From 5ce634898173c0e3417469b6bf4a9ac32ae70942 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 17:53:13 -0500 Subject: [PATCH 01/12] style(*): added vim modelines adding simple vim modelines for convenience. --- snmp/conf.sls | 2 ++ snmp/conftrap.sls | 2 ++ snmp/default.sls | 2 ++ snmp/init.sls | 2 ++ snmp/options.sls | 2 ++ snmp/optionstrap.sls | 2 ++ snmp/trap.sls | 2 ++ snmp/utils.sls | 2 ++ 8 files changed, 16 insertions(+) diff --git a/snmp/conf.sls b/snmp/conf.sls index 0f5706e..7594423 100644 --- a/snmp/conf.sls +++ b/snmp/conf.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} {% from "snmp/conf.jinja" import conf with context -%} diff --git a/snmp/conftrap.sls b/snmp/conftrap.sls index 1261c46..63e437a 100644 --- a/snmp/conftrap.sls +++ b/snmp/conftrap.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} include: diff --git a/snmp/default.sls b/snmp/default.sls index e48de2d..aa83006 100644 --- a/snmp/default.sls +++ b/snmp/default.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} include: diff --git a/snmp/init.sls b/snmp/init.sls index 9ae6ff4..505fbff 100644 --- a/snmp/init.sls +++ b/snmp/init.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} snmp: diff --git a/snmp/options.sls b/snmp/options.sls index d8da8cd..c75b05c 100644 --- a/snmp/options.sls +++ b/snmp/options.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} include: diff --git a/snmp/optionstrap.sls b/snmp/optionstrap.sls index 624787e..3e9bbe5 100644 --- a/snmp/optionstrap.sls +++ b/snmp/optionstrap.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} include: diff --git a/snmp/trap.sls b/snmp/trap.sls index 67c97e1..234aef1 100644 --- a/snmp/trap.sls +++ b/snmp/trap.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} include: diff --git a/snmp/utils.sls b/snmp/utils.sls index b37c435..fdbb074 100644 --- a/snmp/utils.sls +++ b/snmp/utils.sls @@ -1,3 +1,5 @@ +# vim: ft=sls + {% from "snmp/map.jinja" import snmp with context %} snmp-utils: From e9738d2449283b4a9b82bd8a010955ca2d29fcca Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 17:54:19 -0500 Subject: [PATCH 02/12] fix(utils.sls): check to catch missing pkgutils Gentoo is the only one affected, but this is technically a timebomb. --- snmp/utils.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/snmp/utils.sls b/snmp/utils.sls index fdbb074..1715641 100644 --- a/snmp/utils.sls +++ b/snmp/utils.sls @@ -2,6 +2,8 @@ {% from "snmp/map.jinja" import snmp with context %} -snmp-utils: +{% if 'pkgutils' in snmp -%} +snmp_utils: pkg.installed: - name: {{ snmp.pkgutils }} +{% endif -%} \ No newline at end of file From 39910b2ed1875c39e599786eb079e23b2cacb2da Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:04:11 -0500 Subject: [PATCH 03/12] fix(init,conf): correcting reverse watch * `init.sls` - This will now enable the service, restarting on config changes normally. * `conf.sls` - Having the watch_in:service on the file.managed state will cause issues if any additional states follow `snmp_conf`. --- snmp/conf.sls | 2 -- snmp/init.sls | 7 +++++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/snmp/conf.sls b/snmp/conf.sls index 7594423..d9c4357 100644 --- a/snmp/conf.sls +++ b/snmp/conf.sls @@ -17,5 +17,3 @@ snmp_conf: - user: root - group: {{ snmp.rootgroup }} - mode: 644 - - watch_in: - - service: {{ snmp.service }} diff --git a/snmp/init.sls b/snmp/init.sls index 505fbff..6476772 100644 --- a/snmp/init.sls +++ b/snmp/init.sls @@ -5,11 +5,14 @@ snmp: pkg.installed: - name: {{ snmp.pkg }} - service.running: + service.enabled: - name: {{ snmp.service }} - - enable: true - require: - pkg: {{ snmp.pkg }} + service.running: + - name: {{ snmp.service }} + - watch: + - file: {{ snmp.config }} {% if grains['os_family'] == 'Debian' and grains['osmajorrelease'] < 9 %} include: From f6852a7925a827664925d7a27fc90f042ee84e73 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:07:41 -0500 Subject: [PATCH 04/12] refactor(*): added default for SALT_MANAGED lines Added a generic default message to avoid an awkward blank line. --- snmp/files/snmpd.conf | 2 +- snmp/files/snmpd.conf.minimal | 2 +- snmp/files/snmpd.default | 2 +- snmp/files/snmpd.options | 2 +- snmp/files/snmptrapd.conf | 2 +- snmp/files/snmptrapd.options | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/snmp/files/snmpd.conf b/snmp/files/snmpd.conf index beb6705..3cdd689 100644 --- a/snmp/files/snmpd.conf +++ b/snmp/files/snmpd.conf @@ -3,7 +3,7 @@ ############################################################################### # -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # diff --git a/snmp/files/snmpd.conf.minimal b/snmp/files/snmpd.conf.minimal index a34edd5..ebbf3fc 100644 --- a/snmp/files/snmpd.conf.minimal +++ b/snmp/files/snmpd.conf.minimal @@ -1,7 +1,7 @@ {% from "snmp/conf.jinja" import conf with context -%} {% from "snmp/macros.jinja" import v12c_communities with context -%} -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # diff --git a/snmp/files/snmpd.default b/snmp/files/snmpd.default index f415018..cdb7d89 100644 --- a/snmp/files/snmpd.default +++ b/snmp/files/snmpd.default @@ -1,4 +1,4 @@ -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # diff --git a/snmp/files/snmpd.options b/snmp/files/snmpd.options index 64c5066..45f985a 100644 --- a/snmp/files/snmpd.options +++ b/snmp/files/snmpd.options @@ -1,4 +1,4 @@ -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # diff --git a/snmp/files/snmptrapd.conf b/snmp/files/snmptrapd.conf index 67ddf1e..f2572a0 100644 --- a/snmp/files/snmptrapd.conf +++ b/snmp/files/snmptrapd.conf @@ -1,4 +1,4 @@ -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # diff --git a/snmp/files/snmptrapd.options b/snmp/files/snmptrapd.options index 00be8e5..a3a1273 100644 --- a/snmp/files/snmptrapd.options +++ b/snmp/files/snmptrapd.options @@ -1,4 +1,4 @@ -# {{ salt['pillar.get']('SALT_MANAGED') }} +# {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # # DO NOT EDIT # From 2f74a39d655990958ce897b5b9efb089263aa81e Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:17:22 -0500 Subject: [PATCH 05/12] feat(secure-v3-users): secure user creation * `map.jinja` - Adding the file path for persistent configs. These files will hold the actual createUser strings before they're consumed. * `conf.sls` - New users' createUser strings will be placed in the `persistentconfig` files, which will consumed on snmp daemon start. The process is stop snmpd, add createUser to the `persistentconfig` file, and then start snmpd back up. This somewhat opinionated choice to stop & start per user avoided a significantly large and needlessly complex alternative. * `snmpd.conf` - Allow defaults/blanks for access entries, where appropriate. Changed `location` to `sysLocation` and `syscontact` to `sysContact` to match snmpd.conf options identically. Changed `logconnects` to `dontLogTCPWrappersConnects` for the same reason and readability. * `snmpd.conf.minimal` - Almost identical changes. * `macros.jinja` - added macro for the createUser string. BREAKING CHANGE: `location` is no longer accepted and has been replaced with `sysLocation` to match the snmpd.conf standard. BREAKING CHANGE: `syscontact` is no longer accepted and has been replaced with `sysContact` to match the snmpd.conf standard. BREAKING CHANGE: `logconnects` is no longer accepted and has been replaced with `dontLogTCPWrappersConnects` to match the snmpd.conf standard, as well as removing less than intuitive boolean. --- snmp/conf.sls | 33 ++++++++++++++++++++++++++++++++- snmp/files/snmpd.conf | 29 ++++++++++++----------------- snmp/files/snmpd.conf.minimal | 25 ++++++++++--------------- snmp/macros.jinja | 10 +++++++--- snmp/map.jinja | 2 ++ 5 files changed, 63 insertions(+), 36 deletions(-) diff --git a/snmp/conf.sls b/snmp/conf.sls index d9c4357..eeee06d 100644 --- a/snmp/conf.sls +++ b/snmp/conf.sls @@ -1,7 +1,8 @@ # vim: ft=sls {% from "snmp/map.jinja" import snmp with context %} -{% from "snmp/conf.jinja" import conf with context -%} +{% from "snmp/conf.jinja" import conf with context %} +{% from "snmp/macros.jinja" import v3_createUser_string with context -%} include: - snmp @@ -17,3 +18,33 @@ snmp_conf: - user: root - group: {{ snmp.rootgroup }} - mode: 644 + +{% if 'persistentconfig' in snmp %} +{% for groups in ['rousers', 'rwusers'] %} +{% for user in conf.get(groups, []) %} +{% set securitylevel = 'authPriv' if user.get('securitylevel') == 'priv' else 'authNoPriv' %} +{# if test fails, stop snmpd, add user to persistent config file, restart snmpd #} +snmpv3 creating {{ user.username }} step 1 of 3: + service.dead: + - name: {{ snmp.service }} + - unless: + - "snmpget -v3 -l {{ securitylevel }} -u {{ user.username }} -a {{ user.get('authproto', 'SHA') }} -A {{ user.authpassphrase }} -x {{ user.get('privproto', 'AES') }} {% if securitylevel == "authPriv" %}-X {{ user.privpassphrase }}{% endif %} 127.0.0.1 1.3.6.1.2.1.1.5.0 -On" + +snmpv3 creating {{ user.username }} step 2 of 3: + file.line: + - name: {{ snmp.persistentconfig }} + - mode: insert + - location: end + - content: {{ v3_createUser_string(user) }} + - show_changes: False + - require: + - snmpv3 creating {{ user.username }} step 1 of 3 + +snmpv3 creating {{ user.username }} step 3 of 3: + service.running: + - name: {{ snmp.service }} + - require: + - snmpv3 creating {{ user.username }} step 2 of 3 +{% endfor %} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/snmp/files/snmpd.conf b/snmp/files/snmpd.conf index 3cdd689..00b1fc6 100644 --- a/snmp/files/snmpd.conf +++ b/snmp/files/snmpd.conf @@ -1,5 +1,6 @@ {% from "snmp/conf.jinja" import conf with context -%} -{% from "snmp/macros.jinja" import v12c_communities with context -%} +{% from "snmp/map.jinja" import snmp with context -%} +{% from "snmp/macros.jinja" import v12c_communities,v3_createUser_string with context -%} ############################################################################### # @@ -76,7 +77,7 @@ view {{ entry.name }} {{ entry.type }} {{ entry.oid }} {{ entry.mask if 'mask' i # group context sec.model sec.level prefix read write notif {%- for entry in conf.get('access', []) %} -access {{ entry.name }} {{ entry.context }} {{ entry.match }} {{ entry.level }} {{ entry.prefix }} {{ entry.read }} {{ entry.write }} {{ entry.notify }} +access {{ entry.name }} {{ entry.context or '""' }} {{ entry.match }} {{ entry.level }} {{ entry.prefix }} {{ entry.read or 'none' }} {{ entry.write or 'none' }} {{ entry.notify or 'none' }} {%- endfor %} # ----------------------------------------------------------------------------- @@ -121,7 +122,7 @@ access {{ entry.name }} {{ entry.context }} {{ entry.match }} {{ entry.level }} # snmpd daemon from any source! To avoid this use different names for your # community or split out the write access to a different community and # restrict it to your local network. -# Also remember to comment the syslocation and syscontact parameters later as +# Also remember to comment the sysLocation and sysContact parameters later as # otherwise they are still read only (see FAQ for net-snmp). # @@ -183,8 +184,8 @@ access {{ entry.name }} {{ entry.context }} {{ entry.match }} {{ entry.level }} # It is also possible to set the sysContact and sysLocation system # variables through the snmpd.conf file: -syslocation {{ conf.get('location', 'Unknown (add saltstack pillar)') }} -syscontact {{ conf.get('syscontact', 'Root (add saltstack pillar)') }} +sysLocation {{ conf.get('sysLocation', 'Unknown (add saltstack pillar)') }} +sysContact {{ conf.get('sysContact', 'Root (add saltstack pillar)') }} # Example output of snmpwalk: # % snmpwalk -v 1 localhost -c public system @@ -205,13 +206,7 @@ syscontact {{ conf.get('syscontact', 'Root (add saltstack pilla # If the following option is commented out, snmpd will print each incoming # connection, which can be useful for debugging. -{% if conf.get('logconnects') is not none %} -{%- if conf.get('logconnects') %} -# dontLogTCPWrappersConnects yes -{%- else %} -dontLogTCPWrappersConnects yes -{%- endif %} -{% endif %} +dontLogTCPWrappersConnects {{ 'no' if 'dontLogTCPWrappersConnects' in conf and not conf.get('dontLogTCPWrappersConnects')|to_bool else 'yes' }} # ----------------------------------------------------------------------------- @@ -469,7 +464,7 @@ disk {{ disk }} # # Example: (see the script for details) # (commented out here since it requires that you place the -# script in the right location. (its not installed by default)) +# script in the right location. (it's not installed by default)) # pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest @@ -500,13 +495,13 @@ disk {{ disk }} # Version 3 users {%- for user in conf.get('rousers', '') %} -rouser {{ user.username }} {{ user.get('securitylevel', 'auth') }} -V {{ user.view }} -createUser {{ user.username }} {{ user.get('authproto', 'MD5') }} {{ user.get('authpassphrase', user.passphrase) }} {{ user.get('privproto', 'AES') }} {{ user.get('privpassphrase', user.passphrase) }} +rouser {{ user.username }} {% if user.get('view') %}{{ user.get('securitylevel', 'auth') }} -V {{ user.view }}{% endif %} +{% if 'persistentconfig' in snmp %}# createUser string will be added to {{ snmp.persistentconfig }}{% else %}{{ v3_createUser_string(user) }}{% endif %} {%- endfor %} {%- for user in conf.get('rwusers', '') %} -rwuser {{ user.username }} {{ user.get('securitylevel', 'auth') }} -V {{ user.view }} -createUser {{ user.username }} {{ user.get('authproto', 'MD5') }} {{ user.get('authpassphrase', user.passphrase) }} {{ user.get('privproto', 'AES') }} {{ user.get('privpassphrase', user.passphrase) }} +rwuser {{ user.username }} {% if user.get('view') %}{{ user.get('securitylevel', 'auth') }} -V {{ user.view }}{% endif %} +{% if 'persistentconfig' in snmp %}# createUser string will be added to {{ snmp.persistentconfig }}{% else %}{{ v3_createUser_string(user) }}{% endif %} {%- endfor %} {% for declaration, values in config.items() %} diff --git a/snmp/files/snmpd.conf.minimal b/snmp/files/snmpd.conf.minimal index ebbf3fc..881adc1 100644 --- a/snmp/files/snmpd.conf.minimal +++ b/snmp/files/snmpd.conf.minimal @@ -1,5 +1,6 @@ {% from "snmp/conf.jinja" import conf with context -%} -{% from "snmp/macros.jinja" import v12c_communities with context -%} +{% from "snmp/map.jinja" import snmp with context -%} +{% from "snmp/macros.jinja" import v12c_communities,v3_createUser_string with context -%} # {{ salt['pillar.get']('SALT_MANAGED','This file is managed by salt. Do not edit') }} # @@ -16,16 +17,10 @@ ############################################################################## # System contact information # -sysLocation {{ conf.get('location', 'Unknown (add saltstack pillar)') }} -sysContact {{ conf.get('syscontact', 'Root (add saltstack pillar)') }} +sysLocation {{ conf.get('sysLocation', 'Unknown (add saltstack pillar)') }} +sysContact {{ conf.get('sysContact', 'Root (add saltstack pillar)') }} -{% if conf.get('logconnects') is not none %} -{%- if conf.get('logconnects') %} -# dontLogTCPWrappersConnects yes -{%- else %} -dontLogTCPWrappersConnects yes -{%- endif %} -{% endif %} +dontLogTCPWrappersConnects {{ 'no' if 'dontLogTCPWrappersConnects' in conf and not conf.get('dontLogTCPWrappersConnects')|to_bool else 'yes' }} ############################################################################### # Access Control @@ -61,7 +56,7 @@ view {{ entry.name }} {{ entry.type }} {{ entry.oid }} {{ entry.mask if 'mask' i # group context sec.model sec.level prefix read write notif {%- for entry in conf.get('access', []) %} -access {{ entry.name }} {{ entry.context }} {{ entry.match }} {{ entry.level }} {{ entry.prefix }} {{ entry.read }} {{ entry.write }} {{ entry.notify }} +access {{ entry.name }} {{ entry.context or '""' }} {{ entry.match }} {{ entry.level }} {{ entry.prefix }} {{ entry.read or 'none' }} {{ entry.write or 'none' }} {{ entry.notify or 'none' }} {%- endfor %} # Version 1/2c users (read only) @@ -71,14 +66,14 @@ access {{ entry.name }} {{ entry.context }} {{ entry.match }} {{ entry.level }} # Version 3 users (read only) {%- for user in conf.get('rousers', []) %} -rouser {{ user.username }} auth -V {{ user.view }} -createUser {{ user.username }} {{ user.get('authproto', 'MD5') }} {{ user.passphrase }} {{ user.get('privproto', 'AES') }} +rouser {{ user.username }} {% if user.get('view') %}{{ user.get('securitylevel', 'auth') }} -V {{ user.view }}{% endif %} +{% if 'persistentconfig' in snmp %}# createUser string will be added to {{ snmp.persistentconfig }}{% else %}{{ v3_createUser_string(user) }}{% endif %} {%- endfor %} # Version 3 users (read/write) {%- for user in conf.get('rwusers', []) %} -rwuser {{ user.username }} auth -V {{ user.view }} -createUser {{ user.username }} {{ user.get('authproto', 'MD5') }} {{ user.passphrase }} {{ user.get('privproto', 'AES') }} +rwuser {{ user.username }} {% if user.get('view') %}{{ user.get('securitylevel', 'auth') }} -V {{ user.view }}{% endif %} +{% if 'persistentconfig' in snmp %}# createUser string will be added to {{ snmp.persistentconfig }}{% else %}{{ v3_createUser_string(user) }}{% endif %} {%- endfor %} # Extra settings diff --git a/snmp/macros.jinja b/snmp/macros.jinja index b9705cf..cce1803 100644 --- a/snmp/macros.jinja +++ b/snmp/macros.jinja @@ -2,7 +2,7 @@ {# mode can be either 'ro' or 'rw' #} {%- macro v12c_communities(mode, proto='') -%} - {% set communities = conf.get(mode+'communities'+proto, []) -%} + {% set communities = conf.get(mode~'communities'~proto, []) -%} {%- for community in communities %} {%- if communities is mapping and communities.get(community, {}) is mapping %} {%- set source = communities.get(community).get('source', '') %} @@ -15,8 +15,12 @@ {%- set source = [source] %} {%- endif %} {%- for src in source -%} -{{ mode }}community {{ community }} {{ src }}{{ ' -V ' + view if view else '' }} +{{ mode }}community {{ community }} {{ src }}{{' -V ' ~ view if view else ''}} {% endfor %} {%- endfor -%} -{% endmacro -%} +{% endmacro-%} +{%- macro v3_createUser_string(user) -%} + {% set seclevel = user.get('securitylevel', 'auth') -%} +createUser {{ user.username }} {{ user.get('authproto', 'SHA') }} {{ user.authpassphrase }} {{ user.get('privproto', 'AES') }} {% if seclevel == "priv" %}{{ user.privpassphrase }}{% else %}{{ user.get('privpassphrase', '') }}{% endif %} +{%- endmacro -%} \ No newline at end of file diff --git a/snmp/map.jinja b/snmp/map.jinja index ae716f3..7eda507 100644 --- a/snmp/map.jinja +++ b/snmp/map.jinja @@ -21,6 +21,7 @@ RedHat: pkgutils: net-snmp-utils options: /etc/sysconfig/snmpd optionstrap: /etc/sysconfig/snmptrapd + persistentconfig: /var/lib/net-snmp/snmpd.conf sourceoptions: salt://snmp/files/snmpd.options sourceoptionstrap: salt://snmp/files/snmptrapd.options Debian: @@ -28,6 +29,7 @@ Debian: pkgutils: snmp configdefault: /etc/default/snmpd sourcedefault: salt://snmp/files/snmpd.default + persistentconfig: /var/lib/snmp/snmpd.conf snmpdargs: -Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /var/run/snmpd.pid mibs: snmpdrun: "yes" From 67c31b28bc803260b515458fcf85883e10e03c17 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:19:25 -0500 Subject: [PATCH 06/12] docs(secure-v3-users): docs to match * `pillar.example` - updated to match secure v3 users functionality * `README.rst` - similarly updated --- docs/README.rst | 2 +- pillar.example | 249 +++++++++++++++++++++++++++++++----------------- 2 files changed, 164 insertions(+), 87 deletions(-) diff --git a/docs/README.rst b/docs/README.rst index 945e32f..1a4fcb1 100644 --- a/docs/README.rst +++ b/docs/README.rst @@ -113,7 +113,7 @@ For example, you may setup generic SNMP configuration in common pillar file, and snmp: conf: settings: - logconnects: false + dontLogTCPWrappersConnects: false sysServices: 72 Whereas team, that wants to monitor GPFS with SNMP on the same cluster will add this pillar file to their package: diff --git a/pillar.example b/pillar.example index c7f1aa7..9a184d9 100644 --- a/pillar.example +++ b/pillar.example @@ -1,114 +1,191 @@ -# -*- coding: utf-8 -*- # vim: ft=yaml --- snmp: - # lookup: - # snmpdargs: '-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a' - # trapdargs: '-Lsd -p /var/run/snmptrapd.pid' - # trapdrun: 'no' # Needs "'", otherwise it'll be a bool + # Use `lookup` to override default config values + # (such as those found in snmp/map.jinja) + lookup: + snmpdargs: '-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a' + trapdargs: '-Lsd -p /var/run/snmptrapd.pid' + trapdrun: 'no' # Single quote wrap to avoid boolean behavior conf: - location: 'Unknown (add saltstack pillar)' - syscontact: 'Root (add saltstack pillar)' - logconnects: false - # disk checks - # disk: / - # disks: - # - / - # vacm com2sec's (map communities into security names) - # com2sec: - # - name: local - # source: localhost - # community: localhost - # vacm group's (map security names to group names) - # groups: - # - name: ROgroup1 - # version: usm - # secname: local - # - name: ROgroup1 - # version: v1 - # secname: local - # - name: ROgroup1 - # version: v2c - # secname: local - # - name: Other - # version: usm - # secname: local - # - name: Other - # version: v1 - # secname: local - # - name: Other - # version: v2c - # secname: local - # vacm views (map mib trees to views) + ## Config reference: http://www.net-snmp.org/docs/man/snmpd.conf.html + sysLocation: 'IT Office, Third Floor' + sysContact: 'John Doe ' + # (SALT: Omitting dontLogTCPWrappersConnects defaults to 'true') + dontLogTCPWrappersConnects: true + + ################################# + ### Disk Usage Monitoring ### + ################################# + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAS + #disks: + # (path): (min-space-in-kB) + disks: + '/': 1000000 + '/nfs/apache': 250000 + + ############################## + ### VACM Configuration ### + ############################## + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL + # `com2sec` : map an SNMPv1 or SNMPv2c community string to a + # security name - either from a particular range of + # source addresses, or globally ("default") + # (SALT: multiple entries allowed, list syntax) + #com2sec: + # - name: (helpful label) + # source: {hostname|IP+Mask|IP+Subnet} + # community: (community string) + com2Sec: + - name: localSec + source: 10.20.30.0/24 + community: ROwrowrowtheboat + - name: secOps + source: 110.120.130.0/24 + community: seriousSecurityThx + # + # `group` : maps a security name (in the specified security model) + # into a named group + # (SALT: multiple entries allowed, list syntax) + #groups: + # - name: (helpful label) + # version: {v1|v2c|usm|tsm|ksm} + # secname: (any valid `com2Sec` entry defined) + groups: + - name: ROwers1 + version: v1 + secname: localSec + - name: ROwers2 + version: v2c + secname: localSec + - name: SecEngTeam + version: usm + # + # `view` : defines a named "view" - a subset of the overall OID tree + # (SALT: multiple entries allowed, list syntax) + #views: + # - name: (helpful label) + # type: {included|excluded} + # oid: (oid string) + # mask: (list of hex octets to match against) ## OPTIONAL views: - name: all type: included oid: '.1' - # optional mask mask: 80 - # vacm access (map groups to views with access restrictions) - # access: - # - name: ROgroup1 - # context: '""' - # match: any - # level: noauth - # prefix: exact - # read: all - # write: none - # notify: none - # - name: Other - # context: "cont" - # match: any - # level: noauth - # prefix: exact - # read: all - # write: none - # notify: none - # v1/2c read-only communities + - name: ifRow4 + type: included + oid: '.1.3.6.1.2.1.2.2.1.0.4' + - name: iso3 + type: included + oid: '.iso.org.dod.mgmt' + # + # `access` : maps from a group of users/communities (with a particular + # security model and minimum security level, and in a + # specific context) to one of three views, depending on the + # request being processed + # (SALT: multiple entries allowed, list syntax) + #access: + # - name: (any valid `group` entry defined) + # context: (incoming request context) # can be leftout to assume 'blank' + # match: {any|v1|v2c|usm|tsm|ksm} + # level: {noauth|auth|priv} # v1 & v2c require 'noauth' + # prefix: {exact|prefix} + # read: {all|none} # omitting selects 'none' + # write: {all|none} # omitting selects 'none' + # notify: {all|none} # omitting selects 'none' + access: + - name: ROwers1 + match: any + level: noauth + prefix: exact + read: all + - name: SecEngTeam + match: any + level: auth + prefix: exact + read: all + write: all + + ###################################### + ### Traditional Access Control ### + ###################################### + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAK + ## v1/v2c ## + # rXcommunity - specify an SNMPv1 or SNMPv2c community that will be + # allowed read-only (if `rocommunity`) or be allowed + # read-write (if `rwcommunity`) access + # (SALT: suffix '6' for ipv6 version of the communities, + # such as 'rocommunities6' or 'rwcommunities6') + # SYNTAX WITH SOURCE + #rXcommunities: + # (community string): + # source: {hostname|IP+Mask|IP+Subnet} or [{hostname|IP+Mask|IP+Subnet}, ...] # list format or single entry rocommunities: public: - source: [localhost, 192.168.0.0/24, 192.168.1.0/24] - withoutsource: null - # or - # rocommunities: - # - public - # rocommunities6: - # public: - # source: 2001:DB8::1 - # v1/2c read-write communities + source: [localhost, 192.168.0.0/24, 2001:DB8::1] rwcommunities: private: source: 192.168.1.0/24 - # v3 users for read-only + # SYNTAX WITHOUT SOURCE + #rXcommunities: + # - (community string) + # - (another community string) + rocommunities: + - monitoring + - dontbreakit + rwcommunities: + - privatestuff + ## v3 ## + # (SALT: The default authproto will be SHA, instead of MD5, + # and the default privproto will be AES, instead of + # DES, for the sake of security. + # `securitylevel` = 'priv' enforces encryption, in + # addition to auth, which *requires* privpassphrase + # to be defined. + #rXusers: + # - username: (snmpv3 user name) + # authpassphrase: (authentication password) + # privpassphrase: (encryption password) ## optional only if `securitylevel` = 'auth' + # securitylevel: {auth|priv} # omitting selects 'auth' + # authproto: {MD5|SHA} # omitting selects 'SHA' + # privproto: {DES|AES} # omitting selects 'AES' + # view: (any valid `view` entry defined) ## OPTIONAL rousers: - - username: 'myv3user' - authpassphrase: 'myv3password' - view: all - # securitylevel: priv - # authproto: 'SHA' - # privproto: 'AES' - # privpassphrase: 'v3privpass' - # v3 users for read-write + - username: 'someNewUser' + authpassphrase: 'tklhgKipJF1nNY' + view: all rwusers: - - username: 'myv3user_rw' - authpassphrase: 'myv3password' - view: all - # securitylevel: priv - # authproto: 'SHA' - # privproto: 'AES' - # privpassphrase: 'v3privpass' - # misc snmpd.conf settings + - username: 'somethingCICD' + authpassphrase: 'VPluOBhwmnFB6z' + privpassphrase: 'IO0wa0wROUSaeB' + securitylevel: priv + view: iso3 + + ######################################## + ### Miscellaneous SNMPD Settings ### + ######################################## + # (SALT: These are example settings, but any valid setting + # should be acceptable here.) settings: - # agentAddress: 'udp:161,udp6:[::1]:161' + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAD + #agentAddress: [:] + agentAddress: 'udp:161,udp6:[::1]:161' sysServices: 72 master: ['agentx'] - # custom MIB files + # (SALT: For custom MIB files, follow this syntax) # mibs: # : salt:// + mibs: + GPFS: salt://gpfs/files/GPFS-mib.txt + # (SALT: The name field for `extent` entries can be a human + # readable string or an OID