December 2018

Audit all commands

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

Send to syslog
sed -i 's/active = no/active = yes/g' /etc/audisp/plugins.d/syslog.conf

SNMP versions
There are v1, v2c and v3.
v1 uses a plaintext community string. Its biggest downsides are that it supports only 32-bit counters, not 64-bit counters, and that it has little security.
v2c, like v1, uses a plaintext community string; it adds support for 64-bit counters. SNMPv2c is a sub-version of SNMPv2. Its key advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent resends the Inform.
v3 can be configured with authentication and with encryption of data in transit.

SNMP operations
The commonly used ones are Get, GetNext, Set and Trap.
A community/username-password with ro (read-only) access cannot use the Set operation.
rw (read-write) access can use all operations.

SNMP ports
SNMP uses UDP (IP protocol 17) port 161.
SNMP traps use UDP port 162 (when a system component or configuration changes, the SNMP daemon proactively sends a message to notify the management platform).

SNMP OID structure [image: OID tree, source Paessler AG]

SNMP v1 defines a special TRAP message format, different from other messages (such as GET). http://tools.ietf.org/html/rfc1157#page-27
This message format is no longer used in SNMP v2 and v3. If an SNMP agent sends such TRAP messages for v2 or v3, that can be a bug. Since v2, TRAP uses the common message format (the same as GET and so on), so it is called SNMPv2-Trap-PDU. http://tools.ietf.org/search/rfc3416#page-22 SNMP v3 introduces the security model to all messages, so TRAP gets that update too. It is still based on SNMPv2-Trap-PDU.

Some issues configuring SNMP traps on Debian-family systems
When starting the snmp daemon, the log shows:

  /etc/snmp/snmpd.conf: line 145: Warning: Unknown token: defaultMonitors.
  /etc/snmp/snmpd.conf: line 147: Warning: Unknown token: linkUpDownNotifications.
Edit /etc/default/snmpd:
comment the "export MIBS=" line:
#export MIBS=
remove ",mteTrigger,mteTriggerConf" from the SNMPDOPTS line:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /run/snmpd.pid'
install snmp-mibs-downloader. It will download a bunch of MIBs in its postinst:
sudo apt install snmp-mibs-downloader

Commonly used OIDs on RHEL

Network Interface Statistics
List NIC names: .1.3.6.1.2.1.2.2.1.2
Get Bytes IN: .1.3.6.1.2.1.2.2.1.10
Get Bytes IN for NIC 4: .1.3.6.1.2.1.2.2.1.10.4
Get Bytes OUT: .1.3.6.1.2.1.2.2.1.16
Get Bytes OUT for NIC 4: .1.3.6.1.2.1.2.2.1.16.4
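As an added example (not part of the original notes), this Python snippet parses numeric `snmpwalk -On` output for the three interface OIDs above and computes per-interface byte rates between two walks; the Counter32 wrap-around that the v1/v2c 32-bit counters suffer from (see the SNMP versions section) is handled by reducing the delta modulo 2^32. The two sample walks are constructed, and the OID-to-name map is limited to the OIDs listed here.

```python
import re

# OID prefixes from the interface list above, mapped to their IF-MIB names
OID_NAMES = {".1.3.6.1.2.1.2.2.1.2": "ifDescr",
             ".1.3.6.1.2.1.2.2.1.10": "ifInOctets",
             ".1.3.6.1.2.1.2.2.1.16": "ifOutOctets"}
# One "snmpwalk -On" output line: numeric OID = TYPE: value
LINE_RE = re.compile(r"^(\.[\d.]+)\s*=\s*([\w-]+):\s*(.*)$")

def parse_snmpwalk(text):
    """Turn numeric snmpwalk output into {(mib_name, row_index): value}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, raw = m.groups()
        # longest known prefix wins; the rest of the OID is the row index
        base = max((b for b in OID_NAMES if oid.startswith(b + ".")), key=len, default=None)
        if base is None:
            continue
        value = int(raw) if typ in ("Counter32", "Counter64", "Gauge32", "INTEGER") else raw
        table[(OID_NAMES[base], oid[len(base) + 1:])] = value
    return table

def counter_delta(old, new, bits):
    """Growth between two samples; a Counter32 wraps at 2^32, so reduce modulo 2^bits."""
    return (new - old) % (1 << bits)

def interface_rates(walk_a, walk_b, seconds, bits=32):
    """Bytes/sec in and out per interface between two walks taken `seconds` apart."""
    rates = {}
    for (name, idx), ifname in walk_a.items():
        if name != "ifDescr":
            continue
        rx = counter_delta(walk_a[("ifInOctets", idx)], walk_b[("ifInOctets", idx)], bits)
        tx = counter_delta(walk_a[("ifOutOctets", idx)], walk_b[("ifOutOctets", idx)], bits)
        rates[ifname] = (rx / seconds, tx / seconds)
    return rates

# Constructed sample walk; the second one is taken 10 s later and eth0's
# ifInOctets has wrapped past 2^32 (4294967000 -> 300) in between
WALK_T0 = """\
.1.3.6.1.2.1.2.2.1.2.4 = STRING: eth0
.1.3.6.1.2.1.2.2.1.10.4 = Counter32: 4294967000
.1.3.6.1.2.1.2.2.1.16.4 = Counter32: 500
"""
WALK_T1 = WALK_T0.replace("4294967000", "300").replace(": 500", ": 2500")
```

Without the modulo, the wrapped sample would yield a huge negative rate and a false alarm on the graph; with a v2c/v3 agent, the 64-bit ifHCInOctets counters avoid the wrap on busy links.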

CPU Statistics
Load
1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

CPU times
percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory Statistics
Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

Disk Statistics
Add the following line to snmpd.conf and restart (it makes snmpd monitor all partitions and disks, with 10% as the minimum free-space threshold):
includeAllDisks 10%
Disk OIDs
Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

Look up IANA-assigned enterprise OIDs: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers