snmp-formula
Security issue when adding an SNMPv3 user with the formula
When adding an SNMPv3 user according to the formula:

```yaml
rwusers:
  - username: '<user>'
    authpassphrase: '<authpassphrase>'
    view: all
    authproto: 'SHA'
    privproto: 'AES'
    privpassphrase: '<privpassphrase>'
```
The formula adds two lines to the snmpd.conf file:

```
rwuser <user> auth -V all
createUser <user> SHA <authpassphrase> AES <privpassphrase>
```
The last line is what causes the security issue. When adding an SNMPv3 user by using net-snmp-create-v3-user, the first line is added to the snmpd.conf file located in /etc/snmp/. The second line is added to another snmpd.conf file, located in /var/lib/net-snmp/. When that line is read from the snmpd.conf file located in /var/lib/net-snmp/, the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it. Source: man page snmpd.conf

In the current situation, the formula adds the createUser line to the snmpd.conf file located in /etc/snmp/. Therefore, the line will not be removed and the passwords are visible to anyone who can access that snmpd.conf file.
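Two checks a defender can run against the behaviour described above, as an added example that is not part of the snmp-formula project or this issue: an audit that flags createUser lines left in a config file snmpd never rewrites, and the RFC 3414 passphrase-to-key derivation that explains what "the key that is derived from it" means (the stored localized key is bound to one engine ID and does not reveal the passphrase). The sample config, its credentials and the engine ID are constructed for the example.

```python
import hashlib
import re

# Constructed sample of what the formula writes into /etc/snmp/snmpd.conf.
# The passphrases are made up for the example.
SAMPLE_ETC_SNMPD_CONF = """\
rwuser monitor auth -V all
createUser monitor SHA examplepass1 AES examplepass2
rouser reader
"""

CREATE_USER_RE = re.compile(r"^\s*createUser\s+(\S+)\s+(MD5|SHA)\s+", re.I)


def find_plaintext_users(conf_text):
    """Usernames whose createUser line (and so their passphrases) sit in a
    file snmpd reads but never rewrites, such as /etc/snmp/snmpd.conf."""
    users = []
    for line in conf_text.splitlines():
        m = CREATE_USER_RE.match(line)
        if m:
            users.append(m.group(1))
    return users


def password_to_key(password, algo):
    """RFC 3414 A.2 Ku: hash exactly 1 MiB of the cyclically repeated passphrase."""
    pw = password.encode() if isinstance(password, str) else password
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algo, stream).digest()


def localize_key(ku, engine_id, algo):
    """RFC 3414 A.2 Kul = H(Ku || snmpEngineID || Ku): the per-engine key that
    replaces the passphrase once snmpd consumes a createUser line."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


if __name__ == "__main__":
    for user in find_plaintext_users(SAMPLE_ETC_SNMPD_CONF):
        print(f"FINDING: createUser line for {user!r} keeps passphrases in clear text")
    # Constructed engine ID; a real agent uses its own snmpEngineID.
    engine_id = bytes.fromhex("800000090300000000000001")
    ku = password_to_key("examplepass1", "sha1")
    print("stored instead of the passphrase:", localize_key(ku, engine_id, "sha1").hex())
```

The MD5 test vector from RFC 3414 A.3.1 (passphrase "maplesyrup", engine ID 0x000000000000000000000002) reproduces with these two functions.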
I have a workaround... Essentially, what I am doing here is running a script (this is SUSE Linux):
```yaml
run_snmpv3_config:
  pkg.installed:
    - pkgs:
      - net-snmp
  service.running:
    - name: snmpd
    - enable: true
    - require:
      - pkg: run_snmpv3_config
  cmd.script:
    - name: salt://run_snmpv3_config_cmd.sh
    - creates: /var/run/suma_run_snmpv3_config.state
    - require:
      - service: snmpd
```
```bash
#!/bin/bash
# run_snmpv3_config_cmd.sh
set -e
# Persistent store: snmpd turns createUser lines here into usmUser entries.
cfg1=/var/lib/net-snmp/snmpd.conf
# net-snmp-create-v3-user appends the rouser line here.
cfg2=/usr/share/snmp/snmpd.conf
# Stop the agent so it does not rewrite the files while they are edited.
service snmpd stop
# Remove every existing usmUser/createUser/rouser entry (all users, not only this one).
sed -i '/usmUser/d' "$cfg1"
sed -i '/createUser/d' "$cfg1"
sed -i '/rouser/d' "$cfg2"
# Recreate the read-only user; snmpd converts the createUser line on start.
/usr/bin/net-snmp-create-v3-user -ro -a SHA -A authpass -x AES -X privpass myrouser >/dev/null
service snmpd start
# Marker file checked by the state's "creates" so the script runs only once.
touch /var/run/suma_run_snmpv3_config.state
```
This is probably not a very "salted" approach but it does the trick.