smilint output for ./CABH-SEC-MIB
Message Severities

Severity | Count
severe | 1
error | 4
warning | 5

Message Types

Type | Count
basetype-unknown (error) | 1
import-failed (error) | 1
import-unused (warning) | 1
inetaddress-inetaddresstype (warning) | 2
integer-misuse (warning) | 2
object-identifier-not-prefix (error) | 1
object-identifier-unknown (severe) | 1
type-unknown (error) | 1

Messages:
CABH-SEC-MIB
1: -- extracted from draft-jones-cable-gateway-security-mib-02.txt
2: -- at Sun Mar 9 06:12:36 2003
3:
4: CABH-SEC-MIB DEFINITIONS ::= BEGIN
5: IMPORTS
6: MODULE-IDENTITY,
7: Unsigned32,
8: zeroDotZero,
9: OBJECT-TYPE FROM SNMPv2-SMI -- RFC2578
10:
11: RowStatus,
12: DateAndTime,
13: TruthValue,
14: DisplayString,
15: TimeStamp,
16: TEXTUAL-CONVENTION,
16: warning -
warning: identifier `TEXTUAL-CONVENTION' imported from module `SNMPv2-TC' is never used
17: VariablePointer FROM SNMPv2-TC -- RFC2579
18:
19: OBJECT-GROUP,
20: MODULE-COMPLIANCE FROM SNMPv2-CONF -- RFC2580
21: InetPortNumber,
22: InetAddress FROM INET-ADDRESS-MIB --RFC3291
23:
24: SnmpAdminString FROM SNMP-FRAMEWORK-MIB --RFC2571
25:
26: DocsX509ASN1DEREncodedCertificate FROM DOCS-BPI2-MIB
26: error -
identifier `DocsX509ASN1DEREncodedCertificate' cannot be imported from module `DOCS-BPI2-MIB'
27:
28: ZeroBasedCounter32 FROM RMON2-MIB;
29:
30: cabhSecMib MODULE-IDENTITY
31: LAST-UPDATED "200303010000Z" -- March 1, 2003
32: ORGANIZATION "CableLabs Broadband Access Department"
33: CONTACT-INFO
34: "Kevin Luehrs
35: Postal: Cable Television Laboratories, Inc.
36: 400 Centennial Parkway
37: Louisville, Colorado 80027-1266
38: U.S.A.
39: Phone: +1 303-661-9100
40: Fax: +1 303-661-9199
41: E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com"
42: DESCRIPTION
43: "This MIB module supplies the basic management
44: objects for the Security Portal Services."
45: REVISION "200303010000Z" -- March 1, 2003
46: DESCRIPTION
47: "Initial version, published as RFC xxxx."
48: -- RFC editor to assign xxxx
49: ::= { mib-2 xx } -- xx to be assigned by IANA
49: error -
Object identifier element `xx' name only allowed as first element
49: severe -
unknown object identifier label `mib-2'
50:
51: -- Textual Conventions
52:
53: cabhSecMibObjects OBJECT IDENTIFIER ::= { cabhSecMib 1 }
54: cabhSecFwObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
55: cabhSecFwBase OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
56: cabhSecFwLogCtl OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
57:
58: cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
59: cabhSecKerbObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
60: cabhSecKerbBase OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }
61: cabhSec2FwObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
62: cabhSec2FwBase OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
63: cabhSec2FwEvent OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
64: cabhSec2FwLog OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
65: cabhSec2FwFilter OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }
66:
67: --cabhSec2Misc OBJECT IDENTIFIER ::= { cabhSecMib 5 }
68: --might be needed for config file encryption key management
69:
70: --
71: -- CableHome 1.0 Base Firewall Functions
72: --
73:
74: cabhSecFwPolicyFileEnable OBJECT-TYPE
75: SYNTAX INTEGER {
76: enable(1),
77: disable(2)
78: }
79: MAX-ACCESS read-write
80: STATUS current
81: DESCRIPTION
82: "This parameter indicates whether or not to enable
83: the firewall functionality."
84: DEFVAL {enable}
85: ::= { cabhSecFwBase 1 }
86:
87: cabhSecFwPolicyFileURL OBJECT-TYPE
88: SYNTAX DisplayString
89: MAX-ACCESS read-write
90: STATUS current
91: DESCRIPTION
92: "This object contains the name and IP address of
93: the policy rule set file in a TFTP URL format.
94: Once this object has been updated, it will trigger
95: the file download."
96: ::= { cabhSecFwBase 2 }
97:
98:
99: cabhSecFwPolicyFileHash OBJECT-TYPE
100: SYNTAX OCTET STRING (SIZE(0|20))
101: MAX-ACCESS read-write
102: STATUS current
103: DESCRIPTION
104: "Hash of the contents of the rules set file,
105: calculated and sent to the PS prior to sending
106: the rules set file. For the SHA-1 authentication
107: algorithm the length of the hash is 160 bits.
108: This hash value is encoded in binary format."
