Ps command on Linux shows the SNMP community string in the clear

Help
1

In this day and age of security prominence, is there any way to suppress/disguise the snmp community string being displayed on the command that shows from a simple ps command ? : where -c ‘???’ is the community string in clear text.

librenms 7943 30078 0 17:30 ? 00:00:00 sh -c /usr/bin/snmpbulkwalk -v2c -c ‘???’ -OQUst -m IF-MIB -M /apps/librenms/mibs:/apps/librenms/mibs/supermicro:/apps/librenms/mibs/dell udp:server1:161 ifLastChange 2>/dev/null

librenms 7944 30501 0 17:30 ? 00:00:00 sh -c /usr/bin/snmpbulkwalk -v2c -c ‘???’ -OQUst -m IF-MIB -M /apps/librenms/mibs:/apps/librenms/mibs/supermicro:/apps/librenms/mibs/dell udp:server2:161 ifOperStatus 2>/dev/null

librenms 7945 27901 0 17:30 ? 00:00:00 sh -c /usr/bin/snmpbulkwalk -v2c -c ‘???’ -OQUst -m IF-MIB -M /apps/librenms/mibs:/apps/librenms/mibs/supermicro:/apps/librenms/mibs/dell udp:server3:161 ifOutDiscards 2>/dev/null

librenms 7947 2969 0 17:30 ? 00:00:00 sh -c /usr/bin/snmpbulkwalk -v2c -c ‘???’ -OQUs -m IP-MIB -M /apps/librenms/mibs:/apps/librenms/mibs/supermicro:/apps/librenms/mibs/dell udp:server4:161 icmp 2>/dev/null

2

I think this is a bug with your chosen distro. net-snmp tries to hide it from PS, but not all support hiding.

3

Thanks Murrant - RHEL 7 is the distro and net-snmp version at 5.7.2 - I’ll do some research - if net-snmp tries to hide it from PS, I assume it would be an nmpd.conf parameter - correct ? Could also be the difference between v2c and v3 ? We are currently running v2c.

4

I checked on my Ubuntu 20.04 LTS system and community string hiding is partially broken there too.

librenms 3743058  0.0  0.0  10352  5560 ?        R    15:01   0:00  |               |       \_ /usr/bin/snmpbulkwalk -v2c -c        -OQUs -m IP-MIB -M /opt/librenms/mibs -t 5 -r 2 udp:10.0.5.67:161 ipSystemStats
librenms 3743064  0.0  0.0   7092  3476 ?        R    15:01   0:00  |               |       \_ /usr/bin/snmpbulkwalk -v2c -c Blah12 -OQUst -m IF-MIB -M /opt/librenms/mibs -t 5 -r 2 udp:10.0.10.28:161 ifDescr

Here is an example from ps - some snmpbulkwalk lines replace the community with spaces in ps, some show the actual community. (I’ve changed it before posting here of course)

@pig_bucket:

IMO this is only really an issue if you run other services on your LibreNMS server that are potentially “hostile”. I dedicate a server to running LibreNMS.

Keep in mind SNMP v1 and v2 are sent in the clear on the network (and v3 can also be depending on how you configure it) and that is a much more likely place for your community string to be intercepted then a hostile process on your server looking at ps output.

There is also a lot of other sensitive information about your network stored in LibreNMS that could easily be obtained through a privilege escalation exploit on the server if other potentially hostile or remotely exploitable pieces of software running on the server were compromised.

The best solution to this is don’t run anything other than LibreNMS on the server.

Another possible workaround would be using systemd containers to put LibreNMS and whatever other software you’re worried about looking at ps in separate process namespaces that are isolated from each other, but that seems like a lot of hassle.

5

Thanks for the comprehensive analysis DBMandrake - still running v2c everywhere so like you said it’s out there on the network in the clear anyway. There’s only LibreNMS running on the server so I think I’ll live with it for the time being and just ensure tight restrictions as to who can get onto the system.

6

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.