diff options
| author | James Davidson <james.davidson@vyatta.com> | 2013-02-12 13:02:11 -0800 |
|---|---|---|
| committer | James Davidson <james.davidson@vyatta.com> | 2013-02-12 13:02:11 -0800 |
| commit | 1d917be739f1db7b1ff1d26a0238322d7fd475c5 (patch) | |
| tree | ac3bdbdcd28f0bd0f9f16477a384e6ccd53970cd /scripts | |
| parent | 34f23c48bf38c6c88f3c74e958a084bf30380bd6 (diff) | |
| download | vyatta-cfg-system-1d917be739f1db7b1ff1d26a0238322d7fd475c5.tar.gz vyatta-cfg-system-1d917be739f1db7b1ff1d26a0238322d7fd475c5.zip | |
Initial SNMPv3 support
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/snmp/vyatta-snmp-v3.pl | 527 | ||||
| -rwxr-xr-x | scripts/snmp/vyatta-snmp.pl | 22 |
2 files changed, 536 insertions, 13 deletions
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl new file mode 100755 index 00000000..ef93b8a1 --- /dev/null +++ b/scripts/snmp/vyatta-snmp-v3.pl @@ -0,0 +1,527 @@ +#!/usr/bin/perl + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use File::Copy; +use Getopt::Long; +use Socket; +use Socket6; + +my $snmp_v3_level = 'service snmp v3'; +my $snmp_init = 'invoke-rc.d snmpd'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; +my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; +my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; +%VConfig = (); + +%OIDs = ( + "md5", ".1.3.6.1.6.3.10.1.1.2", + "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", + "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" +); + +# generate a random character hex string +sub randhex { + my $length = shift; + return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); +} + +sub parse_config_file { + open (CONFIG, "$vyatta_config_file") or return; + while (<CONFIG>) { + chomp; # no newline + s/#.*//; # no comments + s/^\s+//; # no leading white + s/\s+$//; # no trailing white + next unless length; # anything left? + my ($var, $value) = split(/\s*=\s*/, $_, 2); + $VConfig{$var} = $value; + } + close(CONFIG); +} + +sub write_config_file { + open (my $config_file, '>' , "$vyatta_config_file"); + for my $key (keys %VConfig) { + my $value = $VConfig{$key}; + print $config_file "$key=$value\n"; + } + close $config_file; +} + +sub snmpd_running { + open (my $pidf, '<', "/var/run/snmpd.pid") + or return; + my $pid = <$pidf>; + close $pidf; + + chomp $pid; + my $exe = readlink "/proc/$pid/exe"; + + return (defined($exe) && $exe eq "/usr/sbin/snmpd"); +} + +sub check_snmp_exit_code { + my $code = shift; + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ($code !=0 && $code != 256) { + return 1; + } else { + return 0; + } +} + +sub snmpd_stop { + system("$snmp_init stop > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); + } +} + +sub snmpd_start { + system("$snmp_init start > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not start snmpd!\n"; + exit(1); + } +} + +sub snmpd_update { + system("$snmp_init reload > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); + } +} + +sub snmpd_restart { + system("$snmp_init restart > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); + } +} + +sub get_version { + my $version = "unknown-version"; + + if (open (my $f, '<', $versionfile)) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; + } + return $version; +} + +sub ipv6_disabled { + socket ( my $s, PF_INET6, SOCK_DGRAM, 0) + or return 1; + close($s); + return; +} + +sub set_tsm { + my $config = get_snmp_config(); + if ($config->exists("tsm")) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp"); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + } +} + +sub snmp_delete { + snmpd_stop(); + + @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf); + foreach $file (@files) { + if (-e $file) { + if (unlink($file) == 0) { + print "File $file was not deleted.\n"; + } else { + print "File $file deleted successfully.\n"; + } + } else { + print "File $file does not exist\n"; + } + } +} + +sub get_snmp_config() { + my $config = new Vyatta::Config; + $config->setLevel($snmp_v3_level); + return $config; +} + +sub set_views() { + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ($config->listNodes("view")) { + foreach my $oid ($config->listNodes("view $view oid")) { + my $mask = $config->returnValue("view $view oid $oid mask"); + if ($config->exists("view $view oid $oid exclude")) { + print "view $view excluded .$oid $mask\n"; + } else { + print "view $view included .