Configuring the snmpd service in the operating system

23 May 2024

ID 222969

Interaction with KSMG over SNMP is achieved using the 'snmpd' service of the operating system. The snmpd service acts as a master agent, receiving and processing requests from monitoring systems and other external consumers over SNMP. KSMG connects to the snmpd service as a subagent over the AgentX protocol through a UNIX socket.

Creating a user account for access to the data

Before creating the account, stop the snmpd service.

To ensure the security of access to the data over SNMPv3 with authentication and encryption, you need to create a user account on the snmpd service side with the following information:

  • User name (case sensitive)
  • Authentication algorithm (MD5 or SHA, SHA is recommended)
  • Authentication password
  • Encryption algorithm (DES or AES, AES is recommended)
  • Encryption password

For security purposes, we recommend using an independent user account on each node of the KSMG cluster.

You can create an account using the net-snmp-create-v3-user utility.

To create a user account using the net-snmp-create-v3-user utility:

  1. Connect to the cluster node over SSH to gain access to the Technical Support Mode.
  2. Run the following command:

    net-snmp-create-v3-user -ro -a <snmp_auth_algo> -x <snmp_priv_algo> <snmp_username>

Authentication and encryption passwords are requested interactively.

Example:

net-snmp-create-v3-user -ro -a SHA -x AES MonitoringUser

Creating a user account for receiving SNMP traps

To receive SNMP traps over SNMPv3 with authentication and encryption, you need to create an account on the side of the monitoring system in the context of the corresponding service (usually the snmptrapd service).

The account must contain the following information:

  • User name
  • Authentication algorithm
  • Authentication password
  • Encryption algorithm
  • Encryption password

For security purposes, you must use separate user accounts for access to data and for receiving SNMP traps.
We recommend creating independent user accounts for receiving SNMP traps from each node of the KSMG cluster.

For instructions on creating a user account for receiving SNMP traps, refer to the documentation of your monitoring system.

Configuring the snmpd service

The configuration of the snmpd service is stored in the /etc/snmp/snmpd.conf file. You must create a new configuration file and add to it the following lines in the given order.

To configure the snmpd service:

  1. Connect to the cluster node over SSH to gain access to the Technical Support Mode.
  2. Create a new configuration file and set access permissions for it:

    mv -f /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
    touch /etc/snmp/snmpd.conf
    chown root:root /etc/snmp/snmpd.conf
    chmod 600 /etc/snmp/snmpd.conf

  3. Specify the protocol, network interface address, and port number on which the snmpd service must listen for incoming requests.
    • If you want to listen for requests on all network interfaces, add the following lines to the configuration file:

      # Listen for incoming SNMP requests via UDP
      agentAddress udp:161

    • If you want to listen for requests only on the local network interface, for example, if the monitoring system is installed on the same machine, add the following lines:

      # Listen for incoming SNMP requests via UDP
      agentAddress udp:127.0.0.1:161

  4. Specify the path and permissions for the UNIX socket on which the snmpd service must listen for subagent connections over the AgentX protocol. To do so, add the following lines to the configuration file:

    # Listen for subagent connections via UNIX socket
    master agentx
    agentXSocket unix:/var/run/agentx-master.socket
    agentXPerms 770 770 kluser klusers

  5. If necessary, you can provide a system description, location of the system, and the contact address of the administrator. To do so, add the following lines to the configuration file:

    # Basic system information
    sysDescr <system_description>
    sysLocation <system_location>
    sysContact <contact_address>
    sysServices 72

  6. Specify the scope of the OID tree that you want to be available to your monitoring system via the SNMP protocol. To have access to KSMG data, add the following lines to the configuration file:

    # Kaspersky Secure Mail Gateway SNMP statistics
    view monitoring included .1.3.6.1.4.1.23668.1735

  7. You can additionally specify the scope of the OID tree containing information about the operating system that is stored by the snmpd service. This scope will be available to your monitoring system.

    Information about the operating system includes, for example, CPU and RAM usage, free space on disk partitions, and the load of network interfaces; a list of installed software; a list of open network connections; and a list of running processes. Part of this information may be confidential.

    • If you want to allow access only to general system information and information about the usage of RAM, CPU, and disk devices, add the following lines to the configuration file:

      # SNMPv2-MIB - Basic system information
      view monitoring included .1.3.6.1.2.1.1
      # HOST-RESOURCES-MIB - CPU, Memory, Filesystems
      view monitoring included .1.3.6.1.2.1.25.1
      view monitoring included .1.3.6.1.2.1.25.2
      view monitoring included .1.3.6.1.2.1.25.3
      view monitoring included .1.3.6.1.2.1.25.5
      # UCD-SNMP-MIB - Memory and CPU usage
      view monitoring included .1.3.6.1.4.1.2021.4
      view monitoring included .1.3.6.1.4.1.2021.10
      view monitoring included .1.3.6.1.4.1.2021.11
      # UCD-SNMP-DISKIO-MIB - Block devices I/O statistics
      view monitoring included .1.3.6.1.4.1.2021.13
      # IF-MIB - Network interfaces I/O statistics
      view monitoring included .1.3.6.1.2.1.2
      view monitoring included .1.3.6.1.2.1.31

    • If you want to allow access to all system information, add the following lines to the configuration file:

      # Allow access to the whole OID tree
      view monitoring included .1

  8. Specify the access mode and scope of information for the created user account. To do so, add the following lines to the configuration file:

    # Access control for SNMPv3 monitoring system user
    rouser <snmp_username> priv -V monitoring

  9. To send SNMP traps, specify the IP address of the monitoring system and user credentials for receiving traps. To do so, add the following lines to the configuration file:

    # Send SNMPv3 traps to the monitoring system
    trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u <trap_username> -a <trap_auth_algo> -A "<trap_auth_pass>" -x <trap_priv_algo> -X "<trap_priv_pass>" udp:<IP_address>:162

The snmpd service will be configured.

To integrate with multiple monitoring systems, create a separate user account for each system, specify the scope of available information for each user account (the 'view' and 'rouser' directives) and configure the sending of SNMP traps (the 'trapsess' directive).

Example of an snmpd service configuration file:

# Listen for incoming SNMP requests via UDP
agentAddress udp:161

# Listen for subagent connections via UNIX socket
master agentx
agentXSocket unix:/var/run/agentx-master.socket
agentXPerms 770 770 kluser klusers

# Basic system information
sysDescr Example Mail Gateway Server, Node 05
sysLocation Example Datacenter, Ground floor, B23-U45
sysContact Mail system administrator <admin@example.com>
sysServices 72

# Kaspersky Secure Mail Gateway SNMP statistics
view monitoring included .1.3.6.1.4.1.23668.1735

# SNMPv2-MIB - Basic system information
view monitoring included .1.3.6.1.2.1.1
# HOST-RESOURCES-MIB - CPU, Memory, Filesystems
view monitoring included .1.3.6.1.2.1.25.1
view monitoring included .1.3.6.1.2.1.25.2
view monitoring included .1.3.6.1.2.1.25.3
view monitoring included .1.3.6.1.2.1.25.5
# UCD-SNMP-MIB - Memory and CPU usage
view monitoring included .1.3.6.1.4.1.2021.4
view monitoring included .1.3.6.1.4.1.2021.10
view monitoring included .1.3.6.1.4.1.2021.11
# UCD-SNMP-DISKIO-MIB - Block devices I/O statistics
view monitoring included .1.3.6.1.4.1.2021.13
# IF-MIB - Network interfaces I/O statistics
view monitoring included .1.3.6.1.2.1.2
view monitoring included .1.3.6.1.2.1.31

# Access control for SNMPv3 monitoring system user
rouser MonitoringUser priv -V monitoring

# Send SNMPv3 traps to the monitoring system
trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u TrapUser -a SHA -A "TrapAuthSecret" -x AES -X "TrapPrivSecret" udp:10.16.32.64:162
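
The following check is an added example, not part of the original documentation: a shell function that reads a finished snmpd.conf and flags settings weaker than the ones recommended above (file mode, the priv level on rouser, a view covering the whole OID tree, traps sent without authPriv). The function name and finding labels are hypothetical, the community-string directives it looks for (rocommunity, rwcommunity, com2sec) are net-snmp directives not mentioned on this page, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf against the settings recommended above.
# Prints one finding per line and returns 1 if anything is flagged, 0 otherwise.
audit_snmpd_conf() {
    conf=$1
    findings=$(
        # trapsess stores passwords in clear text, so group/other must have no access.
        perms=$(ls -ld "$conf" | cut -c5-10)
        [ "$perms" = "------" ] || echo "PERMS $conf is accessible to group/other ($perms)"
        awk '
            NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
            # Community strings mean SNMPv1/v2c: no authentication, no encryption.
            $1 ~ /^(rocommunity6?|rwcommunity6?|com2sec6?)$/ {
                print "V1V2C line " NR ": " $1 " enables community-string access" }
            # "rouser <name> priv ..." is the form used on this page.
            $1 ~ /^r[ow]user$/ && $3 != "priv" {
                print "NOPRIV line " NR ": user " $2 " may query without encryption" }
            $1 == "view" && $3 == "included" && $4 ~ /^\.?1$/ {
                print "WIDEVIEW line " NR ": view " $2 " exposes the whole OID tree" }
            $1 == "trapsess" && $0 !~ /-l[ \t]*authPriv/ {
                print "TRAPSEC line " NR ": traps are not sent with authPriv" }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample with deliberately weak settings, for demonstration only.
sample=$(mktemp)
chmod 644 "$sample"
cat > "$sample" <<'EOF'
agentAddress udp:161
rocommunity public
view monitoring included .1
rouser MonitoringUser auth -V monitoring
trapsess -Ci -v3 -l authNoPriv -u TrapUser -a SHA -A "ConstructedSecret" udp:192.0.2.10:162
EOF
audit_snmpd_conf "$sample" || true
rm -f "$sample"
```

To audit a node, call `audit_snmpd_conf /etc/snmp/snmpd.conf` as root after completing step 9.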

Starting the snmpd service with the new configuration

To apply the new configuration:

  1. Restart the snmpd service:

    systemctl restart snmpd

  2. Check the status of the snmpd service:

    systemctl status snmpd

    The status must be running.

  3. Allow the service to start automatically at operating system startup:

    systemctl enable snmpd

  4. If you are using a firewall in your operating system or network equipment, add rules to let SNMP packets through.

The snmpd service is configured.

Checking the health of the snmpd service

To test the snmpd service, configure the use of SNMP in the KSMG web interface and request SNMP data using the 'snmpwalk' utility.

To get the scopes of SNMP data provided by KSMG:

snmpwalk -v3 -l authPriv -u <snmp_username> -a <snmp_auth_algo> -A "<snmp_auth_pass>" -x <snmp_priv_algo> -X "<snmp_priv_pass>" <IP address> .1.3.6.1.4.1.23668.1735

Example:

snmpwalk -v3 -l authPriv -u MonitoringUser -a SHA -A "MonitoringAuthSecret" -x AES -X "MonitoringPrivSecret" 127.0.0.1 .1.3.6.1.4.1.23668.1735
