
Disabling Snmp

John Sisak
Advisor

Disabling Snmp

I am disabling snmp on a server but haven't been able to determine how /sbin/init.d/SnmpFddi gets started. There doesn't seem to be a corresponding config file in /etc/rc.config.d. I could always move S570SnmpFddi to s570SnmpFddi to prevent it from starting, but if there is a control parameter somewhere, I would prefer to set its value to zero.
8 REPLIES 8
Todd McDaniel_1
Honored Contributor
Solution

Re: Disabling Snmp

There is no config file for that one... Config files are good coding, but not required.

The best way is to disable the startup and kill scripts and make the script non-executable.

Don't forget to comment it out of /etc/services to free up those ports if you need to lock them down.
Unix, the other white meat.
Bill Hassell
Honored Contributor

Re: Disabling Snmp

Actually, the preferred method is to turn off SNMP values and leave the scripts in /sbin/init.d alone. The reason is that /sbin/init.d contains non-configurable scripts and these may get replaced in a future patch. And if you run swverify it will report errors in this directory as the permissions will be incorrect.

To turn off any start/stop service in /sbin/init.d, use the corresponding configuration script in /etc/rc.config.d. Most (but not all) will have a 1:1 naming convention. For instance, ems has the same name in both directories. Alas, several scripts use a 'combination' config file such as netconf or netdaemons. However, for SNMP, the choice is easy. Just do this:

for MYSCRIPT in /sbin/init.d/Snmp*
do
$MYSCRIPT stop
done

vi /etc/rc.config.d/Snmp*

and in vi, type G to go to the end of the file, set =1 to =0, then save the file and type :n to go to the next file and repeat until done. (or just edit each Snmp file in /etc/rc.config.d one at a time). Now you've stopped all Snmp services (not a bad idea at all) and disabled these services from starting at the next reboot.


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: Disabling Snmp

Almost forgot: the /sbin/init.d/SnmpFddi* is badly written and does not correspond to the HP-UX standard for start/stop scripts. Removing the symlink is the best solution. Hopefully, HP will fix this oversight.


Bill Hassell, sysadmin
Naveen_17
New Member

Re: Disabling Snmp

I own the FDDI network product including the subagent.

The main issue with SnmpFddi4 startup script is that it doesn't have a corresponding configuration file in /etc/rc.config.d/ directory. As Todd has mentioned, config files for subagents (in etc/rc.config.d/ directory) don't seem to be mandatory.

I understand that absence of FDDI's configuration file in etc/rc.config.d/ directory is a usability issue and doesn't provide a proper uniform mechanism to disable subagent's start.

FDDI technology being legacy is getting obsoleted during 11.31 and as you are already aware of the workarounds available for this issue. Also, as no customer has ever complained about this, I think the ROI is not worth the effort required to patch this issue. Please let me know your opinion about this.
Bill Hassell
Honored Contributor

Re: Disabling Snmp

"Config files ... not required"? Hummmm. That seems to be in opposition to the design and standard practice for start/stop scripts. Perhaps this document may be of some help: http://docs.hp.com/cgi-bin/onlinedocs.py?mpn=5963-8942&service=hpux&path=00/00/1&title=HP-UX%2010.0%20File%20System%20Layout%20White%20Paper

The reality is that without a config script, you can have a true hodge-podge (technical term) of solutions (chmod -x or rename the script or remove the script, etc) all of which (because they are in /sbin/...) are subject to patch changes. SNMP is the subject of many security concerns so it should be easily configurable. I don't want a disabled service to sneak back in after patching. True, FDDI is going away but the code will exist (11.00, 11.11) for many years. If an swremove will remove FDDI and the start/stop script, then that would be a good alternative.


Bill Hassell, sysadmin
Todd McDaniel_1
Honored Contributor

Re: Disabling Snmp

Just as a follow up... There must have been a recent patch that I loaded which corrected this anomaly of no config files in /etc/rc.config.d/

I now see Snmp* in /etc/rc.config.d/ that I didn't see before... maybe I just missed them.

Three of the dates are older "Pre-Install" dates of my host so I don't know when they might have been installed unless I go back and check my patch install history...

So I can also now disable my own snmp and lock down that port.



I will have to check and post back again.

NO points here please.
Unix, the other white meat.
John Sisak
Advisor

Re: Disabling Snmp

Thanks, Todd. I had/have four files in /etc/rc.config.d:
SnmpHpunix
SnmpMaster
SnmpMib2
SnmpTrpDst
Unfortunately, none control /sbin/init.d/SnmpFddi.
Elena Leontieva
Esteemed Contributor

Re: Disabling Snmp

Hi,

I found this method of disabling SNMP:

cd /sbin/rc2.d
for file in S565OspfMib S941opcagt S570SnmpFddi
do mv -f $file .NO$file
done

ch_rc -a -p SNMP_HPUNIX_START=0 /etc/rc.config.d/SnmpHpunix
ch_rc -a -p SNMP_MASTER_START=0 /etc/rc.config.d/SnmpMaster
ch_rc -a -p SNMP_MIB2_START=0 /etc/rc.config.d/SnmpMib2
ch_rc -a -p SNMP_TRAPDEST_START=0 /etc/rc.config.d/SnmpTrpDst

Elena
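
A post-patch audit for the concern raised in this thread (a disabled SNMP service coming back, or a start link such as S570SnmpFddi that no config file controls). This is an added example, not code from any post; the function name snmp_audit and the assumption that a start link SnnnName maps to /etc/rc.config.d/Name are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Reports SNMP start controls that are
# still enabled. Default paths and the *_START=<n> variable pattern come from
# the posts above; the link-name -> config-name mapping is an assumption.

# snmp_audit [CONFDIR] [RCDIR]
# Prints one finding per line; returns 0 if clean, 1 if anything is enabled.
snmp_audit() {
    confdir=${1:-/etc/rc.config.d}
    rcdir=${2:-/sbin/rc2.d}
    findings=0
    # Uncommented assignment of 1 to any *_START variable.
    pat='^[[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*_START="?1"?([[:space:]]|#|;|$)'

    # 1. Config-controlled subagents (SnmpHpunix, SnmpMaster, ...).
    for f in "$confdir"/Snmp*; do
        [ -f "$f" ] || continue
        hits=$(grep -E "$pat" "$f" || true)
        if [ -n "$hits" ]; then
            echo "ENABLED config: $f: $hits"
            findings=$((findings + 1))
        fi
    done

    # 2. Live S-links whose script has no config file: these start at boot
    #    regardless of rc.config.d. Renamed links (.NOS570..., s570...) are
    #    not matched by the glob and therefore count as disabled.
    for l in "$rcdir"/S[0-9]*Snmp*; do
        [ -e "$l" ] || [ -L "$l" ] || continue
        name=$(basename "$l" | sed 's/^S[0-9]*//')
        if [ ! -f "$confdir/$name" ]; then
            echo "UNCONTROLLED start link: $l (no $confdir/$name)"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Usage on a live system (run after each patch install):
#   snmp_audit || echo "SNMP start controls need attention"
```
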