ident-like MIB for SNMP
Mike StJohns <stjohns@umd5.umd.edu> Sat, 11 April 1992 13:38 UTC
Received: from nri.nri.reston.va.us by ietf.NRI.Reston.VA.US id aa00485; 11 Apr 92 9:38 EDT
Received: from nri.reston.va.us by NRI.Reston.VA.US id aa06457; 11 Apr 92 9:41 EDT
Received: from nri.reston.va.us by NRI.Reston.VA.US id aa06450; 11 Apr 92 9:41 EDT
Received: from umd5.umd.edu by NRI.Reston.VA.US id aa06445; 11 Apr 92 9:41 EDT
Received: by umd5.umd.edu id <AA13805@umd5.umd.edu>; Sat, 11 Apr 92 09:42:05 -0400
Message-Id: <9204111342.AA13805@umd5.umd.edu>
To: ident@nri.reston.va.us
Subject: ident-like MIB for SNMP
Date: Sat, 11 Apr 1992 09:41:57 -0400
From: Mike StJohns <stjohns@umd5.umd.edu>
X-Mts: smtp
What follows is a MIB for SNMP that provides functionality approximately equal to that of the "ident" protocol. Marshall Rose was kind enough to do the work to put this into a formal format. In addition, he's already modified his SNMP agent implementation (I think its the one supplied in ISODE?) to return these variables. For now, I'm going to ask for discussion of this MIB on the ident list as many of the issues are the same. (For ex - the character set issue and the relationship of the userid to the opsys) If the list gets too cluttered I'll ask to have a seperate list created. This MIB is targeted to move onto the standards track. It is NOT meant to replace or prevent the ident draft from moving forward also. Mike ------- Forwarded Message Draft Ident MIB Apr 92 Ident MIB Fri Apr 10 23:01:59 1992 Michael St. Johns U.S. Department of Defense stjohns@UMD5.UMD.EDU Marshall T. Rose Dover Beach Consulting, Inc. mrose@dbc.mtview.ca.us 1. Status of this Memo This memo provides information for the Internet community. It does not specify any standard. Distribution of this memo is unlimited. Please send comments to the authors. 2. Abstract This memo defines a MIB for use with identifying the users associated with TCP connections. It provides functionality approximately equivalent to that provided by the protocol defined in RFC 931[1]. St. Johns, Rose [Page 1] Draft Ident MIB Apr 92 3. The Network Management Framework The Internet-standard Network Management Framework consists of three components. They are: RFC 1155[2] which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. RFC 1212[3] defines a more concise description mechanism, which is wholly consistent with the SMI. RFC 1213[4] which defines MIB-II, the core set of managed objects for the Internet suite of protocols. RFC 1157[5] which defines the SNMP, the protocol used for network access to managed objects. The Framework permits new objects to be defined for the purpose of experimentation and evaluation. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Within a given MIB module, objects are defined using RFC 1212's OBJECT-TYPE macro. At a minimum, each object has a name, a syntax, an access-level, and an implementation-status. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the object descriptor, to also refer to the object type. The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1[6] language is used for this purpose. However, RFC 1155 purposely restricts the ASN.1 constructs which may be used. These restrictions are explicitly made for simplicity. The access-level of an object type defines whether it makes "protocol sense" to read and/or write the value of an instance of the object type. (This access-level is independent of any administrative authorization policy.) The implementation-status of an object type indicates whether the object is mandatory, optional, obsolete, or deprecated. St. Johns, Rose [Page 2] Draft Ident MIB Apr 92 4. Ident MIB The Ident MIB defines a uniform set of objects useful for identifying users associated with TCP connections. St. Johns, Rose [Page 3] Draft Ident MIB Apr 92 5. Definitions RFC-ident-MIB DEFINITIONS ::= BEGIN IMPORTS experimental FROM RFC-1155 OBJECT-TYPE FROM RFC-1212 tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort FROM RFC1213-MIB; ident OBJECT IDENTIFIER ::= { experimental 33 } -- conformance groups identInfo OBJECT IDENTIFIER ::= { ident 1 } -- textual conventions -- none St. Johns, Rose [Page 4] Draft Ident MIB Apr 92 -- the ident information system group -- -- implementation of this group is mandatory identTable OBJECT-TYPE SYNTAX SEQUENCE OF IdentEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "A table containing user information for TCP connections. Note that this table contains entries only for TCP connections in the ESTABLISHED state. Hence, a management protocol retrieval operation on a column which does not correspond to a TCP connection in the ESTABLISHED state will result in a `noSuchName' error." ::= { identInfo 1 } identEntry OBJECT-TYPE SYNTAX IdentEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "User information about a particular TCP connection." INDEX { tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort } ::= { identTable 1 } IdentEntry ::= SEQUENCE { identStatus INTEGER, identOpSys OBJECT IDENTIFIER, identUserid OCTET STRING, identMisc OCTET STRING } identStatus OBJECT-TYPE SYNTAX INTEGER { noError(1), unknownError(2) } ACCESS read-only St. Johns, Rose [Page 5] Draft Ident MIB Apr 92 STATUS mandatory DESCRIPTION "Indicates whether user information for the associated TCP connection can be determined. A value of `noError(1)' indicates that user information is available. A value of `unknownError(2)' indicates that user information is not available." ::= { identEntry 1 } identOpSys OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-only STATUS mandatory DESCRIPTION "Indicates the type of operating system in use. In addition to identifying an operating system, each assignment made for this purpose also (implicitly) identifies the syntax, maximum size, and repertoire of the corresponding identUserid and identMisc objects. The `identSystems' subtree may be used for assignments." ::= { identEntry 2 } identUserid OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "Indicates the user's identity. Interpretation of this object requires examination of the corresponding value of the identOpSys object." ::= { identEntry 3 } identMisc OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "Indicates the user's identity. Interpretation of this object requires examination of the corresponding value of the identOpSys object." ::= { identEntry 4 } St. Johns, Rose [Page 6] Draft Ident MIB Apr 92 -- operating system assignments, used for identOpSys identSystems OBJECT IDENTIFIER ::= { ident 2 } -- when the Assigned Numbers "system name" is UNIX identSysUnix OBJECT IDENTIFIER ::= { identSystems 1 } -- when identOpSys has the value identSysUnix: -- -- identUserid corresponds to the UNIX username (pw_name) -- of length 1 to 8 octets -- from the NVT ASCII repertoire -- -- the syntax (and length) of identMisc is a local matter, -- but the NVT ASCII repertoire is used END St. Johns, Rose [Page 7] Draft Ident MIB Apr 92 6. Security Considerations The information available through this MIB is at most as trustworthy as the host providing it OR the organization operating the host. For example, a PC in an open lab has few if any controls on it to prevent a user from having an SNMP query return any identifier the user wants. Likewise, if the host has been compromised the information returned may be completely erroneous and misleading. This portion of the MIB space should only be used to gain hints as to who "owns" a particular TCP connection -- information returned should NOT be considered authoritative for at least the reasons described above. At best, this MIB provides some additional auditing information with respect to TCP connections. At worse it can provide misleading, incorrect or maliciously incorrect information. UNDER NO CIRCUMSTANCES should information returned from this MIB space be used to make access control decisions -- either as the primary method (i.e., no other checks) or as an adjunct to other methods. This MIB provides access to information that some systems might consider privacy-related. The information accessible through this MIB is roughly as revealing as that returned by the "finger" server and protocol[7]. Access to this portion of the MIB tree may be controlled under the normal methods available through SNMP agent implementations. St. Johns, Rose [Page 8] Draft Ident MIB Apr 92 7. References [1] M. St. Johns, Authentication Server. Request for Comments 931, (May, 1990). [2] M.T. Rose and K. McCloghrie, Structure and Identification of Management Information for TCP/IP-based internets. Request for Comments 1155, (May, 1990). [3] M.T. Rose and K. McCloghrie, Concise MIB Definitions. Request for Comments 1212, (March, 1991). [4] K. McCloghrie and M.T. Rose, Management Information Base for Network Management of TCP/IP-based internets: MIB-II. Request for Comments 1213, (March, 1991). [5] J.D. Case, M.S. Fedor, M.L. Schoffstall, and J.R. Davin, Simple Network Management Protocol. Request for Comments 1157, (May, 1990). [6] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization. International Standard 8824, (December, 1987). [7] D.P. Zimmerman, Finger User Information Protocol. Request for Comments 1288, (December, 1991). St. Johns, Rose [Page 9] Draft Ident MIB Apr 92 Table of Contents 1 Status of this Memo ................................... 1 2 Abstract .............................................. 1 3 The Network Management Framework ...................... 2 4 Ident MIB ............................................. 3 5 Definitions ........................................... 4 5.1 Conformance Groups .................................. 4 5.2 Textual Conventions ................................. 4 5.3 The Ident information Group ......................... 5 5.4 Operating System Assignments ........................ 7 5.4.1 identSysUnix ...................................... 7 6 Security Considerations ............................... 8 7 References ............................................ 9 St. Johns, Rose [Page 10] ------- End of Forwarded Message
- ident-like MIB for SNMP Mike StJohns
- Re: ident-like MIB for SNMP brnstnd
- Re: ident-like MIB for SNMP Steve Kent
- Re: ident-like MIB for SNMP Marshall Rose
- Re: ident-like MIB for SNMP brnstnd