Configuring the snmpd service in the operating system

Interaction with Kaspersky Web Traffic Security over SNMP is achieved using the 'snmpd' service of the operating system. The snmpd service acts as a master agent, receiving and processing requests from monitoring systems and other external consumers over SNMP. Kaspersky Web Traffic Security connects to the snmpd service as a subagent over the AgentX protocol through a UNIX™ socket.

Installing the snmpd service

If Kaspersky Web Traffic Security was installed from an ISO file, no further actions are necessary. If Kaspersky Web Traffic Security was installed from an RPM or DEB package, make sure that the snmpd service is installed in your operating system. If the service is not installed, install the appropriate packages.

To install the snmpd service and auxiliary utilities

enter the following command:

Creating a user account for access to the data

Before creating the account, stop the snmpd service.

To ensure the security of access to the data over SNMPv3 with authentication and encryption, you need to create a user account on the snmpd service side with the following information:

For security purposes, we recommend using an independent user account on each node of the Kaspersky Web Traffic Security cluster.

You can create a user account in the following ways:

To create a user account using the net-snmp-create-v3-user utility:

  1. If Kaspersky Web Traffic Security was installed from an ISO file, connect to the management console of the Kaspersky Web Traffic Security virtual machine under the root account using the SSH private key. This takes you to the Technical Support Mode.

    If Kaspersky Web Traffic Security was installed from an RPM or DEB package, start the command shell of the operating system to run commands with superuser (system administrator) permissions.

  2. Run the following command:

    net-snmp-create-v3-user -ro -a <authentication algorithm> -x <encryption algorithm> <user name>

Authentication and encryption passwords are requested interactively.

Example:

net-snmp-create-v3-user -ro -a SHA -x AES MonitoringUser

To create a user account without the utility:

  1. Start an operating system command shell to run commands with superuser (system administrator) permissions.
  2. Create the /var/lib/snmp/snmpd.conf configuration file:

    touch /var/lib/snmp/snmpd.conf

  3. Add the following line to the configuration file:

    createUser <user name> <authentication algorithm> "<authentication password>" <encryption algorithm> "<encryption password>"

    Example:

    createUser MonitoringUser SHA "MonitoringAuthSecret" AES "MonitoringPrivSecret"

Creating a user account for receiving SNMP traps

To receive SNMP traps over SNMPv3 with authentication and encryption, you need to create an account on the side of the monitoring system in the context of the corresponding service (usually the snmptrapd service).

The account must contain the following information:

For security purposes, you must use separate user accounts for access to data and for receiving SNMP traps.
We recommend creating independent user accounts for receiving SNMP traps from each node of the Kaspersky Web Traffic Security cluster.

For instructions on creating a user account for receiving SNMP traps, refer to the documentation of your monitoring system.

Configuring the snmpd service

The configuration of the snmpd service is stored in the /etc/snmp/snmpd.conf file. You must create a new configuration file and add to it the following lines in the given order.

To configure the snmpd service:

  1. If Kaspersky Web Traffic Security was deployed from an ISO file, connect to the management console of the Kaspersky Web Traffic Security virtual machine as root using the SSH private key. This takes you to the Technical Support Mode.

    If Kaspersky Web Traffic Security was installed from an RPM or DEB package, start the command shell of the operating system to run commands with superuser (system administrator) privileges.

  2. Create a new configuration file and set access permissions for it:

    mv -f /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup

    touch /etc/snmp/snmpd.conf

    chown root:root /etc/snmp/snmpd.conf

    chmod 600 /etc/snmp/snmpd.conf

  3. Specify the protocol, network interface address, and port number on which the snmpd service must listen for incoming requests.
    • If you want to listen for requests on all network interfaces, add the following lines to the configuration file:

      # Listen for incoming SNMP requests via UDP

      agentAddress udp:161

    • If you want to listen for requests only on the local network interface, for example, if the monitoring system is installed on the same machine, add the following lines:

      # Listen for incoming SNMP requests via UDP

      agentAddress udp:127.0.0.1:161

  4. Specify the path and permissions for the UNIX socket on which the snmpd service must listen for subagent connections over the AgentX protocol. To do so, add the following lines to the configuration file:

