Difference between revisions of "Old Tomato"
From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search| Line 92: | Line 92: | ||
path = /var | path = /var | ||
comment = user and system storage | comment = user and system storage | ||
| + | </pre> | ||
| + | == SNMP Configuration == | ||
| + | === /etc/snmp/snmpd.conf === | ||
| + | <pre>############################################################################### | ||
| + | # | ||
| + | # snmpd.conf: | ||
| + | # An example configuration file for configuring the ucd-snmp snmpd agent. | ||
| + | # | ||
| + | ############################################################################### | ||
| + | # | ||
| + | # This file is intended to only be as a starting point. Many more | ||
| + | # configuration directives exist than are mentioned in this file. For | ||
| + | # full details, see the snmpd.conf(5) manual page. | ||
| + | # | ||
| + | # All lines beginning with a '#' are comments and are intended for you | ||
| + | # to read. All other lines are configuration commands for the agent. | ||
| + | |||
| + | ############################################################################### | ||
| + | # Access Control | ||
| + | ############################################################################### | ||
| + | |||
| + | # As shipped, the snmpd demon will only respond to queries on the | ||
| + | # system mib group until this file is replaced or modified for | ||
| + | # security purposes. Examples are shown below about how to increase the | ||
| + | # level of access. | ||
| + | |||
| + | # By far, the most common question I get about the agent is "why won't | ||
| + | # it work?", when really it should be "how do I configure the agent to | ||
| + | # allow me to access it?" | ||
| + | # | ||
| + | # By default, the agent responds to the "public" community for read | ||
| + | # only access, if run out of the box without any configuration file in | ||
| + | # place. The following examples show you other ways of configuring | ||
| + | # the agent so that you can change the community names, and give | ||
| + | # yourself write access to the mib tree as well. | ||
| + | # | ||
| + | # For more information, read the FAQ as well as the snmpd.conf(5) | ||
| + | # manual page. | ||
| + | |||
| + | ## sec.name source community | ||
| + | com2sec local 127.0.0.1 NPG | ||
| + | com2sec mynetwork 10.0.0.0/24 NPG | ||
| + | |||
| + | ## group.name sec.model sec.name | ||
| + | group MyRWGroup v1 local | ||
| + | group MyRWGroup v2c local | ||
| + | group MyRWGroup usm local | ||
| + | group MyROGroup v1 mynetwork | ||
| + | group MyROGroup v2c mynetwork | ||
| + | group MyROGroup usm mynetwork | ||
| + | |||
| + | ## incl/excl subtree mask | ||
| + | view all included .1 80 | ||
| + | |||
| + | ## -or just the mib2 tree- | ||
| + | |||
| + | #view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc | ||
| + | |||
| + | |||
| + | ## context sec.model sec.level prefix read write notif | ||
| + | access MyROGroup "" any noauth 0 all none none | ||
| + | access MyRWGroup "" any noauth 0 all all all | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # Sample configuration to make net-snmpd RFC 1213. | ||
| + | # Unfortunately v1 and v2c don't allow any user based authentification, so | ||
| + | # opening up the default config is not an option from a security point. | ||
| + | # | ||
| + | # WARNING: If you uncomment the following lines you allow write access to your | ||
| + | # snmpd daemon from any source! To avoid this use different names for your | ||
| + | # community or split out the write access to a different community and | ||
| + | # restrict it to your local network. | ||
| + | # Also remember to comment the syslocation and syscontact parameters later as | ||
| + | # otherwise they are still read only (see FAQ for net-snmp). | ||
| + | # | ||
| + | |||
| + | # First, map the community name "public" into a "security name" | ||
| + | # sec.name source community | ||
| + | #com2sec notConfigUser default public | ||
| + | |||
| + | # Second, map the security name into a group name: | ||
| + | # groupName securityModel securityName | ||
| + | #group notConfigGroup v1 notConfigUser | ||
| + | #group notConfigGroup v2c notConfigUser | ||
