To configure public SNMP services on a Solaris 8 server and restrict the service to a short list of managers we recommend the steps below. If you follow these recommendations you will have eliminated three daemons (snmpdx(1M), dmispd(1M) and snmpXdmid(1M)) and nine network entry points. You'll have only one daemon (mibiisa(1M)) and one network entry point -- the snmp port serviced by that daemon. You will have made your system more secure.
- First, make sure you have configured syslogd(1M) to be far more verbose about logging what's happening. We recommend a very verbose audit (at least during the install):
    [2:39 wally] grep /syslog /etc/syslog.conf
    #mail.debug        ifdef(`LOGHOST', /var/log/syslog, @loghost)
    *.debug            ifdef(`LOGHOST', /var/log/syslog, @loghost)

The default configuration logs everything to do with mail services at the debug level to the file /var/log/syslog. We recommend you log everything (the "*.debug" line above, with the original "mail.debug" line commented out) to the same file. Note that syslog.conf(4) requires a tab, not spaces, between the selector and the action, and that syslogd(1M) must be sent a HUP signal before it reads the new configuration. When things go wrong, as they sometimes do, a good audit trail will be important.
- Stop the vendor provided SNMP and DMI services on your system:
    [2:40pm wally]# cd /etc/init.d
    [2:40pm wally]# ./init.dmi stop
    [2:40pm wally]# ./init.snmpdx stop

If you want to restart those services run the shell scripts with a "start" option instead. You may find these scripts with different names on other versions of Solaris (but I suspect not).
- Configure the boot sequence so the vendor provided SNMP and DMI services aren't restarted at next reboot:
    [2:41pm wally]# cd /etc/rc3.d
    [2:41pm wally]# mv S76snmpdx No.S76snmpdx
    [2:41pm wally]# mv S77dmi No.S77dmi

Renaming the startup scripts effectively removes them from the boot sequence (the rc scripts only run files whose names begin with "S" or "K"). You may find these scripts with different names on other versions of Solaris (but I suspect not).
- Configure the "managers" that can send SNMP requests to the mibiisa(1M) server -- edit the snmpd.conf file. Here's what we use (note that we've filled in the "system" information, restricted the service to only "public" information, tossed anything to do with "traps" and restricted the managers to just ratbert):
    [2:43pm wally]# cd /etc/snmp/conf
    [2:43pm wally]# egrep -v '^$|^#' snmpd.conf
    sysdescr                      Sun SNMP Agent, SPARCstation-10
    syscontact                    dilbert@ist.uwaterloo.ca
    sysLocation                   IST Machine Room, Rack 4, Tray 3
    system-group-read-community   public
    read-community                public
    managers                      ratbert

The "egrep" in the example tosses all commentary and empty lines -- there's not much to the file. Note the configuration shown only allows ratbert to query wally. It's a very simple configuration -- we've even tossed the traps that we didn't need. We've updated the "system" information so we can find the system (its physical location) and the support person. Bear in mind that the "managers" restriction is enforced on the source address of UDP packets and the community string travels in clear text, so it limits who can casually query the agent rather than authenticating anyone; that is why we expose only public, read-only data.
- Configure your boot sequence to bring up only the mibiisa(1M) daemon and none of the others. Make sure you bring it up in read-only mode. Here's a sample configuration you might wish to use:
    #!/sbin/sh
    #
    # $Id: S99mibiisa,v 1.4 2001/04/05 19:10:12 reggers Exp $
    #
    # Start the minimal SNMP services required for select managers to get public
    # data. Install as /etc/rc3.d/S99mibiisa (or insert into your favorite local
    # boottime script). Make sure you disable S76snmpdx and S77dmi in the same
    # directory.
    #
    # Reg Quinton <reggers@ist.uwaterloo.ca>; 5-Oct-2000

    case "$1" in
    'start')
            # -r runs the agent read-only: SNMP set requests are refused
            /usr/lib/snmp/mibiisa -r </dev/null >/dev/null 2>&1 &
            ;;
    'stop')
            /usr/bin/pkill -9 -x -u 0 'mibiisa'
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

The script should be installed in /etc/rc3.d and made executable.
- Finally, you can start the daemon by hand (it will be started automatically at next reboot if you installed the script in /etc/rc3.d):
    [2:45pm wally]# ./S99mibiisa start
    [2:45pm wally]# ps -ef | grep mibiisa
        root 19762     1  0 11:55:35 ?        0:00 /usr/lib/snmp/mibiisa -r
    [2:45pm wally]# lsof -i | grep snmp
    mibiisa   19762 root    2u  IPv4 0x300011f8660      0t0  UDP *:snmp (Idle)

The "ps" output confirms the daemon is running with the "-r" (read-only) flag, and "lsof" confirms that the only SNMP listener is mibiisa on the UDP snmp port. If the daemon fails to start you should check the audit trail in /var/log/syslog.
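As an added example (not part of the original article or of Solaris), here is a small Bourne shell audit script that checks a snmpd.conf file and an rc3.d directory against the recommendations above: a "managers" line must be present, no "trap" lines may remain, and the vendor start scripts S76snmpdx and S77dmi must be gone. It also flags any "write-community" or "system-group-write-community" keyword; those keywords are assumed from the Solaris snmpd.conf(4) format rather than taken from the article. The sample configurations it checks are constructed in a temporary directory so the script runs anywhere; point the check functions at /etc/snmp/conf/snmpd.conf and /etc/rc3.d to audit a real host.

```shell
#!/bin/sh
# Added audit helper for the SNMP hardening steps above (not from the article).
# Checks: snmpd.conf restricts managers, has no traps and no write community;
# rc3.d no longer contains the vendor SNMP/DMI start scripts.

# Drop comments and blank lines, as the article's egrep does.
conf_active() {
    grep -E -v '^$|^#' "$1"
}

# Return 0 if the config is restricted as recommended, 1 otherwise.
# Each finding is printed on its own line.
check_snmpd_conf() {
    conf=$1
    rc=0
    if ! conf_active "$conf" | grep '^managers[[:space:]]' >/dev/null; then
        echo "$conf: no 'managers' line, any host may query the agent"
        rc=1
    fi
    if conf_active "$conf" | grep '^trap' >/dev/null; then
        echo "$conf: trap configuration still present"
        rc=1
    fi
    # write-community / system-group-write-community: keywords assumed from snmpd.conf(4)
    if conf_active "$conf" | grep 'write-community' >/dev/null; then
        echo "$conf: a write community is configured, the agent should be read-only"
        rc=1
    fi
    return $rc
}

# Return 0 if neither vendor start script is still active in the rc directory.
check_rc_dir() {
    dir=$1
    rc=0
    for s in S76snmpdx S77dmi; do
        if [ -f "$dir/$s" ]; then
            echo "$dir/$s: vendor SNMP/DMI start script still enabled"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (not a real host): one config following the article,
# one vendor-default style config, and an rc3.d that was never cleaned up.
TMP=${TMPDIR:-/tmp}/snmp-audit.$$
mkdir -p "$TMP/rc3.d" "$TMP/clean-rc3.d"
trap 'rm -rf "$TMP"' EXIT

cat >"$TMP/good.conf" <<'EOF'
# constructed sample: the article's recommended configuration
sysdescr                      Sun SNMP Agent, SPARCstation-10
syscontact                    dilbert@ist.uwaterloo.ca
sysLocation                   IST Machine Room, Rack 4, Tray 3
system-group-read-community   public
read-community                public
managers                      ratbert
EOF

cat >"$TMP/bad.conf" <<'EOF'
# constructed sample: traps and a write community, no managers restriction
sysdescr                      Sun SNMP Agent, SPARCstation-10
read-community                public
write-community               private
trap                          localhost
trap-community                SNMP-trap
EOF

: >"$TMP/rc3.d/S76snmpdx"
: >"$TMP/rc3.d/S77dmi"

# Run the audit over the samples and report.
for f in good bad; do
    if check_snmpd_conf "$TMP/$f.conf"; then
        echo "$TMP/$f.conf: OK"
    fi
done
for d in rc3.d clean-rc3.d; do
    if check_rc_dir "$TMP/$d"; then
        echo "$TMP/$d: OK"
    fi
done
```

The checks are deliberately simple string matches on the active (uncommented) lines, which is the same view of the file the article's "egrep -v '^$|^#'" gives; a line such as "#trap localhost" is therefore ignored, exactly as the agent ignores it. Run the audit after a reboot as well as after the edit, since a surviving S76snmpdx would silently bring the full agent set back.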