$oid $mask\n"; + } + } + } + print "\n"; +} + +sub set_groups() { + print "#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ($config->listNodes("group")) { + my $mode = $config->returnValue("group $group mode"); + my $view = $config->returnValue("group $group view"); + if ($mode eq "ro") { + print "access $group \"\" usm auth exact $view none none\n"; + print "access $group \"\" tsm auth exact $view none none\n"; + } else { + print "access $group \"\" usm auth exact $view $view none\n"; + print "access $group \"\" tsm auth exact $view $view none\n"; + } + } + print "\n"; +} + +sub set_users_in_etc() { + + print "#group\n"; + + my $config = get_snmp_config(); + foreach my $user ($config->listNodes("user")) { + $config->setLevel($snmp_v3_level." user $user"); + if ($config->exists("group")) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ($config->exists("tsm-key")) { + my $cert = $config->returnValue("tsm-key"); + #TODO magic number 10 + print "certSecName 10 $cert --sn $user\n"; + } + } + + print "\n"; +} + +sub set_users_to_other() { + open (my $usr_conf, '>>', $snmpd_usr_conf_tmp) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open (my $var_conf, '>>', $snmpd_var_conf_tmp) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ($config->exists("tsm")) { + $needTsm = 1; + } + + my %trap_users=(); + + foreach my $trap ($config->listNodes("trap-target")) { + $trap_users{$config->returnValue("trap-target $trap user")} = 1; + } + + foreach my $user ($config->listNodes("user")) { + delete $trap_users{$user}; + $config->setLevel($snmp_v3_level." user $user"); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ($config->exists("auth")) { + if ($config->exists("auth plaintext-key")) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = $config->returnValue("privacy plaintext-key"); + print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } else { + my $name_print = get_printable_name($user); + my $EngineID = $VConfig{"User.$user.EngineID"}; + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + local ($priv_type_oid, $priv_key_hex); + if ($config->exists("privacy")) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = $config->returnValue("privacy encrypted-key"); + } else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ($config->exists("privacy")) { + $end = "priv"; + } + print $usr_conf $mode."user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode."user -s tsm $user $end\n"; + } + } + + foreach my $user (keys %trap_users) { + $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth"; + } + + print $var_conf "setservialno ".$VConfig{"serialno"}."\n"; + print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n"; + + close $usr_conf; + close $var_conf; +} + +sub get_printable_name { + my $name = shift; + if ($name =~ /-/) { + my @array=unpack('C*', $name); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf ("%lx", $c); + } + return $stringHex; + } else { + return "\"$name\""; + } +} + +sub update_users_vyatta_conf() { + %VConfig = (); + open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while (my $line = <$var_conf>) { + if ($line =~ /^setserialno (.*)$/) { + $VConfig{"serialno"} = $1; + } + if ($line =~ /^oldEngineID (.*)$/) { + $VConfig{"oldEngineID"} = $1; + } + if ($line =~ /^usmUser /) { + my @values = split(/ /, $line); + my $name = $values[4]; + if ($name =~ /^"(.*)"$/) { + $name = $1; + } else { + $name = pack('H*', $name); + } + # this file contain users for trap-target and vyatta... user + # these users recreating automatically on each commit + if ($config->exists("user $name")) { + $VConfig{"User.$name.EngineID"} = $values[3]; + system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null"); + if ($values[10] ne "\"\"" && $values[10] ne "0x") { + system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null"); + system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null"); + } + system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null"); + } + } + } +} + +sub set_hosts() { + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ($config->listNodes("trap-target")) { + $config->setLevel($snmp_v3_level." trap-target $target"); + my $auth_key = ''; + if ($config->exists("auth plaintext-key")) { + $auth_key = "-A ".$config->returnValue("auth plaintext-key"); + } else { + $auth_key = "-3m ".$config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = ''; + $inform_flag = '-Ci' if ($type eq 'inform'); + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ($config->exists("privacy")) { + my $priv_key = ''; + if ($config->exists("privacy plaintext-key")) { + $priv_key = "-X ".$config->returnValue("privacy plaintext-key"); + } else { + $priv_key = "-3M ".$config->returnValue("privacy encrypted-key") + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + # TODO + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + my $target_print = $target; + if ($target =~ /:/) { + $target_print = "[$target]"; + $protocol = $protocol."6"; + } + print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; + } + print "\n"; +} + +sub check_user_auth_changes() { + my $config = get_snmp_config(); + if ($config->isChanged("user")) { + my $haveError = 0; + foreach my $user ($config->listNodes("user")) { + $config->setLevel($snmp_v3_level." user $user"); + if ($config->exists("auth")) { + if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) { + $haveError = 1; + print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet."; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type"); + if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ($config->exists("privacy")) { + my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key"); + my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type"); + if ($isPrivChanged && !