| + | |||
| + | # Third, create a view for us to let the group have rights to: | ||
| + | # Open up the whole tree for ro, make the RFC 1213 required ones rw. | ||
| + | # name incl/excl subtree mask(optional) | ||
| + | #view roview included .1 | ||
| + | #view rwview included system.sysContact | ||
| + | #view rwview included system.sysName | ||
| + | #view rwview included system.sysLocation | ||
| + | #view rwview included interfaces.ifTable.ifEntry.ifAdminStatus | ||
| + | #view rwview included at.atTable.atEntry.atPhysAddress | ||
| + | #view rwview included at.atTable.atEntry.atNetAddress | ||
| + | #view rwview included ip.ipForwarding | ||
| + | #view rwview included ip.ipDefaultTTL | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask | ||
| + | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 | ||
| + | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex | ||
| + | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress | ||
| + | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress | ||
| + | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType | ||
| + | #view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState | ||
| + | #view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger | ||
| + | #view rwview included snmp.snmpEnableAuthenTraps | ||
| + | |||
| + | # Finally, grant the group read-only access to the systemview view. | ||
| + | # group context sec.model sec.level prefix read write notif | ||
| + | #access notConfigGroup "" any noauth exact roview rwview none | ||
| + | |||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # System contact information | ||
| + | # | ||
| + | |||
| + | # It is also possible to set the sysContact and sysLocation system | ||
| + | # variables through the snmpd.conf file: | ||
| + | |||
| + | syslocation On the Farm | ||
| + | syscontact Root <root@physics.unh.edu> | ||
| + | |||
| + | # Example output of snmpwalk: | ||
| + | # % snmpwalk -v 1 localhost -c public system | ||
| + | # system.sysDescr.0 = "SunOS name sun4c" | ||
| + | # system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 | ||
| + | # system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55 | ||
| + | # system.sysContact.0 = "Me <me@somewhere.org>" | ||
| + | # system.sysName.0 = "name" | ||
| + | # system.sysLocation.0 = "Right here, right now." | ||
| + | # system.sysServices.0 = 72 | ||
| + | |||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # Process checks. | ||
| + | # | ||
| + | # The following are examples of how to use the agent to check for | ||
| + | # processes running on the host. The syntax looks something like: | ||
| + | # | ||
| + | # proc NAME [MAX=0] [MIN=0] | ||
| + | # | ||
| + | # NAME: the name of the process to check for. It must match | ||
| + | # exactly (ie, http will not find httpd processes). | ||
| + | # MAX: the maximum number allowed to be running. Defaults to 0. | ||
| + | # MIN: the minimum number to be running. Defaults to 0. | ||
| + | |||
| + | # | ||
| + | # Examples (commented out by default): | ||
| + | # | ||
| + | |||
| + | # Make sure mountd is running | ||
| + | #proc mountd | ||
| + | |||
| + | # Make sure there are no more than 4 ntalkds running, but 0 is ok too. | ||
| + | #proc ntalkd 4 | ||
| + | |||
| + | # Make sure at least one sendmail, but less than or equal to 10 are running. | ||
| + | #proc sendmail 10 1 | ||
| + | |||
| + | # A snmpwalk of the process mib tree would look something like this: | ||
| + | # | ||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" | ||
| + | # enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" | ||
| + | # enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 | ||
| + | # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 | ||
| + | # | ||
| + | # Note that the errorFlag for mountd is set to 1 because one is not | ||
| + | # running (in this case an rpc.mountd is, but thats not good enough), | ||
| + | # and the ErrMessage tells you what's wrong. The configuration | ||
| + | # imposed in the snmpd.conf file is also shown. | ||
| + | # | ||
| + | # Special Case: When the min and max numbers are both 0, it assumes | ||
| + | # you want a max of infinity and a min of 1. | ||
| + | # | ||
| + | |||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # Executables/scripts | ||