    # Listen for subagent connections via UNIX socket

    master agentx

    agentXSocket unix:/var/run/agentx-master.socket

    agentXPerms 770 770 kluser klusers

  5. If necessary, you can provide a system description, location of the system, and the contact address of the administrator. To do so, add the following lines to the configuration file:

    # Basic system information

    sysDescr <system description>

    sysLocation <system location>

    sysContact <contact address of the administrator>

    sysServices 72

  6. Specify the scope of the OID tree that you want to be available to your monitoring system via the SNMP protocol. To have access to Kaspersky Web Traffic Security data, add the following lines to the configuration file:

    # Kaspersky Web Traffic Security SNMP statistics

    view monitoring included .1.3.6.1.4.1.23668.2022

  7. If necessary, you can additionally specify the scope of the OID tree containing information about the operating system that is stored by the snmpd service. This scope will be available to your monitoring system.

    Information about the operating system includes, for example, information about CPU and RAM usage, free space on disk partitions, load of network interfaces; a list of installed software; a list of open network connections; and a list of running processes. Part of this information may be confidential.

    • If you want to allow access only to general system information and information about the usage of RAM, CPU, and disk devices, add the following lines to the configuration file:

      # SNMPv2-MIB - Basic system information

      view monitoring included .1.3.6.1.2.1.1

      # HOST-RESOURCES-MIB - CPU, Memory, Filesystems

      view monitoring included .1.3.6.1.2.1.25.1

      view monitoring included .1.3.6.1.2.1.25.2

      view monitoring included .1.3.6.1.2.1.25.3

      view monitoring included .1.3.6.1.2.1.25.5

      # UCD-SNMP-MIB - Memory and CPU usage

      view monitoring included .1.3.6.1.4.1.2021.4

      view monitoring included .1.3.6.1.4.1.2021.10

      view monitoring included .1.3.6.1.4.1.2021.11

      # UCD-SNMP-DISKIO-MIB - Block devices I/O statistics

      view monitoring included .1.3.6.1.4.1.2021.13

      # IF-MIB - Network interfaces I/O statistics

      view monitoring included .1.3.6.1.2.1.2

      view monitoring included .1.3.6.1.2.1.31

    • If you want to allow access to all system information, add the following lines to the configuration file:

      # Allow access to the whole OID tree

      view monitoring included .1

  8. Specify the access mode and scope of information for the created user account. To do so, add the following lines to the configuration file:

    # Access control for SNMPv3 monitoring system user

    rouser <user name> priv -V monitoring

  9. To send SNMP traps, specify the IP address of the monitoring system and user credentials for receiving traps. To do so, add the following lines to the configuration file:

    # Send SNMPv3 traps to the monitoring system

    trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u <user name for receiving traps> -a <authentication algorithm> -A "<user password for receiving traps>" -x <encryption algorithm> -X "<encryption password>" udp:<IP address>:162

The snmpd service will be configured.

To integrate with multiple monitoring systems, create a separate user account for each system, specify the scope of available information for each user account (the 'view' and 'rouser' directives) and configure the sending of SNMP traps (the 'trapsess' directive).

Example of an snmpd service configuration file

Starting the snmpd service with the new configuration

To apply the new configuration:

  1. Restart the snmpd service:

    systemctl restart snmpd

  2. Check the status of the snmpd service:

    systemctl status snmpd

    The status must be running.

  3. Allow the service to start automatically at operating system startup:

    systemctl enable snmpd

  4. If you are using a firewall in your operating system or network equipment, add rules to let SNMP packets through.

The snmpd service is configured.

Checking the health of the snmpd service

To test the snmpd service, configure the use of SNMP in the Kaspersky Web Traffic Security web interface and request SNMP data using the 'snmpwalk' utility.

To get the scopes of SNMP data provided by Kaspersky Web Traffic Security, run the following command:

snmpwalk -v3 -l authPriv -u <user name> -a <authentication algorithm> -A "<authentication password>" -x <encryption algorithm> -X "<encryption password>" <IP address> .1.3.6.1.4.1.23668.2022

Example:

snmpwalk -v3 -l authPriv -u MonitoringUser -a SHA -A "MonitoringAuthSecret" -x AES -X "MonitoringPrivSecret" 127.0.0.1 .1.3.6.1.4.1.23668.2022

Page top