The SNMP Agent snmpd
SNMP is the de facto standard for gathering information from network devices. Many different devices from many different vendors support SNMP as a management protocol.
OpenBSD includes an SNMP agent, snmpd(8), which supports all of the usual SNMP functions, and also offers visibility into OpenBSD-specific features such as packet filtering.
SNMP works according to the standard client/server model. The SNMP client (usually a server performing network management or monitoring) queries the SNMP server (or agent) running on a network device. The SNMP agent, snmpd, gathers information from the local system and returns it to the client.
In traditional SNMP, an SNMP client with the correct privileges can also request that the SNMP agent modify its device. Most Unix-like operating systems are designed to be configured at the command line and generally don’t accept write requests from SNMP. OpenBSD follows this trend, and we will focus specifically on read-only SNMP.
In addition to having an SNMP agent answer requests from an SNMP client, the agent can transmit SNMP traps to a trap receiver somewhere on the network. SNMP traps are much like syslogd(8) messages, except that they follow a specific format required by SNMP.
Note
OpenBSD does not include an SNMP trap receiver. If you need one, check out snmptrapd in the net-snmp package.
SNMP MIBs
SNMP manages information via a Management Information Base (MIB), which is a tree-like structure that contains hierarchical information in ASN.1 format. Each SNMP agent has a list of information it can extract from the local system, arranged in a hierarchical SNMP MIB with very general main categories, such as network, physical, programs, and so on.
Think of the MIB tree as a well-organized filing cabinet, where individual drawers hold specific information, and files within drawers hold particular facts. Similarly, the uppermost MIB contains a list of MIBs beneath it.
MIB References
MIBs can be referred to by name or number. For example, here’s a MIB pulled from an OpenBSD test machine:
interfaces.ifTable.ifEntry.ifDescr.1 = STRING: "em0"
The first term in this MIB, interfaces, tells us that we’re looking at this machine’s network interfaces. If this machine had no interfaces, this category would not even exist (although an OpenBSD machine will always have at least a loopback interface). The ifTable is the interface table, which is a list of all network interfaces on the system. The field ifEntry shows one particular entry, and ifDescr means that we’re looking at a description of this interface. This MIB could be expressed as “Interface number 1 on this machine is called em0.”
MIBs can also be expressed as numbers, and most SNMP clients do their work natively in numerical MIBs. Your management tool should be able to translate between numbers and names, but just so you’re not terribly surprised, here’s the earlier example in numerical form:
.1.3.6.1.2.1.2.2.1.2.1 = STRING: "em0"
Expressed in words, this MIB has five parts separated by dots. Expressed in numbers, the MIB has 11 parts. Aren’t they supposed to be the same thing? Well, the numerical MIB is longer because it includes the default address .1.3.6.1.2.1, which translates to .iso.org.dod.internet.mgmt.mib-2, the standard subset of MIBs used on the Internet. Most SNMP MIBs start with this string, so the management tools no longer bother printing out this name.
MIB Definitions
OpenBSD supports two groups of MIBs:
-
The standard host MIBs, which every network management system understands. This information includes network and disk space utilization, software running on the system, and so on.
-
MIBs for OpenBSD-specific functions, such as the packet filter, network failover, bridging, and so on. Most network management systems will not understand the OpenBSD-specific MIBs out of the box, so you’ll want to teach your management system about OpenBSD’s MIBs.
MIBs are defined according to a very strict syntax documented in MIB files. For example, snmpd includes MIB files for the OpenBSD-specific functions in /usr/share/snmp/mibs. These files are written in plaintext, in the very stilted and formal ASN.1 syntax. While you can read and interpret them with nothing more than your brain, I highly recommend copying them to your network management workstation and using an SNMP client to examine them.
MIB browsers interpret MIB files and present them in their full tree-like splendor, complete with definitions of each part of the tree and descriptions of each MIB, taken from the MIB files. Generally speaking, you enter a MIB in the MIB browser, which displays its numerical and word descriptions, and offers the ability to query an SNMP agent for that MIB.
If you don’t already have a MIB browser on your OpenBSD workstation, use the mbrowse package. If you don’t want a graphical interface, use the net-snmp package for a full assortment of command-line SNMP client tools, but be prepared to type some long command lines.
SNMP Security
The most common alternate acronym for SNMP is “Security? Not My Problem!” This is unkind, but true. You should use SNMP only behind firewalls or on trusted networks. If you must use SNMP on the naked Internet, employ packet filtering to keep the public from querying your SNMP service. SNMP agents run on UDP port 161, so allow your management hosts access to that port on only your SNMP hosts.
SNMP provides basic security through communities. If you read the SNMP documentation, you’ll see all kinds of explanations of why a community is not the same as a password, but as far as a sysadmin is concerned, a community is a password.
Most SNMP agents have two communities by default: public (read-only access) and private (read-write access). OpenBSD’s snmpd daemon supports both of these communities by default. One of your first tasks will be to change these community names to something that the whole world doesn’t know. Just like passwords, community names should be hard for intruders to guess and easy for you to remember.
As you might expect, there have been various versions of SNMP. Version 1 was the first attempt. Version 2c (SNMPv2c) is the more commonly deployed update. Version 3 (SNMPv3) uses encryption to protect data on the wire, and it includes strong authentication. In practice, few vendors actually use it because it’s very complicated. The snmpd daemon has partial support for SNMPv3. Here, we’ll focus on the completely supported SNMPv2c.
Configuring snmpd
Configure snmpd in /etc/snmpd.conf. The configuration format is a series of text statements. Defining new community strings overrides the defaults of public and private.