109: DEFVAL {''h}
110: ::= { cabhSecFwBase 3 }
111:
112: cabhSecFwPolicyFileOperStatus OBJECT-TYPE
113: SYNTAX INTEGER {
114: inProgress(1),
115: complete(2),
116: -- completeFromMgt(3), deprecated
117: failed(4)
118: }
119: MAX-ACCESS read-only
120: STATUS current
121: DESCRIPTION
122: "inProgress(1) indicates a firewall configuration
123: file download is underway.
124: complete (2) indicates the firewall configuration
125: file downloaded and configured successfully.
126: completeFromMgt(3) This state is deprecated.
127: failed(4) indicates the last attempted firewall
128: configuration file download or processing
129: failed ordinarily due to TFTP timeout."
130: ::= { cabhSecFwBase 4 }
131:
132:
133: cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
134: SYNTAX SnmpAdminString
135: MAX-ACCESS read-only
136: STATUS current
137: DESCRIPTION
138: "The rule set version currently operating in the
139: PS device. This object should be in the syntax
140: used by the individual vendor to identify software
141: versions. Any PS element MUST return a string
142: descriptive of the current rule set file load.
143: If this is not applicable, this object MUST
144: contain an empty string."
145: ::= { cabhSecFwBase 5 }
146:
147: --
148: -- CableHome 1.0 Firewall Event MIBs
149: --
150:
151:
152: cabhSecFwEventType1Enable OBJECT-TYPE
153: SYNTAX INTEGER {
154: enable (1), -- log event
155: disable (2) -- do not log event
156: }
157: MAX-ACCESS read-write
158: STATUS current
159: DESCRIPTION
160: "This object enables or disables logging of type 1
161: firewall event messages. Type 1 event messages report
162: attempts from both private and public clients to
163: traverse the firewall that violate the Security
164: Policy."
165: DEFVAL { disable }
166: ::= { cabhSecFwLogCtl 1 }
167:
168: cabhSecFwEventType2Enable OBJECT-TYPE
169: SYNTAX INTEGER {
170: enable (1), -- log event
171: disable (2) -- do not log event
172: }
173: MAX-ACCESS read-write
174: STATUS current
175: DESCRIPTION
176: "This object enables or disables logging of
177: type 2 firewall event messages. Type 2 event
178: messages report identified Denial of Service
179: attack attempts."
180: DEFVAL { disable }
181: ::= { cabhSecFwLogCtl 2 }
182:
183: cabhSecFwEventType3Enable OBJECT-TYPE
184: SYNTAX INTEGER {
185: enable (1), -- log event
186: disable (2) -- do not log event
187: }
188: MAX-ACCESS read-write
189: STATUS current
190: DESCRIPTION
191: "Enables or disables logging of type 3 firewall
192: event messages. Type 3 event messages report
193: changes made to the following firewall management
194: parameters: cabhSecFwPolicyFileURL,
195: cabhSecFwPolicyFileCurrentVersion,
196: cabhSecFwPolicyFileEnable"
197: DEFVAL { disable }
198: ::= { cabhSecFwLogCtl 3 }
199:
200: cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
201: SYNTAX INTEGER (0..65535)
201: warning -
warning: use Integer32 instead of INTEGER in SMIv2
202: MAX-ACCESS read-write
203: STATUS current
204: DESCRIPTION
205: "If the number of type 1 or 2 hacker attacks
206: exceeds this threshold in the period define
207: by cabhSecFwEventAttackAlertPeriod, a firewall
208: message event MUST be logged with priority
209: level 4."
210:
211: DEFVAL { 65535 }
212: ::= { cabhSecFwLogCtl 4 }
213:
214:
215: cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
216: SYNTAX INTEGER (0..65535)
216: warning -
warning: use Integer32 instead of INTEGER in SMIv2
217: MAX-ACCESS read-write
218: STATUS current
219: DESCRIPTION
220: "Indicates the period to be used (in hours) for
221: the cabhSecFwEventAttackAlertThreshold. This MIB
222: variable should always keep track of the last x
223: hours of events meaning that if the variable is
224: set to track events for 10 hours then when the
225: 11th hour is reached, the 1st hour of events is
226: deleted from the tracking log. A default value
227: is set to zero, meaning zero time, so that this
228: MIB variable will not track any events unless
229: configured."
230: DEFVAL {0}
231: ::= { cabhSecFwLogCtl 5 }
232:
233:
234: --
235: -- CableHome PS device certificate
236: --
237:
238: cabhSecCertPsCert OBJECT-TYPE
238: error -
type `DocsX509ASN1DEREncodedCertificate' of node `cabhSecCertPsCert' does not resolve to a known base type
239: SYNTAX DocsX509ASN1DEREncodedCertificate
240: MAX-ACCESS read-only
240: error -
unknown type `DocsX509ASN1DEREncodedCertificate'
241: STATUS current
242: DESCRIPTION
243: "The X509 DER-encoded PS certificate."