string.) + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAZ extend: - name: 'HTTPD_PIDS' prog: '/bin/sh /path/to/check_apache.sh' + # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbBD dlmod: - name: 'nstAgentPluginObject' sharedobject: '/path/to/nstAgentPluginObject.so' From e6bfdb696a6048e0c367f51b1ebfad65ed621a07 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:32:10 -0500 Subject: [PATCH 07/12] test(secure-v3-users): updated to match * `config.rb` - Now aware of the correct createUser state * `default.sls` - Updated to match new snmpd.conf --- test/integration/default/controls/config.rb | 19 +++++++++++++++---- test/salt/pillar/default.sls | 6 +++--- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/test/integration/default/controls/config.rb b/test/integration/default/controls/config.rb index a885397..bde6edd 100644 --- a/test/integration/default/controls/config.rb +++ b/test/integration/default/controls/config.rb @@ -3,7 +3,7 @@ control 'snmp.config.file' do title 'Verify the configuration file' - # Overide by platform family + # Override by platform family config_file, root_group = case platform[:family] when 'bsd' @@ -11,14 +11,25 @@ else %w[/etc/snmp/snmpd.conf root] end + + # Override for persistent config file + createUser_str = + case platform[:family] + when 'debian' + 'createUser string will be added to /var/lib/snmp/snmpd.conf' + when 'redhat' + 'createUser string will be added to /var/lib/net-snmp/snmpd.conf' + else + 'createUser myv3user SHA myv3password AES v3privpass' + end describe file(config_file) do it { should be_file } it { should be_owned_by 'root' } it { should be_grouped_into root_group } its('mode') { should cmp '0644' } - its('content') { should include 'syslocation Right Here' } - its('content') { should include 'syscontact System Admin' } + its('content') { should include 'sysLocation Right Here' } + its('content') { should include 'sysContact System Admin' } its('content') { should include 'dontLogTCPWrappersConnects yes' } its('content') { should include 'view all included .1 80' } its('content') { should include 'rocommunity public localhost' } @@ -27,7 +38,7 @@ its('content') { should include 'rwcommunity private 192.168.1.0/24' } its('content') { should include 'rouser myv3user auth -V all' } its('content') do - should include 'createUser myv3user SHA myv3password AES v3privpass' + should include createUser_str end end end diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index f1d2b41..e92ae04 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -3,9 +3,9 @@ --- snmp: conf: - location: 'Right Here' - syscontact: 'System Admin' - logconnects: false + sysLocation: 'Right Here' + sysContact: 'System Admin' + dontLogTCPWrappersConnects: true views: - name: all type: included From d97cece6c1e8fa58c97c7021f098167454272767 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 18:33:31 -0500 Subject: [PATCH 08/12] fix(init,conf): correcting reverse watch pt2 This version of `init.sls` should have been in 177f110e and 3f8c6f2c. --- snmp/init.sls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/snmp/init.sls b/snmp/init.sls index 6476772..f47b833 100644 --- a/snmp/init.sls +++ b/snmp/init.sls @@ -5,10 +5,13 @@ snmp: pkg.installed: - name: {{ snmp.pkg }} - service.enabled: + service.running: - name: {{ snmp.service }} + - enable: true - require: - pkg: {{ snmp.pkg }} + +snmp_daemon_start: service.running: - name: {{ snmp.service }} - watch: From 728e370269d8560edb0dc163e5a5d7c07d0ded49 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Thu, 20 Jan 2022 19:02:21 -0500 Subject: [PATCH 09/12] fix(conf.sls): correcting requisite It should be `onchanges`, not `require` as it triggers if step 1 completes with 'unless condition is true' --- snmp/conf.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/snmp/conf.sls b/snmp/conf.sls index eeee06d..25efd8d 100644 --- a/snmp/conf.sls +++ b/snmp/conf.sls @@ -37,13 +37,13 @@ snmpv3 creating {{ user.username }} step 2 of 3: - location: end - content: {{ v3_createUser_string(user) }} - show_changes: False - - require: + - onchanges: - snmpv3 creating {{ user.username }} step 1 of 3 snmpv3 creating {{ user.username }} step 3 of 3: service.running: - name: {{ snmp.service }} - - require: + - onchanges: - snmpv3 creating {{ user.username }} step 2 of 3 {% endfor %} {% endfor %} From 8ba2f52ff9e89662cb660fb3614242eb470b0b11 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Tue, 1 Feb 2022 19:07:32 -0500 Subject: [PATCH 10/12] style(*): correcting to appease the lint masters * pillar.example - corrected to match yamllint guidelines * snmp/conf.sls - exploded into variables to stay below 160 char * snmp/macros.jinja - corrected style issues * config.rb - fixed to snake_cake --- pillar.example | 114 ++++++++++---------- snmp/conf.sls | 9 +- snmp/macros.jinja | 9 +- test/integration/default/controls/config.rb | 6 +- 4 files changed, 74 insertions(+), 64 deletions(-) diff --git a/pillar.example b/pillar.example index 9a184d9..cc79f5f 100644 --- a/pillar.example +++ b/pillar.example @@ -6,7 +6,7 @@ snmp: lookup: snmpdargs: '-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a' trapdargs: '-Lsd -p /var/run/snmptrapd.pid' - trapdrun: 'no' # Single quote wrap to avoid boolean behavior + trapdrun: 'no' # Single quote wrap to avoid boolean behavior conf: ## Config reference: http://www.net-snmp.org/docs/man/snmpd.conf.html @@ -19,8 +19,8 @@ snmp: ### Disk Usage Monitoring ### ################################# # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAS - #disks: - # (path): (min-space-in-kB) + # disks: + # (path): (min-space-in-kB) disks: '/': 1000000 '/nfs/apache': 250000 @@ -29,14 +29,14 @@ snmp: ### VACM Configuration ### ############################## # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL - # `com2sec` : map an SNMPv1 or SNMPv2c community string to a - # security name - either from a particular range of + # `com2sec` : map an SNMPv1 or SNMPv2c community string to a + # security name - either from a particular range of # source addresses, or globally ("default") # (SALT: multiple entries allowed, list syntax) - #com2sec: - # - name: (helpful label) - # source: {hostname|IP+Mask|IP+Subnet} - # community: (community string) + # com2sec: + # - name: (helpful label) + # source: {hostname|IP+Mask|IP+Subnet} + # community: (community string) com2Sec: - name: localSec source: 10.20.30.0/24 @@ -48,10 +48,10 @@ snmp: # `group` : maps a security name (in the specified security model) # into a named group # (SALT: multiple entries allowed, list syntax) - #groups: - # - name: (helpful label) - # version: {v1|v2c|usm|tsm|ksm} - # secname: (any valid `com2Sec` entry defined) + # groups: + # - name: (helpful label) + # version: {v1|v2c|usm|tsm|ksm} + # secname: (any valid `com2Sec` entry defined) groups: - name: ROwers1 version: v1 @@ -64,11 +64,11 @@ snmp: # # `view` : defines a named "view" - a subset of the overall OID tree # (SALT: multiple entries allowed, list syntax) - #views: - # - name: (helpful label) - # type: {included|excluded} - # oid: (oid string) - # mask: (list of hex octets to match against) ## OPTIONAL + # views: + # - name: (helpful label) + # type: {included|excluded} + # oid: (oid string) + # mask: (list of hex octets to match against) ## OPTIONAL views: - name: all type: included @@ -80,21 +80,21 @@ snmp: - name: iso3 type: included oid: '.iso.org.dod.mgmt' - # - # `access` : maps from a group of users/communities (with a particular - # security model and minimum security level, and in a + # + # `access` : maps from a group of users/communities (with a particular + # security model and minimum security level, and in a # specific context) to one of three views, depending on the # request being processed # (SALT: multiple entries allowed, list syntax) - #access: - # - name: (any valid `group` entry defined) - # context: (incoming request context) # can be leftout to assume 'blank' - # match: {any|v1|v2c|usm|tsm|ksm} - # level: {noauth|auth|priv} # v1 & v2c require 'noauth' - # prefix: {exact|prefix} - # read: {all|none} # omitting selects 'none' - # write: {all|none} # omitting selects 'none' - # notify: {all|none} # omitting selects 'none' + # access: + # - name: (any valid `group` entry defined) + # context: (incoming request context) # can be leftout to assume 'blank' + # match: {any|v1|v2c|usm|tsm|ksm} + # level: {noauth|auth|priv} # v1 & v2c require 'noauth' + # prefix: {exact|prefix} + # read: {all|none} # omitting selects 'none' + # write: {all|none} # omitting selects 'none' + # notify: {all|none} # omitting selects 'none' access: - name: ROwers1 match: any @@ -107,31 +107,32 @@ snmp: prefix: exact read: all write: all - + ###################################### ### Traditional Access Control ### ###################################### # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAK ## v1/v2c ## - # rXcommunity - specify an SNMPv1 or SNMPv2c community that will be + # rXcommunity - specify an SNMPv1 or SNMPv2c community that will be # allowed read-only (if `rocommunity`) or be allowed # read-write (if `rwcommunity`) access # (SALT: suffix '6' for ipv6 version of the communities, # such as 'rocommunities6' or 'rwcommunities6') + # (SALT: source, if used, accepts list format or single entry) # SYNTAX WITH SOURCE - #rXcommunities: - # (community string): - # source: {hostname|IP+Mask|IP+Subnet} or [{hostname|IP+Mask|IP+Subnet}, ...] # list format or single entry - rocommunities: - public: - source: [localhost, 192.168.0.0/24, 2001:DB8::1] - rwcommunities: - private: - source: 192.168.1.0/24 - # SYNTAX WITHOUT SOURCE - #rXcommunities: - # - (community string) - # - (another community string) + # rXcommunities: + # (community string): + # source: {hostname|IP+Mask|IP+Subnet} or [{hostname|IP+Mask|IP+Subnet}, ...] + # rocommunities: + # public: + # source: [localhost, 192.168.0.0/24, 2001:DB8::1] + # rwcommunities: + # private: + # source: 192.168.1.0/24 + # SYNTAX WITHOUT SOURCE + # rXcommunities: + # - (community string) + # - (another community string) rocommunities: - monitoring - dontbreakit @@ -142,20 +143,21 @@ snmp: # and the default privproto will be AES, instead of # DES, for the sake of security. # `securitylevel` = 'priv' enforces encryption, in - # addition to auth, which *requires* privpassphrase + # addition to auth, which *requires* privpassphrase # to be defined. - #rXusers: - # - username: (snmpv3 user name) - # authpassphrase: (authentication password) - # privpassphrase: (encryption password) ## optional only if `securitylevel` = 'auth' - # securitylevel: {auth|priv} # omitting selects 'auth' - # authproto: {MD5|SHA} # omitting selects 'SHA' - # privproto: {DES|AES} # omitting selects 'AES' - # view: (any valid `view` entry defined) ## OPTIONAL + # (SALT: `privpassphrase` is optional only if `securitylevel` = 'auth') + # rXusers: + # - username: (snmpv3 user name) + # authpassphrase: (authentication password) + # privpassphrase: (encryption password) + # securitylevel: {auth|priv} # omitting selects 'auth' + # authproto: {MD5|SHA} # omitting selects 