Cacti: extend SNMP with a custom script


I have created a graph in Cacti about the time to access a specific page on our infrastructure, using Cacti and net-snmp.

I have extended the capability by adding two new lines to the file /etc/snmp/snmpd.conf:

extend stat_page1 /usr/local/bin/cacti/access_page.sh context1
extend stat_page2 /usr/local/bin/cacti/access_page.sh context2

I have restarted the snmpd daemon to load this configuration.

The script called is described below, with other values, because for some reason I can't show the real ones.

#!/bin/bash

domain="mydomain"
cookie_name="myCookie"
token="myToken"

if [ $# -eq 1 ]; then
    if [ "$1" = "context1" ]; then
        target_url="https://${domain}/${1}/page1.html"
        # total request time in seconds, response body discarded
        TIME=$(curl -s -w "%{time_total}" -o /dev/null --cookie "${cookie_name}=${token}" "${target_url}")
        echo "$TIME"
    elif [ "$1" = "context2" ]; then
        target_url="https://${domain}/${1}/page2.html"
        TIME=$(curl -s -w "%{time_total}" -o /dev/null --cookie "${cookie_name}=${token}" "${target_url}")
        echo "$TIME"
    fi
fi

If I launch the script manually I get this:

$ /usr/local/bin/cacti/access_page.sh context2
0.061
$ /usr/local/bin/cacti/access_page.sh context1
0.041

When I launch the script via snmpget, I get this result:

snmpwalk -v2c -c myCommunity localhost NET-SNMP-EXTEND-MIB::nsExtendOutput2Table 
NET-SNMP-EXTEND-MIB::nsExtendOutLine."stat_page1".1 = STRING: 0.000
NET-SNMP-EXTEND-MIB::nsExtendOutLine."stat_page2".1 = STRING: 0.000

Every time, I get the value 0.000 from the snmp command, but a real value manually.

Could you help me with it, please?
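An added example, not the asker's script, of the same kind of extend helper written so that a failing curl is reported instead of silently turning into 0.000 in nsExtendOutput2Table. Everything snmpd's extend script writes to stderr ends up in the snmpd log, so the exit code is logged there and a sentinel value of -1 is returned to SNMP. The variable CURL_BIN and the placeholder domain, cookie name and token are assumptions introduced for this example (the override exists so the functions can be exercised without network access).

```shell
#!/bin/sh
# Added example (not the asker's script): an snmpd "extend" helper that makes
# curl failures visible instead of silently reporting 0.000.
# Assumptions (not from the question): CURL_BIN lets a test substitute the curl
# binary; real use leaves it at the default "curl". The domain, cookie name and
# token are constructed placeholder values.
CURL_BIN="${CURL_BIN:-curl}"
DOMAIN="${DOMAIN:-mydomain}"
COOKIE_NAME="${COOKIE_NAME:-myCookie}"
COOKIE_TOKEN="${COOKIE_TOKEN:-myToken}"

# measure_page URL
# Prints the total request time in seconds on success.
# On any curl failure prints -1 and writes the curl exit code to stderr, which
# snmpd forwards to its log, so the cause shows up in "systemctl status snmpd"
# or "journalctl -u snmpd" instead of an unexplained 0.000 over SNMP.
measure_page() {
    url=$1
    t=$("$CURL_BIN" -s -o /dev/null -w '%{time_total}' \
            --cookie "${COOKIE_NAME}=${COOKIE_TOKEN}" \
            --max-time 10 "$url")
    rc=$?
    if [ "$rc" -ne 0 ] || [ -z "$t" ]; then
        echo "measure_page: curl exit code $rc for $url" >&2
        echo "-1"
        return 1
    fi
    echo "$t"
}

# page_url CONTEXT
# Maps the extend argument ("context1"/"context2" as in the question) to a URL.
# Unknown arguments are rejected loudly instead of producing no output at all.
page_url() {
    case $1 in
        context1) echo "https://${DOMAIN}/context1/page1.html" ;;
        context2) echo "https://${DOMAIN}/context2/page2.html" ;;
        *) echo "page_url: unknown context: $1" >&2; return 1 ;;
    esac
}

# Only measure when run directly with one argument (as snmpd does), so the
# functions can also be sourced and tested in isolation.
if [ "$#" -eq 1 ]; then
    url=$(page_url "$1") || exit 2
    measure_page "$url"
fi
```

With this in place, a denied connect no longer looks like a fast page; the graph shows -1 and the snmpd log carries curl's "(7) Failed to connect" message, which is exactly the trace that pointed the accepted answer below at SELinux.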


There are 2 answers

user7364588 On

Recently I had an issue with snmp and an execution script that calls the curl command.

This post was the closest to my problem when I searched for solutions.

I found a solution without disabling SELinux.

I am a newbie in SELinux but I solved this issue with some SELinux configuration, which could interest someone in the future.

Context:

  • CentOS 7

  • Content of the SNMP configuration file /etc/snmp/snmpd.conf:


#       sec.name    source      community
com2sec myuser      default     public
#       groupName   securityModel   securityName
group   mygroup     v2c     pad
#       name        incl/excl   subtree         mask(optional)
view    systemview  included    .1.3.6.1.4
view    systemview  included    .1.3.6.1.4.1
view    systemview  included    .1.3.6.1.4.1.1234
view    systemview  included    .1.3.6.1.4.1.1234.1
#       group   context sec.model   sec.level   prefix  read        write   notif
access  mygroup ""  any     noauth      exact   systemview  none    none
perl do "/appli/snmp_scripts/agent.pl"

  • SNMP agent agent.pl:

#!/usr/bin/perl

use NetSNMP::agent (':all');
use NetSNMP::ASN qw(ASN_OCTET_STR ASN_INTEGER);

# GET handler: for the one OID we serve, return the script's output as a string.
sub handler {
  my ($handler, $registration_info, $request_info, $requests) = @_;
  my $request;

  for ($request = $requests; $request; $request = $request->next()) {
    my $oid = $request->getOID();
    if ($request_info->getMode() == MODE_GET) {
      if ($oid == new NetSNMP::OID(".1.3.6.1.4.1.1581.1.6.2.1.5")) {
        # The script runs inside snmpd, i.e. in the snmpd_t SELinux domain.
        my $out = `/path/to/myscript`;
        chomp $out;
        $request->setValue(ASN_OCTET_STR, $out);
      }
    }
  }
}

# $agent is predefined by snmpd's embedded Perl ("perl do" in snmpd.conf).
my $AGENT_OID = ".1.3.6.1.4.1.1234";
$agent->register("MYAGENT", $AGENT_OID, \&handler);

Solution:

When I looked for traces of the execution, with sudo systemctl status snmpd, some traces of curl were displayed:

snmpd: curl: (7) Failed to connect to 127.0.0.1:8081 Permission denied

However, the server was running well at this port and the script executed outside SNMP worked well.

SELinux errors had been generated in the audit logs:

$> sudo grep snmp /var/log/audit/audit.log | audit2allow -w -a
type=AVC msg=audit(1528188940.802:2025): avc:  denied  { name_connect } for  pid=26809 comm="curl" dest=8081 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

$> sudo grep snmp /var/log/audit/audit.log | audit2allow -M mysnmpmodule

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i snmpdcanopensocket.pp

Follow the step told by the audit2allow command to apply the newly created module for snmp_t to SELinux. The audit2allow -M command generated two files, snmpdcanopensocket.pp and snmpdcanopensocket.te, in your current directory. SELinux needs the .pp file to load its new security rules.

$> semodule -i snmpdcanopensocket.pp

Restart the SNMP service with sudo systemctl restart snmp

Now the curl in the script executed by SNMP behaves well and does not quit with a (7) error code.
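An added example, not part of the answer above, for the triage step before running semodule -i. A module generated by audit2allow grants the whole snmpd_t domain every denied access found in the log, so it is worth reading the denials and the allow rules they imply first. The two helper functions below summarise AVC records and print the TE allow rules audit2allow would derive from them; the sample audit lines are constructed for this example (the first one mirrors the denial quoted above, the second is an invented file-read denial added to show a second rule).

```shell
#!/bin/sh
# Added example (not from the answer): triage SELinux AVC denials raised by an
# snmpd extend script before installing an audit2allow module.

# Constructed sample input: the denial quoted in the answer plus an invented
# file-read denial and an unrelated SYSCALL record that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1528188940.802:2025): avc:  denied  { name_connect } for  pid=26809 comm="curl" dest=8081 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1528188941.100:2026): avc:  denied  { read } for  pid=26810 comm="curl" name="cookies" dev="dm-0" ino=123 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1528188940.802:2025): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary < audit-lines
# Emits one tab-separated line per AVC denial:
#   comm  permission  source_type  target_type  class  dest_port(or -)
avc_summary() {
    awk '
        /type=AVC/ && /denied/ {
            perm = ""; comm = ""; src = ""; tgt = ""; cls = ""; dest = "-"
            # the denied permission(s) sit between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   { cls = kv[2] }
                if (kv[1] == "dest")     { dest = kv[2] }
            }
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", comm, perm, src, tgt, cls, dest
        }'
}

# proposed_rules < audit-lines
# Prints the unique "allow SOURCE TARGET:CLASS PERM;" rules that audit2allow
# would put into the .te file, so the scope of the module can be reviewed.
proposed_rules() {
    avc_summary | awk -F'\t' '
        {
            r = "allow " $3 " " $4 ":" $5 " " $2 ";"
            if (!(r in seen)) { seen[r] = 1; print r }
        }'
}

# Demo on the constructed sample when run as "./avc_triage.sh --demo";
# on a real host pipe the output of: sudo grep snmp /var/log/audit/audit.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
    printf '%s\n' "$SAMPLE_AUDIT" | proposed_rules
fi
```

For the denial in the answer this prints "allow snmpd_t transproxy_port_t:tcp_socket name_connect;", which is what the generated module grants: any program snmpd runs may then connect to any port labelled transproxy_port_t, not just this one script to 8081. Seeing the rule spelled out before semodule -i is the point of the check.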

Armali On

I have done this test, and when I call the script I get permission denied when I do this: line 34: /tmp/echo-curl: Permission denied, and I have done a script with just id to be sure that it is launched with a privileged user.

I have found the source of the problem, which is probably due to SELinux enforcing – user3249935