from:
http://forums.cacti.net/viewtopic.php?f=12&t=6657
http://tosian.blogspot.tw/2008/08/snmp-on-linux-server.html
http://linux.die.net/man/8/snmpd_selinux
https://access.redhat.com/solutions/892923
=================================================================================================
洋蔥爸的工作雜記 (Onion Dad's Work Notes): SNMP on LINUX server, hands-on
1. First, find the line com2sec notConfigUser default public and change it as shown below (where 10.16.25.25 is the IP address of the SNMP server):
#com2sec notConfigUser default public
com2sec local localhost public
com2sec mynetwork 10.16.25.25 public
2. Next, find the group notConfigGroup v1 notConfigUser section and change it as shown below:
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
3. Then find the view all included .1 80 line and change it as shown below (remove the leading #):
## incl/excl subtree mask
view all included .1 80
4. Find the #access MyROGroup "" any noauth 0 all none none section and change it as shown below:
#access MyROGroup "" any noauth 0 all none none
#access MyRWGroup "" any noauth 0 all all all
access MyROGroup "" any noauth prefix all none none
access MyRWGroup "" any noauth prefix all all all
5. Finally, find the syslocation Unknown (configure /etc/snmp/snmp.conf) line and change it as shown below (syslocation tells others where your machine is located):
syslocation GangShan
syscontact Root (configure /etc/snmp/snmp.local.conf)
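Added example, not part of the quoted blog post: a small resolver for the com2sec/group/access chain above, to show what that configuration actually grants. With the same community string "public", a request from 10.16.25.25 lands in MyROGroup (read-only), a request from localhost lands in MyRWGroup (read-write), and any other source is dropped. The SNMPD_CONF text is constructed from the steps above with the commented-out defaults left out.

```python
import ipaddress

# Constructed from the snmpd.conf fragment in the steps above (the
# commented-out defaults are left out); this is not the author's file.
SNMPD_CONF = """
com2sec local     localhost   public
com2sec mynetwork 10.16.25.25 public
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
view all included .1 80
access MyROGroup "" any noauth prefix all none none
access MyRWGroup "" any noauth prefix all all all
"""

def parse(conf):
    """Collect com2sec / group / access directives; '#' comments are dropped."""
    rules = {"com2sec": [], "group": [], "access": []}
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] in rules:
            rules[tokens[0]].append(tokens[1:])
    return rules

def source_matches(src, addr):
    """com2sec SOURCE: 'default', 'localhost', one address or a CIDR network."""
    if src == "default":
        return True
    if src == "localhost":
        src = "127.0.0.1"
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False

def resolve(rules, community, addr, version):
    """(read_view, write_view) snmpd grants COMMUNITY from ADDR for VERSION
    ('v1'/'v2c'), or None when no com2sec/group/access chain matches."""
    # com2sec: the first matching line fixes the security name
    secname = next((sec for sec, src, comm in rules["com2sec"]
                    if comm == community and source_matches(src, addr)), None)
    if secname is None:
        return None
    groups = {g for g, model, sec in rules["group"] if model == version and sec == secname}
    # v1/v2c requests carry an empty context, so only a "" context entry can apply
    for group, ctx, model, _lvl, _match, rview, wview, _nview in rules["access"]:
        if group in groups and model in ("any", version) and ctx.strip('"') == "":
            return rview, wview
    return None
```

The read-write path from localhost is worth knowing about: any local process that can send UDP to 127.0.0.1:161 with the community "public" gets write access to the whole .1 subtree.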
=================================================================================================
from: Walkthrough on Postfix monitoring with Cacti
download:http://forums.cacti.net/download/file.php?id=4091
Installation:
1) Configure the SNMP agent on the mail server and make sure it is set up right.
2) Unzip the fetch_mail_statistics.pl script in a place of your choice. (I used /usr/local/bin)
3) Check that the perl path in the script points to the perl executable.
4) Add the following line to the snmpd.conf file:
pass .1.3.6.1.4.1.2021.255 /usr/local/bin/fetch_mail_statistics.pl /var/log/mail.log /var/log/mailstats.db .1.3.6.1.4.1.2021.255
5) Adjust the maillog filename and path to match your system. mailstats.db is used for internal script data storage; place it anywhere.
6) Import the template in Cacti.
==================================================================================================
in /var/log/audit/audit.log:
type=AVC msg=audit(1430250421.774:158725): avc: denied { read } for pid=22972 comm="fetch_mail_stat" name="maillog" dev=dm-0 ino=1444277 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1430250421.774:158725): arch=c000003e syscall=2 success=no exit=-13 a0=1813590 a1=0 a2=1b6 a3=7f65bb021d50 items=0 ppid=2219 pid=22972 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21015 comm="fetch_mail_stat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1430250421.781:158726): avc: denied { read } for pid=22973 comm="fetch_mail_stat" name="maillog" dev=dm-0 ino=1444277 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
HOW DO I FIX (SKIP) this security Deny?
Let's find the GOOGLE (YA!....... )
=================================================================================================
from: SELinux denial when running a script from snmp.conf that needs to create files in the /var/log/ directory
=================================================================================================
- The snmpd process only has access to files in /var/log labeled snmpd_log_t. The fix is to label the file it needs to access correctly.
- If it's a single file then change the label on the file it needs to access. If it's multiple files, then put these files in the /var/log/snmpd directory.
# chcon -t snmpd_log_t /path/to/file
from:snmpd_selinux(8) - Linux man page
Process Types
SELinux defines process types (domains) for each process running on the system
You can see the context of a process using the -Z option to ps
Policy governs the access confined processes have to files. SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
The following process types are defined for snmpd:
snmpd_t
Note: semanage permissive -a snmpd_t
can be used to make the process type snmpd_t permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
File Contexts
SELinux requires files to have an extended attribute to define the file type.
You can see the context of a file using the -Z option to ls
Policy governs the access confined processes have to these files. SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
The following file types are defined for snmpd:
snmpd_exec_t
- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain.
snmpd_initrc_exec_t
- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain.
snmpd_log_t
- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory.
snmpd_var_lib_t
- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory.
snmpd_var_run_t
- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run directory.
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.
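Added example, written for this page rather than taken from any of the quoted sources: it parses AVC records like the two from audit.log above, groups repeated denials, and for the one case these sources cover (snmpd_t denied on a var_log_t file) emits the persistent fix the man page note describes, semanage fcontext followed by restorecon, instead of a chcon that the next relabel undoes. The AVC record only carries name="maillog", not the full path, so the caller supplies a name-to-path map; the paths /var/log/maillog and /var/log/mailstats.db and the extra write denial on mailstats.db in the sample log are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records quoted above, the SYSCALL record
# that accompanies the first (trimmed), and one made-up write denial on
# mailstats.db so the grouping has more than one target to report.
AUDIT_LOG = """\
type=AVC msg=audit(1430250421.774:158725): avc: denied { read } for pid=22972 comm="fetch_mail_stat" name="maillog" dev=dm-0 ino=1444277 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1430250421.774:158725): arch=c000003e syscall=2 success=no exit=-13 comm="fetch_mail_stat" exe="/usr/bin/perl"
type=AVC msg=audit(1430250421.781:158726): avc: denied { read } for pid=22973 comm="fetch_mail_stat" name="maillog" dev=dm-0 ino=1444277 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1430250500.100:158800): avc: denied { write } for pid=31000 comm="fetch_mail_stat" name="mailstats.db" dev=dm-0 ino=1444300 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?denied \{ (?P<perms>[^}]*)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+)'
    r' tclass=(?P<tclass>\w+)')

def parse_avc(log):
    """Yield one dict per AVC record (SYSCALL and other types are skipped),
    with the SELinux type pulled out of each user:role:type:level context."""
    for line in log.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["stype"] = rec.pop("scon").split(":")[2]
            rec["ttype"] = rec.pop("tcon").split(":")[2]
            rec["perms"] = rec["perms"].split()
            yield rec

# Relabel rule from the Red Hat solution and snmpd_selinux(8) quoted above:
# snmpd_t may only touch /var/log files carrying the snmpd_log_t type.
RELABEL = {("snmpd_t", "var_log_t", "file"): "snmpd_log_t"}

def suggest(log, paths):
    """Group denials by (source type, target type, class, file name) and, for
    each group the table covers, emit the persistent fix: semanage fcontext
    records the label, restorecon applies it (chcon alone is temporary, see
    the man page note above). PATHS maps the AVC name= field to the full
    path, which the record itself lacks. Returns (commands, per-group counts)."""
    counts, commands = Counter(), []
    for rec in parse_avc(log):
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["name"])
        counts[key] += 1
        label, path = RELABEL.get(key[:3]), paths.get(rec["name"])
        if counts[key] == 1 and label and path:
            commands.append(f"semanage fcontext -a -t {label} '{re.escape(path)}'")
            commands.append(f"restorecon -v '{path}'")
    return commands, dict(counts)
```

Denials the table does not cover still show up in the counts but get no command; those are the ones to look at with audit2why rather than by making snmpd_t permissive.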
=================================================================================================
Finally, it works:
[root@ECserver log]# ls -aZ mailstats.db
-rw-r--r--. root root unconfined_u:object_r:snmpd_log_t:s0 mailstats.db
[root@ECserver log]# ls -aZ /usr/local/bin/fetch_mail_statistics.pl
-rwxrwxr-x. otaku119 otaku119 unconfined_u:object_r:bin_t:s0 /usr/local/bin/fetch_mail_statistics.pl
[root@ECserver log]# chcon -R -t snmpd_exec_t /usr/local/bin/fetch_mail_statistics.pl
[root@ECserver log]# ls -aZ /usr/local/bin/fetch_mail_statistics.pl
-rwxrwxr-x. otaku119 otaku119 unconfined_u:object_r:snmpd_exec_t:s0 /usr/local/bin/fetch_mail_statistics.pl