$isAuthKeyChanged) { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) { + $haveError = 1; + print "Please, set privacy plaintext-key for user \"$user\"\n"; + } + } + } else { + if ($config->exists("privacy")) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } + } +} + +sub check_relation() { + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ($config->listNodes("user")) { + if ($config->exists("user $user group")) { + my $group = $config->returnValue("user $user group"); + if (! $config->exists("group $group")) { + $haveError = 1; + print "Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ($config->listNodes("group")) { + my $view = $config->returnValue("group $group view"); + if (! $config->exists("view $view")) { + $haveError = 1; + print "Please, create view \"$view\". It's need for group \"$group\"\n"; + } + } + if ($haveError) { + exit(1); + } +} + +sub check_tsm_port { + my $config = get_snmp_config(); + if ($config->isChanged("tsm port")) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line (split(/\n/,$output)) { + if ($line =~ /$reg/) { + print "Actually port $port is using. It can not be used for tsm.\n"; + exit(1); + } + } + } +} + +sub copy_conf_to_tmp() { + # these files already contain SNMPv2 configuration + copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; +} + +sub snmp_update { + + check_user_auth_changes(); + check_relation(); + check_tsm_port(); + + copy_conf_to_tmp(); + + set_tsm(); + + open (my $fh, '>>', $snmpd_conf_tmp) + or die "Couldn't open $snmpd_conf_tmp - $!"; + + select $fh; + + set_views(); + set_groups(); + set_hosts(); + set_users_in_etc(); + + close $fh; + select STDOUT; + + move($snmpd_conf_tmp, $snmpd_conf) + or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; + + my $config = get_snmp_config(); + + if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) { + parse_config_file(); + snmpd_stop(); + set_users_to_other(); + move($snmpd_usr_conf_tmp, $snmpd_usr_conf) + or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; + move($snmpd_var_conf_tmp, $snmpd_var_conf) + or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; + snmpd_start(); + snmpd_restart(); + update_users_vyatta_conf(); + write_config_file(); + } else { + snmpd_start(); + } +} + +my $update_snmp; +my $delete_snmp; + +GetOptions("update-snmp!" => \$update_snmp, + "delete-snmp!" => \$delete_snmp); + +snmp_update() if ($update_snmp); +snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index d473e7fa..a4ea9e27 100755 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -64,6 +64,8 @@ sub snmp_stop { } sub snmp_start { + # we must stop snmpd first for creating vyatta user + system("$snmp_init stop > /dev/null 2>&1"); open (my $fh, '>', $snmp_tmp) or die "Couldn't open $snmp_tmp - $!"; @@ -78,12 +80,6 @@ sub snmp_start { move($snmp_tmp, $snmp_conf) or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; - - if (snmp_running()) { - system("$snmp_init restart > /dev/null 2>&1 &"); - } else { - system("$snmp_init start > /dev/null 2>&1 &"); - } } sub get_version { @@ -235,9 +231,6 @@ sub snmp_get_traps { my $config = new Vyatta::Config; $config->setLevel($snmp_level); - my @trap_targets = $config->listNodes("trap-target"); - return unless @trap_targets; - # linkUp/Down configure the Event MIB tables to monitor # the ifTable for network interfaces being taken up or down # for making internal queries to retrieve any necessary information @@ -257,6 +250,9 @@ monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 EOF + my @trap_targets = $config->listNodes("trap-target"); + return unless @trap_targets; + foreach my $trap_target (@trap_targets) { my $port = $config->returnValue("trap-target $trap_target port"); my $community @@ -290,8 +286,9 @@ sub snmp_create_snmpv3_user { my $vyatta_user = shift; my $passphrase = randhex(32); + my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; - open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; + open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; } @@ -299,9 +296,8 @@ sub snmp_create_snmpv3_user { sub snmp_write_snmpv3_user { my $vyatta_user = shift; - my $user = "rouser $vyatta_user\n"; - system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf 2>/dev/null;"); - open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; + my $user = "rwuser $vyatta_user\n"; + open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; print $fh $user; close $fh; } |