-rw-r--r-- | Makefile.am | 1 | ||||
-rwxr-xr-x | scripts/snmp/vyatta-snmp-v3.pl | 772 | ||||
-rwxr-xr-x | scripts/snmp/vyatta-snmp.pl | 5 | ||||
-rwxr-xr-x | scripts/system/vyatta_check_snmp_name.pl | 31 | ||||
-rw-r--r-- | templates/service/snmp/node.def | 7 | ||||
-rw-r--r-- | templates/service/snmp/v3/group/node.def | 2 | ||||
-rw-r--r-- | templates/service/snmp/v3/node.def | 4 | ||||
-rw-r--r-- | templates/service/snmp/v3/trap-target/node.def | 2 | ||||
-rw-r--r-- | templates/service/snmp/v3/trap-target/node.tag/engineid/node.def | 3 | ||||
-rw-r--r-- | templates/service/snmp/v3/tsm/local-key/node.def | 8 | ||||
-rw-r--r-- | templates/service/snmp/v3/user/node.def | 5 | ||||
-rw-r--r-- | templates/service/snmp/v3/user/node.tag/tsm-key/node.def | 8 | ||||
-rw-r--r-- | templates/service/snmp/v3/view/node.def | 5 | ||||
-rw-r--r-- | templates/service/snmp/v3/view/node.tag/oid/node.def | 2 |
14 files changed, 488 insertions, 367 deletions
diff --git a/Makefile.am b/Makefile.am
index 1d7f7dee..77cdfb07 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -36,6 +36,7 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
+sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl
 sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl
 sbin_SCRIPTS += scripts/system/vyatta_interface_rescan
 sbin_SCRIPTS += scripts/system/vyatta_update_hosts.pl
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl
index ef93b8a1..20e50e63 100755
--- a/scripts/snmp/vyatta-snmp-v3.pl
+++ b/scripts/snmp/vyatta-snmp-v3.pl
@@ -7,483 +7,534 @@ use Getopt::Long; use Socket; use Socket6; -my $snmp_v3_level = 'service snmp v3'; -my $snmp_init = 'invoke-rc.d snmpd'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmp_v3_level = 'service snmp v3'; +my $snmp_init = 'invoke-rc.d snmpd'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/var/run/snmpd.socket'; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; %VConfig = (); %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", - "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", - "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" + "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" ); # generate a random character hex string sub randhex { my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); + return join "", map { unpack "H*", chr( rand(256) ) } 1 .. ( $length / 2 ); } sub parse_config_file { - open (CONFIG, "$vyatta_config_file") or return; + open( CONFIG, "$vyatta_config_file" ) or return; while (<CONFIG>) { - chomp; # no newline - s/#.*//; # no comments - s/^\s+//; # no leading white - s/\s+$//; # no trailing white - next unless length; # anything left? 
- my ($var, $value) = split(/\s*=\s*/, $_, 2); - $VConfig{$var} = $value; + chomp; # no newline + s/#.*//; # no comments + s/^\s+//; # no leading white + s/\s+$//; # no trailing white + next unless length; # anything left? + my ( $var, $value ) = split( /\s*=\s*/, $_, 2 ); + $VConfig{$var} = $value; } close(CONFIG); } sub write_config_file { - open (my $config_file, '>' , "$vyatta_config_file"); - for my $key (keys %VConfig) { - my $value = $VConfig{$key}; - print $config_file "$key=$value\n"; + open( my $config_file, '>', "$vyatta_config_file" ); + for my $key ( keys %VConfig ) { + my $value = $VConfig{$key}; + print $config_file "$key=$value\n"; } close $config_file; } sub snmpd_running { - open (my $pidf, '<', "/var/run/snmpd.pid") - or return; + open( my $pidf, '<', "/var/run/snmpd.pid" ) + or return; my $pid = <$pidf>; close $pidf; chomp $pid; my $exe = readlink "/proc/$pid/exe"; - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); + return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); } sub check_snmp_exit_code { - my $code = shift; - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ($code !=0 && $code != 256) { - return 1; - } else { - return 0; - } + my $code = shift; + + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ( $code != 0 && $code != 256 ) { + return 1; + } + else { + return 0; + } } sub snmpd_stop { - system("$snmp_init stop > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); + system( +"start-stop-daemon --stop --exec /usr/sbin/snmpd --oknodo -R 2 > /dev/null 2>&1" + ); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); } } sub snmpd_start { system("$snmp_init start > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not start snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) 
) { + print "ERROR: Can not start snmpd!\n"; + exit(1); } } sub snmpd_update { system("$snmp_init reload > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); } } sub snmpd_restart { system("$snmp_init restart > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); } } sub get_version { my $version = "unknown-version"; - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; + if ( open( my $f, '<', $versionfile ) ) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; } return $version; } sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; + socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) + or return 1; close($s); return; } sub set_tsm { my $config = get_snmp_config(); - if ($config->exists("tsm")) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp"); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + if ( $config->exists("tsm") ) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system( +"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" + ); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); } } sub snmp_delete { snmpd_stop(); - @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf); + @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); foreach $file (@files) { - if (-e $file) { - if (unlink($file) == 0) { - print "File $file was not deleted.\n"; - } else { - 
print "File $file deleted successfully.\n"; - } - } else { - print "File $file does not exist\n"; - } + if ( -e $file ) { + unlink($file); + } } } sub get_snmp_config() { - my $config = new Vyatta::Config; + my $config = new Vyatta::Config; $config->setLevel($snmp_v3_level); - return $config; + return $config; } sub set_views() { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ($config->listNodes("view")) { - foreach my $oid ($config->listNodes("view $view oid")) { - my $mask = $config->returnValue("view $view oid $oid mask"); - if ($config->exists("view $view oid $oid exclude")) { - print "view $view excluded .$oid $mask\n"; - } else { - print "view $view included .$oid $mask\n"; - } + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ( $config->listNodes("view") ) { + foreach my $oid ( $config->listNodes("view $view oid") ) { + my $mask = $config->returnValue("view $view oid $oid mask"); + if ( $config->exists("view $view oid $oid exclude") ) { + print "view $view excluded .$oid $mask\n"; + } + else { + print "view $view included .$oid $mask\n"; + } + } } - } - print "\n"; + print "\n"; } sub set_groups() { - print "#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ($config->listNodes("group")) { - my $mode = $config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - if ($mode eq "ro") { - print "access $group \"\" usm auth exact $view none none\n"; - print "access $group \"\" tsm auth exact $view none none\n"; - } else { - print "access $group \"\" usm auth exact $view $view none\n"; - print "access $group \"\" tsm auth exact $view $view none\n"; + print +"#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ( $config->listNodes("group") ) { + my $mode = $config->returnValue("group $group mode"); + my $view = $config->returnValue("group 
$group view"); + if ( $mode eq "ro" ) { + print "access $group \"\" usm auth exact $view none none\n"; + print "access $group \"\" tsm auth exact $view none none\n"; + } + else { + print "access $group \"\" usm auth exact $view $view none\n"; + print "access $group \"\" tsm auth exact $view $view none\n"; + } } - } - print "\n"; + print "\n"; } sub set_users_in_etc() { - print "#group\n"; - - my $config = get_snmp_config(); - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." user $user"); - if ($config->exists("group")) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; + print "#group\n"; + my $tsm_counter = 0; + my $config = get_snmp_config(); + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("group") ) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ( $config->exists("tsm-key") ) { + my $cert = $config->returnValue("tsm-key"); + $tsm_counter++; + print "certSecName $tsm_counter $cert --sn $user\n"; + } } - if ($config->exists("tsm-key")) { - my $cert = $config->returnValue("tsm-key"); - #TODO magic number 10 - print "certSecName 10 $cert --sn $user\n"; - } - } - print "\n"; + print "\n"; } sub set_users_to_other() { - open (my $usr_conf, '>>', $snmpd_usr_conf_tmp) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open (my $var_conf, '>>', $snmpd_var_conf_tmp) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ($config->exists("tsm")) { - $needTsm = 1; - } - - my %trap_users=(); - - foreach my $trap ($config->listNodes("trap-target")) { - $trap_users{$config->returnValue("trap-target $trap user")} = 1; - } - - foreach my $user ($config->listNodes("user")) { - delete $trap_users{$user}; - 
$config->setLevel($snmp_v3_level." user $user"); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ($config->exists("auth")) { - if ($config->exists("auth plaintext-key")) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = $config->returnValue("privacy plaintext-key"); - print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } else { - my $name_print = get_printable_name($user); - my $EngineID = $VConfig{"User.$user.EngineID"}; - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - local ($priv_type_oid, $priv_key_hex); - if ($config->exists("privacy")) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = $config->returnValue("privacy encrypted-key"); - } else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } + open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open( my $var_conf, '>>', $snmpd_var_conf_tmp ) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ( $config->exists("tsm") ) { + $needTsm = 1; } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ($config->exists("privacy")) { - $end = "priv"; + + my %trap_users = (); + + foreach my $trap ( $config->listNodes("trap-target") ) { + $trap_users{ $config->returnValue("trap-target $trap user") } = 1; } - print $usr_conf $mode."user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode."user -s tsm $user $end\n"; + + foreach my $user ( $config->listNodes("user") ) { + delete $trap_users{$user}; + $config->setLevel( $snmp_v3_level . 
" user $user" ); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ( $config->exists("auth") ) { + if ( $config->exists("auth plaintext-key") ) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = $config->returnValue("privacy plaintext-key"); + print $var_conf +"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } + else { + my $name_print = get_printable_name($user); + my $EngineID = $VConfig{"User.$user.EngineID"}; + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + local ( $priv_type_oid, $priv_key_hex ); + if ( $config->exists("privacy") ) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = + $config->returnValue("privacy encrypted-key"); + } + else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf +"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ( $config->exists("privacy") ) { + $end = "priv"; + } + print $usr_conf $mode . "user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode . "user -s tsm $user $end\n"; + } } - } - foreach my $user (keys %trap_users) { - $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth"; - } + foreach my $user ( keys %trap_users ) { + $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x" + . randhex(26) + . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" + . randhex(32) + . 
" .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth\n"; + } - print $var_conf "setservialno ".$VConfig{"serialno"}."\n"; - print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n"; + print $var_conf "setserialno " . $VConfig{"serialno"} . "\n" + if exists $VConfig{"serialno"}; + print $var_conf "oldEngineID " . $VConfig{"oldEngineID"} . "\n" + if exists $VConfig{"oldEngineID"}; - close $usr_conf; - close $var_conf; + close $usr_conf; + close $var_conf; } sub get_printable_name { - my $name = shift; - if ($name =~ /-/) { - my @array=unpack('C*', $name); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf ("%lx", $c); + my $name = shift; + if ( $name =~ /-/ ) { + my @array = unpack( 'C*', $name ); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf( "%lx", $c ); + } + return $stringHex; + } + else { + return "\"$name\""; } - return $stringHex; - } else { - return "\"$name\""; - } } sub update_users_vyatta_conf() { - %VConfig = (); - open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while (my $line = <$var_conf>) { - if ($line =~ /^setserialno (.*)$/) { - $VConfig{"serialno"} = $1; - } - if ($line =~ /^oldEngineID (.*)$/) { - $VConfig{"oldEngineID"} = $1; - } - if ($line =~ /^usmUser /) { - my @values = split(/ /, $line); - my $name = $values[4]; - if ($name =~ /^"(.*)"$/) { - $name = $1; - } else { - $name = pack('H*', $name); - } - # this file contain users for trap-target and vyatta... 
user - # these users recreating automatically on each commit - if ($config->exists("user $name")) { - $VConfig{"User.$name.EngineID"} = $values[3]; - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null"); - if ($values[10] ne "\"\"" && $values[10] ne "0x") { - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null"); - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null"); - } - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null"); - } + %VConfig = (); + open( my $var_conf, '<', $snmpd_var_conf ) + or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while ( my $line = <$var_conf> ) { + if ( $line =~ /^setserialno (.*)$/ ) { + $VConfig{"serialno"} = $1; + } + if ( $line =~ /^oldEngineID (.*)$/ ) { + $VConfig{"oldEngineID"} = $1; + } + if ( $line =~ /^usmUser / ) { + my @values = split( / /, $line ); + my $name = $values[4]; + if ( $name =~ /^"(.*)"$/ ) { + $name = $1; + } + else { + $name = pack( 'H*', $name ); + } + + # this file contain users for trap-target and vyatta... 
user + # these users recreating automatically on each commit + if ( $config->exists("user $name") ) { + $VConfig{"User.$name.EngineID"} = $values[3]; + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" + ); + if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" + ); + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" + ); + } + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" + ); + } + } } - } + close $var_conf; } sub set_hosts() { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ($config->listNodes("trap-target")) { - $config->setLevel($snmp_v3_level." trap-target $target"); - my $auth_key = ''; - if ($config->exists("auth plaintext-key")) { - $auth_key = "-A ".$config->returnValue("auth plaintext-key"); - } else { - $auth_key = "-3m ".$config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = ''; - $inform_flag = '-Ci' if ($type eq 'inform'); - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ($config->exists("privacy")) { - my $priv_key = ''; - if ($config->exists("privacy plaintext-key")) { - $priv_key = "-X ".$config->returnValue("privacy plaintext-key"); - } else { - $priv_key = "-3M ".$config->returnValue("privacy encrypted-key") - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - # TODO - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - my $target_print = $target; - if ($target =~ /:/) { - $target_print = 
"[$target]"; - $protocol = $protocol."6"; + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ( $config->listNodes("trap-target") ) { + $config->setLevel( $snmp_v3_level . " trap-target $target" ); + my $auth_key = ''; + if ( $config->exists("auth plaintext-key") ) { + $auth_key = "-A " . $config->returnValue("auth plaintext-key"); + } + else { + $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = '-Ci'; + $inform_flag = '-Ci' if ( $type eq 'inform' ); + + if ( $type eq 'trap' ) { + $inform_flag = '-e ' . $config->returnValue("engineid"); + } + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ( $config->exists("privacy") ) { + my $priv_key = ''; + if ( $config->exists("privacy plaintext-key") ) { + $priv_key = + "-X " . $config->returnValue("privacy plaintext-key"); + } + else { + $priv_key = + "-3M " . $config->returnValue("privacy encrypted-key"); + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + + # TODO + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + my $target_print = $target; + if ( $target =~ /:/ ) { + $target_print = "[$target]"; + $protocol = $protocol . "6"; + } + print +"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; } - print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; + print "\n"; } sub check_user_auth_changes() { - my $config = get_snmp_config(); - if ($config->isChanged("user")) { - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." 
user $user"); - if ($config->exists("auth")) { - if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) { - $haveError = 1; - print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet."; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type"); - if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if ($config->exists("privacy")) { - my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key"); - my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type"); - if ($isPrivChanged && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) { - $haveError = 1; - print "Please, set privacy plaintext-key for user \"$user\"\n"; - } - } - } else { - if ($config->exists("privacy")) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); + my $config = get_snmp_config(); + if ( $config->isChanged("user") ) { + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("auth") ) { + if ( $config->isChanged("auth encrypted-key") + || $config->isChanged("privacy encrypted-key") ) + { + $haveError = 1; + print +"Discard encrypted-key on user \"$user\". You can't change encrypted key. 
It does not supported yet.\n"; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthChanged = $isAuthKeyChanged + || $config->isChanged("auth type"); + if ( ( $isAuthChanged || $config->isDeleted("privacy") ) + && !$isAuthKeyChanged ) + { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( $config->exists("privacy") ) { + my $isPrivKeyChanged = + $config->isChanged("privacy plaintext-key"); + my $isPrivChanged = $isPrivKeyChanged + || $config->isChanged("privacy type"); + if ( $isPrivChanged && !$isAuthKeyChanged ) { + $haveError = 1; + print + "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( ( $isAuthChanged || $isPrivChanged ) + && !$isPrivKeyChanged ) + { + $haveError = 1; + print +"Please, set privacy plaintext-key for user \"$user\"\n"; + } + } + } + else { + if ( $config->exists("privacy") ) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } } - } } sub check_relation() { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - if ($config->exists("user $user group")) { - my $group = $config->returnValue("user $user group"); - if (! $config->exists("group $group")) { - $haveError = 1; - print "Please, create group \"$group\". It's need for user \"$user\"\n"; - } + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + if ( $config->exists("user $user group") ) { + my $group = $config->returnValue("user $user group"); + if ( !$config->exists("group $group") ) { + $haveError = 1; + print +"Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ( $config->listNodes("group") ) { + my $view = $config->returnValue("group $group view"); + if ( !$config->exists("view $view") ) { + $haveError = 1; + print + "Please, create view \"$view\". 
It's need for group \"$group\"\n"; + } } - } - foreach my $group ($config->listNodes("group")) { - my $view = $config->returnValue("group $group view"); - if (! $config->exists("view $view")) { - $haveError = 1; - print "Please, create view \"$view\". It's need for group \"$group\"\n"; + if ($haveError) { + exit(1); } - } - if ($haveError) { - exit(1); - } } sub check_tsm_port { - my $config = get_snmp_config(); - if ($config->isChanged("tsm port")) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line (split(/\n/,$output)) { - if ($line =~ /$reg/) { - print "Actually port $port is using. It can not be used for tsm.\n"; - exit(1); - } + my $config = get_snmp_config(); + if ( $config->isChanged("tsm port") ) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line ( split( /\n/, $output ) ) { + if ( $line =~ /$reg/ ) { + print + "Actually port $port is using. 
It can not be used for tsm.\n"; + exit(1); + } + } } - } } sub copy_conf_to_tmp() { - # these files already contain SNMPv2 configuration - copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; + + # these files already contain SNMPv2 configuration + copy( $snmpd_conf, $snmpd_conf_tmp ) + or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) + or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) + or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; } sub snmp_update { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - copy_conf_to_tmp(); set_tsm(); - open (my $fh, '>>', $snmpd_conf_tmp) - or die "Couldn't open $snmpd_conf_tmp - $!"; + open( my $fh, '>>', $snmpd_conf_tmp ) + or die "Couldn't open $snmpd_conf_tmp - $!"; select $fh; 
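Review bot: `set_tsm` still passes configuration values through a shell — `$port` and `$local_key` are interpolated into the `sed -i` command string and into `echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp`, and `update_users_vyatta_conf` does the same with `$name` and the encrypted keys in its `my_set`/`my_delete` strings, which additionally exposes key material on the process command line. The templates in this commit tighten user and group names, but `tsm local-key` is only checked against a fingerprint pattern or file existence, so the safer course is to keep the shell out of the path: write the `localCert` line through a filehandle and give `sed` its arguments in list form, as below. Separately, `randhex` derives the `usmUser` auth key of every trap-only user from `rand()`, which is not a cryptographically secure generator, while those users are granted `rouser $user auth`; reading the bytes from `/dev/urandom` — `open my $rnd, '<', '/dev/urandom' or die "urandom: $!"; read $rnd, my $buf, $length / 2; return unpack 'H*', $buf;` — costs the same three lines. The hunk ends inside `snmp_update`, whose remaining body is in the next hunk.
```perl
sub set_tsm {
    my $config = get_snmp_config();
    if ( $config->exists("tsm") ) {
        my $port      = $config->returnValue("tsm port");
        my $local_key = $config->returnValue("tsm local-key");

        # list form: no shell is involved, so the values are passed verbatim
        system( 'sed', '-i',
            "s/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/",
            $snmpd_conf_tmp ) == 0
          or die "Couldn't update agentaddress in $snmpd_conf_tmp - $?";

        # append the localCert line directly instead of via `echo >>`
        open( my $fh, '>>', $snmpd_conf_tmp )
          or die "Couldn't open $snmpd_conf_tmp - $!";
        print {$fh} "[snmp] localCert $local_key\n";
        close $fh or die "Couldn't close $snmpd_conf_tmp - $!";
    }
}
```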
@@ -495,33 +546,42 @@ sub snmp_update {
 close $fh;
 select STDOUT;
- move($snmpd_conf_tmp, $snmpd_conf)
- or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!";
+ move( $snmpd_conf_tmp, $snmpd_conf )
+ or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!";
 my $config = get_snmp_config();
- if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) {
- parse_config_file();
- snmpd_stop();
- set_users_to_other();
- move($snmpd_usr_conf_tmp, $snmpd_usr_conf)
- or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!";
- move($snmpd_var_conf_tmp, $snmpd_var_conf)
- or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!";
- snmpd_start();
- snmpd_restart();
- update_users_vyatta_conf();
- write_config_file();
- } else {
- snmpd_start();
- }
+ parse_config_file();
+ snmpd_stop();
+ set_users_to_other();
+ move( $snmpd_usr_conf_tmp, $snmpd_usr_conf )
+ or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!";
+ move( $snmpd_var_conf_tmp, $snmpd_var_conf )
+ or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!";
+ snmpd_start();
+ snmpd_stop();
+ snmpd_start();
+ update_users_vyatta_conf();
+ write_config_file();
+ }
+sub snmp_check() {
+ check_user_auth_changes();
+ check_relation();
+ check_tsm_port();
+}
+
+my $check_config;
 my $update_snmp;
 my $delete_snmp;
-GetOptions("update-snmp!" => \$update_snmp,
- "delete-snmp!" => \$delete_snmp);
+GetOptions(
+ "check-config!" => \$check_config,
+ "update-snmp!" => \$update_snmp,
+ "delete-snmp!" => \$delete_snmp
+);
+snmp_check() if ($check_config);
 snmp_update() if ($update_snmp);
 snmp_delete() if ($delete_snmp);
diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index a4ea9e27..073e7c5a 100755
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
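Review bot: `snmp_update` now applies the configuration without the validation it used to run — `check_user_auth_changes`, `check_relation` and `check_tsm_port` moved into the new `snmp_check`, which only runs when the caller passes `--check-config` — so a direct `--update-snmp` invocation applies an unvalidated v3 configuration; either state that contract, `# Callers must run --check-config first; snmp_update() itself no longer validates the configuration.`, or call `snmp_check();` as the first statement of `snmp_update`. The `snmpd_start(); snmpd_stop(); snmpd_start();` sequence that replaces `snmpd_restart()` carries no comment explaining why the daemon must be cycled twice; if it is a workaround for the user lines in `$snmpd_var_conf` only being consumed on a cold start, say so, otherwise one start suffices. The old `isChanged("user") || isAdded("tsm") || ...` gate is gone as well, so every commit now stops snmpd, rewrites the user files and re-runs `my_set` for every user via `update_users_vyatta_conf`, which is a much wider blast radius for an unrelated SNMP change. `snmp_update` begins before this hunk.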
@@ -44,6 +44,7 @@ my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf';
 my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf';
 my $versionfile = '/opt/vyatta/etc/version';
 my $local_agent = 'unix:/var/run/snmpd.socket';
+my $password_file = '/config/snmp/superuser_pass';
 my $snmp_level = 'service snmp';
@@ -291,6 +292,10 @@ sub snmp_create_snmpv3_user {
 open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!";
 print $fh $createuser;
 close $fh;
+
+ open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!";
+ print $pass_file $passphrase;
+ close $pass_file;
 }
 sub snmp_write_snmpv3_user {
diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl
new file mode 100755
index 00000000..599fe398
--- /dev/null
+++ b/scripts/system/vyatta_check_snmp_name.pl
@@ -0,0 +1,31 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+foreach my $name (@ARGV) {
+ die "$name : illegal characters in name\n"
+ if (!($name =~ /^[a-zA-Z0-9]*$/));
+
+ # Usernames may only be up to 32 characters long.
+ die "$name: name may only be up to 32 characters long\n"
+ if (length($name) > 32);
+}
+
+exit 0;
diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def
index 8047121f..9fb161dc 100644
--- a/templates/service/snmp/node.def
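Review bot: `open(my $pass_file, '>', $password_file)` creates `/config/snmp/superuser_pass` with whatever umask the commit process happens to have, so the plaintext passphrase written to it is readable by other local users unless that umask is already restrictive; set a 077 umask around the open (or `chmod 0600` the handle) and check `close`, because a short write to a credentials file should fail the commit rather than leave a truncated secret behind. `$passphrase` is not defined in this hunk — it is presumably a local of `snmp_create_snmpv3_user`, which begins before the hunk — so confirm it is the same value that went into `$createuser`. A comment naming the consumer of this file and when it is removed would also help, since the hunk persists a secret under `/config` with no indication of its lifecycle.
```perl
    close $fh;

    # Tighten the umask before creating the passphrase file so it never
    # exists world-readable, even briefly; restore it afterwards.
    my $old_umask = umask 077;
    open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!";
    umask $old_umask;
    print $pass_file $passphrase;
    close($pass_file) || die "Couldn't write $password_file - $!";
```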
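Review bot: The check in `vyatta_check_snmp_name.pl` uses `/^[a-zA-Z0-9]*$/`, which accepts an empty name (`*` rather than `+`) and, because `$` matches before a trailing newline, a name that ends in a newline; `/\A[a-zA-Z0-9]+\z/` pins both ends. The comment and message speak of "Usernames", but the templates in this commit call the script for group names as well; `# SNMP user and group names: alphanumeric only, at most 32 characters.` describes what it actually enforces. Each element of `@ARGV` is validated on its own, so the script cannot tell whether the caller split one name into several arguments — that has to be handled where the template invokes it.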
+++ b/templates/service/snmp/node.def
@@ -3,6 +3,7 @@ help: Simple Network Management Protocol (SNMP)
 commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" || $VAR(v3/) != "" \
 ; "must configure a community or community6 or v3"
+create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi
 delete: touch /tmp/snmp.$PPID
 end:if [ -f "/tmp/snmp.$PPID" ]
 then
@@ -10,6 +11,12 @@ end:if [ -f "/tmp/snmp.$PPID" ]
 rm /tmp/snmp.$PPID;
 sudo rm -f /etc/snmp/snmpd.conf;
 else
+ if [ -n "$VAR(v3/)" ]; then
+ sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --check-config;
+ if [ $? != 0 ]; then
+ exit 1;
+ fi
+ fi
 sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp;
 if [ -n "$VAR(v3/)" ]
 then
diff --git a/templates/service/snmp/v3/group/node.def b/templates/service/snmp/v3/group/node.def
index bcfe6795..13579174 100644
--- a/templates/service/snmp/v3/group/node.def
+++ b/templates/service/snmp/v3/group/node.def
@@ -1,5 +1,7 @@
 tag:
 type: txt
 help: Specifies the group with name groupname
+syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)"
 commit:expression: $VAR(view/) != "" ; "must specify view"
 commit:expression: $VAR(mode/) != "" ; "must specify mode"
diff --git a/templates/service/snmp/v3/node.def b/templates/service/snmp/v3/node.def
index 756a156f..f89d2328 100644
--- a/templates/service/snmp/v3/node.def
+++ b/templates/service/snmp/v3/node.def
@@ -1,7 +1,6 @@
 help: Simple Network Management Protocol (SNMP) v3
-create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi
- if [ ! -d "/config/snmp/tls" ]; then
+create: if [ ! -d "/config/snmp/tls" ]; then
 sudo mkdir /config/snmp/tls ;
 if [ -d "/etc/snmp/tls" ] ; then
 sudo mv /etc/snmp/tls/* /config/snmp/tls > /dev/null 2>&1;
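Review bot: In the `group/node.def` hunk the guard `pattern $VAR(@) "^[^\(\)\|\&-]+$"` excludes only parentheses, `|`, `&` and `-`, yet the next line hands the same value to a shell unquoted via `exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)"`; shell metacharacters the pattern still admits, such as `;`, backquotes, `$` and whitespace, are interpreted by that shell before the Perl check ever sees the name, and a name containing whitespace arrives as several arguments that each pass on their own. Quote the argument as the existing `local-key` template does, `exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl \"$VAR(@)\""`, or better make the pattern the same positive allow-list the script enforces, `pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "illegal characters in name"`, so the exec becomes a second check rather than the first line of defence. The same two lines appear in the `templates/service/snmp/v3/user/node.def` hunk at the end of this diff. This also assumes syntax expressions are evaluated in file order; if the exec can run before the pattern, the pattern protects nothing, so a comment stating the ordering assumption is worth adding either way.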
@@ -18,6 +17,7 @@ create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi
 fi
 begin: if [ -d "/config/snmp/tls" ]; then
+ sudo chown -R snmp /config/snmp/tls;
 sudo chmod -R 600 /config/snmp/tls;
 fi
diff --git a/templates/service/snmp/v3/trap-target/node.def b/templates/service/snmp/v3/trap-target/node.def
index d6203e9b..6c2717a8 100644
--- a/templates/service/snmp/v3/trap-target/node.def
+++ b/templates/service/snmp/v3/trap-target/node.def
@@ -7,6 +7,8 @@ commit:expression: $VAR(auth/) != ""; "must specify auth"
 commit:expression: $VAR(protocol/) != ""; "must specify protocol"
 commit:expression: $VAR(user/) != ""; "must specify user"
 commit:expression: $VAR(port/) != ""; "must specify port"
+commit:expression: $VAR(type/@) == "inform" || ( $VAR(type/@) == "trap" && $VAR(engineid/) != "" ); \
+ "must specify engineid if type is 'trap'"
 val_help: <x.x.x.x>; IP address of trap target
 val_help: <h:h:h:h:h:h:h:h>; IPv6 address of trap target
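Review bot: The added `sudo chown -R snmp /config/snmp/tls;` is immediately followed by the existing `sudo chmod -R 600 /config/snmp/tls;`, which also clears the execute bit on the directories, so the snmp user still cannot traverse /config/snmp/tls or its certs subdirectory after the chown unless snmpd opens these files while still running as root (not visible here); apply modes per type instead, `sudo find /config/snmp/tls -type d -exec chmod 700 {} +` and `sudo find /config/snmp/tls -type f -exec chmod 600 {} +`. The chown also leaves the group untouched; `snmp:snmp` (or whatever group snmpd drops to) would make the intended ownership explicit.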
\ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def b/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def
new file mode 100644
index 00000000..7a621af6
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Defines the engineID. (needs for trap)
+syntax:expression: pattern $VAR(@) "^([0-9a-f][0-9a-f]){1,16}$" ; "id must contain from 2 to 32 hex digits"
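Review bot: The pattern `^([0-9a-f][0-9a-f]){1,16}$` accepts only lowercase hex, while the message says "hex digits", so an engine ID typed in uppercase is rejected with a misleading error; use `[0-9a-fA-F]` in both positions or say "lowercase" in the message. The help text `Defines the engineID. (needs for trap)` would read better as `Defines the engine ID (required when type is 'trap')`, matching the commit expression added in trap-target/node.def.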
\ No newline at end of file
diff --git a/templates/service/snmp/v3/tsm/local-key/node.def b/templates/service/snmp/v3/tsm/local-key/node.def
index d238d310..4bc3d07b 100644
--- a/templates/service/snmp/v3/tsm/local-key/node.def
+++ b/templates/service/snmp/v3/tsm/local-key/node.def
@@ -1,8 +1,12 @@
 type: txt
 help: Defines the server certificate fingerprint or key-file name.
-allowed: sudo ls /etc/snmp/tls/certs
+allowed: if sudo [ -d /etc/snmp/tls/certs ]; then
+ sudo ls /etc/snmp/tls/certs 2> /dev/null
+ else
+ sudo ls /config/snmp/tls/certs 2> /dev/null
+ fi
 syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" ||
- exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \
+ exec "if sudo [ -f /etc/snmp/tls/certs/$VAR(@) -o -f /config/snmp/tls/certs/$VAR(@) ]; \
 then \
 exit 0; \
 else \
diff --git a/templates/service/snmp/v3/user/node.def b/templates/service/snmp/v3/user/node.def
index e6a8bc87..32e0f61f 100644
--- a/templates/service/snmp/v3/user/node.def
+++ b/templates/service/snmp/v3/user/node.def
@@ -1,6 +1,7 @@
 tag:
 type: txt
 help: Specifies the user with name username
-syntax:expression: pattern $VAR(@) "^[^-]*$" ; "characters '-' in name is not supported yet"
+syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)"
 commit:expression: $VAR(auth/) != "" || $VAR(tsm-key/) != ""; "must specify auth or tsm-key"
-commit:expression: $VAR(mode/) != ""; "must specify mode"
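Review bot: The new exec line interpolates `$VAR(@)` straight into `/etc/snmp/tls/certs/$VAR(@)` and `/config/snmp/tls/certs/$VAR(@)` with no check that it is a bare file name, and the pattern on the previous line is only the fingerprint alternative, so a value containing `/` or `..` is accepted whenever it resolves to an existing file outside the certs directories; add a preceding `syntax:expression: pattern $VAR(@) "^[^/]+$" ; "key-file name must not contain '/'"` so only a file directly under one of the two directories can be selected. The value is also unquoted, so a name with whitespace breaks the test, and `-o` inside `[ ... ]` is obsolescent in POSIX; `if sudo [ -f \"/etc/snmp/tls/certs/$VAR(@)\" ] || sudo [ -f \"/config/snmp/tls/certs/$VAR(@)\" ]; \` uses the escaping form the removed line already had. The tsm-key/node.def hunk adds the identical lines and needs the same change; the `else` branch of this exec continues outside the hunk.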
\ No newline at end of file
+commit:expression: $VAR(mode/) != ""; "must specify mode"
diff --git a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def
index e9f55a5f..b41be079 100644
--- a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def
+++ b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def
@@ -1,8 +1,12 @@
 type: txt
 help: Specifies finger print or file name of TSM certificate.
-allowed: sudo ls /etc/snmp/tls/certs
+allowed: if sudo [ -d /etc/snmp/tls/certs ]; then
+ sudo ls /etc/snmp/tls/certs 2> /dev/null
+ else
+ sudo ls /config/snmp/tls/certs 2> /dev/null
+ fi
 syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" ||
- exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \
+ exec "if sudo [ -f /etc/snmp/tls/certs/$VAR(@) -o -f /config/snmp/tls/certs/$VAR(@) ]; \
 then \
 exit 0; \
 else \
diff --git a/templates/service/snmp/v3/view/node.def b/templates/service/snmp/v3/view/node.def
index a83c978b..1fa589ae 100644
--- a/templates/service/snmp/v3/view/node.def
+++ b/templates/service/snmp/v3/view/node.def
@@ -1,5 +1,6 @@
 tag:
 type: txt
 help: Specifies the view with name viewname
-
-commit:expression: $VAR(oid/) != ""; "must configure an oid"
\ No newline at end of file
+syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)"
+commit:expression: $VAR(oid/) != ""; "must configure an oid"
diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.def
index beed3274..ca2a5c5d 100644
--- a/templates/service/snmp/v3/view/node.tag/oid/node.def
+++ b/templates/service/snmp/v3/view/node.tag/oid/node.def
@@ -1,4 +1,4 @@
 tag:
 type: txt
 help: Specifies the oid
-syntax:expression: pattern $VAR(@) "^[0-9]+(\.[0-9]+)*$" ; "oid must start from a number"
+syntax:expression: pattern $VAR(@) "^[0-9]+(\\.[0-9]+)*$" ; "oid must start from a number" |