SNMPVACM(1)                        Net-SNMP                        SNMPVACM(1)


NAME
       snmpvacm - creates and maintains SNMPv3 View-based Access Control
       entries on a network entity


SYNOPSIS
       snmpvacm [COMMON OPTIONS] createSec2Group MODEL SECURITYNAME GROUPNAME
       snmpvacm [COMMON OPTIONS] deleteSec2Group MODEL SECURITYNAME
       snmpvacm [COMMON OPTIONS] createView [-Ce] NAME SUBTREE MASK
       snmpvacm [COMMON OPTIONS] deleteView NAME SUBTREE
       snmpvacm [COMMON OPTIONS] createAccess GROUPNAME [CONTEXTPREFIX] MODEL
              LEVEL CONTEXTMATCH READVIEW WRITEVIEW NOTIFYVIEW
       snmpvacm [COMMON OPTIONS] deleteAccess GROUPNAME [CONTEXTPREFIX] MODEL
              LEVEL
       snmpvacm [COMMON OPTIONS] createAuth GROUPNAME [CONTEXTPREFIX] MODEL
              LEVEL AUTHTYPE CONTEXTMATCH VIEW
       snmpvacm [COMMON OPTIONS] deleteAuth GROUPNAME [CONTEXTPREFIX] MODEL
              LEVEL AUTHTYPE


DESCRIPTION
       snmpvacm is an SNMP application that can be used to do simple
       maintenance on the View-based Access Control Model (VACM) tables of an
       SNMP agent.  The SNMPv3 VACM specification (see RFC 2575) defines
       assorted tables to specify groups of users, MIB views, and authorised
       access settings.  These snmpvacm commands effectively create or delete
       rows in the appropriate one of these tables, and match the equivalent
       configuration directives documented in the snmpd.conf(5) man page.

       A fuller explanation of how these operate can be found in the project
       FAQ.


SUB-COMMANDS
   createSec2Group MODEL SECURITYNAME GROUPNAME
       Create an entry in the SNMPv3 security name to group table.  This table
       allows a single access control entry to be applied to a number of users
       (or 'principals'), and is indexed by the security model and security
       name values.

       MODEL
              An integer representing the security model, taking one of the
              following values:
              1 - reserved for SNMPv1
              2 - reserved for SNMPv2c
              3 - User-based Security Model (USM)

       SECURITYNAME
              A string representing the security name for a principal
              (represented in a security-model-independent format).  For
              USM-based requests, the security name is the same as the
              username.

       GROUPNAME
              A string identifying the group that this entry (i.e. security
              name/model pair) should belong to.  This group name will then be
              referenced in the access table (see createAccess below).

   deleteSec2Group MODEL SECURITYNAME
       Delete an entry from the SNMPv3 security name to group table, thus
       removing access control settings for the given principal.  The entry to
       be removed is indexed by the MODEL and SECURITYNAME values, which
       should match those used in the corresponding createSec2Group command
       (or equivalent).

   createView [-Ce] NAME SUBTREE MASK
       Create an entry in the SNMPv3 MIB view table.  A MIB view consists of a
       family of view subtrees which may be individually included in or
       (occasionally) excluded from the view.  Each view subtree is defined by
       a combination of an OID subtree together with a bit string mask.  The
       view table is indexed by the view name and subtree OID values.

       [-Ce]
              An optional flag to indicate that this view subtree should be
              excluded from the named view.  If not specified, the default is
              to include the subtree in the view.  When constructing a view
              from a mixture of included and excluded subtrees, the excluded
              subtrees should be defined first - particularly if the named
              view is already referenced in one or more access entries.

       NAME
              A string identifying a particular MIB view, of which this OID
              subtree/mask forms part (possibly the only part).

       SUBTREE
              The OID defining the root of the subtree to add to (or exclude
              from) the named view.

       MASK
              A bit mask indicating which sub-identifiers of the associated
              subtree OID should be regarded as significant.

   deleteView NAME SUBTREE
       Delete an entry from the SNMPv3 view table, thus removing the subtree
       from the given MIB view.  Removing the final (or only) subtree will
       result in the deletion of the view.  The entry to be removed is indexed
       by the NAME and SUBTREE values, which should match those used in the
       corresponding createView command (or equivalent).

       When removing subtrees from a mixed view (i.e. containing both included
       and excluded subtrees), the included subtrees should be removed first.

   createAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL CONTEXTMATCH READVIEW
   WRITEVIEW NOTIFYVIEW
       Create an entry in the SNMPv3 access table, thus allowing a certain
       level of access to particular MIB views for the principals in the
       specified group (given suitable security model and levels in the
       request).  The access table is indexed by the group name, context
       prefix, security model and security level values.

       GROUPNAME
              The name of the group that this access entry applies to (as set
              up by a createSec2Group command, or equivalent).

       CONTEXTPREFIX
              A string representing a context name (or collection of context
              names) which this access entry applies to.  The interpretation
              of this string depends on the value of the CONTEXTMATCH field
              (see below).

              If omitted, this will default to the null context "".

       MODEL
              An integer representing the security model, taking one of the
              following values:
              1 - reserved for SNMPv1
              2 - reserved for SNMPv2c
              3 - User-based Security Model (USM)

       LEVEL
              An integer representing the minimal security level, taking one
              of the following values:
              1 - noAuthNoPriv
              2 - authNoPriv
              3 - authPriv

              This access entry will be applied to requests of this level or
              higher (where authPriv is higher than authNoPriv, which is in
              turn higher than noAuthNoPriv).

       CONTEXTMATCH
              Indicates how to interpret the CONTEXTPREFIX value.  If this
              field has the value '1' (representing 'exact') then the context
              name of a request must match the CONTEXTPREFIX value exactly for
              this access entry to be applicable to that request.

              If this field has the value '2' (representing 'prefix') then the
              initial substring of the context name of a request must match
              the CONTEXTPREFIX value for this access entry to be applicable
              to that request.  This provides a simple form of wildcarding.

       READVIEW
              The name of the MIB view (as set up by createView or equivalent)
              defining the MIB objects for which this request may request the
              current values.

              If there is no view with this name, then read access is not
              granted.

       WRITEVIEW
              The name of the MIB view (as set up by createView or equivalent)
              defining the MIB objects for which this request may potentially
              SET new values.

              If there is no view with this name, then write access is not
              granted.

       NOTIFYVIEW
              The name of the MIB view (as set up by createView or equivalent)
              defining the MIB objects which may be included in a notification
              request.

              Note that this aspect of access control is not currently
              supported.

   deleteAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL
       Delete an entry from the SNMPv3 access table, thus removing the
       specified access control settings.  The entry to be removed is indexed
       by the group name, context prefix, security model and security level
       values, which should match those used in the corresponding
       createAccess command (or equivalent).

   createAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE CONTEXTMATCH VIEW
       Create an entry in the Net-SNMP extension to the standard access table,
       thus allowing a certain type of access to the MIB view for the
       principals in the specified group.  The interpretation of GROUPNAME,
       CONTEXTPREFIX, MODEL, LEVEL and CONTEXTMATCH is the same as for the
       createAccess directive.  The extension access table is indexed by the
       group name, context prefix, security model, security level and authtype
       values.

       AUTHTYPE
              The style of access that this entry should be applied to.  See
              snmpd.conf(5) and snmptrapd.conf(5) for details of valid tokens.

       VIEW
              The name of the MIB view (as set up by createView or equivalent)
              defining the MIB objects for which this style of access is
              authorized.

   deleteAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE
       Delete an entry from the extension access table, thus removing the
       specified access control settings.  The entry to be removed is indexed
       by the group name, context prefix, security model, security level and
       authtype values, which should match those used in the corresponding
       createAuth command (or equivalent).


EXAMPLES
       Given a pre-existing user dave (which could be set up using the
       snmpusm(1) command), we could configure full read-write access to the
       whole OID tree using the commands:

              snmpvacm localhost createSec2Group 3 dave RWGroup

              snmpvacm localhost createView   all .1 80

              snmpvacm localhost createAccess  RWGroup 3 1 1 all all none

       This creates a new security group named "RWGroup" containing the SNMPv3
       user "dave", a new view "all" containing the full OID tree based on
       .iso(1), and then allows those users in the group "RWGroup" (i.e.
       "dave") both read- and write-access to the view "all" (i.e. the full
       OID tree) when using authenticated SNMPv3 requests.

       As a second example, we could set up read-only access to a portion of
       the OID tree using the commands:

              snmpvacm localhost createSec2Group 3 wes ROGroup

              snmpvacm localhost createView   sysView  system fe

              snmpvacm localhost createAccess  ROGroup 3 0 1 sysView none none

       This creates a new security group named "ROGroup" containing the
       (pre-existing) user "wes", a new view "sysView" containing just the OID
       tree based on .iso(1).org(3).dod(6).inet(1).mgmt(2).mib-2(1).system(1),
       and then allows those users in the group "ROGroup" (i.e. "wes") read-
       access, but not write-access, to the view "sysView" (i.e. the system
       group).
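       The following Python program is an added illustration; it is not part
       of this man page and not Net-SNMP code.  It models the lookup that the
       three tables above feed: the security name to group table
       (createSec2Group), the access table with its LEVEL ordering and
       CONTEXTMATCH exact/prefix rules (createAccess), and the view table with
       SUBTREE/MASK matching and -Ce exclusion (createView), following the
       entry selection rules of RFC 2575.  Its configuration is constructed to
       mirror the two examples above, with two assumptions of its own: ROGroup
       is given LEVEL 1 (noAuthNoPriv, the lowest value listed under
       createAccess), and a third view "sysNoLoc" is added that excludes
       sysLocation from the system group to show an excluded subtree at work.
       make_mask() shows how the MASK values 80 and fe used above are derived.
       All function and variable names are this example's own.

```python
"""Constructed model of the VACM lookup that snmpvacm configures (not Net-SNMP code)."""
from collections import namedtuple

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # createAccess LEVEL values
EXACT, PREFIX = 1, 2                                 # createAccess CONTEXTMATCH values

ViewEntry = namedtuple("ViewEntry", "subtree mask included")   # included=False for -Ce
AccessEntry = namedtuple("AccessEntry", "group context_prefix model level "
                         "context_match read_view write_view notify_view")


def parse_oid(text):
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)."""
    return tuple(int(x) for x in text.strip(".").split("."))


def make_mask(n_subids, wildcard=frozenset()):
    """Hex MASK for createView: one bit per sub-identifier (MSB first), 0 where
    that position is wildcarded, padded with 0 bits to a whole byte."""
    bits = "".join("0" if i in wildcard else "1" for i in range(n_subids))
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).hex()


def mask_bit(mask, i):
    """Mask bit for sub-identifier i (0-based); bits past the mask's end count as 1."""
    return 1 if i >= len(mask) * 8 else (mask[i // 8] >> (7 - i % 8)) & 1


def subtree_matches(subtree, mask, oid):
    """True if oid lies under subtree, ignoring positions whose mask bit is 0."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or oid[i] == subtree[i] for i in range(len(subtree)))


def oid_in_view(views, name, oid):
    """RFC 2575 view check: the longest matching subtree decides (ties broken by the
    lexicographically greatest subtree).  A view name that does not exist, such as
    "none" in the examples, grants nothing."""
    matches = [e for e in views.get(name, []) if subtree_matches(e.subtree, e.mask, oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.subtree), e.subtree)).included


def select_access(access, group, model, level, context):
    """Candidates must match group and model, have LEVEL <= the request's level and
    match the context exactly (1) or as a prefix (2).  Prefer an exact context
    match, then the longer prefix, then the higher security level."""
    candidates = []
    for e in access:
        if e.group != group or e.model != model or e.level > level:
            continue
        if e.context_match == EXACT and context != e.context_prefix:
            continue
        if e.context_match == PREFIX and not context.startswith(e.context_prefix):
            continue
        candidates.append(e)
    if not candidates:
        return None
    return max(candidates, key=lambda e: (e.context_match == EXACT, len(e.context_prefix), e.level))


def is_allowed(cfg, model, secname, level, context, oid_text, op):
    """Full decision for op in {'read', 'write', 'notify'}: principal -> group -> access -> view."""
    group = cfg["sec2group"].get((model, secname))
    if group is None:
        return False
    entry = select_access(cfg["access"], group, model, level, context)
    if entry is None:
        return False
    view = {"read": entry.read_view, "write": entry.write_view, "notify": entry.notify_view}[op]
    return oid_in_view(cfg["views"], view, parse_oid(oid_text))


# Constructed configuration mirroring the page's two examples (ROGroup at LEVEL 1
# here), plus an extra view "sysNoLoc" that excludes sysLocation from system.
SYSTEM = ".1.3.6.1.2.1.1"
CONFIG = {
    "sec2group": {(3, "dave"): "RWGroup", (3, "wes"): "ROGroup"},
    "views": {
        "all": [ViewEntry(parse_oid(".1"), bytes.fromhex(make_mask(1)), True)],          # MASK 80
        "sysView": [ViewEntry(parse_oid(SYSTEM), bytes.fromhex(make_mask(7)), True)],   # MASK fe
        "sysNoLoc": [ViewEntry(parse_oid(SYSTEM + ".6"), bytes.fromhex("ff"), False),   # -Ce first
                     ViewEntry(parse_oid(SYSTEM), bytes.fromhex("fe"), True)],
    },
    "access": [
        AccessEntry("RWGroup", "", 3, NO_AUTH_NO_PRIV, EXACT, "all", "all", "none"),
        AccessEntry("ROGroup", "", 3, NO_AUTH_NO_PRIV, EXACT, "sysView", "none", "none"),
    ],
}

if __name__ == "__main__":
    for user, op in [("dave", "write"), ("wes", "read"), ("wes", "write")]:
        print(user, op, SYSTEM + ".1.0", is_allowed(CONFIG, 3, user, AUTH_PRIV, "", SYSTEM + ".1.0", op))
```

       Running the program shows dave allowed to write sysDescr.0 through
       view "all", and wes allowed to read but not write it, because the
       WRITEVIEW "none" names no existing view.  The select_access() ordering
       is what makes a LEVEL 1 entry apply to authPriv requests, as the
       LEVEL description above states.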

EXIT STATUS
       The following exit values are returned:

       0 - Successful completion

       1 - A usage syntax error (which displays a suitable usage message) or a
       request timeout.

       2 - An error occurred while executing the command (which also displays
       a suitable error message).


LIMITATIONS
       This utility does not support the configuration of new community
       strings, so is only of use for setting up new access control for SNMPv3
       requests.  It can be used to amend the access settings for existing
       community strings, but not to set up new ones.

       The use of numeric values for the secLevel and contextMatch parameters
       is less than intuitive.  These commands do not provide the full
       flexibility of the equivalent config file directives.

       There is (currently) no equivalent to the one-shot configure directives
       rouser and rwuser.


SEE ALSO
       snmpcmd(1), snmpusm(1), snmpd.conf(5), snmp.conf(5), RFC 2575, Net-SNMP
       project FAQ



4th Berkeley Distribution         30 May 2003                      SNMPVACM(1)