SNMP Traps - Ciena AAA (#15998)

* Ciena AAA snmp trap handler

* Removed IP from log message

* Added unit test

* Fixed unit test

* Removing reference from handler

LibreNMS/Snmptrap/Handlers/CienaCesAAAUserAuthenticationEvent.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * CienaCesAAAUserAuthenticationEvent.php
+ *
+ * -Description-
+ *
+ * Handles Ciena authentication traps. States whether or not user
+ * successfully authenticates to the device.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * @link       https://www.librenms.org
+ *
+ * @copyright  2024 KanREN Inc
+ * @author     Heath Barnhart <hbarnhart@kanren.net>
+ */
+
+namespace LibreNMS\Snmptrap\Handlers;
+
+use App\Models\Device;
+use LibreNMS\Enum\Severity;
+use LibreNMS\Interfaces\SnmptrapHandler;
+use LibreNMS\Snmptrap\Trap;
+
+class CienaCesAAAUserAuthenticationEvent implements SnmptrapHandler
+{
+    /**
+     * Handle snmptrap.
+     * Data is pre-parsed and delivered as a Trap.
+     *
+     * @param  Device  $device
+     * @param  Trap  $trap
+     * @return void
+     */
+    public function handle(Device $device, Trap $trap)
+    {
+        $user = $trap->getOidData($trap->findOid('CIENA-CES-AAA-MIB::cienaCesAAAUserName'));
+        $message = $trap->getOidData($trap->findOid('CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationDescription'));
+        $severity = Severity::Notice;
+        if ($trap->getOidData($trap->findOid('CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationStatus')) == 'failure') {
+            $severity = Severity::Warning;
+        }
+        $trap->log("Authentication attempt by $user. $message", $severity);
+    }
+}

config/snmptraps.php

@@ -28,6 +28,7 @@ return [
         'BGP4-V2-MIB-JUNIPER::jnxBgpM2Established' => \LibreNMS\Snmptrap\Handlers\JnxBgpM2Established::class,
         'BRIDGE-MIB::newRoot' => \LibreNMS\Snmptrap\Handlers\BridgeNewRoot::class,
         'BRIDGE-MIB::topologyChange' => \LibreNMS\Snmptrap\Handlers\BridgeTopologyChanged::class,
+        'CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationEvent' => \LibreNMS\Snmptrap\Handlers\CienaCesAAAUserAuthenticationEvent::class,
         'CISCO-PORT-SECURITY-MIB::cpsSecureMacAddrViolation' => \LibreNMS\Snmptrap\Handlers\CiscoMacViolation::class,
         'CISCO-ERR-DISABLE-MIB::cErrDisableInterfaceEventRev1' => \LibreNMS\Snmptrap\Handlers\CiscoErrDisableInterfaceEvent::class,
         'CISCO-IETF-DHCP-SERVER-MIB::cDhcpv4ServerStartTime' => \LibreNMS\Snmptrap\Handlers\CiscoDHCPServerStart::class,