244: ::= { cabhSecCertObjects 1 }
245:
246:
247:
248: --
249: -- CableHome 1.1 Firewall Management MIBs
250: --
251:
252: cabhSec2FwEnable OBJECT-TYPE
253: SYNTAX INTEGER {
254: enabled(1),
255: disabled(2)
256: }
257: MAX-ACCESS read-write
258: STATUS current
259: DESCRIPTION
260: "This parameter indicates whether to enable or disable
261: the
262: firewall."
263:
264: DEFVAL {enabled }
265: ::= { cabhSec2FwBase 1 }
266:
267:
268:
269: cabhSec2FwPolicyFileURL OBJECT-TYPE
270: SYNTAX SnmpAdminString
271: MAX-ACCESS read-write
272: STATUS current
273: DESCRIPTION
274: "This object contains the name and IP address
275: of the policy ruleset file in a TFTP or HTTP URL
276: format. Once this object has been updated, it
277: will trigger the file download."
278: ::= { cabhSec2FwBase 2 }
279:
280:
281: cabhSec2FwPolicyFileHash OBJECT-TYPE
282: SYNTAX OCTET STRING (SIZE(0|20))
283: MAX-ACCESS read-write
284: STATUS current
285: DESCRIPTION
286: "Hash of the contents of the firewall
287: configuration file. For the SHA-1 authentication
288: algorithm the length of the hash is 160 bits.
289: This hash value is encoded in binary format."
290: DEFVAL { ''h}
291: ::= { cabhSec2FwBase 3 }
292:
293: cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
294: SYNTAX INTEGER {
295: inProgress(1),
296: complete(2),
297: failed(3)
298: }
299: MAX-ACCESS read-only
300: STATUS current
301: DESCRIPTION
302: "InProgress(1) indicates a firewall configuration
303: file download is underway. Complete(2) indicates
304: the firewall configuration file was downloaded
305: and processed successfully. Failed(3) indicates
306: that the last attempted firewall configuration
307: file download or processing failed."
308: ::= { cabhSec2FwBase 4 }
309:
310: cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
311: SYNTAX SnmpAdminString
312: MAX-ACCESS read-write
313: STATUS current
314: DESCRIPTION
315: "The configured ruleset currently loaded in the PS
316: regardless if it is enabled or disabled. The PS MUST
317: return a string descriptive of the current ruleset.
318: If there is no configured ruleset, this object
319: contains the string 'factory_default'."
320: DEFVAL { "factory_Default" }
321: ::= { cabhSec2FwBase 5 }
322:
323:
324: cabhSec2FwClearPreviousRuleset OBJECT-TYPE
325: SYNTAX INTEGER {
326: increment(1),
327: complete(2)
328: }
329: MAX-ACCESS read-write
330: STATUS current
331: DESCRIPTION
332: "If set to 'complete', the PS must purge all previous
333: firewall rules configured by the cable operator before
334: applying the new rules contained within the configuration
335: file, otherwise the firewall rules in the configuration
336: file are incremental to the previously established
337: configured ruleset."
338: DEFVAL { increment }
339: ::= { cabhSec2FwBase 6 }
340:
341: cabhSec2PolicySelection OBJECT-TYPE
342: SYNTAX INTEGER {
343: factoryDefault(1),
344: configuredRuleset(2)
345: }
346: MAX-ACCESS read-write
347: STATUS current
348: DESCRIPTION
349: "This parameter indicates which policy should currently
350: be
351: running in the firewall, either the factoryDefault policy
352: or the configuredRuleset."
353: DEFVAL { factoryDefault }
354: ::= { cabhSec2FwBase 7 }
355:
356: cabhSec2FwEventSetToFactory OBJECT-TYPE
357: SYNTAX TruthValue
358: MAX-ACCESS read-write
359: STATUS current
360: DESCRIPTION
361: "If set to 'true', entries in cabhSec2FwEventControlEntry
362: are set to their default values.
363: Reading this value always returns false."
364: DEFVAL { false }
365: ::= { cabhSec2FwBase 8 }
366:
367:
368: cabhSec2FwEventSetToFactoryLastReset OBJECT-TYPE
369: SYNTAX TimeStamp
370: MAX-ACCESS read-only
371: STATUS current
372: DESCRIPTION
373: "The value of sysUpTime when cabhSec2FwEventSetToFactory
374: was
375: Last set to true. Zero if never reset."
376: ::= { cabhSec2FwBase 9 }
377:
378:
379: -- +++++++++++
380:
381: --
382: -- CableHome 1.1 Firewall Event MIBS
383: --
384:
385:
386: cabhSec2FwEventControlTable OBJECT-TYPE
387: SYNTAX SEQUENCE OF CabhSec2FwEventControlEntry
388: MAX-ACCESS not-accessible
389: STATUS current
390: DESCRIPTION
391: "This table controls the reporting of the
392: Firewall Attacks events"
393: ::= { cabhSec2FwEvent 1 }
394:
395:
396: cabhSec2FwEventControlEntry OBJECT-TYPE
397: SYNTAX CabhSec2FwEventControlEntry
398: MAX-ACCESS not-accessible
399: STATUS current
400: DESCRIPTION
401: "Allows configuration of the reporting mechanisms
402: for a particular type of attack."