We start by defining new read-only and read-write community strings, as follows:
read-only community hansteen read-write community henning
In general, most snmpd configuration statements look like these two. The snmpd.conf(5) man page lists all valid snmpd.conf configuration statements.
Every SNMP system is expected to list a contact, a description, and a location, as in this example:
system contact "[email protected]" system description "Web server" system location "Rack Row 9, Cabinet 6, Under the Meal Replacement Bars"
Many network management systems will automatically pull in this information to populate the database. Here, I’ve defined these values for my system. Make similar entries for your system.
The default snmpd.conf listens to only the localhost IP address, 127.0.0.1, so outside hosts cannot contact the SNMP daemon. If you want to listen on all available addresses, comment out the lines, like the following, that specify an address.
listen_addr="127.0.0.1" listen on $listen_addr
Alternatively, you can give an interface IP address to have snmpd listen to a specific external IP address for those machines with many addresses.
listen_addr="192.0.2.5"
With this configuration, snmpd can provide information about your system. Enable it in /etc/rc.conf.local.
snmpd_flags=""
This will start snmpd at boot, or you can run /etc/rc.d/snmpd.
Debugging snmpd
SNMP can be an annoying protocol to debug. For one, because it’s UDP, there’s no easy way to test connectivity to the agent. Also, it runs fairly silently, in that it doesn’t log queries.
To verify that queries from your network management system are reaching your server, try running snmpd in verbose mode and with debugging.
# snmpd -vd
startup
snmpe_bind: binding to address 0.0.0.0:161
When an SNMP query reaches your server, you should see the server parse the requests. By the same token, snmpd is very good about telling you why it can’t provide an answer.
snmpe_parse: 192.0.2.197: wrong read community
Errors, like the following, that arise from requests for a nonexistent MIB are a little more difficult to understand.
snmpe_parse: 192.0.2.197: SNMPv1 'henning' context 1 request 1141724535 snmpe_parse: 192.0.2.197: oid iso.org.dod.internet.private.enterprises.2041 snmpe_parse: 192.0.2.197: SNMPv1 'henning' context 0 request 1141724536 snmpe_parse: 192.0.2.197: oid iso.org.dod.internet.private.enterprises.2041 snmpe_parse: 192.0.2.197: invalid varbind element, error index 1
Here, the MIB request is trying to find the object identifier (OID) iso.org.dod.internet.private.enterprises.2041, but OpenBSD’s snmpd does not support that. (It does support 202
1, part of the Net-SNMP MIB.) The SNMP client is requesting an invalid MIB.
This example shows a successful request and the MIB that snmpd sends in response:
snmpe_parse: 192.0.2.197: SNMPv1 'henning' context 1 request 1531862688 snmpe_parse: 192.0.2.197: oid iso.org.dod.internet.private.enterprises.ucDavis
By reading the output carefully, you should be able to see why snmpd is not answering requests as expected.
Getting snmpd Information
The most important feature of SNMP is that it lets you read statistics from the operating system and/or software. In addition to the usual features supported by SNMP, such as resource utilization and processes, snmpd lets you grab OpenBSD-specific system information. You can get information about the packet filter, sensor data, interface memory, and Command Address Redundancy Protocol (CARP). All of this appears under the .1.3.6.1.4.1.30155 MIB, OpenBSD’s private (enterprise) MIB tree.
The PF SNMP MIB
The OpenBSD packet filtering feature keeps a lot of statistics, and everything I’ve ever wanted is available through the PF MIB. You’ll find information such as the following:
-
Whether PF is on, and how long has it been running (in hundredths of a second)
-
The number of packets that have matched filter rules
-
The number of fragments and reassembled packets
-
The number of packets dropped because of memory problems, internal packet-filtering problems, overfilling the state tables, and so on
-
The number of states added and removed from the state table
-
The number of timeouts of various protocols
-
The amount of traffic blocked on each interface
-
Packet filtering table usage, number of addresses in each table
And there’s more. The PF SNMP MIB gives you more useful visibility into packet filtering. Point your MIB browser at the .1.3.6.1.4.1.30155.1 MIB to see everything.
Sensors
You can view the same kernel values processed by sensorsd(8) (see Chapter 15) via snmpd, including a list of sensors on this device, the value reported by the sensor, and whether each sensor is in an alarm state. This means you can use snmpd instead of sensorsd to monitor your hardware.
To view sensor data via SNMP, examine the MIB tree .1.3.6.1.4.1.30155.2.
Interface Memory
You can view the amount of memory used by an interface, and how often (if ever) an interface was starved for memory as a result of system load. View the MIB tree .1.3.6.1.4.1.30155.5 to see these values.
CARP
CARP is an OpenBSD invention for sharing one address between two or more machines. It was designed to provide highly available IP services. The snmpd daemon exposes CARP’s innards, including these items:
-
The name of each CARP interface
-
CARP configuration values (preemption,
advskew, and so on) -
The number of IPv4 and IPv6 packets received
-
The number of packets discarded for various reasons
-
The number of times the host has become master
To see the CARP MIB tree, view .1.3.6.1.4.1.30155.6.
Other MIBs
The snmpd daemon is constantly being expanded. According to the MIB files, they’ve reserved space for IPsec and relayd(8). Check /usr/share/snmp/mibs for additional MIB files, and use your MIB browser to see what your specific version of OpenBSD supports. The OpenBSD team adds MIBs as they’re needed and as code is contributed. If you need IPsec MIBs, feel free to write and submit the code.