Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3056241
  • 博文数量: 535
  • 博客积分: 15788
  • 博客等级: 上将
  • 技术积分: 6507
  • 用 户 组: 普通用户
  • 注册时间: 2007-03-07 09:11
文章分类

全部博文(535)

文章存档

2016年(1)

2015年(1)

2014年(10)

2013年(26)

2012年(43)

2011年(86)

2010年(76)

2009年(136)

2008年(97)

2007年(59)

分类: LINUX

2008-06-27 16:35:30

snmp提供了发送自定义信息的功能。查看snmpd.conf会看到有一个小节是关于外部脚本的,Executables/scripts。这个小节里面也举了例子,告诉你怎么通过snmp发送信息。我的做法如下(下面假定你已经配置好了snmp,通过cacti已经能采集到信息了)。
修改/etc/snmp/snmpd.conf
在任意位置添加一行:
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
extend .1.3.6.1.4.1.2021.50 jkhttp /bin/sh /usr/local/apache/bin/jkhttp.sh
(as4上用exec)
为什么不用exec?报错
SNMP daemon version 5.0 and above from the NetSNMP project provides a way to access output of user supplied scripts via SNMP protocol. In other words: SNMP client on one machine can invoke a script on another machine just by sending a SNMP query. After the remote script finishes its standard/error output, return code and some other values are sent back to the client in a SNMP response.
(NOTE: See SNMP exec section below if you run older SNMP daemon than NetSNMP 5.0)
SNMP exec provides a similar functionality to extend, however exec is less flexible and slightly slower to work with. On the other hand it is supported in many older implementations of SNMP daemons including UCD-SNMP and NetSNMP 4.x which are still found on many servers.

其中jkhttp 是命令的名称,后面是命令以及参数。命令的名称可以随便起。脚本:
#!/bin/sh
num=$(ps -e |grep http|grep -v grep|grep -v jkhttp|wc -l)
echo $num
echo OK

重启snmpd,然后远程通过snmpwalk接收一下数据看看:
[root@db ~]# snmpwalk  -v 2c 172.18.3.131  -c public .1.3.6.1.4.1.2021.50               
UCD-SNMP-MIB::ucdavis.50.1.0 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.2.6.106.107.104.116.116.112 = STRING: "/bin/sh"
UCD-SNMP-MIB::ucdavis.50.2.1.3.6.106.107.104.116.116.112 = STRING: "/usr/local/apache/bin/jkhttp.sh"
UCD-SNMP-MIB::ucdavis.50.2.1.4.6.106.107.104.116.116.112 = ""
UCD-SNMP-MIB::ucdavis.50.2.1.5.6.106.107.104.116.116.112 = INTEGER: 5
UCD-SNMP-MIB::ucdavis.50.2.1.6.6.106.107.104.116.116.112 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.7.6.106.107.104.116.116.112 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.20.6.106.107.104.116.116.112 = INTEGER: 4
UCD-SNMP-MIB::ucdavis.50.2.1.21.6.106.107.104.116.116.112 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.3.1.1.6.106.107.104.116.116.112 = STRING: "142"
UCD-SNMP-MIB::ucdavis.50.3.1.2.6.106.107.104.116.116.112 = STRING: "OK"
UCD-SNMP-MIB::ucdavis.50.3.1.3.6.106.107.104.116.116.112 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.3.1.4.6.106.107.104.116.116.112 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.50.4.1.2.6.106.107.104.116.116.112.1 = STRING: "142"
UCD-SNMP-MIB::ucdavis.50.4.1.2.6.106.107.104.116.116.112.2 = STRING: "OK"
其中我们需要的是UCD-SNMP-MIB::ucdavis.50.4.1.2.6.106.107.104.116.116.112.1 = STRING: "142"这一行

#snmpwalk  -v 2c 172.18.3.131  -c public .1.3.6.1.4.1.2021.50.3.1.2.6.106.107.104.116.116.112.1
UCD-SNMP-MIB::ucdavis.50.3.1.2.6.106.107.104.116.116.112.1 = STRING: "86"



SNMPv2-SMI::experimental.2 = No Such Object available on this agent at this OID
使用extend?
要做oid后面添加一个名称
extend .1.3.6.1.3.2  fxa-proxy /bin/bash /usr/local/nagios/libexec/check_cn-fxa-acccount-proxy.sh

使用nagios的check_snmp还是报No Such Object available on this agent at this OID
先使用snmpwalk找到要获取的准确的OID。

能采集到数据之后,就可以配置cacti来接收了。在cacti界面中console->Templates->Data Templates,然后点击右上角的Add,Data Templates中的name是给这个数据模板的命名,Data Source中的name将来显示在Data Sources中,我这里添加“|host_description| - HTTP NUM”,选get snmp data,Internal Data Source Name也可以随便添,这个用来给rrd文件命名 Unix - HTTP NUM。设置完后就可以save了,save之后会发现下面多了一些选项,在最下面那个添上我们需要的数据的 OID