mibs/ciena/CIENA-CES-AAA-MIB

@@ -0,0 +1,252 @@
+CIENA-CES-AAA-MIB DEFINITIONS ::= BEGIN
+
+	IMPORTS
+		cienaGlobalMacAddress
+			FROM CIENA-GLOBAL-MIB
+		cienaCommon, cienaCesConfig, cienaCesNotifications
+			FROM CIENA-SMI
+		CienaGlobalSeverity
+			FROM CIENA-TC
+		enterprises, IpAddress, Unsigned32,
+		MODULE-IDENTITY, OBJECT-IDENTITY, NOTIFICATION-TYPE
+			FROM SNMPv2-SMI
+		DisplayString, MacAddress, TruthValue,
+		TEXTUAL-CONVENTION
+			FROM SNMPv2-TC;
+
+--
+-- Node definitions
+--
+	-- 1.3.6.1.4.1.1271.2.1.60
+	cienaCesAAAMIB MODULE-IDENTITY
+		LAST-UPDATED "202212060000Z"		-- December 6, 2022 at 00:00 GMT (202212060000Z)
+		ORGANIZATION
+			"Ciena Corp."
+		CONTACT-INFO
+			"   Mib Meister
+			7035 Ridge Road
+			Hanover, Maryland 21076
+			USA
+			Phone:  +1 800 921 1144
+			Email:  support@ciena.com"
+		DESCRIPTION
+			"This MIB module defines objects and notifications used by User Authentication,
+			Authorization and Accounting (AAA) services on system."
+		REVISION "202212060000Z"		-- December 6, 2022 at 00:00 GMT (202212060000Z)
+		DESCRIPTION
+			"Added support for TACACS server events cienaCesAAATacacsServerStatusEvent,
+			cienaCesAAAAllTacacsServersDownEvent and support for LDAP server events
+			cienaCesAAALdapServerStatusEvent, cienaCesAAAAllLdapServersDownEvent."
+		REVISION "202108110000Z"		-- August 11, 2021 at 00:00 GMT (202108110000Z)
+		DESCRIPTION
+			"Initial creation."
+	::= { cienaCesConfig 60 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1
+	cienaCesAAAMibObjects OBJECT IDENTIFIER ::= { cienaCesAAAMIB 1 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.1
+	cienaCesAAAUserName OBJECT-TYPE
+		SYNTAX DisplayString (SIZE (0..32))
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"User credentials used by a remote host to connect to the system."
+	::= { cienaCesAAAMibObjects 1 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.2
+	cienaCesAAAHostIp OBJECT-TYPE
+		SYNTAX IpAddress
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address of a remote host trying to connect to the system."
+	::= { cienaCesAAAMibObjects 2 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.3
+	cienaCesAAAUserPort OBJECT-TYPE
+		SYNTAX Unsigned32
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"Port number used by a remote host to connect for an ssh or telnet session."
+	::= { cienaCesAAAMibObjects 3 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.4
+	cienaCesAAAUserAuthenticationServiceType OBJECT-TYPE
+		SYNTAX INTEGER
+		{
+			local(1),
+			tacacs(2),
+			radius(3),
+			radsec(4)
+		}
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"User authentication service being used, local or remote."
+	::= { cienaCesAAAMibObjects 4 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.5
+	cienaCesAAAUserAuthenticationStatus OBJECT-TYPE
+		SYNTAX INTEGER
+		{
+			success(1),
+			failure(2)
+		}
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"User authentication status as success or failure."
+	::= { cienaCesAAAMibObjects 5 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.6
+	cienaCesAAAUserAuthenticationDescription OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"Detailed description of the user authentication event."
+	::= { cienaCesAAAMibObjects 6 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.7
+	cienaCesAAAServerGroup OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"Server group to which TACACS server belongs."
+	::= { cienaCesAAAMibObjects 7 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.8
+	cienaCesAAATacacsServer OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address of the TACACS server."
+	::= { cienaCesAAAMibObjects 8 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.9
+	cienaCesAAAServerStatus OBJECT-TYPE
+		SYNTAX INTEGER
+		{
+			available(1),
+			unreachable(2)
+		}
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"Status of the TACACS server."
+	::= { cienaCesAAAMibObjects 9 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.10
+	cienaCesAAAAllServerDownStatus OBJECT-TYPE
+		SYNTAX TruthValue
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"Describes if all the TACACS servers are down or not."
+	::= { cienaCesAAAMibObjects 10 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.11
+	cienaCesAAALdapServer OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address or hostname of LDAP server."
+	::= { cienaCesAAAMibObjects 11 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.12
+	cienaCesAAAUser OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address or hostname of LDAP server."
+	::= { cienaCesAAAMibObjects 12 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.13
+	cienaCesAAANacmGroup OBJECT-TYPE
+		SYNTAX DisplayString
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address or hostname of LDAP server."
+	::= { cienaCesAAAMibObjects 13 }
+
+	-- 1.3.6.1.4.1.1271.2.1.60.1.14
+	cienaCesAAALdapServerStatus OBJECT-TYPE
+		SYNTAX INTEGER
+		{
+			available(1),
+			unavailable(2),
+			ruleparseerror(3)
+		}
+		ACCESS accessible-for-notify
+		STATUS current
+		DESCRIPTION
+			"IP address or hostname of LDAP server."
+	::= { cienaCesAAAMibObjects 14 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111
+	cienaCesAAAMIBNotificationPrefix OBJECT IDENTIFIER ::= { cienaCesNotifications 111 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0
+	cienaCesAAAMIBNotification OBJECT IDENTIFIER ::= { cienaCesAAAMIBNotificationPrefix 0 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0.1
+	cienaCesAAAUserAuthenticationEvent NOTIFICATION-TYPE
+		OBJECTS { cienaGlobalSeverity, cienaGlobalMacAddress, cienaCesAAAUserName, 
+		cienaCesAAAHostIp, cienaCesAAAUserPort, 
+		cienaCesAAAUserAuthenticationServiceType, 
+		cienaCesAAAUserAuthenticationStatus, 
+		cienaCesAAAUserAuthenticationDescription } 
+		STATUS current
+		DESCRIPTION
+			"This notification is generated when an authentication event,
+			as identified by the value of cienaCesAAAUserAuthenticationStatus
+			has occurred."
+	::= { cienaCesAAAMIBNotification 1 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0.2
+	cienaCesAAATacacsServerStatusEvent NOTIFICATION-TYPE
+		OBJECTS { cienaGlobalSeverity, cienaGlobalMacAddress, cienaCesAAAServerGroup, 
+		cienaCesAAATacacsServer, cienaCesAAAServerStatus } 
+		STATUS current
+		DESCRIPTION
+			"This notification is generated when a TACACS server is not reachable."
+	::= { cienaCesAAAMIBNotification 2 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0.3
+	cienaCesAAAAllTacacsServersDownEvent NOTIFICATION-TYPE
+		OBJECTS { cienaGlobalSeverity, cienaGlobalMacAddress, cienaCesAAAServerGroup, 
+		cienaCesAAAAllServerDownStatus } 
+		STATUS current
+		DESCRIPTION
+			"This notification is generated when all the configured TACACS
+			servers are not reachable."
+	::= { cienaCesAAAMIBNotification 3 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0.4
+	cienaCesAAALdapServerStatusEvent NOTIFICATION-TYPE
+		OBJECTS { cienaGlobalSeverity, cienaGlobalMacAddress, cienaCesAAALdapServer, 
+		cienaCesAAAUser, cienaCesAAANacmGroup, cienaCesAAALdapServerStatus } 
+		STATUS current
+		DESCRIPTION
+			"This notification is generated when an LDAP server is not reachable
+			or NACM rule downloaded from LDAP server is not parsed correctly."
+	::= { cienaCesAAAMIBNotification 4 }
+
+	-- 1.3.6.1.4.1.1271.2.2.111.0.5
+	cienaCesAAAAllLdapServersDownEvent NOTIFICATION-TYPE
+		OBJECTS { cienaGlobalSeverity, cienaGlobalMacAddress, 
+		cienaCesAAAAllServerDownStatus } 
+		STATUS current
+		DESCRIPTION
+			"This notification is generated when all the configured LDAP servers
+			are not reachable/available."
+	::= { cienaCesAAAMIBNotification 5 }
+
+END

tests/Feature/SnmpTraps/CienaCesAAAUserAuthenticationEventTest.php

@@ -0,0 +1,97 @@
+<?php
+/**
+ * CienaCesAAAUserAuthenticationEventTest.php
+ *
+ * -Description-
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * @link       https://www.librenms.org
+ *
+ * @copyright  2019 Heath Barnhart
+ * @author     Heath Barnhart <hbarnhart@kanren.net>
+ */
+
+namespace LibreNMS\Tests\Feature\SnmpTraps;
+
+use LibreNMS\Enum\Severity;
+
+class CienaCesAAAUserAuthenticationEventTest extends SnmpTrapTestCase
+{
+    public function testAuthSuccess(): void
+    {
+        $this->assertTrapLogsMessage(<<<'TRAP'
+{{ hostname }}
+UDP: [{{ ip }}]:57602->[192.168.5.5]:162
+DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:15:22.68
+SNMPv2-MIB::snmpTrapOID.0 CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationEvent
+CIENA-GLOBAL-MIB::cienaGlobalSeverity info
+CIENA-GLOBAL-MIB::cienaGlobalMacAddress ac:89:de:ad:be:ef
+CIENA-CES-AAA-MIB::cienaCesAAAUserName lorem
+CIENA-CES-AAA-MIB::cienaCesAAAHost 192.168.251.251
+CIENA-CES-AAA-MIB::cienaCesAAAUserPort 4444
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationServiceType radius
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationStatus success
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationDescription User authentication succeeded
+TRAP,
+            'Authentication attempt by lorem. User authentication succeeded',
+            'Could not handle CienaCesAAAUserAuthenticationEvent success',
+            [Severity::Notice],
+        );
+    }
+
+    public function testAuthFail(): void
+    {
+        $this->assertTrapLogsMessage(<<<'TRAP'
+{{ hostname }}
+UDP: [{{ ip }}]:57602->[192.168.5.5]:162
+DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:15:22.68
+SNMPv2-MIB::snmpTrapOID.0 CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationEvent
+CIENA-GLOBAL-MIB::cienaGlobalSeverity info
+CIENA-GLOBAL-MIB::cienaGlobalMacAddress ac:89:de:ad:be:ef
+CIENA-CES-AAA-MIB::cienaCesAAAUserName lorem
+CIENA-CES-AAA-MIB::cienaCesAAAHostIp 10.1.1.1
+CIENA-CES-AAA-MIB::cienaCesAAAUserPort 6564
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationServiceType radius
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationStatus failure
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationDescription User authentication failed
+TRAP,
+            'Authentication attempt by lorem. User authentication failed',
+            'Could not handle CienaCesAAAUserAuthenticationEvent failure',
+            [Severity::Warning],
+        );
+    }
+
+    public function testAuthLogout(): void
+    {
+        $this->assertTrapLogsMessage(<<<'TRAP'
+{{ hostname }}
+UDP: [{{ ip }}]:57602->[192.168.5.5]:162
+DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:15:22.68
+SNMPv2-MIB::snmpTrapOID.0 CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationEvent
+CIENA-GLOBAL-MIB::cienaGlobalSeverity info
+CIENA-GLOBAL-MIB::cienaGlobalMacAddress ac:89:de:ad:be:ef
+CIENA-CES-AAA-MIB::cienaCesAAAUserName lorem
+CIENA-CES-AAA-MIB::cienaCesAAAHostIp 10.10.10.10
+CIENA-CES-AAA-MIB::cienaCesAAAUserPort 8899
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationServiceType local
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationStatus success
+CIENA-CES-AAA-MIB::cienaCesAAAUserAuthenticationDescription User logout succeeded
+TRAP,
+            'Authentication attempt by lorem. User logout succeeded',
+            'Could not handle CienaCesAAAUserAuthenticationEvent logout',
+            [Severity::Notice],
+        );
+    }
+}