There are some minimal "Security" configuration options for the MIB browser.
The options are in: /usr/OV/app-defaults/XNm

xnmbrowser.showCommunityName: False
xnmbrowser.allowSnmpSets: False

The 1st option will prevent the community name from being displayed and
prevent the user from manually entering a different community name in the
Community Name field in the upper right corner. The 2nd will prevent the user
from performing SNMP Sets.
You probably do not want to make these changes in this (XNm) file because they
will be global for all NetView users. Instead, copy the 2 lines to the
individual users $HOME/.Xdefaults file. (Do not give the users Write access
to this file.)
Caution: These modifications only affect the GUI browser. They have NO effect
on SNMP commands issued from the command line or the Web Browser interface.
Don Davis
APC, Inc.
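An added example, not from either post: a small POSIX sh helper that puts the two xnmbrowser resources above into a given user's .Xdefaults (replacing any existing setting of them, leaving the user's other resources alone) and then makes the file read-only for that user, as the post recommends. The file path and the owning admin account are parameters; the default owner "root" is an assumption.

```shell
#!/bin/sh
# Added example: lock down xnmbrowser resources in a user's ~/.Xdefaults.
# Usage: lock_xnmbrowser_defaults /home/alice/.Xdefaults [owner]

lock_xnmbrowser_defaults() {
    xdefaults="$1"        # the user's .Xdefaults file
    owner="${2:-root}"    # assumed: an admin account that will own the file

    [ -f "$xdefaults" ] || : > "$xdefaults"

    for res in "xnmbrowser.showCommunityName: False" \
               "xnmbrowser.allowSnmpSets: False"; do
        key="${res%%:*}"
        # Drop any existing line for this resource, then append ours,
        # so repeated runs leave exactly one copy of each setting.
        grep -v "^${key}:" "$xdefaults" > "$xdefaults.tmp" || true
        printf '%s\n' "$res" >> "$xdefaults.tmp"
        mv "$xdefaults.tmp" "$xdefaults"
    done

    # Readable (X needs to load it) but writable by nobody.
    chown "$owner" "$xdefaults" 2>/dev/null || true   # only works as root
    chmod 0444 "$xdefaults"
}

# Returns 0 when both settings are present and the file has no write bit.
check_xnmbrowser_defaults() {
    xdefaults="$1"
    grep -q '^xnmbrowser\.showCommunityName:[[:space:]]*False$' "$xdefaults" || return 1
    grep -q '^xnmbrowser\.allowSnmpSets:[[:space:]]*False$' "$xdefaults" || return 1
    # Mode string (columns 2-10 of ls -l) must not contain a "w".
    case "$(ls -ld "$xdefaults" | cut -c2-10)" in
        *w*) return 1 ;;
    esac
    return 0
}
```

Run it once per NetView user; the check function is suitable for a periodic audit since the settings are per-user, not global.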
> Subject: Re: SNMP Setup / Netview Security
> Date: Thu, 9 Jul 1998 10:29:25 -0600
> From: "John A. Dorsey" <dorsey@COLQUITT.ORG>
>
> Dear NV-L-ers,
>
> -> It is possible to reboot any device in any Netview map for which you
> -> have a read-write community in the ovsnmp database if that device has a
> -> read-write snmp variable that will trigger it. It has nothing to do
> -> with Nways. You can do the same through the mib browser. It's the (lack
> -> of) security function in SNMPv1.
>
> I'd like to add my humble comments to this. When I first
> familiarised myself with Netview security, I noted that each user
> can have any of several security permissions (eg. "r", "w", "x"
> or presumably others) for each application supporting the NV security
> API. It took awhile for me to realise that for most (all?)
> such applications, there is no fine-level control of function based on
> this capability.
>
> What I would have loved would be for Netview applications to
> refuse to use or divulge the read-write community to users with
> only "r" (read) permission, but happily use/divulge it for users with
> "w" (write) permission. But I haven't ever known any app to do this
> sort of thing, and as Jim points out it's pretty pointless if
> xnmbrowser is willing to do anything for anybody with a modicum of
> security clearance. Has anyone's mileage varied?
>
> To my discredit, I've never thought this through enough
> to justify making it a formal request or requirement to send to
> Tivoli's Official Black Hole Requirements Address.
>
> -> Until you get IPsec and SNMPv3, this will continue to be the case. My
> -> suspicion is that you'll begin to see these on hardware devices and
> -> hardware management applications (whether or not they're in Netview) by
> -> the end of the year. (My opinion only, not an IBM announcement).
>
> Such promising new technology likely makes obsolete my
> ideas of better using the old security mechanism.
>
> John Dorsey
>
>