A colleague expressed some concern about my hardening of the SNMP service:

"Without tons of experimentation, we don't know if what you did locks down too tight, and for a large company using a vendorware SNMP management station, you might have broken monitoring in favour of hardening" -- Patrick Matlock, 10/10/2000.

Patrick suggested that we explore the SNMP service with the tool snmpwalk(1), to see what variables are available before hardening and what remains after hardening. That tool is part of the UCDavis SNMP suite (UCD-SNMP), which we have installed on some systems (you won't find any vendor-provided tools on Solaris to query the service unless you've installed some value-added packages). Here's an example of how you can use it to find out about "system" values. The arguments to the command are the system (e.g. "dilbert" is a computer name), the community (e.g. "public" and "private" are the defaults), and the optional objectId (i.e. the thing(s) you want to know about). I understand that the objectIds are all strings that begin with one of these: "at", "icmp", "interfaces", "ip", "snmp", "system", "tcp" and "udp".

[1:38pm wally] snmpwalk dilbert public system
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (619954285) 71 days, 18:05:42.85
system.sysContact.0 = dilbert@ist.uwaterloo.ca
system.sysName.0 = dilbert
system.sysLocation.0 = Machine Room, UW/IST, MC
system.sysServices.0 = 72

We discovered, and this came as quite a surprise to me, that we had not lost any SNMP values through hardening. Here's how we determined that:
If system-a has a vendor-configured service and system-b has a hardened service (as above, but also configured to let wally be a "manager" for the system), then each of them returns the same 150 things. I'm very confident (touch wood) that we've not sacrificed any data by hardening.

[1:39pm wally] snmpwalk system-a public | \
    sed -e 's/[0-9.]* =.*//' | sort -fu > /tmp/system-a
[1:40pm wally] snmpwalk system-b public | \
    sed -e 's/[0-9.]* =.*//' | sort -fu > /tmp/system-b
[1:40pm wally] diff /tmp/system-a /tmp/system-b

(The sed strips the instance index and the "= value" part from each line, so the diff compares the sets of variable names rather than their values, which would differ between two hosts anyway, for sysUpTime at least. An empty diff means the hardened agent still exposes every variable the vendor-configured one does.)

The "private" things returned by an snmpwalk make a very small list (7 things), and again that's no different pre/post-hardening.
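As an added example (not part of the original page or its session transcript), here is the same name-set comparison written as a small script that runs offline: it applies the sed|sort normalisation from the transcript to constructed snmpwalk(1) output, lists the variables an agent lost, and treats an empty walk (agent down, or refusing the host you are walking from) as a failure in its own right rather than as "nothing lost". The function names, the three constructed walks and the over-tightened third agent are assumptions made for illustration; only the sed expression and the "system" values are taken from the page.

```sh
#!/bin/sh
# Added example (not the page's own session): compare the SNMP variable
# names two agents expose, using the same sed|sort normalisation as the
# transcript above, over constructed snmpwalk(1) output so it runs offline.

# Reduce snmpwalk output to bare variable names: strip the instance index
# (".0", ".1", ...) and the " = value" tail, then sort and dedupe with
# case folding so the rows of a table collapse to one name per column.
walk_names() {
    sed -e 's/[0-9.]* =.*//' | sort -fu
}

# Print names found in the before-hardening list ($1) that are missing
# from the after-hardening list ($2). FILENAME is used instead of the
# usual NR==FNR idiom so an empty second file does not mask everything.
lost_names() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# Constructed walk of a vendor-configured agent (assumption, modelled on
# the "system" output shown on the page plus a two-interface ifTable).
walk_before() {
cat <<'EOF'
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (619954285) 71 days, 18:05:42.85
system.sysContact.0 = dilbert@ist.uwaterloo.ca
system.sysName.0 = dilbert
system.sysLocation.0 = Machine Room, UW/IST, MC
system.sysServices.0 = 72
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifDescr.1 = lo0
interfaces.ifTable.ifEntry.ifDescr.2 = le0
EOF
}

# Constructed walk of a correctly hardened agent: the same variables,
# with the values that legitimately differ between hosts changed.
walk_after_ok() {
cat <<'EOF'
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (1234567) 0 days, 3:25:45.67
system.sysContact.0 = wally@ist.uwaterloo.ca
system.sysName.0 = wally
system.sysLocation.0 = Machine Room, UW/IST, MC
system.sysServices.0 = 72
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifDescr.1 = lo0
interfaces.ifTable.ifEntry.ifDescr.2 = hme0
EOF
}

# Constructed walk of an over-tightened agent: sysLocation and the whole
# ifDescr column are gone, the kind of loss a management station notices.
walk_after_broken() {
cat <<'EOF'
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (42) 0 days, 0:00:00.42
system.sysContact.0 = wally@ist.uwaterloo.ca
system.sysName.0 = wally
system.sysServices.0 = 72
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
EOF
}

# An agent that answers nothing (down, or refusing this manager host).
walk_after_empty() {
    :
}

# compare_walks BEFORE_FN AFTER_FN: print every variable the second walk
# lost. Returns 0 if nothing was lost, 1 if something was, 2 if the second
# walk was empty (no answer is not the same as "nothing lost").
compare_walks() {
    cw_before=$(mktemp) || return 3
    cw_after=$(mktemp) || return 3
    "$1" | walk_names > "$cw_before"
    "$2" | walk_names > "$cw_after"
    if [ ! -s "$cw_after" ]; then
        rm -f "$cw_before" "$cw_after"
        echo "no variables returned: agent down or refusing this host?" >&2
        return 2
    fi
    cw_lost=$(lost_names "$cw_before" "$cw_after")
    rm -f "$cw_before" "$cw_after"
    [ -z "$cw_lost" ] && return 0
    printf '%s\n' "$cw_lost"
    return 1
}

# Demonstration for a stand-alone run.
compare_walks walk_before walk_after_ok && echo "hardened agent: nothing lost"
compare_walks walk_before walk_after_broken || echo "over-tightened agent: the variables above were lost"
```

Two practical notes. The transcript uses the old UCD-SNMP command line, where host and community are positional; the net-snmp snmpwalk that replaced it takes them as options ("-v 1 -c public host"), so substitute accordingly if you feed real walks into walk_names. And this comparison proves only that a permitted manager still sees everything; the other half of checking a hardened agent is to run the same walk from a host that is not configured as a manager and confirm it gets nothing back, which is exactly the return-2 case above.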