VACM configuration
The full flexibility of the VACM, for example allowing access to two or more distinct OID subtrees, or different access requirements for reading and writing, is available using four configuration directives - com2sec
, group
, view
and access
.
The directives essentially define who has access and what they have access to using four directives.
The first two directives (comsec2sec
and group
) define the who, while the last two (view
and access
) define the what.
Com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
Maps an SNMPv1 or SNMPv2c community string to a security name.
As it defines the community and maps it to a security name, rocommunity
/rwcommunity
directives are not required when using the directive.
SECNAME
is the security name to be defined.
SOURCE
is as defined for the rocommunity
/rwcommunity
directives above.
COMMUNITY
defines the community name to be mapped to the security name.
The same community string can be specified in several separate directives with different source tokens, and the first source/community combination that matches the incoming request will be selected.
Various source/community combinations can also map to the same security name.
CONTEXT
if defined (using -Cn
), means that the community string will be mapped to a security name in the named SNMPv3 context.
Otherwise the default context ("") will be used.
Example:
Creating three SNMPv1/v2c community names (private
, public
and ltd
), where private
and ltd
only allow requests from the machine on which the SNMP Agent is running (note lines beginning with a # in snmpd.conf
are treated as comments):
# [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
com2sec “” sec_private localhost private
com2sec sec_public default public
com2sec sec_limited localhost ltd
group GROUP v1 | v2c | usm SECNAME
Maps a security name (in the specified security model) into a named group.
Several group directives can specify the same group name, allowing a single access setting to apply to several users and /or community strings.
Note that groups must be set up for the two community-based models separately - a single com2sec
directive will typically be accompanied by two group
directives.
-
GROUP
is the group name being defined/added to. -
v1
,v2c
, orusm
defines the security model to which the definition relates. -
SECNAME
is the security (USM) user name or security name defined bycom2sec
to be added to the group.
Example:
Creating three groups (grp_private
, grp_public
, grp_limited
) for three USM users (user1
, user2
and user3
) and the three communities shown in the com2sec
example above:
# GROUP v1|v2c|usm SECNAME
group grp_private v1 sec_private
group grp_private v2c sec_private
group grp_private usm user1
group grp_public v1 sec_public
group grp_public v2c sec_public
group grp_public usm user2
group grp_limited v1 sec_limited
group grp_limited v2c sec_limited
group grp_limited usm user3
view VNAME included | excluded OID [MASK]
Defines a named view
- a subset of the overall OID tree.
This is most commonly a single subtree, but several view
directives can be given with the same view name (VNAME
), to build up a more complex collection of OIDs.
An optional mask can also be specified, providing a means of indicating which parts of the OID must be matched.
VNAME
is the view being modified.
included
| excluded
allows you to define whether the view includes or excludes the subtree, allowing the definition of a more complex view (for example, by excluding certain sensitive objects from an otherwise accessible subtree).
MASK
is an optional list of hex octets (separated by '.' or ':') whose bits indicate which OID sub-identifiers to match against.
So for example if we assume we have on OID with 11 sub-identifiers (.1.3.6.1.x.y.z.table.entry.column.1
) where the last four relate to a table, an entry, a column and index 1, specifying a MASK
value of " FF.A0
" (1111111110100000
) maps to this OID as follows:
1.3.6.1.x.y.z.table.entry.column.1
1 1 1 1 1 1 1 1 1 0 1
This mask means all parts of the OID except the column must match, therefore defining a view to any column of the first row of the table.
By including and excluding various aspects of the full OID tree, it is possible to define fine grained visibility within a view’s definition.
Example:
Creating five views where vw_sysContact
only has access to the system.sysContact.0
OID, vw_nCipher
only has access to the MIB, vw_global
has access to the full OID tree, vw_nCipher_stats
only has access to nCipher.nC-series.statistics
and vw_nCipher_admin
only has access to nCipher.nC-series.administration
:
# VNAME included|excluded OID [MASK]
view vw_sysContact excluded .1
view vw_sysContact included system.sysContact.0 FF.80
view vw_nCipher excluded .iso
view vw_nCipher included .1.3.6.1.4.1.7682
view vw_global included .1
view vw_nCipher_stats excluded .1
view vw_nCipher_stats included enterprises.nCipher.nC-series.statistics
view vw_nCipher_admin excluded .1
view vw_nCipher_admin included enterprises.nCipher.nC-series.administration
access GROUP CONTEXT any | v1 | v2c | usm noauth | auth | priv exact | prefix READ WRITE NOTIFY
Maps from a group of users/communities (with a particular security model and minimum security level, and specific context) to one of three views, depending on the request being processed.
GROUP
is a group name defined by the group directive and specifies the group that access is being defined for.
CONTEXT
specifies the context for the access (the default context is the empty string "").
The context of incoming requests must match against the context either exactly or by prefix, as specified by the choice of exact
| prefix
made in this directive.
any
, v1
, v2c
, or usm
define the security model to which this definition relates.
noauth
| auth
| priv
define the security level to which this definition relates.
For v1
or v2c
access, this will need to be noauth
as these protocols do not support authentication.
exact
| prefix
specify how CONTEXT
should be matched against the context of the incoming request, either an exact match to CONTEXT
, or prefixed by CONTEXT
.
READ
, WRITE
and NOTIFY
specifies the view to be used for GET*
, SET
and TRAP
/INFORM
requests (although the NOTIFY
view is not currently used).
The keyword none
is used if there is to be no access for that type of request.
Example:
Specifying that:
-
SNMPv1 requests using the public community only have read access to the enterprises.nCipher.nC-series.statistics subtree,
-
SNMPv2c requests using the public community only have read access to the enterprises.nCipher.nC-series.administration.subtree,
-
SNMPv3 requests using the user2 USM user, must as a minimum be authenticated, and have read, notify access to the nShield MIB (that is, enterprises nCipher)
-
SNMPv3 requests using the user1 USM user, must as a minimum be authenticated and encrypted, and have read, write and notify access to the full OID tree. Note that since requests must be authenticated and encrypted as a minimum, SNMPv1 and v2c requests using the private community cannot be made even though the community is included in grp_private.
-
SNMPv1 and SNMPv2 requests using the ltd community and SNMPv3 requests using the user3 USM user, do not require to be authenticated or encrypted, and have read, write access to the system.sysContact.0 OID.
# GROUP CONTEXT SECMODEL LEVEL PREFIX READ WRITE NOTIFY
access grp_public "" v1 noauth exact vw_nCipher_stats none none
access grp_public "" v2c noauth exact vw_nCipher_admin none none
access grp_public "" usm auth exact vw_nCipher none vw_nCipher
access grp_private "" any priv exact vw_global vw_global vw_global
access grp_limited "" any noauth exact vw_sysContact vw_sysContact none