403: INDEX { cabhSec2FwEventType }
404: ::= { cabhSec2FwEventControlTable 1 }
405:
406: CabhSec2FwEventControlEntry ::= SEQUENCE {
407: cabhSec2FwEventType INTEGER,
408: cabhSec2FwEventEnable INTEGER,
409: cabhSec2FwEventThreshold Unsigned32,
410: cabhSec2FwEventInterval Unsigned32,
411: cabhSec2FwEventCount ZeroBasedCounter32,
412: cabhSec2FwEventLogReset TruthValue,
413: cabhSec2FwEventLogLastReset TimeStamp
414:
415: }
416:
417: cabhSec2FwEventType OBJECT-TYPE
418: SYNTAX INTEGER {
419: type1(1),
420: type2(2),
421: type3(3),
422: type4(4),
423: type5(5),
424: type6(6)
425: }
426: MAX-ACCESS not-accessible
427: STATUS current
428: DESCRIPTION
429: "Classification of the different types of
430: attacks.
431: Type 1 logs all attempts from both LAN and WAN
432: clients to traverse the Firewall that violate the
433: Security Policy.
434: Type 2 logs identified Denial of Service attack
435: attempts.
436: Type 3 logs all changes made to the
437: cabhSec2FwPolicyFileURL,
438: cabhSec2FwPolicyFileCurrentVersion or
439: cabhSec2FwPolicyFileEnable objects.
440: Type 4 logs all failed attempts to modify
441: cabhSec2FwPolicyFileURL and
442: cabhSec2FwPolicyFileEnable objects.
443: Type 5 logs allowed inbound packets from the WAN.
444: Type 6 logs allowed outbound packets from the
445: LAN."
446: ::= { cabhSec2FwEventControlEntry 1 }
447:
448: cabhSec2FwEventEnable OBJECT-TYPE
449: SYNTAX INTEGER {
450: enabled(1),
451: disabled(2)
452: }
453: MAX-ACCESS read-write
454: STATUS current
455: DESCRIPTION
456: "Enables or disables counting and logging of
457: firewall events by type as assigned by
458: cabhSec2FwEventType."
459:
460: DEFVAL { disabled }
461: ::= { cabhSec2FwEventControlEntry 2 }
462:
463:
464: cabhSec2FwEventThreshold OBJECT-TYPE
465: SYNTAX Unsigned32 (0..65535)
466: MAX-ACCESS read-write
467: STATUS current
468: DESCRIPTION
469: "Number of attacks to count before sending the
470: appropriate event by type as assigned by
471: cabhSec2FwEventType."
472: DEFVAL {0}
473: ::= { cabhSec2FwEventControlEntry 3 }
474:
475:
476: cabhSec2FwEventInterval OBJECT-TYPE
477: SYNTAX Unsigned32 (0..65535)
478: UNITS "hours"
479: MAX-ACCESS read-write
480: STATUS current
481: DESCRIPTION
482: "Indicates the time interval in hours to count
483: and log occurrences of a firewall event type as
484: assigned in cabhSec2FwEventType. If this MIB has
485: a value of zero then there is no interval assigned
486: and the PS will not count or log events."
487: DEFVAL {0}
488: ::= { cabhSec2FwEventControlEntry 4 }
489:
490: cabhSec2FwEventCount OBJECT-TYPE
491: SYNTAX ZeroBasedCounter32
492: MAX-ACCESS read-only
493: STATUS current
494: DESCRIPTION
495: "Indicates the current count up to the
496: cabhSec2FwEventThreshold value by type as
497: assigned by cabhSec2FwEventType."
498: ::= { cabhSec2FwEventControlEntry 5 }
499:
500:
501: cabhSec2FwEventLogReset OBJECT-TYPE
502: SYNTAX TruthValue
503: MAX-ACCESS read-write
504: STATUS current
505: DESCRIPTION
506: "Setting this object to true clears the log table
507: for the specified event type. Reading this object
508: always returns false."
509: DEFVAL {false}
510: ::= { cabhSec2FwEventControlEntry 6 }
511:
512:
513: cabhSec2FwEventLogLastReset OBJECT-TYPE
514: SYNTAX TimeStamp
515: MAX-ACCESS read-only
516: STATUS current
517: DESCRIPTION
518: "The value of sysUpTime when cabhSec2FwEventLogReset was
519: last set to true. Zero if never reset."
520: ::= { cabhSec2FwEventControlEntry 7 }
521:
522:
523:
524: --
525: -- CableHome 1.1 Firewall Log Tables
526: --
527: cabhSec2FwLogTable OBJECT-TYPE
528: SYNTAX SEQUENCE OF CabhSec2FwLogEntry
529: MAX-ACCESS not-accessible
530: STATUS current
531: DESCRIPTION
532: "Contains a log of packet information as related
533: to events enabled by the cable operator. The types
534: are defined in the CableHome 1.1 specification and
535: require various objects to be included in the log.
