1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
|
CISCOSB-SECSD-MIB DEFINITIONS ::= BEGIN
-- -------------------------------------------------------------
-- Security Sensitive Data MIB
-- Title: CISCOSB Security Sensitive Data
-- This Private MIB manages the Security Sensitive Data access.
-- Version: 7.50
-- Date: 31 Aug 2011
--
-- -------------------------------------------------------------
IMPORTS
switch001 FROM CISCOSB-MIB
TEXTUAL-CONVENTION,DisplayString FROM SNMPv2-TC
EnabledStatus FROM P-BRIDGE-MIB
TruthValue, RowStatus FROM SNMPv2-TC
OBJECT-TYPE FROM SNMPv2-SMI;
rlSecSd MODULE-IDENTITY
LAST-UPDATED "201108310001Z"
ORGANIZATION "Cisco Systems, Inc."
CONTACT-INFO
"Postal: 170 West Tasman Drive
San Jose , CA 95134-1706
USA
Website: Cisco Small Business Support Community <http://www.cisco.com/go/smallbizsupport>"
DESCRIPTION
"The private MIB module definition for Security Sensitive Data (SSD),
contains the MIB tables and scalars to manage the access through
the different management channels as CLI, WEB and others,
for sensitive data as user names and passwords in system."
REVISION "201108310000Z"
DESCRIPTION
"Initial revision."
::= { switch001 209 }
RlSecSdRuleUserType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data channels access users.
user-name - the rule is per rlSecSdRuleUserName.
default-user - the rule is per the default system user name.
all-users - all users which their user level permission is less then 15.
level-15-users - users which their user level permission is 15."
SYNTAX INTEGER {
user-name(1),
default-user(2),
level-15-users(3),
all-users(4)
}
RlSecSdChannelType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data channels:
secure - secure channels as console, ssh, scp, https.
insecure - insecure channels as telnet, http.
secure-xml-snmp - SNMPv3 with privacy or XML over https.
insecure-xml-snmp - SNMPv1/v2/v3 without privacy, xml over http."
SYNTAX INTEGER {
secure-xml-snmp(1),
secure(2),
insecure(3),
insecure-xml-snmp(4)
}
RlSecSdAccessType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data channels default read/write access action:
exclude - Security Sensitive Data can not retrieved/set.
include-encrypted - SSD can retrieved/set as encrypted only.
include-decrypted - SSD can retrieved/set as decrypted only."
SYNTAX INTEGER {
exclude(1),
include-encrypted(2),
include-decrypted(3)
}
RlSecSdPermitAccessType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data channels access permit read/write action:
exclude - Security Sensitive Data can not retrieved/set.
include-encrypted - SSD can retrieved/set as encrypted only.
include-decrypted - SSD can retrieved/set as decrypted only.
include-all - SSD can retrieved/set as encrypted or as decrypted."
SYNTAX INTEGER {
exclude(1),
include-encrypted(2),
include-decrypted(3),
include-all(4)
}
RlSecSdSessionAccessType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data (SSD) channels access per session:
exclude - Security Sensitive Data can not retrieved.
include-encrypted - SSD can retrieved as encrypted only.
include-decrypted - SSD can retrieved as decrypted only.
default - Set to the default SSD access as defined by the SSD rules."
SYNTAX INTEGER {
exclude(1),
include-encrypted(2),
include-decrypted(3),
default(4)
}
RlSecSdRuleOwnerType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The Security Sensitive Data rule owner:
default - default rule which is defined by the device.
user - rule which is defined by user."
SYNTAX INTEGER {
default(1),
user(2)
}
--------------------------------------------------------------------------------
-- rlSecSd Tables --
--------------------------------------------------------------------------------
----------------------------------
-- rlSecSdRulesTable --
----------------------------------
rlSecSdRulesTable OBJECT-TYPE
SYNTAX SEQUENCE OF RlSecSdRulesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table holding the Security Sensitive Data access rules per:
user name / user level and management channel.
Allow to add/edit/remove Security Sensitive Data rules."
::= {rlSecSd 1 }
rlSecSdRulesEntry OBJECT-TYPE
SYNTAX RlSecSdRulesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the rlSecSdRulesTable."
INDEX { rlSecSdRuleUser,
rlSecSdRuleUserName,
rlSecSdRuleChannel
}
::= {rlSecSdRulesTable 1 }
RlSecSdRulesEntry ::= SEQUENCE {
rlSecSdRuleUser RlSecSdRuleUserType,
rlSecSdRuleUserName DisplayString,
rlSecSdRuleChannel RlSecSdChannelType,
rlSecSdRuleRead RlSecSdAccessType,
rlSecSdRulePermitRead RlSecSdPermitAccessType,
rlSecSdRuleIsDefault TruthValue,
rlSecSdRuleOwner RlSecSdRuleOwnerType,
rlSecSdRuleStatus RowStatus
}
rlSecSdRuleUser OBJECT-TYPE
SYNTAX RlSecSdRuleUserType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the Rule user type as described in RlSecSdRuleUserType."
::= { rlSecSdRulesEntry 1 }
rlSecSdRuleUserName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..39))
MAX-ACCESS read-write
STATUS current
DESCRIPTION "Contains the Rule user name when rlSecSdRuleUser value is user-name,
Otherwise it contains an empty string"
::= { rlSecSdRulesEntry 2 }
rlSecSdRuleChannel OBJECT-TYPE
SYNTAX RlSecSdChannelType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the Rule management channel type as described in RlSecSdChannelType.
secure-xml-snmp and insecure-xml-snmp management channels have no include-encrypted capability
thus their rlSecSdRulePermitRead and rlSecSdRuleRead can have only RlSecSdAccessType values of
exclude or include-decrypted."