'SHA' + # privproto: {DES|AES} # omitting selects 'AES' + # view: (any valid `view` entry defined) ## OPTIONAL rousers: - username: 'someNewUser' authpassphrase: 'tklhgKipJF1nNY' - view: all + view: all rwusers: - username: 'somethingCICD' authpassphrase: 'VPluOBhwmnFB6z' @@ -170,7 +172,7 @@ snmp: # should be acceptable here.) settings: # ref: http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAD - #agentAddress: [:] + # agentAddress: [:] agentAddress: 'udp:161,udp6:[::1]:161' sysServices: 72 master: ['agentx'] diff --git a/snmp/conf.sls b/snmp/conf.sls index 25efd8d..8c01d0b 100644 --- a/snmp/conf.sls +++ b/snmp/conf.sls @@ -22,13 +22,18 @@ snmp_conf: {% if 'persistentconfig' in snmp %} {% for groups in ['rousers', 'rwusers'] %} {% for user in conf.get(groups, []) %} -{% set securitylevel = 'authPriv' if user.get('securitylevel') == 'priv' else 'authNoPriv' %} +{% set seclevel = 'authPriv' if user.get('securitylevel') == 'priv' else 'authNoPriv' %} +{% set uname = user.username %} +{% set authproto = user.get('authproto', 'SHA') %} +{% set authpass = user.authpassphrase %} +{% set privproto = user.get('privproto', 'AES') %} +{% set privpass = '-X ' ~ user.privpassphrase if seclevel == 'authPriv' else '' %} {# if test fails, stop snmpd, add user to persistent config file, restart snmpd #} snmpv3 creating {{ user.username }} step 1 of 3: service.dead: - name: {{ snmp.service }} - unless: - - "snmpget -v3 -l {{ securitylevel }} -u {{ user.username }} -a {{ user.get('authproto', 'SHA') }} -A {{ user.authpassphrase }} -x {{ user.get('privproto', 'AES') }} {% if securitylevel == "authPriv" %}-X {{ user.privpassphrase }}{% endif %} 127.0.0.1 1.3.6.1.2.1.1.5.0 -On" + - "snmpget -v3 -l {{ seclevel }} -u {{ uname }} -a {{ authproto }} -A {{ authpass }} -x {{ privproto }} {{ privpass }} 127.0.0.1 1.3.6.1.2.1.1.5.0 -On" snmpv3 creating {{ user.username }} step 2 of 3: file.line: diff --git a/snmp/macros.jinja b/snmp/macros.jinja index cce1803..e59656e 100644 --- a/snmp/macros.jinja +++ b/snmp/macros.jinja @@ -15,12 +15,15 @@ {%- set source = [source] %} {%- endif %} {%- for src in source -%} -{{ mode }}community {{ community }} {{ src }}{{' -V ' ~ view if view else ''}} +{{ mode~'community' }} {{ community }} {{ src }} {{ ' -V ' ~ view if view else '' }} {% endfor %} {%- endfor -%} -{% endmacro-%} +{% endmacro -%} {%- macro v3_createUser_string(user) -%} {% set seclevel = user.get('securitylevel', 'auth') -%} -createUser {{ user.username }} {{ user.get('authproto', 'SHA') }} {{ user.authpassphrase }} {{ user.get('privproto', 'AES') }} {% if seclevel == "priv" %}{{ user.privpassphrase }}{% else %}{{ user.get('privpassphrase', '') }}{% endif %} + {% set authproto = user.get('authproto', 'SHA') -%} + {% set privproto = user.get('privproto', 'AES') %} + {% set privpass = user.get('privpassphrase', '') %} +createUser {{ user.username }} {{ authproto }} {{ user.authpassphrase }} {{ privproto }} {{ privpass }} {%- endmacro -%} \ No newline at end of file diff --git a/test/integration/default/controls/config.rb b/test/integration/default/controls/config.rb index bde6edd..a2a1b7a 100644 --- a/test/integration/default/controls/config.rb +++ b/test/integration/default/controls/config.rb @@ -11,9 +11,9 @@ else %w[/etc/snmp/snmpd.conf root] end - + # Override for persistent config file - createUser_str = + create_user_str = case platform[:family] when 'debian' 'createUser string will be added to /var/lib/snmp/snmpd.conf' @@ -38,7 +38,7 @@ its('content') { should include 'rwcommunity private 192.168.1.0/24' } its('content') { should include 'rouser myv3user auth -V all' } its('content') do - should include createUser_str + should include create_user_str end end end From 4ca95919ce2e334468d5eb5e784a85123420fe04 Mon Sep 17 00:00:00 2001 From: Beau Date: Fri, 4 Feb 2022 11:47:00 -0500 Subject: [PATCH 11/12] fix(snmp/macros.jinja): apply suggestions Co-authored-by: Imran Iqbal --- snmp/macros.jinja | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/snmp/macros.jinja b/snmp/macros.jinja index e59656e..9a1d64a 100644 --- a/snmp/macros.jinja +++ b/snmp/macros.jinja @@ -20,10 +20,10 @@ {%- endfor -%} {% endmacro -%} -{%- macro v3_createUser_string(user) -%} +{% macro v3_createUser_string(user) -%} {% set seclevel = user.get('securitylevel', 'auth') -%} {% set authproto = user.get('authproto', 'SHA') -%} - {% set privproto = user.get('privproto', 'AES') %} - {% set privpass = user.get('privpassphrase', '') %} + {% set privproto = user.get('privproto', 'AES') -%} + {% set privpass = user.get('privpassphrase', '') -%} createUser {{ user.username }} {{ authproto }} {{ user.authpassphrase }} {{ privproto }} {{ privpass }} -{%- endmacro -%} \ No newline at end of file +{%- endmacro %} \ No newline at end of file From 882ba4630501b387cfb84b065d38610fae2bb772 Mon Sep 17 00:00:00 2001 From: Beau Bilyeu Date: Fri, 18 Mar 2022 13:42:12 -0400 Subject: [PATCH 12/12] test(config.rb): corrected fedora --- test/integration/default/controls/config.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/default/controls/config.rb b/test/integration/default/controls/config.rb index a2a1b7a..e21dc9f 100644 --- a/test/integration/default/controls/config.rb +++ b/test/integration/default/controls/config.rb @@ -17,7 +17,7 @@ case platform[:family] when 'debian' 'createUser string will be added to /var/lib/snmp/snmpd.conf' - when 'redhat' + when 'redhat', 'fedora' 'createUser string will be added to /var/lib/net-snmp/snmpd.conf' else 'createUser myv3user SHA myv3password AES v3privpass'