| + | # | ||
| + | |||
| + | # | ||
| + | # You can also have programs run by the agent that return a single | ||
| + | # line of output and an exit code. Here are two examples. | ||
| + | # | ||
| + | # exec NAME PROGRAM [ARGS ...] | ||
| + | # | ||
| + | # NAME: A generic name. | ||
| + | # PROGRAM: The program to run. Include the path! | ||
| + | # ARGS: optional arguments to be passed to the program | ||
| + | |||
| + | # a simple hello world | ||
| + | |||
| + | #exec echotest /bin/echo hello world | ||
| + | |||
| + | # Run a shell script containing: | ||
| + | # | ||
| + | # #!/bin/sh | ||
| + | # echo hello world | ||
| + | # echo hi there | ||
| + | # exit 35 | ||
| + | # | ||
| + | # Note: this has been specifically commented out to prevent | ||
| + | # accidental security holes due to someone else on your system writing | ||
| + | # a /tmp/shtest before you do. Uncomment to use it. | ||
| + | # | ||
| + | #exec shelltest /bin/sh /tmp/shtest | ||
| + | |||
| + | # Then, | ||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest" | ||
| + | # enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest" | ||
| + | # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world" | ||
| + | # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest" | ||
| + | # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." | ||
| + | # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." | ||
| + | # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 | ||
| + | # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 | ||
| + | |||
| + | # Note that the second line of the /tmp/shtest shell script is cut | ||
| + | # off. Also note that the exit status of 35 was returned. | ||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # disk checks | ||
| + | # | ||
| + | |||
| + | # The agent can check the amount of available disk space, and make | ||
| + | # sure it is above a set limit. | ||
| + | |||
| + | # disk PATH [MIN=100000] | ||
| + | # | ||
| + | # PATH: mount path to the disk in question. | ||
| + | # MIN: Disks with space below this value will have the Mib's errorFlag set. | ||
| + | # Default value = 100000. | ||
| + | |||
| + | # Check the / partition and make sure it contains at least 10 megs. | ||
| + | |||
| + | disk / 10000 | ||
| + | disk /data 10000 | ||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0" | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 | ||
| + | # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" | ||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # load average checks | ||
| + | # | ||
| + | |||
| + | # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] | ||
| + | # | ||
| + | # 1MAX: If the 1 minute load average is above this limit at query | ||
| + | # time, the errorFlag will be set. | ||
| + | # 5MAX: Similar, but for 5 min average. | ||
| + | # 15MAX: Similar, but for 15 min average. | ||
| + | |||
| + | # Check for loads: | ||
| + | #load 12 14 14 | ||
| + | |||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" | ||
| + | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" | ||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # Extensible sections. | ||
| + | # | ||
| + | |||
| + | # This alleviates the multiple line output problem found in the | ||
| + | # previous executable mib by placing each mib in its own mib table: | ||
| + | |||
| + | # Run a shell script containing: | ||
| + | # | ||
| + | # #!/bin/sh | ||
| + | # echo hello world | ||
| + | # echo hi there | ||
| + | # exit 35 | ||
| + | # | ||
| + | # Note: this has been specifically commented out to prevent | ||
| + | # accidental security holes due to someone else on your system writing | ||
| + | # a /tmp/shtest before you do. Uncomment to use it. | ||
| + | # | ||
| + | # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest | ||
| + | |||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 | ||
| + | # enterprises.ucdavis.50.1.1 = 1 | ||
| + | # enterprises.ucdavis.50.2.1 = "shelltest" | ||
| + | # enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest" | ||
| + | # enterprises.ucdavis.50.100.1 = 35 | ||
| + | # enterprises.ucdavis.50.101.1 = "hello world." | ||
| + | # enterprises.ucdavis.50.101.2 = "hi there." | ||
