh; select STDOUT; - move($snmpd_conf_tmp, $snmpd_conf) - or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; + move( $snmpd_conf_tmp, $snmpd_conf ) + or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; my $config = get_snmp_config(); - if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) { - parse_config_file(); - snmpd_stop(); - set_users_to_other(); - move($snmpd_usr_conf_tmp, $snmpd_usr_conf) - or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; - move($snmpd_var_conf_tmp, $snmpd_var_conf) - or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; - snmpd_start(); - snmpd_restart(); - update_users_vyatta_conf(); - write_config_file(); - } else { - snmpd_start(); - } + parse_config_file(); + snmpd_stop(); + set_users_to_other(); + move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) + or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; + move( $snmpd_var_conf_tmp, $snmpd_var_conf ) + or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; + snmpd_start(); + snmpd_stop(); + snmpd_start(); + update_users_vyatta_conf(); + write_config_file(); + } +sub snmp_check() { + check_user_auth_changes(); + check_relation(); + check_tsm_port(); +} + +my $check_config; my $update_snmp; my $delete_snmp; -GetOptions("update-snmp!" => \$update_snmp, - "delete-snmp!" => \$delete_snmp); +GetOptions( + "check-config!" => \$check_config, + "update-snmp!" => \$update_snmp, + "delete-snmp!" => \$delete_snmp +); +snmp_check() if ($check_config); snmp_update() if ($update_snmp); snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index a4ea9e27..073e7c5a 100755 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -44,6 +44,7 @@ my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; my $versionfile = '/opt/vyatta/etc/version'; my $local_agent = 'unix:/var/run/snmpd.socket'; +my $password_file = '/config/snmp/superuser_pass'; my $snmp_level = 'service snmp'; @@ -291,6 +292,10 @@ sub snmp_create_snmpv3_user { open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; + + open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; + print $pass_file $passphrase; + close $pass_file; } sub snmp_write_snmpv3_user { |