From 4e0da0216d3ca96c930eca053c9a229e86cc7402 Mon Sep 17 00:00:00 2001 From: Anton Lofgren Date: Fri, 7 Mar 2014 11:35:21 +0100 Subject: check_snmp: Handle SNMPv3 noAuthNoPriv properly The SNMPv3 noAuthNoPriv security level, somewhat unintuitively, requires a security name to be passed along together with the request. Check_snmp previously did not do this, causing snmpget to throw an error: "External command error: No log handling enabled - turning on stderr logging snmpget: No securityName specified" This patch fixes the issue by always providing the security name when noAuthNoPriv is specified. See also: https:://bugs.op5.com/view.php?id=8385. Signed-off-by: Anton Lofgren --- plugins/check_snmp.c | 10 ++++++---- plugins/t/check_snmp.t | 11 +++++++++-- 2 files changed, 15 insertions(+), 6 deletions(-) (limited to 'plugins') diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c index d516fbc1..2c62a230 100644 --- a/plugins/check_snmp.c +++ b/plugins/check_snmp.c @@ -963,11 +963,16 @@ validate_arguments () if (seclevel == NULL) xasprintf(&seclevel, "noAuthNoPriv"); + if (secname == NULL) + die(STATE_UNKNOWN, _("Required parameter: %s\n"), "secname"); + if (strcmp(seclevel, "noAuthNoPriv") == 0) { - numauthpriv = 2; + numauthpriv = 4; authpriv = calloc (numauthpriv, sizeof (char *)); authpriv[0] = strdup ("-l"); authpriv[1] = strdup ("noAuthNoPriv"); + authpriv[2] = strdup ("-u"); + authpriv[3] = strdup (secname); } else { if (! ( (strcmp(seclevel, "authNoPriv")==0) || (strcmp(seclevel, "authPriv")==0) ) ) { usage2 (_("Invalid seclevel"), seclevel); @@ -976,9 +981,6 @@ validate_arguments () if (authproto == NULL ) xasprintf(&authproto, DEFAULT_AUTH_PROTOCOL); - if (secname == NULL) - die(STATE_UNKNOWN, _("Required parameter: %s\n"), "secname"); - if (authpasswd == NULL) die(STATE_UNKNOWN, _("Required parameter: %s\n"), "authpasswd"); diff --git a/plugins/t/check_snmp.t b/plugins/t/check_snmp.t index 6de5f299..c35d7821 100644 --- a/plugins/t/check_snmp.t +++ b/plugins/t/check_snmp.t @@ -10,7 +10,7 @@ use NPTest; BEGIN { plan skip_all => 'check_snmp is not compiled' unless -x "./check_snmp"; - plan tests => 60; + plan tests => 61; } my $res; @@ -26,6 +26,7 @@ my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRES my $hostname_invalid = getTestParameter( "hostname_invalid", "NP_HOSTNAME_INVALID", "nosuchhost", "An invalid (not known to DNS) hostname" ); +my $user_snmp = getTestParameter( "user_snmp", "NP_SNMP_USER", "auth_md5", "An SNMP user"); $res = NPTest->testCmd( "./check_snmp -t 1" ); is( $res->return_code, 3, "No host name" ); @@ -35,7 +36,7 @@ $res = NPTest->testCmd( "./check_snmp -H fakehostname" ); is( $res->return_code, 3, "No OIDs specified" ); is( $res->output, "No OIDs specified" ); -$res = NPTest->testCmd( "./check_snmp -H fakehost -o oids -P 3 --seclevel=rubbish" ); +$res = NPTest->testCmd( "./check_snmp -H fakehost -o oids -P 3 -U not_a_user --seclevel=rubbish" ); is( $res->return_code, 3, "Invalid seclevel" ); like( $res->output, "/check_snmp: Invalid seclevel - rubbish/" ); @@ -154,6 +155,12 @@ SKIP: { like($res->output, '/^SNMP OK - Timeticks:\s\(\d+\)\s+(?:\d+ days?,\s+)?\d+:\d+:\d+\.\d+\s.*$/', "Timetick used as a string, result printed rather than parsed"); } +SKIP: { + skip "no SNMP user defined", 1 if ( ! $user_snmp ); + $res = NPTest->testCmd( "./check_snmp -H $host_snmp -o HOST-RESOURCES-MIB::hrSystemUptime.0 -P 3 -U $user_snmp -L noAuthNoPriv"); + like( $res->output, '/^SNMP OK - Timeticks:\s\(\d+\)\s+(?:\d+ days?,\s+)?\d+:\d+:\d+\.\d+\s.*$/', "noAuthNoPriv security level works properly" ); +} + # These checks need a complete command line. An invalid community is used so # the tests can run on hosts w/o snmp host/community in NPTest.cache. Execution will fail anyway SKIP: { -- cgit v1.2.3-74-g34f1