::= { rlSecSdRulesEntry 3 }
rlSecSdRuleRead OBJECT-TYPE
SYNTAX RlSecSdAccessType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the Rule default read access level as described in RlSecSdAccessType,
must be lower or equal access from rlSecSdRulePermitRead"
::= { rlSecSdRulesEntry 4}
rlSecSdRulePermitRead OBJECT-TYPE
SYNTAX RlSecSdPermitAccessType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the Rule maximum permission access level as described in RlSecSdPermitAccessType."
::= { rlSecSdRulesEntry 5}
rlSecSdRuleIsDefault OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"true - Rule has created by the by the system.
false - Rule has created by the user."
::= { rlSecSdRulesEntry 6}
rlSecSdRuleOwner OBJECT-TYPE
SYNTAX RlSecSdRuleOwnerType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the current Rule ownership as defined in RlSecSdRuleOwnerType.
when rlSecSdRuleIsDefault is true, rlSecSdRuleOwner allowed to change
default rule to user rule and vice versa."
::= { rlSecSdRulesEntry 7}
rlSecSdRuleStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of a table entry.
It is used to Add/Edit/Delete an entry from this table."
::= { rlSecSdRulesEntry 8}
----------------------------------
-- rlSecSdMngSessionsTable --
----------------------------------
rlSecSdMngSessionsTable OBJECT-TYPE
SYNTAX SEQUENCE OF RlSecSdMngSessionsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table holding Security Sensitive Data management sessions.
Allowing to get management channel, user name, user level."
::= {rlSecSd 2 }
rlSecSdMngSessionsEntry OBJECT-TYPE
SYNTAX RlSecSdMngSessionsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the rlSecSdMngSessionsTable."
INDEX { rlSecSdMngSessionId }
::= {rlSecSdMngSessionsTable 1}
RlSecSdMngSessionsEntry ::= SEQUENCE {
rlSecSdMngSessionId INTEGER,
rlSecSdMngSessionUserLevel INTEGER,
rlSecSdMngSessionUserName DisplayString,
rlSecSdMngSessionChannel RlSecSdChannelType
}
rlSecSdMngSessionId OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Contains the Security Sensitive Data management session identifier,
rlSecSdCurrentSessionId is used to get the current management session identifier"
::= { rlSecSdMngSessionsEntry 1 }
rlSecSdMngSessionUserLevel OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Contains the Security Sensitive Data management session user access level."
::= { rlSecSdMngSessionsEntry 2 }
rlSecSdMngSessionUserName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..160))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Contains the Security Sensitive Data management session user name."
::= { rlSecSdMngSessionsEntry 3 }
rlSecSdMngSessionChannel OBJECT-TYPE
SYNTAX RlSecSdChannelType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Contains the Security Sensitive Data management session channel type as described in RlSecSdChannelType."
::= { rlSecSdMngSessionsEntry 4 }
--------------------------------------------------------------------------------
-- rlSecSd Scalars --
--------------------------------------------------------------------------------
----------------------------------
-- rlSecSdSessionControl --
----------------------------------
rlSecSdSessionControl OBJECT-TYPE
SYNTAX RlSecSdSessionAccessType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Action scalar which set the default read access of Security Sensitive Data.
Affect only on session which from this scalar is configured.
Scalar Get value is the default-display/read of the session which from
this scalar is retrieved."
::= { rlSecSd 3 }
----------------------------------
-- rlSecSdCurrentSessionId --
----------------------------------
rlSecSdCurrentSessionId OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Get the current SSD management channel identifier,
used to get information from rlSecSdMngSessionsTable."
::= { rlSecSd 4 }
----------------------------------
-- rlSecSdPassPhrase --
----------------------------------
rlSecSdPassPhrase OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..160))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Set the passphrase for the SSD encryptyption / decryption key.
on set, passphrase is in plain text format.
on get, passphrase is encrypted."
DEFVAL{""}
::= { rlSecSd 5 }
----------------------------------
-- rlSecSdFilePassphraseControl --
----------------------------------
rlSecSdFilePassphraseControl OBJECT-TYPE
SYNTAX INTEGER {
restricted(1),
unrestricted(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"File Passphrase control provides an additional level of protection on passphrase and configurations.
restricted - a device restricts its passphrase from being inserted into a configuration file.
unrestricted - (default) a device will include its passphrase when creating a configuration file."
DEFVAL { unrestricted }
::= { rlSecSd 6 }
----------------------------------
-- rlSecSdFileIntegrityControl --
----------------------------------
rlSecSdFileIntegrityControl OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"File integrity control provides a validation of configuration file.
enable - Validate the configuration file digest when downloading the file to startup configuration.
disable - Do not validate."
DEFVAL { enable }
::= { rlSecSd 7 }
---------------------------------------
-- rlSecSdConfigurationFileSsdDigest --
---------------------------------------
rlSecSdConfigurationFileSsdDigest OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..160))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"SSD block in configuration file integrity digest, auxiliary action scalar for
internal system using during configuration download."
DEFVAL{""}
::= { rlSecSd 8 }
------------------------------------
-- rlSecSdConfigurationFileDigest --
------------------------------------
rlSecSdConfigurationFileDigest OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..160))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"SSD configuration file integrity digest, auxiliary action scalar for
internal system using during configuration download."
DEFVAL{""}
::= { rlSecSd 9 }
----------------------------------
-- rlSecSdFileIndicator --
----------------------------------
rlSecSdFileIndicator OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..39))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Retrieve configuration file SSD indicator.
set value: configuration file name.
get value: Exclude, Encrypted, Plaintext"
::= { rlSecSd 10 }
END
|