536: The following is a description for what is
537: expected in the log for each type Type 1, Type 2,
538: Type 5 and Type 6 table MUST include
539: cabhSec2FwEventType, cabhSec2FwEventPriority,
540: cabhSec2FwEventId, cabhSec2FwLogTime,
541: cabhSec2FwIpProtocol, cabhSec2FwIpSourceAddr,
542: cabhSec2FwIpDestAddr, cabhSec2FwIpSourcePort,
543: cabhSec2FwIpDestPort, cabhSec2Fw,
544: cabhSec2FwReplayCount. The other values not used
545: by type 1, 2, 5 & 6 are default values. Type 3 &
546: Type 4 MUST include cabhSec2FwEventType,
547: cabhSec2FwEventPriority, cabhSec2FwEventId,
548: cabhSec2FwLogTime, cabhSec2FwIpSourceAddr,
549: cabhSec2FwLogMIBPointer. The other values not used
550: by type 3 and 4 are default values."
551: ::= { cabhSec2FwLog 1 }
552:
553: cabhSec2FwLogEntry OBJECT-TYPE
554: SYNTAX CabhSec2FwLogEntry
555: MAX-ACCESS not-accessible
556: STATUS current
557: DESCRIPTION
558: "Each entry contains the log of firewall events"
559: INDEX {cabhSec2FwLogIndex}
560: ::= { cabhSec2FwLogTable 1 }
561:
562: CabhSec2FwLogEntry ::= SEQUENCE {
563: cabhSec2FwLogIndex Unsigned32,
564: cabhSec2FwLogEventType INTEGER,
565: cabhSec2FwLogEventPriority INTEGER,
566: cabhSec2FwLogEventId Unsigned32,
567: cabhSec2FwLogTime DateAndTime,
568: cabhSec2FwLogIpProtocol Unsigned32,
569: cabhSec2FwLogIpSourceAddr InetAddress,
570: cabhSec2FwLogIpDestAddr InetAddress,
571: cabhSec2FwLogIpSourcePort InetPortNumber,
572: cabhSec2FwLogIpDestPort InetPortNumber,
573: cabhSec2FwLogMessageType Unsigned32,
574: cabhSec2FwLogReplayCount Unsigned32,
575: cabhSec2FwLogMIBPointer VariablePointer
576: }
577:
578: cabhSec2FwLogIndex OBJECT-TYPE
579: SYNTAX Unsigned32 (1..2147483647)
580: MAX-ACCESS not-accessible
581: STATUS current
582: DESCRIPTION
583: "A sequence number for the specific events
584: under a cabhSec2FwEventType."
585: ::= { cabhSec2FwLogEntry 1 }
586:
587: cabhSec2FwLogEventType OBJECT-TYPE
588: SYNTAX INTEGER {
589: type1(1),
590: type2(2),
591: type3(3),
592: type4(4),
593: type5(5),
594: type6(6)
595: }
596: MAX-ACCESS read-only
597: STATUS current
598: DESCRIPTION
599: "Classification of the different types of
600: attacks.
601: Type 1 logs all attempts from both LAN and WAN
602: clients to traverse the Firewall that violate
603: the Security Policy.
604: Type 2 logs identified Denial of Service attack
605: attempts.
606: Type 3 logs all changes made to the
607: cabhSec2FwPolicyFileURL,
608: cabhSec2FwPolicyFileCurrentVersion or
609: cabhSec2FwPolicyFileEnable objects.
610: Type 4 logs all failed attempts to modify
611: cabhSec2FwPolicyFileURL and
612: cabhSec2FwPolicyFileEnable objects.
613: Type 5 logs allowed inbound packets from the WAN.
614: Type 6 logs allowed outbound packets from the
615: LAN."
616: ::= { cabhSec2FwLogEntry 2 }
617:
618: cabhSec2FwLogEventPriority OBJECT-TYPE
619: SYNTAX INTEGER {
620: emergency(1),
621: alert(2),
622: critical(3),
623: error(4),
624: warning(5),
625: notice(6),
626: information(7),
627: debug(8)
628: }
629: MAX-ACCESS read-only
630: STATUS current
631: DESCRIPTION
632: "The priority level of this event as defined
633: by CableHome Specification. If a priority is
634: not assigned in the CableHome specification for
635: a particular event then the vendor or cable
636: operator may assign priorities. These are
637: ordered from most serious (emergency)to least
638: serious (debug)."
639: ::= { cabhSec2FwLogEntry 3 }
640:
641:
642: cabhSec2FwLogEventId OBJECT-TYPE
643: SYNTAX Unsigned32
644: MAX-ACCESS read-only
645: STATUS current
646: DESCRIPTION
647: "The assigned event ID."
648: ::= { cabhSec2FwLogEntry 4 }
649:
650:
651: cabhSec2FwLogTime OBJECT-TYPE
652: SYNTAX DateAndTime
653: MAX-ACCESS read-only
654: STATUS current
655: DESCRIPTION
656: "The time that this entry was created by the PS."
