DVM Modifications (SNMP & accepting SSL)

One of the many advantages of the DefenseStorm GRID is the level of customization available. Two of those options are:

  • Enabling the DVM to accept Syslog over SSL (TLS)
  • Setting up the DVM to receive SNMP traps

Enabling DVM to accept Syslog over SSL

For advanced users that need to enable Syslog over SSL on their DVM, the following instructions are provided. It is recommended that you contact DefenseStorm so we can work with you to enable this configuration.

In outline: generate a self-signed certificate, place it and its private key under /etc/syslog-ng, and add a TLS source definition in /etc/syslog-ng/conf.d/ssl.conf.

Follow these steps to generate a certificate and put it in the correct place. The commands are run as root on the DVM. The openssl command prompts for the subject fields (use the name that log sources will connect to as the Common Name); because -nodes is given and no -keyout, it writes the unencrypted private key to privkey.pem in the current directory, which is why the key is then moved into key.d:

# cd /etc/syslog-ng
# mkdir cert.d
# mkdir key.d
# mkdir ca.d
# cd cert.d
# openssl req -new -x509 -out cacert.pem -days 1095 -nodes
# mv privkey.pem ../key.d
# ufw allow 6514/tcp

Restrict key.d/privkey.pem so that only root can read it (mode 600): anyone who can read the key can impersonate the DVM to its log sources.


Create a file called /etc/syslog-ng/conf.d/ssl.conf and put the following configuration into it. The r_praesidio rewrite, the f_N filters and the d_praesidiosqs_N destinations are defined elsewhere in the DVM's syslog-ng configuration and are referenced here as-is:

@version: 3.5

# Automatically generated by Praesidio on 2014-12-17T17:01:32Z

# Basic source definition for syslog compliant systems.
# Newline-delimited BSD syslog over TLS on port 6514. The self-signed cacert.pem
# serves as both the server certificate and the CA that log sources must trust.
source s_net_ssl {
    tcp(
        ip(0.0.0.0) port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/privkey.pem")
            cert_file("/etc/syslog-ng/cert.d/cacert.pem")
            # optional-untrusted: client certificates are neither required nor
            # checked, so TLS does not authenticate the sender here.
            peer_verify(optional-untrusted)
        )
    );
};

log {
    source(s_net_ssl);
    rewrite(r_praesidio);
    log { filter(f_0); destination(d_praesidiosqs_0); };
    log { filter(f_1); destination(d_praesidiosqs_1); };
    log { filter(f_2); destination(d_praesidiosqs_2); };
    log { filter(f_3); destination(d_praesidiosqs_3); };
    flags("flow_control");
};

With peer_verify(optional-untrusted) the TLS session protects the log stream from eavesdropping and tampering in transit, but any host that can reach port 6514 can submit logs. To also authenticate senders, issue them client certificates, set peer_verify(required-trusted), and place the issuing CA certificate in /etc/syslog-ng/ca.d (syslog-ng looks certificates up in ca_dir by subject hash, so run c_rehash on that directory after adding one). Each log source must trust /etc/syslog-ng/cert.d/cacert.pem as a CA, since it is self-signed.
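As an added example (not part of the original page and not DefenseStorm's tooling), the following POSIX shell helpers carry the procedure above through non-interactively and exercise the listener from a log source: gen_dvm_cert generates the certificate with -subj and -keyout so the key lands in key.d with root-only permissions, bsd_syslog_line builds the newline-terminated BSD syslog line that a tcp() source expects, check_syslog_ng_config syntax-checks the merged configuration, and send_tls_test_message sends one line over TLS with openssl s_client pinned to the DVM's cacert.pem. The function names, the example host names and the message text are assumptions; the paths are the page's.

```shell
#!/bin/sh
# Added example, not DefenseStorm's own tooling. Paths match the page;
# function names, host names and sample values are assumptions.
set -eu

SYSLOG_NG_DIR=/etc/syslog-ng

# Non-interactive version of the page's "openssl req": -subj supplies the subject,
# -keyout writes the key straight into key.d. -nodes leaves the key unencrypted so
# syslog-ng can load it at boot, which is why the permissions are tightened here.
gen_dvm_cert() {
    # args: common_name [syslog-ng_dir]
    cn=$1
    dir=${2:-$SYSLOG_NG_DIR}
    mkdir -p "$dir/cert.d" "$dir/key.d" "$dir/ca.d"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=$cn" \
        -keyout "$dir/key.d/privkey.pem" \
        -out "$dir/cert.d/cacert.pem"
    chmod 700 "$dir/key.d"
    chmod 600 "$dir/key.d/privkey.pem"
}

# Syslog PRI is facility*8 + severity (RFC 3164), e.g. user(1).info(6) = 14.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build one BSD syslog line. The DVM source is tcp(), not syslog(), so the framing
# is newline-terminated RFC 3164 text; RFC 5425 octet counting would not be parsed.
bsd_syslog_line() {
    # args: facility severity "Mon dd HH:MM:SS" hostname tag message
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# Syntax-check the merged configuration (including conf.d/ssl.conf) before restarting.
check_syslog_ng_config() {
    syslog-ng -s -f "$SYSLOG_NG_DIR/syslog-ng.conf"
}

# From a log source: send one test line to the DVM over TLS. cacert.pem is self-signed
# and acts as its own CA, so the client pins that file; -verify_return_error makes
# s_client fail instead of sending if the DVM presents a different certificate.
# s_client closes the connection when it reaches EOF on the piped input.
send_tls_test_message() {
    # args: dvm_host path_to_cacert.pem
    line=$(bsd_syslog_line 1 6 "$(date '+%b %e %H:%M:%S')" "$(hostname)" tlstest \
        "syslog over TLS test")
    printf '%s\n' "$line" | openssl s_client -connect "$1:6514" \
        -CAfile "$2" -verify_return_error
}

# Usage (on the DVM, as root):   gen_dvm_cert dvm.example.org && check_syslog_ng_config
# Usage (on a log source):       send_tls_test_message dvm.example.org ./cacert.pem
```

After sending, the test line should appear in the DVM's logs tagged tlstest; if s_client reports a verify error instead, the copy of cacert.pem on the source does not match the certificate the DVM is serving.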


Setting up to receive SNMP Traps

Prerequisites

  • Existing SNMP trap authentication details (the SNMPv3 user name, passphrases and engine ID, or the v2c community string) if trap sources are already configured in the organization and/or this is a DVM migration
  • DVM credentials & access

Procedure

Step 1: Execute the following command to install the required packages

$ sudo apt-get install snmp snmpd snmp-mibs-downloader

Step 2: Edit the file at /etc/default/snmpd and set the following 3 variables to these values. This turns the SNMP agent (snmpd) off and the trap receiver (snmptrapd) on; -Lsd makes snmptrapd log received traps to the local syslog with facility daemon, which is what the syslog-ng filter in the next step matches, and -M/-m tell it where to load MIBs from

(the last line, TRAPDOPTS, is a long line and is wrapped):

>> /etc/default/snmpd

SNMPDRUN=no
TRAPDRUN=yes
TRAPDOPTS='-Lsd -Oq -p /var/run/snmptrapd.pid -M /usr/share/mibs/ietf:/usr/share/mibs/iana:/usr/share/mibs/defensestorm -m ALL'


Step 3: Create a new config file for syslog-ng to pick up the SNMP traps that snmptrapd writes to the local syslog and forward them like any other DVM log:

>> /etc/syslog-ng/conf.d/snmpd.conf

# s_src is the DVM's local syslog source; f_daemon selects facility daemon,
# which is where snmptrapd logs when started with -Lsd.
log {
    source(s_src);
    filter(f_daemon);
    rewrite(r_praesidio);
    log { filter(f_0); destination(d_praesidiosqs_0); };
    log { filter(f_1); destination(d_praesidiosqs_1); };
    log { filter(f_2); destination(d_praesidiosqs_2); };
    log { filter(f_3); destination(d_praesidiosqs_3); };
    flags("flow_control");
};


Step 4: Edit /etc/snmp/snmptrapd.conf's companion file /etc/snmp/snmp.conf and comment out the "mibs :" line. The stock file uses that line to disable MIB loading; commenting it out lets snmptrapd load the MIBs given with -M and -m, so traps are logged with object names rather than raw OIDs.

Step 5: Edit /etc/snmp/snmptrapd.conf and add lines following the examples below.

DefenseStorm recommends SNMP v3 with authentication. If the system you want to send traps from does not support authentication, use the SNMP v2c setup and change the community string.

For SNMP v2c

For unauthenticated SNMP, add the following line to /etc/snmp/snmptrapd.conf:

disableAuthorization yes

Note that this makes snmptrapd accept traps carrying any community string. Next, change the community string from "public" to a string specific to the organization and configure the trap sources to use it. The string is checked by snmptrapd, not by snmpd (which Step 2 turned off), so it belongs in /etc/snmp/snmptrapd.conf as an authCommunity log <string> directive used instead of disableAuthorization; with disableAuthorization yes left in place, the community string is not checked at all.

For SNMP v3

If this is a new SNMP trap integration

Change the user name, the SHA (authentication) passphrase and the AES (privacy) passphrase to private values for your environment. SNMP sources will need to be configured to use these new values, and each source's engine ID goes in its own createUser line (see the example).

If this is a migration from a previous DVM version

Change the user name and the SHA and AES passphrases to the values in the old DVM's /etc/snmp/snmptrapd.conf. These should match the auth credentials saved in the SNMP trap message sources.

You will need 3 values. The defaults shown in the example below must be replaced:

User name: ds

SHA Pass: "defensestorm"

AES Pass: "defensestorm"

Example: file edits for creating a new SNMP configuration

>> /etc/snmp/snmptrapd.conf

# -e gives the engine ID of the *sending* device: SNMPv3 traps are authenticated
# under the sender's engine ID, so add one createUser line per trap source.
# The engine ID, user name and passphrases below are example values.
createUser -e 0x800013700465504f5f536572766572 ds SHA "defensestorm" AES "defensestorm"
# Log traps from this user; append "priv" to reject traps that are not encrypted.
authUser log ds

Step 6: Copy any MIBs you obtain from your software vendors into /usr/share/mibs/defensestorm (one of the directories passed to snmptrapd with -M in Step 2).

If this is a DVM migration, copy the MIB files and folders from the old DVM into /usr/share/mibs/defensestorm. Check the old DVM's /etc/default/snmpd for other MIB locations under TRAPDOPTS.

Step 7: Allow SNMP traps in UFW (traps arrive on UDP port 162):

$ sudo ufw allow 162/udp

Step 8: Restart syslog-ng and snmpd (with TRAPDRUN=yes, the snmpd init script starts snmptrapd):

$ sudo service syslog-ng restart
$ sudo service snmpd restart
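As an added example (not part of the original page and not DefenseStorm's code), the following POSIX shell helpers cover the trap side of the procedure above: trapd_v3_user_conf prints the per-source snmptrapd.conf lines (one createUser per sending device, keyed by that device's engine ID, with authUser set to require privacy), trapd_v2c_conf prints the authCommunity alternative to disableAuthorization, engineid_text decodes the text portion of an engine ID so a createUser line can be tied back to a device, and send_v3_test_trap / send_v2c_test_trap fire a test trap from a source using the net-snmp example heartbeat notification by numeric OID. The engine ID, user name and passphrases are the page's example values; the host names, the community string and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not DefenseStorm's own tooling. Engine ID, user and passphrases in
# the usage lines are the page's example values; host names are assumptions.
set -eu

# Print the snmptrapd.conf lines for one SNMPv3 trap source. Traps (unlike informs)
# are authenticated under the *sender's* engine ID, so one createUser line is needed
# per source, each with that device's engine ID. "priv" on authUser rejects traps
# that are authenticated but not encrypted.
trapd_v3_user_conf() {
    # args: engine_id user auth_pass priv_pass
    printf 'createUser -e %s %s SHA "%s" AES "%s"\n' "$1" "$2" "$3" "$4"
    printf 'authUser log %s priv\n' "$2"
}

# The v2c alternative: accept only this community string, instead of
# "disableAuthorization yes", which accepts any community.
trapd_v2c_conf() {
    # args: community
    printf 'authCommunity log %s\n' "$1"
}

# Decode the text part of an engine ID so a createUser line can be matched to a
# device. Byte 5 of the ID is the format octet (RFC 3411); 0x04 means the remaining
# bytes are administratively assigned text. Other formats (IPv4, MAC, ...) fail.
engineid_text() {
    # args: engine_id (with or without 0x prefix)
    hex=${1#0x}
    fmt=$(printf '%s' "$hex" | cut -c9-10)
    [ "$fmt" = "04" ] || { printf 'engine ID format 0x%s is not text\n' "$fmt" >&2; return 1; }
    rest=$(printf '%s' "$hex" | cut -c11-)
    out=""
    while [ -n "$rest" ]; do
        byte=$(printf '%s' "$rest" | cut -c1-2)
        rest=${rest#??}
        oct=$(printf '%03o' "$((0x$byte))")   # hex byte -> octal escape for printf
        out=$out$(printf "\\$oct")
    done
    printf '%s\n' "$out"
}

# From a trap source: send the net-snmp example heartbeat notification
# (numeric OIDs, so no MIB is needed on the sender) to the DVM.
send_v3_test_trap() {
    # args: dvm_host engine_id user auth_pass priv_pass
    snmptrap -v 3 -e "$2" -u "$3" -l authPriv -a SHA -A "$4" -x AES -X "$5" \
        "$1" '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456
}

send_v2c_test_trap() {
    # args: dvm_host community
    snmptrap -v 2c -c "$2" "$1" '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456
}

# On the DVM: snmptrapd logs with -Lsd (facility daemon), so a received trap shows
# up in the local syslog before syslog-ng forwards it.
show_received_traps() {
    grep snmptrapd /var/log/syslog | tail -n 5
}

# Usage (DVM):    trapd_v3_user_conf 0x800013700465504f5f536572766572 ds defensestorm defensestorm >> /etc/snmp/snmptrapd.conf
# Usage (DVM):    engineid_text 0x800013700465504f5f536572766572
# Usage (source): send_v3_test_trap dvm.example.org 0x800013700465504f5f536572766572 ds defensestorm defensestorm
# Usage (source): send_v2c_test_trap dvm.example.org ds-traps-2024
```

If a v3 test trap is sent but nothing appears in show_received_traps, the usual cause is an engine ID mismatch: the -e value in createUser must be the engine ID the sending device actually uses, not the receiver's.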