Article ID: 5898
Protocols/Features
SNMP
Goal
Prevent Read-only users from viewing Read-Write or Admin SNMP credentials
Symptoms
RO users can see RW / Admin SNMP credentials in the MIBs
Cause
When setting up SNMPv1/2/3 configurations, it is not unusual to allow each user an unrestricted view of the entire MIB Tree.
Doing this for read-only groups (and thus, read-only users) unfortunately allows them to view the branch containing the SNMP configuration parameters, which would give them the credentials needed to obtain read-write or admin-level SNMP access.
Solution
FAD (Functions as Designed)
The following command sequence creates an SNMP view (5610) permitting full MIB access except for the 'snmpV2=1.3.6.1.6' branch:
set snmp view viewname RO subtree 1
set snmp view viewname RO subtree 0.0
set snmp view viewname RO subtree 1.3.6.1.6 excluded
For any SNMP version this (case-sensitive) 'RO' view may then be referenced instead of the default 'All' view, in the 'set snmp access' commands for read-only groups (5245).
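To check what the 'RO' view above actually hides compared with the default 'All' view, here is an added example (not part of the article) that models the VACM view lookup of RFC 3415 in Python. It assumes the two views are just the subtree entries from the commands above, uses longest-prefix matching, and ignores family masks (wildcards), which those commands do not use.

```python
"""Model of the VACM view lookup applied to the 'RO' view above.

Added example, not from the original article. Assumes the view entries
are evaluated with RFC 3415 longest-prefix matching and ignores family
masks (wildcards), which the article's commands do not use.
"""

# Constructed view tables mirroring the 'set snmp view' commands:
# (subtree OID, included?). 'All' is the unrestricted default view.
VIEWS = {
    "All": [("1", True), ("0.0", True)],
    "RO": [("1", True), ("0.0", True), ("1.3.6.1.6", False)],
}


def _oid(dotted):
    """Parse '1.3.6.1.6' into a tuple of integers."""
    return tuple(int(x) for x in dotted.strip(".").split("."))


def oid_visible(view_name, oid):
    """Return True if `oid` is accessible through the named view.

    VACM semantics: among view entries whose subtree is a prefix of the
    OID, the entry with the longest subtree decides (included/excluded).
    An OID matched by no entry is not in the view at all.
    """
    target = _oid(oid)
    best = None  # (prefix length, included)
    for subtree, included in VIEWS[view_name]:
        prefix = _oid(subtree)
        if target[:len(prefix)] == prefix:
            if best is None or len(prefix) > best[0]:
                best = (len(prefix), included)
    return best is not None and best[1]


# OIDs a read-only poller legitimately needs, versus tables under the
# snmpV2 branch (1.3.6.1.6) that hold USM users, VACM access rules and
# community strings.
SAMPLE_OIDS = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "ifTable": "1.3.6.1.2.1.2.2",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
}


def compare_views(oids=SAMPLE_OIDS):
    """Return {name: (visible via 'All', visible via 'RO')} per OID."""
    return {name: (oid_visible("All", o), oid_visible("RO", o))
            for name, o in oids.items()}


if __name__ == "__main__":
    for name, (all_ok, ro_ok) in compare_views().items():
        print(f"{name:20s} All={all_ok!s:5} RO={ro_ok!s:5}")
```

Run it after each view change to confirm that the standard MIB-2 objects stay readable while the configuration tables are excluded.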