Bug 1498979 - changing the snmp community string does not disable access from default community string
Summary: changing the snmp community string does not disable access from default commu...
Keywords:
Status: CLOSED DUPLICATE of bug 1496672
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 10.0 (Newton)
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
: ---
Assignee: Angus Thomas
QA Contact: Amit Ugol
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-10-05 17:27 UTC by Jack Waterworth
Modified: 2022-08-16 11:53 UTC (History)
7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-06 19:12:25 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-4714 0 None None None 2022-08-16 11:53:42 UTC

Description Jack Waterworth 2017-10-05 17:27:26 UTC
Description of problem:

After adding the following options to the overcloud templates, the default community string (public) is not disabled.

-------------------
parameter_defaults:
  ExtraConfig:
    snmp::ro_community: mysecurestring
    snmp::ro_community6: myv6securestring
-------------------

-------------------
[root@overcloud-controller-0 ~]# snmpwalk -Os -c public -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# snmpwalk -Os -c mysecurestring -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
-------------------
[stack@undercloud-1 ~]$ snmpwalk -Os -c public -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
-------------------

Version-Release number of selected component (if applicable):
OSP 10


How reproducible:
Every Time

Steps to Reproduce:
1. Add options to template
2. deploy
3. try to access snmp via public community string

Actual results:
results are returned


Expected results:
results should not be returned.


Additional info:

--------------------
[root@overcloud-controller-0 ~]# grep secure /etc/snmp/snmpd.conf
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1
--------------------
[root@overcloud-controller-0 ~]# snmpwalk -Os -c public -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# snmpwalk -Os -c mysecurestring -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# exit
logout
[heat-admin@overcloud-controller-0 ~]$ exit
logout
Connection to 192.0.2.15 closed.
[stack@undercloud-1 ~]$ snmpwalk -Os -c mysecurestring -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
Timeout: No Response from 192.0.2.15
[stack@undercloud-1 ~]$ snmpwalk -Os -c public -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[stack@undercloud-1 ~]$ 
--------------------

Comment 1 Jack Waterworth 2017-10-05 17:28:10 UTC
full snmpd.conf configuration here:

cat /etc/snmp/snmpd.conf
###
### File managed by Puppet
###

################################################################################
# AGENT BEHAVIOUR

agentaddress udp:161,udp6:[::1]:161

################################################################################
# ACCESS CONTROL

# ------------------------------------------------------------------------------
# Traditional Access Control
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1

# ------------------------------------------------------------------------------
# VACM Configuration
#       sec.name       source        community
com2sec notConfigUser  default       public

com2sec6 notConfigUser  default       public

#       groupName      securityModel securityName
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

#       name          incl/excl  subtree             mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1

#       group          context sec.model sec.level prefix read       write notif
access  notConfigGroup ""      any       noauth    exact  systemview none  none

# ------------------------------------------------------------------------------
# Typed-View Configuration

################################################################################
# SYSTEM INFORMATION

# ------------------------------------------------------------------------------
# System Group
sysLocation Unknown
sysContact Unknown
sysServices 72
sysName overcloud-controller-0.localdomain

################################################################################
# EXTENDING AGENT FUNCTIONALITY


###############################################################################
## Logging
##

## We do not want annoying "Connection from UDP: " messages in syslog.
## If the following option is set to 'no', snmpd will print each incoming
## connection, which can be useful for debugging.

dontLogTCPWrappersConnects no

################################################################################
# OTHER CONFIGURATION

createUser ro_snmp_user MD5 "4bcb98e88e6f5d385ab5c0f9f42bdb571d20fea5"
rouser ro_snmp_user
proc  cron
includeAllDisks  10%
master agentx
trapsink localhost public
iquerySecName internalUser
rouser internalUser
defaultMonitors yes
linkUpDownNotifications yes
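
The two listings above (the grep in the description and the full snmpd.conf in comment 1) show why the ExtraConfig change did not help: the new strings were written as `rocommunity`/`rocommunity6` lines bound to 127.0.0.1 and ::1 only, which is why the walk with `mysecurestring` from the undercloud times out, while the VACM block still maps community `public` from source `default` (any address) onto `notConfigUser`, whose group has read access to `systemview`. The following script is an added example written for this page; it is not part of the bug report, of tripleo-heat-templates or of the puppet-snmp module. It audits an snmpd.conf for SNMPv1/v2c community directives that still grant access and includes two constructed samples: the access-control lines as the report shows them, and the state the reporter expected (no `com2sec` mapping for `public`, the new string bound to 192.0.2.0/24, which is an assumed management subnet taken from the addresses in the report).

```shell
#!/bin/sh
# Added example for this bug page; not code from the report, from tripleo or
# from puppet-snmp. Audits an snmpd.conf (a path, or stdin when no path is
# given) for SNMPv1/v2c community directives that still grant access. Adding a
# rocommunity line, as the report did, does not touch a com2sec mapping.
#
# Output: one line per directive, "<directive> <community> <source> <verdict>"
#   DEFAULT-COMMUNITY  a well-known string (public/private) is still accepted
#   ANY-SOURCE         the community is accepted from any address
#   ok                 neither of the above (group/access lines are not
#                      checked; without a com2sec mapping they are inert)
snmp_audit_conf() {
    grep -E '^[[:space:]]*(r[ow]community6?|com2sec6?)[[:space:]]' "${1:--}" |
    while read -r directive f1 f2 f3 _rest; do
        case "$directive" in
            com2sec|com2sec6)
                # com2sec <sec.name> <source> <community>
                community="$f3"
                src="$f2"
                ;;
            *)
                # r[ow]community <community> [source] [-V view | OID]
                community="$f1"
                case "$f2" in
                    ""|-V) src=default ;;   # no source given: any address
                    *)     src="$f2" ;;
                esac
                ;;
        esac
        case "$src" in
            default|0.0.0.0/0|::/0) verdict=ANY-SOURCE ;;
            *)                      verdict=ok ;;
        esac
        case "$community" in
            public|private) verdict=DEFAULT-COMMUNITY ;;
        esac
        printf '%s %s %s %s\n' "$directive" "$community" "$src" "$verdict"
    done
}

# Exit status 0 when at least one directive is DEFAULT-COMMUNITY or
# ANY-SOURCE, 1 when every community line is "ok".
snmp_conf_exposed() {
    snmp_audit_conf "$1" | grep -qv ' ok$'
}

# Constructed sample: the access-control lines as the report's snmpd.conf
# shows them after setting snmp::ro_community via ExtraConfig.
sample_conf_from_bug() {
    cat <<'EOF'
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1
com2sec notConfigUser  default       public
com2sec6 notConfigUser  default       public
group   notConfigGroup v2c           notConfigUser
access  notConfigGroup ""      any       noauth    exact  systemview none  none
EOF
}

# Constructed sample of what the reporter expected: no com2sec mapping for
# "public", and the new string bound to an assumed management subnet
# (192.0.2.0/24, from the addresses in the report) rather than 127.0.0.1 only,
# so the undercloud can actually use it. SNMPv3 "rouser" access is unaffected.
sample_conf_hardened() {
    cat <<'EOF'
rocommunity mysecurestring 192.0.2.0/24
rocommunity6 myv6securestring ::1
# com2sec/com2sec6 notConfigUser default public: removed
group   notConfigGroup v2c           notConfigUser
access  notConfigGroup ""      any       noauth    exact  systemview none  none
rouser ro_snmp_user
EOF
}

# Live check against a node (not exercised offline): does "public" still answer?
# -t 2 -r 0: two-second timeout, no retries, so a silent host fails fast.
snmp_probe_default_community() {
    snmpwalk -v 2c -c public -t 2 -r 0 "$1" sysDescr.0 >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    echo "== as reported =="; sample_conf_from_bug | snmp_audit_conf
    echo "== hardened ==";    sample_conf_hardened | snmp_audit_conf
fi
```

On a controller, `snmp_audit_conf /etc/snmp/snmpd.conf` run against the file from comment 1 reports both `com2sec` lines as DEFAULT-COMMUNITY and both `rocommunity` lines as ok, which matches the observed behaviour: the localhost-only binding is fine in itself, but the default mapping next to it is what answers the undercloud. From the undercloud, `snmp_probe_default_community 192.0.2.15` returns 0 for as long as that mapping exists.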

Comment 3 Emilien Macchi 2017-10-06 19:12:25 UTC
Closing this bug as we're already fixing it here https://bugzilla.redhat.com/show_bug.cgi?id=1496672 and I'm actually working on this as I'm writing these words.

*** This bug has been marked as a duplicate of bug 1496672 ***