“.1.3.6.1.4.1.2021.50.3.1.2.6.106.107.104.116.116.112.1”,可以保存了。

此后需要创建一个Graph Templates,好让cacti生成图片。在cacti界面中console->Templates->Graph Templates,然后点击右上角的Add,Templates中的name是给这个数据模板的命名Unix - HTTP NUM,Graph Template中的name是将来显示在图片上面中间的内容,我这里添加“|host_description| - HTTP NUM”,其他保持默认,保存之后上面会出来一些选项。

在Graph Template Items中添加一个item,Data Source选之前添加的,color选择一个图片的颜色,Graph Item Type选AREA,也就是区域,也可以选其他的线条,Text Format设置说明。
然后再添加一个item,Data Source选之前添加的,color选择none,Graph Item Type选GPRINT,Consolidation Function选LAST,也就是当前的值,Text Format输入Current。你还可以添加一些Graph Item Type为COMMENT的注释说明等。
现在只要为host添加这个画图模板就可以看到画出来的图了。

1.关于SELinux报错:
Jun 30 10:45:03 web1 setroubleshoot:      SELinux is preventing /bin/ps (snmpd_t) "sys_ptrace" access to (snmpd_t).      For complete SELinux messages. run sealert -l 32ec5849-2d38-49b8-a13c-faaba9239c98
解决:You can disable SELinux for snmpd by issuing the following command:
启动 setroubleshoot,以便可以使用sealert命令查询错误数据库,查询完毕后可以关闭
service setroubleshoot start
使用 sealert -l 32ec5849-2d38-49b8-a13c-faaba9239c98 查看错误数据库
按提示操作setsebool -P snmpd_disable_trans=1 
-P参数是永久有效的意思
停止 setroubleshoot
service setroubleshoot stop
重起snmpd
service snmpd restart



2.关于报错:last message repeated 3 times
vi /etc/init.d/snmpd
#OPTIONS="-Lsd -Lf  /dev/null -p /var/run/snmpd.pid -a"
OPTIONS="-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid -a"


3.使用cacti监控一台比较老的centos4.2的apache连接数,自定义的脚本,运行报错
[root@send4 data]# /usr/local/net-snmp/bin/snmpwalk -v 1 172.18.1.9  -c public .1.3.6.1.4.1.2021.50
UCD-SNMP-MIB::ucdavis.50.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1 = STRING: "jkhttp"
UCD-SNMP-MIB::ucdavis.50.3.1 = STRING: "/bin/sh /usr/local/apache/bin/jkhttp.sh"
UCD-SNMP-MIB::ucdavis.50.100.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.101.1 = STRING: "/bin/sh: Permission denied"
UCD-SNMP-MIB::ucdavis.50.102.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.50.103.1 =

查看/var/log/message
Jul 17 11:06:37 server7 kernel: audit(1216263997.231:115): avc:  denied  { read } for  pid=2697 comm="snmpd" name="sh" dev=sda2 ino=
1261577 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jul 17 11:06:37 server7 kernel: audit(1216263997.237:116): avc:  denied  { read } for  pid=2698 comm="snmpd" name="sh" dev=sda2 ino=
1261577 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jul 17 11:06:37 server7 kernel: audit(1216263997.243:117): avc:  denied  { read } for  pid=2699 comm="snmpd" name="sh" dev=sda2 ino=
1261577 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
解决办法
查看selinux拒绝了那些snmp正常的操作
[root@server7 snmp]# audit2allow -d
allow snmpd_t bin_t:lnk_file read;
allow snmpd_t sysctl_net_t:dir search;

把上面的行输出加入到文件
/etc/selinux/targeted/src/policy/domains/program/snmpd.te中。发现没有这个文件

原因是没有安装selinux-policy-targeted-sources-1.17.30-2.110.noarch.rpm
安装后把上面几行输出加入到文件    /etc/selinux/targeted/src/policy/domains/program/snmpd.te中。
执行
[root@server7 snmp]# cd  /etc/selinux/targeted/src/policy
[root@server7 policy]# make load
[root@server7 policy]# setfiles file_contexts/file_contexts /usr/share/snmp

OK了
[root@send4 data]# /usr/local/net-snmp/bin/snmpwalk -v 1 172.18.1.9  -c public .1.3.6.1.4.1.2021.50
UCD-SNMP-MIB::ucdavis.50.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1 = STRING: "jkhttp"
UCD-SNMP-MIB::ucdavis.50.3.1 = STRING: "/bin/sh /usr/local/apache/bin/jkhttp.sh"
UCD-SNMP-MIB::ucdavis.50.100.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.50.101.1 = STRING: "12"
UCD-SNMP-MIB::ucdavis.50.101.2 = STRING: "ok"
UCD-SNMP-MIB::ucdavis.50.102.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.50.103.1 = ""

