VACM configuration

The full flexibility of the VACM, for example allowing access to two or more distinct OID subtrees, or different access requirements for reading and writing, is available using four configuration directives - com2sec, group, view and access. The directives essentially define who has access and what they have access to using four directives. The first two directives (comsec2sec and group) define the who, while the last two (view and access) define the what.

Com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY

Maps an SNMPv1 or SNMPv2c community string to a security name. As it defines the community and maps it to a security name, rocommunity/rwcommunity directives are not required when using the directive.

SECNAME is the security name to be defined.

SOURCE is as defined for the rocommunity/rwcommunity directives above.

COMMUNITY defines the community name to be mapped to the security name. The same community string can be specified in several separate directives with different source tokens, and the first source/community combination that matches the incoming request will be selected. Various source/community combinations can also map to the same security name.

CONTEXT if defined (using -Cn), means that the community string will be mapped to a security name in the named SNMPv3 context. Otherwise the default context ("") will be used.

Example:

Creating three SNMPv1/v2c community names (private, public and ltd), where private and ltd only allow requests from the machine on which the SNMP Agent is running (note lines beginning with a # in snmpd.conf are treated as comments):

#         [-Cn CONTEXT] SECNAME     SOURCE    COMMUNITY
com2sec   “”            sec_private localhost private
com2sec                 sec_public  default   public
com2sec                 sec_limited localhost ltd
group GROUP v1 | v2c | usm SECNAME

Maps a security name (in the specified security model) into a named group. Several group directives can specify the same group name, allowing a single access setting to apply to several users and /or community strings. Note that groups must be set up for the two community-based models separately - a single com2sec directive will typically be accompanied by two group directives.

  • GROUP is the group name being defined/added to.

  • v1, v2c, or usm defines the security model to which the definition relates.

  • SECNAME is the security (USM) user name or security name defined by com2sec to be added to the group.

Example:

Creating three groups (grp_private, grp_public, grp_limited) for three USM users (user1, user2 and user3) and the three communities shown in the com2sec example above:

# GROUP v1|v2c|usm SECNAME
group grp_private v1 sec_private
group grp_private v2c sec_private
group grp_private usm user1

group grp_public v1 sec_public
group grp_public v2c sec_public
group grp_public usm user2

group grp_limited v1 sec_limited
group grp_limited v2c sec_limited
group grp_limited usm user3
view VNAME included | excluded OID [MASK]

Defines a named view - a subset of the overall OID tree. This is most commonly a single subtree, but several view directives can be given with the same view name (VNAME), to build up a more complex collection of OIDs. An optional mask can also be specified, providing a means of indicating which parts of the OID must be matched.

VNAME is the view being modified.

included | excluded allows you to define whether the view includes or excludes the subtree, allowing the definition of a more complex view (for example, by excluding certain sensitive objects from an otherwise accessible subtree).

MASK is an optional list of hex octets (separated by '.' or ':') whose bits indicate which OID sub-identifiers to match against. So for example if we assume we have on OID with 11 sub-identifiers (.1.3.6.1.x.y.z.table.entry.column.1) where the last four relate to a table, an entry, a column and index 1, specifying a MASK value of " FF.A0 " (1111111110100000) maps to this OID as follows:

1.3.6.1.x.y.z.table.entry.column.1
1 1 1 1 1 1 1   1     1     0    1

This mask means all parts of the OID except the column must match, therefore defining a view to any column of the first row of the table.

By including and excluding various aspects of the full OID tree, it is possible to define fine grained visibility within a view’s definition.

Example:

Creating five views where vw_sysContact only has access to the system.sysContact.0 OID, vw_nCipher only has access to the MIB, vw_global has access to the full OID tree, vw_nCipher_stats only has access to nCipher.nC-series.statistics and vw_nCipher_admin only has access to nCipher.nC-series.administration:

#     VNAME             included|excluded   OID                                       [MASK]
view  vw_sysContact     excluded            .1
view  vw_sysContact     included            system.sysContact.0                       FF.80

view  vw_nCipher        excluded            .iso
view  vw_nCipher        included            .1.3.6.1.4.1.7682

view  vw_global         included            .1

view  vw_nCipher_stats  excluded            .1
view  vw_nCipher_stats  included            enterprises.nCipher.nC-series.statistics

view  vw_nCipher_admin  excluded            .1
view  vw_nCipher_admin  included            enterprises.nCipher.nC-series.administration
access GROUP CONTEXT any | v1 | v2c | usm noauth | auth | priv exact | prefix READ WRITE NOTIFY

Maps from a group of users/communities (with a particular security model and minimum security level, and specific context) to one of three views, depending on the request being processed.

GROUP is a group name defined by the group directive and specifies the group that access is being defined for.

CONTEXT specifies the context for the access (the default context is the empty string ""). The context of incoming requests must match against the context either exactly or by prefix, as specified by the choice of exact | prefix made in this directive.

any, v1, v2c, or usm define the security model to which this definition relates.

noauth | auth | priv define the security level to which this definition relates. For v1 or v2c access, this will need to be noauth as these protocols do not support authentication.

exact | prefix specify how CONTEXT should be matched against the context of the incoming request, either an exact match to CONTEXT, or prefixed by CONTEXT.

READ, WRITE and NOTIFY specifies the view to be used for GET*, SET and TRAP/INFORM requests (although the NOTIFY view is not currently used). The keyword none is used if there is to be no access for that type of request.

Example:

Specifying that:

  • SNMPv1 requests using the public community only have read access to the enterprises.nCipher.nC-series.statistics subtree,

  • SNMPv2c requests using the public community only have read access to the enterprises.nCipher.nC-series.administration.subtree,

  • SNMPv3 requests using the user2 USM user, must as a minimum be authenticated, and have read, notify access to the nShield MIB (that is, enterprises nCipher)

  • SNMPv3 requests using the user1 USM user, must as a minimum be authenticated and encrypted, and have read, write and notify access to the full OID tree. Note that since requests must be authenticated and encrypted as a minimum, SNMPv1 and v2c requests using the private community cannot be made even though the community is included in grp_private.

  • SNMPv1 and SNMPv2 requests using the ltd community and SNMPv3 requests using the user3 USM user, do not require to be authenticated or encrypted, and have read, write access to the system.sysContact.0 OID.

#      GROUP       CONTEXT  SECMODEL  LEVEL      PREFIX  READ              WRITE     NOTIFY
access grp_public  ""       v1        noauth     exact   vw_nCipher_stats  none      none
access grp_public  ""       v2c       noauth     exact   vw_nCipher_admin  none      none
access grp_public  ""       usm       auth       exact   vw_nCipher        none      vw_nCipher
access grp_private ""       any       priv       exact   vw_global         vw_global                                                                                              vw_global
access grp_limited ""       any       noauth     exact   vw_sysContact     vw_sysContact                                                                                          none