Safenet HSM Check Broken on New Thales HSMs

solarisfire · October 7, 2021, 3:37pm

We’ve got some brand new HSMs in the office, attached along side some old ones.

Older ones will successfully snmp scan and find the OIDs for safenet_ntls, and safenet_hsm.

However the newer ones, this does not work.

The check has:

“snmp_scan_function”: lambda oid: oid(".1.3.6.1.2.1.1.2.0").startswith(".1.3.6.1.4.1.12383")

On an older HSM this is fine…

#snmpbulkwalk -v3 -l ‘’ -a ‘sha’ -u '’ -A ‘’ -x ‘AES’ -X '’ -m ‘’ -M ‘’ -Cc -OQ -OU -On -Ot ... .1.3.6.1.2.1.1.2.0
.1.3.6.1.2.1.1.2.0 = .1.3.6.1.4.1.12383.3.1.1

However on a newer HSM this does not work…

#snmpbulkwalk -v3 -l ‘’ -a ‘sha’ -u '’ -A ‘’ -x ‘AES’ -X '’ -m ‘’ -M ‘’ -Cc -OQ -OU -On -Ot ... .1.3.6.1.2.1.1.2.0
.1.3.6.1.2.1.1.2.0 = .1.3.6.1.4.1.8072.3.2.10

I can obviously change the snmp_scan_function to get this to work. But is there any way to cover both scenarios easily?

solarisfire · October 7, 2021, 3:50pm

Ah, sorted this with:

"snmp_scan_function": lambda oid: oid(".1.3.6.1.2.1.1.2.0").startswith(".1.3.6.1.4.1.12383") or \
                                      oid(".1.3.6.1.2.1.1.2.0").startswith(".1.3.6.1.4.1.8072"),

r.sander · October 8, 2021, 7:45am

Please send this to feedback@checkmk.com so that they can add the new OID to the scan function.

solarisfire · October 8, 2021, 9:03am

I did a pull request for this last night

system · October 8, 2022, 9:03am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.