657: ::= { cabhSec2FwLogEntry 5 }
658:
659: cabhSec2FwLogIpProtocol OBJECT-TYPE
660: SYNTAX Unsigned32 (0..256)
661: MAX-ACCESS read-only
662: STATUS current
663: DESCRIPTION
664: "The IP Protocol"
665: ::= { cabhSec2FwLogEntry 6 }
666:
667:
668: cabhSec2FwLogIpSourceAddr OBJECT-TYPE
668: warning -
warning: `InetAddress' object should have an accompanied preceding `InetAdressType' object
669: SYNTAX InetAddress
670: MAX-ACCESS read-only
671: STATUS current
672: DESCRIPTION
673: "The Source IP Address of the packet logged"
674: ::= { cabhSec2FwLogEntry 7 }
675:
676:
677: cabhSec2FwLogIpDestAddr OBJECT-TYPE
677: warning -
warning: `InetAddress' object should have an accompanied preceding `InetAdressType' object
678: SYNTAX InetAddress
679: MAX-ACCESS read-only
680: STATUS current
681: DESCRIPTION
682: "The Destination IP Address of the packet logged"
683: ::= { cabhSec2FwLogEntry 8 }
684:
685:
686: cabhSec2FwLogIpSourcePort OBJECT-TYPE
687: SYNTAX InetPortNumber
688: MAX-ACCESS read-only
689: STATUS current
690: DESCRIPTION
691: "The Source IP Port of the packet logged"
692: ::= { cabhSec2FwLogEntry 9 }
693:
694:
695: cabhSec2FwLogIpDestPort OBJECT-TYPE
696: SYNTAX InetPortNumber
697: MAX-ACCESS read-only
698: STATUS current
699: DESCRIPTION
700: "The Source IP Port of the packet logged"
701: ::= { cabhSec2FwLogEntry 10 }
702:
703: cabhSec2FwLogMessageType OBJECT-TYPE
704: SYNTAX Unsigned32
705: MAX-ACCESS read-only
706: STATUS current
707: DESCRIPTION
708: "The ICMP defined types."
709: ::= { cabhSec2FwLogEntry 11}
710:
711:
712: cabhSec2FwLogReplayCount OBJECT-TYPE
713: SYNTAX Unsigned32
714: MAX-ACCESS read-only
715: STATUS current
716: DESCRIPTION
717: "The number of identical attack packets that
718: were seen by the firewall based on
719: cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
720: cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
721: cabhSec2FwLogIpDestPort and cabhSec2FwLogMessageType"
722: DEFVAL { 0 }
723: ::= { cabhSec2FwLogEntry 12 }
724:
725: cabhSec2FwLogMIBPointer OBJECT-TYPE
726: SYNTAX VariablePointer
727: MAX-ACCESS read-only
728: STATUS current
729: DESCRIPTION
730: "Identifies if the cabhSec2FwPolicyFileURL or the
731: cabhSec2FwEnable MIB object changed or an attempt
732: was made to change it."
733: DEFVAL { zeroDotZero }
734: ::= { cabhSec2FwLogEntry 13 }
735:
736:
737: -- ============================================================
738: --
739: -- CableHome 1.1 PS IP Filter Scheduling Table
740: --
741: -- The cabhSec2FwFilterScheduleTable contains the firewall
742: -- policy identification and links that policy as defined
743: -- in RFC 2669 to specific time of day restrictions.
744: --
745: -- =============================================================
746:
747: cabhSec2FwFilterScheduleTable OBJECT-TYPE
748: SYNTAX SEQUENCE OF CabhSec2FwFilterScheduleEntry
749: MAX-ACCESS not-accessible
750: STATUS current
751: DESCRIPTION
752: "Contains the link between the firewall
753: rule and the associated time of day.
754: This table is compared based on a filter ruleset
755: configured with docsDevFilterControl value of 'policy' and
756: docsDevFilterPolicyId value not zero. A packet matching
757: this
758: Table time constrains is accepted for further processing"
759: ::= { cabhSec2FwFilter 1 }
760:
761:
762: cabhSec2FwFilterScheduleEntry OBJECT-TYPE
763: SYNTAX CabhSec2FwFilterScheduleEntry
764: MAX-ACCESS not-accessible
765: STATUS current
766: DESCRIPTION
767: "List of IP firewall policies linked to time of day"
768: INDEX { cabhSec2FwFilterScheduleIndex }
769: ::= { cabhSec2FwFilterScheduleTable 1 }
770:
771:
772: CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
773: cabhSec2FwFilterScheduleIndex Unsigned32,
774: cabhSec2FwFilterScheduleRowStatus RowStatus,
775: cabhSec2FwFilterScheduleStartTime DateAndTime,
776: cabhSec2FwFilterScheduleEndTime DateAndTime,
777: cabhSec2FwFilterScheduleDOW BITS
778: }
779:
780: cabhSec2FwFilterScheduleIndex OBJECT-TYPE
781: SYNTAX Unsigned32 (1..65535)
782: MAX-ACCESS not-accessible
783: STATUS current
784: DESCRIPTION
785: "Index for the Time Entry table."
