nv-l
[Top] [All Lists]

RE: [NV-L] FW: Varbind errors

To: JaneTaylor@HBOSplc.com
Subject: RE: [NV-L] FW: Varbind errors
From: "Evans, Bill" <Bill.Evans@hq.doe.gov>
Date: Tue, 6 Nov 2007 10:45:56 -0500
Cc: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Delivery-date: Tue, 06 Nov 2007 15:47:35 +0000
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <200711060749.lA67nj8p006672@e6.ny.us.ibm.com>
List-help: <mailto:nv-l-request@lists.ca.ibm.com?subject=help>
List-id: Tivoli NetView Discussions <nv-l.lists.ca.ibm.com>
List-post: <mailto:nv-l@lists.ca.ibm.com>
List-subscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=subscribe>
List-unsubscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=unsubscribe>
References: <200711060749.lA67nj8p006672@e6.ny.us.ibm.com>
Reply-to: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Sender: nv-l-bounces@lists.ca.ibm.com
Thread-index: Acgf2HNzfvbIWXItSlOJ2p8dqCMZ3gAcN5rAAA9kmGA=
Thread-topic: [NV-L] FW: Varbind errors

 
The "illegal characters" are those which follow the backslashes in the messages.  You can strip them out with a SED command on Unix/Linux (sed -e "s/\\//g") somewhere along the line.  I'm not sure how to do the same in a ruleset.  They are inserted to forestall hackers who might try to bury something executable in the attribute strings forwarded by SNMP.  This write-up is copied from the IBM Redbook on Event Management SG24-6094. 


      Security fix and its impact on NetView automated actions
      A fix has been made to ovactiond, nvcorrd, and actionsvr to close a potential
      security hole. This hole may allow any non-authorized user, with some
      knowledge of NetView trap customization, to gain root access to the NetView
      system by sending a trap to the NetView system from anywhere in the network.
      This did not happen in the product as it is shipped, but can occur after trap
      customization is done by the NetView administrator or anyone with root authority
      on the NetView system. The security hole opened when a trap was customized
      to include a variable in the Command for Automatic Action field. A trap can then
      be sent from any system using command substitution, rather than the intended
      variable, to execute unauthorized operating system commands on the NetView
      system.
      The UNIX daemons impacted by this fix are ovactiond, nvcorrd, and actionsvr.
      The Windows daemons impacted by this fix are nvcorrd and trapd. These
      daemons now filter out all non-alphanumeric characters except for the minus sign
      (-) and the decimal point (.). All characters that do not fall into this set are
      replaced with an underscore (_). If a minus sign or decimal point is encountered,
      it is escaped (preceded by a back slash (\)) as a precaution.
      If any non-alphanumeric character is encountered (and filtering is not disabled), a
      message is logged to the appropriate log file (if logging is enabled). On UNIX, the
      log files are /usr/OV/log/nvcorrd.alog, /usr/OV/log/ovactiond.log, and
      /usr/OV/log/nvaction.alog. On Windows, the log files are \usr\ov\log\nvcorrd.alog
      and trapd.log.
      The modified characters include: $, ‘, ;, &, |, @, #, %, ^, <, >, /, \, =, {, }, -, ", and !.
      When these characters are encountered, a message is entered into the
      appropriate daemon log file.
      This list of filtered characters can be configured by creating a variable (UNIX) or
      a registry variable (Windows) called AdditionalLegalTrapCharacters. If you set
      this variable to disable, then no filtering is done. If you set the variable to a string
      containing nonalphanumeric characters, then the filtering allows those
      characters to pass through the filter, but they are escaped.
      Stop and restart the NetView daemons after setting the variable.

Bill Evans 

-----Original Message-----
From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of JaneTaylor@HBOSplc.com
Sent: Tuesday, November 06, 2007 2:48 AM
To: nv-l@lists.ca.ibm.com
Subject: [NV-L] FW: Varbind errors



> Can anyone help?
>
> I'm trying to generate new traps after receiving certain traps and
> then forward them to our tec server. The reason being, I don't want to
> send them all. I'm getting the following errors
>
> 2007/05/11 18:23:28    UserExitDnode.C[345] :   Varbind contained an
> illegal character.
> Issuing sanitized version of the varbind:
> 2007/05/11 18:23:28    UserExitDnode.C[346] :
> NVATTR_3="1\.3\.6\.1\.3\.94\.1\.8\.1\.2\.33\.0\.0\.96\.223\.34\.84\.18
> 2\.0\.0\.0\.0\.0\.0\.0\.0\.12"
> 2007/05/11 18:23:28    UserExitDnode.C[345] :   Varbind contained an
> illegal character.
> Issuing sanitized version of the varbind:
> 2007/05/11 18:23:28    UserExitDnode.C[346] :
> NVATTR_4="BUFFER_RETRIEVAL_REQUEST S_success F_IO Board 11 DD_RAM
> Buffer needs to be retrieved\.  Either it has reached its threshold or
> the periodic retrieval is needed\.  This event triggers EM to
> automatically retrieve the file\.  Board is IO Board 11\."
>
> I'm just trying to forward the same fields from the original trap. The
> NVATTR_3 is an ObjectIdentifier and NVATTR_4 is an OctetString. These
> are actually the ones
>
> In fact, I just want to drop some of these traps by parsing what's in
> the description (NVATTR_4). Is there an easy way of doing that in a
> ruleset?
>
> Help greatly appreciated.
>
> Jane
>
> Jane Taylor
> Enterprise Monitoring & Automation Service
> Group Technology
> Group Operations - HBOS Plc
> (7584)   38733
> 01422 338733
> Copley Ground Floor West Wing
> JaneTaylor@HBOSplc.com
> COP/CG/GT/OPS/EMAS/JBT/348063
> For details of monitoring solutions and statistics....
> http://hww.intranet.hx-online.hxgroup.com/intranet/sites/site46.nsf?op
> endatabase
> Please direct any general queries to our Global Mailbox:
> $Enterprise Monitoring & Automation (HO)
>
>

.
--------------------------------------------------------------------------------------------------------------------

HBOS plc, Registered in Scotland No. SC218813. Registered Office: The Mound, Edinburgh EH1 1YZ. HBOS plc is a holding company, subsidiaries of which are authorised and regulated by the Financial Services Authority.

==============================================================================

_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to 
internal IBM'ers only)
<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web