数据出来了,可是后台又有新的错误
Jul 17 14:57:10 server7 kernel: audit(1216277829.987:1928): avc:  denied  { read } for  pid=5663 comm="ps" name="2" dev=proc ino=234782722 scontext=root:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=lnk_file
Jul 17 14:57:10 server7 kernel: audit(1216277829.988:1929): avc:  denied  { search } for  pid=5663 comm="ps" name="/" dev=devpts ino=1 scontext=root:system_r:snmpd_t tcontext=user_u:object_r:devpts_t tclass=dir
Jul 17 14:57:10 server7 kernel: audit(1216277829.988:1930): avc:  denied  { getattr } for  pid=5663 comm="ps" name="/" dev=devpts ino=1 scontext=root:system_r:snmpd_t tcontext=user_u:object_r:devpts_t tclass=dir

同样的步骤
[root@server7 ~]# audit2allow -d
allow snmpd_t devpts_t:dir { getattr search };
allow snmpd_t tty_device_t:chr_file getattr;
allow snmpd_t unconfined_t:lnk_file read;
allow snmpd_t usr_t:file ioctl;

把上面的行输出加入到文件
/etc/selinux/targeted/src/policy/domains/program/snmpd.te中

[root@server7 snmp]# cd  /etc/selinux/targeted/src/policy
[root@server7 policy]# make load
[root@server7 policy]# setfiles file_contexts/file_contexts /usr/share/snmp



关于permission deny

[cacti@srv ~]$ snmpwalk -v 2c -c public 192.168.1.1 .1.3.6.1.4.1.2021.50
UCD-SNMP-MIB::ucdavis.50.1.0 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.2.11.115.119.105.116.99.104.95.102.108.111.119 = STRING: "/bin/sh"
UCD-SNMP-MIB::ucdavis.50.2.1.3.11.115.119.105.116.99.104.95.102.108.111.119 = STRING: "/opt/switch_flow.sh"
UCD-SNMP-MIB::ucdavis.50.2.1.4.11.115.119.105.116.99.104.95.102.108.111.119 = ""
UCD-SNMP-MIB::ucdavis.50.2.1.5.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 5
UCD-SNMP-MIB::ucdavis.50.2.1.6.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.7.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.2.1.20.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 4
UCD-SNMP-MIB::ucdavis.50.2.1.21.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.3.1.1.11.115.119.105.116.99.104.95.102.108.111.119 = STRING: "/bin/sh: /opt/switch_flow.sh: Permission denied"
UCD-SNMP-MIB::ucdavis.50.3.1.2.11.115.119.105.116.99.104.95.102.108.111.119 = STRING: "/bin/sh: /opt/switch_flow.sh: Permission denied"
UCD-SNMP-MIB::ucdavis.50.3.1.3.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.50.3.1.4.11.115.119.105.116.99.104.95.102.108.111.119 = INTEGER: 126
UCD-SNMP-MIB::ucdavis.50.4.1.2.11.115.119.105.116.99.104.95.102.108.111.119.1 = STRING: "/bin/sh: /opt/switch_flow.sh: Permission denied"
查看:
/var/log/audit/audit.log
type=AVC msg=audit(1305512224.385:445917): avc:  denied  { read } for  pid=5180 comm="sh" name="switch_flow.sh" dev=sdb2 ino=2555908 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1305512224.385:445917): arch=c000003e syscall=2 success=no exit=-13 a0=1b21c570 a1=0 a2=1b21c583 a3=0 items=0 ppid=13920 pid=5180 auid=510 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58194 comm="sh" exe="/bin/bash" subj=user_u:system_r:snmpd_t:s0 key=(null)

[xiajc@srv145 opt]$ ls -Z switch_flow.sh 
-rwxr--r--  xiajc xiajc user_u:object_r:user_home_t      switch_flow.sh
因为该文件是由home目录下mv出来的,所以,selinux访问权限由些问题,需要更改该文件的selinux安全策略。

解释:
查看SElinux上下文
使用命令 ps –Z 和 ls –Z
每个进程都属于个SElinux域;
每个文件都被赋予一个SElinux上下文。
相关的域和上下文可以使用ls和ps命令的命令选项 –Z 来显示

上面的字段以冒号作为分隔符,
第一个字段:用户
第二个字段:角色
第三个字段:类型
第四个字段:与MLS,MCS有关
说明:
SEliunx目标策略只于第三个字段有关,即类型字段(TYPE).

文档: Relabeling a File or Directory

[xiajc@srv145 opt]$ chcon -t usr_t switch_flow.sh      
[xiajc@srv145 opt]$ ls -Z switch_flow.sh         
-rwxr--r--  xiajc xiajc user_u:object_r:usr_t            switch_flow.sh
阅读(3560) | 评论(1) | 转发(0) |
给主人留下些什么吧!~~

网络安全服务2011-05-11 16:44:30

网络安全服务````