786: ::= { cabhSec2FwFilterScheduleEntry 1 }
787:
788:
789: cabhSec2FwFilterScheduleRowStatus OBJECT-TYPE
790: SYNTAX RowStatus
791: MAX-ACCESS read-create
792: STATUS current
793: DESCRIPTION
794: "The Row Status interlock for creation and
795: deletion of row entries. Any object in each
796: row can be modified at any time while the row
797: is active (1)."
798: ::={ cabhSec2FwFilterScheduleEntry 2 }
799:
800:
801: cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
802: SYNTAX DateAndTime
803: MAX-ACCESS read-create
804: STATUS current
805: DESCRIPTION
806: "The start time, with optional time zone,
807: for a firewall filter ruleset."
808: ::= { cabhSec2FwFilterScheduleEntry 3 }
809:
810: cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
811: SYNTAX DateAndTime
812: MAX-ACCESS read-create
813: STATUS current
814: DESCRIPTION
815: "The end time, with optional time zone,
816: for a firewall filter ruleset."
817: ::= { cabhSec2FwFilterScheduleEntry 4 }
818:
819:
820: cabhSec2FwFilterScheduleDOW OBJECT-TYPE
821: SYNTAX BITS {
822: sunday(0),
823: monday(1),
824: tuesday(2),
825: wednesday(3),
826: thursday(4),
827: friday(5),
828: saturday(6)
829: }
830: MAX-ACCESS read-create
831: STATUS current
832: DESCRIPTION
833: "The day of week to be used with the IP filter
834: table from RFC2669.
835: If the day of week bit associated with the PS given day
836: is '1', this object criteria matches."
837: ::= { cabhSec2FwFilterScheduleEntry 5 }
838:
839: --
840: -- Kerberos MIBs
841: --
842:
843:
844: cabhSecKerbPKINITGracePeriod OBJECT-TYPE
845: SYNTAX Unsigned32 (15..600)
846: UNITS "minutes"
847: MAX-ACCESS read-write
848: STATUS current
849: DESCRIPTION
850: "The PKINIT Grace Period is needed by the PS
851: to know when it should start retrying to get
852: a new ticket. The PS MUST obtain a new Kerberos
853: ticket (with a PKINIT exchange)this many minutes
854: before the old ticket expires. The minimum
855: allowed value is 15 minutes. The default value
856: is 30 minutes."
857: DEFVAL { 30 }
858: ::= { cabhSecKerbBase 1}
859: cabhSecKerbTGSGracePeriod OBJECT-TYPE
860: SYNTAX Unsigned32 (15..600)
861: UNITS "minutes"
862: MAX-ACCESS read-write
863: STATUS current
864: DESCRIPTION
865: "The TGS Grace Period is needed by the PS to
866: know when it should start retrying to get a new
867: ticket. The PS MUST obtain a new Kerberos ticket
868: (with a TGS Request) this many minutes before the
869: old ticket expires. The minimum allowed value is
870: 15 minutes. The default value is 30 minutes."
871: DEFVAL { 30 }
872: ::= { cabhSecKerbBase 2}
873:
874: cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
875: SYNTAX Unsigned32 (15..600)
876: UNITS "seconds"
877: MAX-ACCESS read-write
878: STATUS current
879: DESCRIPTION
880: "This timeout applies to PS initiated AP-REQ/REP
881: key management exchange with NMS. The maximum
882: timeout is the value which may not be exceeded in
883: the exponential backoff algorithm. The minimum
884: allowed value is 15 minutes. The default value
885: is 600 minutes."
886: DEFVAL { 600 }
887: ::= { cabhSecKerbBase 3}
888:
889:
890: cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
891: SYNTAX Unsigned32 (1..32)
892: MAX-ACCESS read-write
893: STATUS current
894: DESCRIPTION
895: "The number of retries the PS is allowed for
896: AP-REQ/REP key management exchange initiation
897: with the NMS. This is the maximum number of
898: retries before the PS gives up attempting to
899: establish an SNMPv3 security association
900: with NMS."
901: DEFVAL { 8 }
902: ::= { cabhSecKerbBase 4}
903:
904:
905: cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
906: cabhSecConformance OBJECT IDENTIFIER ::= { cabhSecMib 3 }
907: cabhSecCompliances OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
908: cabhSecGroups OBJECT IDENTIFIER ::= { cabhSecConformance 2 }
909:
910: --
911: -- Notification Group for future extension
912: --
913:
914: -- compliance statements
915:
916: cabhSecCompliance MODULE-COMPLIANCE
917: STATUS current
918: DESCRIPTION
919: "The compliance statement for CableHome Security."
