Cover V10, I07


jul2001.tar


What Have We Sacrificed

A colleague expressed some concern about my hardening of the SNMP service:

"Without tons of experimentation, we don't know if what you did locks down too tight, and for a large company using a vendorware SNMP management station, you might have broken monitoring in favor of hardening." -- Patrick Matlock, 10/10/2000.

Patrick suggested that we explore the SNMP service with the tool snmpwalk(1) to see what variables are available before hardening and what remains after hardening. That tool is part of the UCD-SNMP suite (from UC Davis), which we have installed on some systems. You won't find any vendor-provided tools on Solaris to query the service unless you've installed some value-added packages. Here's an example of how you can use it to find out about "system" values:

[1:38pm wally] snmpwalk dilbert public system
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (619954285) 71 days, 18:05:42.85
system.sysContact.0 = dilbert@ist.uwaterloo.ca
system.sysName.0 = dilbert
system.sysLocation.0 = Machine Room, UW/IST, MC
system.sysServices.0 = 72
The arguments to the command are the system to query (e.g., "dilbert" is a host name), the community string (e.g., "public" and "private" are the well-known vendor defaults, and the first thing anyone probing UDP port 161 will try, so replacing them belongs in the hardening), and an optional objectId naming the part of the tree you want to walk. The names that come back all begin with one of the MIB-II groups the agent implements: at, icmp, interfaces, ip, snmp, system, tcp, and udp. We discovered, and this came as quite a surprise to me, that we had not lost any SNMP values through hardening. Here's how we determined this:

[1:39pm wally] snmpwalk system-a public | \
        sed -e 's/[0-9.]* =.*//' | sort -fu > /tmp/system-a
[1:40pm wally] snmpwalk system-b public | \
        sed -e 's/[0-9.]* =.*//' | sort -fu > /tmp/system-b
[1:40pm wally] diff /tmp/system-a /tmp/system-b
The sed expression strips the instance suffix (".0", ".1", ...) and the value, leaving only the variable name, so the two files hold the set of names each agent exposes rather than values that differ from host to host anyway. If system-a has the vendor-configured service and system-b has the hardened service (as above, but also configured to let wally act as a "manager" for the system), then each of them returns the same 150 variable names. I'm confident that we've not sacrificed any data by hardening. The list returned for the "private" community is small (7 items), and again it is no different pre- or post-hardening.
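The comparison above, written out as a script so it can be repeated after every hardening change. This is an added example, not code from the article: the snmpwalk output is constructed sample data (walk_vendor and walk_hardened are hypothetical stand-ins for "snmpwalk host community"), and the hardened sample deliberately omits the ip group so that the comparison has something to report. The normalisation is the article's own sed and sort pipeline; the script goes one step further and reports names that were lost and names that unexpectedly appeared.

```sh
#!/bin/sh
# Added example (not from the article): compare the variable names two SNMP
# agents expose, using the article's sed/sort normalisation, and report what
# a hardened agent no longer returns. walk_vendor and walk_hardened below are
# constructed sample data standing in for "snmpwalk host community".
set -e

# Reduce snmpwalk output to bare variable names: drop the instance suffix
# (".0", ".1", ...) and everything from " = " on, then sort case-folded and
# unique. Table rows such as ifIndex.1 and ifIndex.2 collapse to one name.
varnames() {
    sed -e 's/[0-9.]* =.*//' | sort -fu
}

# Constructed stand-in for "snmpwalk system-a public" (vendor-configured agent).
walk_vendor() {
    cat <<'EOF'
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (619954285) 71 days, 18:05:42.85
system.sysContact.0 = dilbert@ist.uwaterloo.ca
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
ip.ipForwarding.0 = not-forwarding(2)
EOF
}

# Constructed stand-in for the hardened agent (assumed, for the sake of the
# example, to have lost the ip group; values such as sysUpTime differ and
# must not count as a difference).
walk_hardened() {
    cat <<'EOF'
system.sysDescr.0 = Sun SNMP Agent, SPARCstation-20
system.sysObjectID.0 = OID: enterprises.42.2.1.1
system.sysUpTime.0 = Timeticks: (12345) 0:02:03.45
system.sysContact.0 = dilbert@ist.uwaterloo.ca
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
EOF
}

# Number of distinct variable names a walk exposes.
count_vars() {
    "$1" | varnames | wc -l | tr -d ' '
}

# Names present in walk $1 but absent from walk $2: the data sacrificed.
# Empty output means nothing was lost. mktemp avoids predictable /tmp names.
lost_vars() {
    a=$(mktemp) && b=$(mktemp)
    "$1" | varnames > "$a"
    "$2" | varnames > "$b"
    diff "$a" "$b" | sed -n 's/^< //p'
    rm -f "$a" "$b"
}

# Names walk $2 exposes that walk $1 did not: unexpected additions.
new_vars() {
    lost_vars "$2" "$1"
}

# Stand-alone run: summarise what hardening removed.
echo "vendor exposes $(count_vars walk_vendor) names, hardened exposes $(count_vars walk_hardened)"
echo "lost by hardening:"
lost_vars walk_vendor walk_hardened
```

Because the sed expression removes the instance index, a table that shrinks (say, an interface that is no longer reported) does not show up as a lost name; to catch that, drop the leading "[0-9.]*" from the expression and compare full instance names instead, accepting that hosts with different interface counts will then differ for harmless reasons.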

The CERT Advisory CA-2001-05 at http://www.cert.org/advisories/CA-2001-05.html of March 30, 2001 identified a serious vulnerability in the snmpXdmid RPC daemon. The hardening strategy recommended here does not require that service. We discovered that we didn't need the service and removed it long before the advisory was ever released. It's always a good idea to remove services you don't need: doing so means you won't be caught by a vulnerability that's discovered later.