| + | # enterprises.ucdavis.50.102.1 = 0 | ||
| + | |||
| + | # Now the Output has grown to two lines, and we can see the 'hi | ||
| + | # there.' output as the second line from our shell script. | ||
| + | # | ||
| + | # Note that you must alter the mib.txt file to be correct if you want | ||
| + | # the .50.* outputs above to change to reasonable text descriptions. | ||
| + | |||
| + | # Other ideas: | ||
| + | # | ||
| + | # exec .1.3.6.1.4.1.2021.51 ps /bin/ps | ||
| + | # exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top | ||
| + | # exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq | ||
| + | |||
| + | # ----------------------------------------------------------------------------- | ||
| + | |||
| + | |||
| + | ############################################################################### | ||
| + | # Pass through control. | ||
| + | # | ||
| + | |||
| + | # Usage: | ||
| + | # pass MIBOID EXEC-COMMAND | ||
| + | # | ||
| + | # This will pass total control of the mib underneath the MIBOID | ||
| + | # portion of the mib to the EXEC-COMMAND. | ||
| + | # | ||
| + | # Note: You'll have to change the path of the passtest script to your | ||
| + | # source directory or install it in the given location. | ||
| + | # | ||
| + | # Example: (see the script for details) | ||
| + | # (commented out here since it requires that you place the | ||
| + | # script in the right location. (its not installed by default)) | ||
| + | |||
| + | # pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest | ||
| + | |||
| + | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 | ||
| + | # enterprises.ucdavis.255.1 = "life the universe and everything" | ||
| + | # enterprises.ucdavis.255.2.1 = 42 | ||
| + | # enterprises.ucdavis.255.2.2 = OID: 42.42.42 | ||
| + | # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 | ||
| + | # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 | ||
| + | # enterprises.ucdavis.255.5 = 42 | ||
| + | # enterprises.ucdavis.255.6 = Gauge: 42 | ||
| + | # | ||
| + | # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 | ||
| + | # enterprises.ucdavis.255.5 = 42 | ||
| + | # | ||
| + | # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" | ||
| + | # enterprises.ucdavis.255.1 = "New string" | ||
| + | # | ||
| + | |||
| + | # For specific usage information, see the man/snmpd.conf.5 manual page | ||
| + | # as well as the local/passtest script used in the above example. | ||
| + | |||
| + | # Added for support of bcm5820 cards. | ||
| + | pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat | ||
| + | |||
| + | ############################################################################### | ||
| + | # Further Information | ||
| + | # | ||
| + | # See the snmpd.conf manual page, and the output of "snmpd -H". | ||
</pre> | </pre> | ||
Revision as of 13:42, 23 July 2007
General Information
Okra is the monitoring server. Uses Cacti to do the monitoring, which currently operates questionably.
Hostnames: okra.unh.edu, okra.farm.physics.unh.edu
Network Configuration
Currently has ethernet cable to switch, accessing outside world via the VLAN functions of the switch.
/etc/sysconfig/network-scripts/ifcfg-farm
# Realtek|RTL-8169 Gigabit Ethernet HWADDR=00:09:5B:BC:EC:C9 DEVICE=eth0 BOOTPROTO=none IPADDR=10.0.0.246 NETMASK=255.255.255.0 ONBOOT=yes TYPE=Ethernet USERCTL=no PEERDNS=yes IPV6INIT=no
/etc/sysconfig/network-scripts/ifcfg-unh
# UNH network VLAN=yes DEVICE=eth0.2 BOOTPROTO=none BROADCAST=132.177.91.255 IPADDR=132.177.88.73 NETMASK=255.255.252.0 NETWORK=132.177.88.0 ONBOOT=yes REORDER_HDR=no GATEWAY=132.177.88.1 TYPE=Ethernet USERCTL=no PEERDNS=yes IPV6INIT=no
/etc/sysconfig/network-scripts/ifcfg-lo
DEVICE=lo IPADDR=127.0.0.1 NETMASK=255.0.0.0 NETWORK=127.0.0.0 # If you're having problems with gated making 127.0.0.0/8 a martian, # you can change this to something else (255.255.255.255, for example) BROADCAST=127.255.255.255 ONBOOT=yes NAME=loopback
Access Configuration
/etc/security/access.conf
# NPG Config: # Allow direct root logins only from console and einstein + : root : LOCAL einstein.unh.edu einstein.farm.physics.unh.edu lentil.unh.edu lentil.farm.physics.unh.edu # Allow only NPG users and administrators - : ALL EXCEPT npg domain_admins : ALL
Backup Configuration
/etc/rsync-backup.conf
# Backups are 'pull' only. Too bad there isn't a better way to enforce this.
read only = yes
# Oh for the ability to retain CAP_DAC_READ_SEARCH, and no other.
#uid = root
# XXX There seems to be an obscure bug with pam_ldap and rsync whereby
# getpwnam(3) segfaults when (and only when) archiving /etc. Using a numeric
# uid avoids this bug. Only verified on Fedora Core 2.
uid = 0
# There's not much point in putting the superuser in a chroot jail
# use chroot = yes
# This isn't really an effective "lock" per se, since the value is per-module,
# but there really ought never be more than one, and it would at least
# ensure serialized backups.
max connections = 1
[usr_local]
path = /usr/local
comment = unpackaged software
[opt]
path = /opt
comment = unpackaged software
[etc]
path = /etc
comment = conf files
[var]
path = /var
comment = user and system storage
SNMP Configuration
/etc/snmp/snmpd.conf
############################################################################### # # snmpd.conf: # An example configuration file for configuring the ucd-snmp snmpd agent. # ############################################################################### # # This file is intended to only be as a starting point. Many more # configuration directives exist than are mentioned in this file. For # full details, see the snmpd.conf(5) manual page. # # All lines beginning with a '#' are comments and are intended for you # to read. All other lines are configuration commands for the agent. ############################################################################### # Access Control ############################################################################### # As shipped, the snmpd demon will only respond to queries on the # system mib group until this file is replaced or modified for # security purposes. Examples are shown below about how to increase the # level of access. # By far, the most common question I get about the agent is "why won't # it work?", when really it should be "how do I configure the agent to # allow me to access it?" # # By default, the agent responds to the "public" community for read # only access, if run out of the box without any configuration file in # place. The following examples show you other ways of configuring # the agent so that you can change the community names, and give # yourself write access to the mib tree as well. # # For more information, read the FAQ as well as the snmpd.conf(5) # manual page. ## sec.name source community com2sec local 127.0.0.1 NPG com2sec mynetwork 10.0.0.0/24 NPG ## group.name sec.model sec.name group MyRWGroup v1 local group MyRWGroup v2c local group MyRWGroup usm local group MyROGroup v1 mynetwork group MyROGroup v2c mynetwork group MyROGroup usm mynetwork ## incl/excl subtree mask view all included .1 80 ## -or just the mib2 tree- #view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc ## context sec.model sec.level prefix read write notif access MyROGroup "" any noauth 0 all none none access MyRWGroup "" any noauth 0 all all all ############################################################################### # Sample configuration to make net-snmpd RFC 1213. # Unfortunately v1 and v2c don't allow any user based authentification, so # opening up the default config is not an option from a security point. # # WARNING: If you uncomment the following lines you allow write access to your # snmpd daemon from any source! To avoid this use different names for your # community or split out the write access to a different community and # restrict it to your local network. # Also remember to comment the syslocation and syscontact parameters later as # otherwise they are still read only (see FAQ for net-snmp). # # First, map the community name "public" into a "security name" # sec.name source community #com2sec notConfigUser default public # Second, map the security name into a group name: # groupName securityModel securityName #group notConfigGroup v1 notConfigUser #group notConfigGroup v2c notConfigUser # Third, create a view for us to let the group have rights to: # Open up the whole tree for ro, make the RFC 1213 required ones rw. # name incl/excl subtree mask(optional) #view roview included .1 #view rwview included system.sysContact #view rwview included system.sysName #view rwview included system.sysLocation #view rwview included interfaces.ifTable.ifEntry.ifAdminStatus #view rwview included at.atTable.atEntry.atPhysAddress #view rwview included at.atTable.atEntry.atNetAddress #view rwview included ip.ipForwarding #view rwview included ip.ipDefaultTTL #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType #view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState #view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger #view rwview included snmp.snmpEnableAuthenTraps # Finally, grant the group read-only access to the systemview view. # group context sec.model sec.level prefix read write notif #access notConfigGroup "" any noauth exact roview rwview none ############################################################################### # System contact information # # It is also possible to set the sysContact and sysLocation system # variables through the snmpd.conf file: syslocation On the Farm syscontact Root <root@physics.unh.edu> # Example output of snmpwalk: # % snmpwalk -v 1 localhost -c public system # system.sysDescr.0 = "SunOS name sun4c" # system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 # system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55 # system.sysContact.0 = "Me <me@somewhere.org>" # system.sysName.0 = "name" # system.sysLocation.0 = "Right here, right now." # system.sysServices.0 = 72 # ----------------------------------------------------------------------------- ############################################################################### # Process checks. # # The following are examples of how to use the agent to check for # processes running on the host. The syntax looks something like: # # proc NAME [MAX=0] [MIN=0] # # NAME: the name of the process to check for. It must match # exactly (ie, http will not find httpd processes). # MAX: the maximum number allowed to be running. Defaults to 0. # MIN: the minimum number to be running. Defaults to 0. # # Examples (commented out by default): # # Make sure mountd is running #proc mountd # Make sure there are no more than 4 ntalkds running, but 0 is ok too. #proc ntalkd 4 # Make sure at least one sendmail, but less than or equal to 10 are running. #proc sendmail 10 1 # A snmpwalk of the process mib tree would look something like this: # # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 # enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" # enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" # enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 # # Note that the errorFlag for mountd is set to 1 because one is not # running (in this case an rpc.mountd is, but thats not good enough), # and the ErrMessage tells you what's wrong. The configuration # imposed in the snmpd.conf file is also shown. # # Special Case: When the min and max numbers are both 0, it assumes # you want a max of infinity and a min of 1. # # ----------------------------------------------------------------------------- ############################################################################### # Executables/scripts # # # You can also have programs run by the agent that return a single # line of output and an exit code. Here are two examples. # # exec NAME PROGRAM [ARGS ...] # # NAME: A generic name. # PROGRAM: The program to run. Include the path! # ARGS: optional arguments to be passed to the program # a simple hello world #exec echotest /bin/echo hello world # Run a shell script containing: # # #!/bin/sh # echo hello world # echo hi there # exit 35 # # Note: this has been specifically commented out to prevent # accidental security holes due to someone else on your system writing # a /tmp/shtest before you do. Uncomment to use it. # #exec shelltest /bin/sh /tmp/shtest # Then, # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 # enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest" # enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest" # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world" # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest" # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 # Note that the second line of the /tmp/shtest shell script is cut # off. Also note that the exit status of 35 was returned. # ----------------------------------------------------------------------------- ############################################################################### # disk checks # # The agent can check the amount of available disk space, and make # sure it is above a set limit. # disk PATH [MIN=100000] # # PATH: mount path to the disk in question. # MIN: Disks with space below this value will have the Mib's errorFlag set. # Default value = 100000. # Check the / partition and make sure it contains at least 10 megs. disk / 10000 disk /data 10000 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0" # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" # ----------------------------------------------------------------------------- ############################################################################### # load average checks # # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] # # 1MAX: If the 1 minute load average is above this limit at query # time, the errorFlag will be set. # 5MAX: Similar, but for 5 min average. # 15MAX: Similar, but for 15 min average. # Check for loads: #load 12 14 14 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1" # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5" # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15" # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39 # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31 # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36 # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00" # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00" # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00" # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" # ----------------------------------------------------------------------------- ############################################################################### # Extensible sections. # # This alleviates the multiple line output problem found in the # previous executable mib by placing each mib in its own mib table: # Run a shell script containing: # # #!/bin/sh # echo hello world # echo hi there # exit 35 # # Note: this has been specifically commented out to prevent # accidental security holes due to someone else on your system writing # a /tmp/shtest before you do. Uncomment to use it. # # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 # enterprises.ucdavis.50.1.1 = 1 # enterprises.ucdavis.50.2.1 = "shelltest" # enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest" # enterprises.ucdavis.50.100.1 = 35 # enterprises.ucdavis.50.101.1 = "hello world." # enterprises.ucdavis.50.101.2 = "hi there." # enterprises.ucdavis.50.102.1 = 0 # Now the Output has grown to two lines, and we can see the 'hi # there.' output as the second line from our shell script. # # Note that you must alter the mib.txt file to be correct if you want # the .50.* outputs above to change to reasonable text descriptions. # Other ideas: # # exec .1.3.6.1.4.1.2021.51 ps /bin/ps # exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top # exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq # ----------------------------------------------------------------------------- ############################################################################### # Pass through control. # # Usage: # pass MIBOID EXEC-COMMAND # # This will pass total control of the mib underneath the MIBOID # portion of the mib to the EXEC-COMMAND. # # Note: You'll have to change the path of the passtest script to your # source directory or install it in the given location. # # Example: (see the script for details) # (commented out here since it requires that you place the # script in the right location. (its not installed by default)) # pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 # enterprises.ucdavis.255.1 = "life the universe and everything" # enterprises.ucdavis.255.2.1 = 42 # enterprises.ucdavis.255.2.2 = OID: 42.42.42 # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 # enterprises.ucdavis.255.5 = 42 # enterprises.ucdavis.255.6 = Gauge: 42 # # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 # enterprises.ucdavis.255.5 = 42 # # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" # enterprises.ucdavis.255.1 = "New string" # # For specific usage information, see the man/snmpd.conf.5 manual page # as well as the local/passtest script used in the above example. # Added for support of bcm5820 cards. pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat ############################################################################### # Further Information # # See the snmpd.conf manual page, and the output of "snmpd -H".