920: MODULE --cabhSecMib
921:
922:
923:
924: -- unconditionally mandatory groups
925:
926: MANDATORY-GROUPS {
927: -- cabhSecGroup,
928: cabhSecCertGroup,
929: cabhSecKerbGroup
930: }
931:
932:
933: -- conditional mandatory groups
934:
935: GROUP cabhSecGroup
936: DESCRIPTION
937: "This group is implemented only for CH 1.0 gateways."
938:
939:
940: GROUP cabhSec2Group
941: DESCRIPTION
942: "This group is implemented only for CH 1.1 gateways."
943:
944: ::= { cabhSecCompliances 1}
945:
946: cabhSecGroup OBJECT-GROUP
947: OBJECTS {
948: cabhSecFwPolicyFileEnable,
949: cabhSecFwPolicyFileURL,
950: cabhSecFwPolicyFileHash,
951: cabhSecFwPolicyFileOperStatus,
952: cabhSecFwPolicyFileCurrentVersion,
953:
954: cabhSecFwEventType1Enable,
955: cabhSecFwEventType2Enable,
956: cabhSecFwEventType3Enable,
957: cabhSecFwEventAttackAlertThreshold,
958: cabhSecFwEventAttackAlertPeriod
959: }
960: STATUS current
961: DESCRIPTION
962: "Group of objects in CableHome 1.0 Firewall MIB."
963: ::= { cabhSecGroups 1 }
964:
965:
966: cabhSecCertGroup OBJECT-GROUP
967: OBJECTS {
968: cabhSecCertPsCert
969: }
970: STATUS current
971: DESCRIPTION
972: "Group of objects in CableHome gateway for PS
973: Certificate."
974: ::= { cabhSecGroups 2 }
975:
976:
977: cabhSecKerbGroup OBJECT-GROUP
978: OBJECTS {
979: cabhSecKerbPKINITGracePeriod,
980: cabhSecKerbTGSGracePeriod,
981: cabhSecKerbUnsolicitedKeyMaxTimeout,
982: cabhSecKerbUnsolicitedKeyMaxRetries
983: }
984: STATUS current
985: DESCRIPTION
986: "Group of objects in CableHome gateway for Kerberos."
987: ::= { cabhSecGroups 3 }
988:
989: cabhSec2Group OBJECT-GROUP
990: OBJECTS {
991: cabhSec2FwEnable,
992: cabhSec2FwPolicyFileURL,
993: cabhSec2FwPolicyFileHash,
994: cabhSec2FwPolicyFileOperStatus,
995: cabhSec2FwPolicyFileCurrentVersion,
996: cabhSec2FwClearPreviousRuleset,
997: cabhSec2PolicySelection,
998: cabhSec2FwEventSetToFactory,
999: cabhSec2FwEventSetToFactoryLastReset,
1000: cabhSec2FwEventEnable,
1001: cabhSec2FwEventThreshold,
1002: cabhSec2FwEventInterval,
1003: cabhSec2FwEventCount,
1004: cabhSec2FwEventLogReset,
1005: cabhSec2FwEventLogLastReset,
1006: cabhSec2FwLogEventType,
1007: cabhSec2FwLogEventPriority,
1008: cabhSec2FwLogEventId,
1009: cabhSec2FwLogTime,
1010: cabhSec2FwLogIpProtocol,
1011: cabhSec2FwLogIpSourceAddr,
1012: cabhSec2FwLogIpDestAddr,
1013: cabhSec2FwLogIpSourcePort,
1014: cabhSec2FwLogIpDestPort,
1015: cabhSec2FwLogMessageType,
1016: cabhSec2FwLogReplayCount,
1017: cabhSec2FwLogMIBPointer,
1018: cabhSec2FwFilterScheduleRowStatus,
1019: cabhSec2FwFilterScheduleStartTime,
1020: cabhSec2FwFilterScheduleEndTime,
1021: cabhSec2FwFilterScheduleDOW
1022: }
1023: STATUS current
1024: DESCRIPTION
1025: "Group of objects in CableHome 1.1 Firewall MIB."
1026: ::= { cabhSecGroups 4 }
1027:
1028: END
1029:
1030: --
1031: -- Copyright (C) The Internet Society (2003). All Rights Reserved.
1032: --
1033: -- This document and translations of it may be copied and furnished to
1034: -- others, and derivative works that comment on or otherwise explain it
1035: -- or assist in its implementation may be prepared, copied, published
1036: -- and distributed, in whole or in part, without restriction of any
1037: -- kind, provided that the above copyright notice and this paragraph are
1038: -- included on all such copies and derivative works. However, this
1039: -- document itself may not be modified in any way, such as by removing
1040: -- the copyright notice or references to the Internet Society or other
1041: -- Internet organizations, except as needed for the purpose of
1042: -- developing Internet standards in which case the procedures for
1043: -- copyrights defined in the Internet Standards process must be
1044: -- followed, or as required to translate it into languages other than
1045: -- English.
1046: --
1047: -- The limited permissions granted above are perpetual and will not be
1048: -- revoked by the Internet Society or its successors or assigns.
1049: -- This document and the information contained herein is provided on an
1050: -- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1051: -- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1052: -- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1053: -- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1054: -- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
1055: