
Security issue when adding a snmpv3 user with the formula #32

Open
Gerwie opened this issue Aug 28, 2018 · 1 comment


Gerwie commented Aug 28, 2018

When adding an SNMPv3 user according to the formula:

rwusers:
  - username: '<user>'
    authpassphrase: '<authpassphrase>'
    view: all
    authproto: 'SHA'
    privproto: 'AES'
    privpassphrase: '<privpassphrase>'

The formula adds two lines to the snmpd.conf file:

rwuser <user> auth -V all
createUser <user> SHA <authpassphrase> AES <privpassphrase>

The last line is what causes the security issue.
When adding an SNMPv3 user by using net-snmp-create-v3-user, the first line is added to the snmpd.conf file located in /etc/snmp/snmpd. The second line is added to another snmpd.conf file, located in /var/lib/net-snmp/.
When the line is read from the snmpd.conf file located in /var/lib/net-snmp/, the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it.
Source: man page snmpd.conf

In the current situation, the formula adds the createUser line to the snmpd.conf file located in /etc/snmp/. Therefore, the line will not be removed and the passwords are visible to anyone who can access that snmpd.conf file.
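What snmpd does with a consumed createUser line, as an added example that is not code from the issue, the formula or net-snmp: the RFC 3414 derivation of the engine-localized key that replaces the passphrase, plus a small audit that flags createUser lines sitting in a file snmpd will not consume. It assumes the default persistent directory /var/lib/net-snmp/ named in the comment above and hashlib hash names; the sample config is constructed.

```python
import hashlib
import re

ONE_MEBIBYTE = 1024 * 1024


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated to exactly 1 MiB -> Ku."""
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    This is what lands in the usmUser line: it is bound to one engine ID,
    unlike the passphrase, which is reusable against every agent sharing it.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


# createUser <user> <MD5|SHA> <authpass> [<DES|AES> <privpass>]
CREATE_USER = re.compile(
    r"^\s*createUser\s+(\S+)\s+(MD5|SHA)\s+(\S+)(?:\s+(DES|AES)\s+(\S+))?", re.I
)
# Assumption (default from the issue): only this directory is the persistent
# store where snmpd rewrites createUser into a localized usmUser entry.
PERSISTENT_DIR = "/var/lib/net-snmp/"


def audit_snmpd_conf(text: str, path: str) -> list:
    """Return (line number, user) for createUser lines that will persist as plaintext."""
    if path.startswith(PERSISTENT_DIR):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CREATE_USER.match(line)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample of /etc/snmp/snmpd.conf as the formula currently writes it.
SAMPLE_ETC_CONF = """# constructed sample
rwuser monitor auth -V all
createUser monitor SHA authpassphrase AES privpassphrase
"""
```

The SHA test vector from RFC 3414 A.3.2 (passphrase "maplesyrup", engine ID 0x000000000000000000000002) reproduces with these two functions.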


TheNetworkIsDown commented Feb 10, 2021

I have a workaround... essentially, what I am doing here is running a script (this is SUSE Linux):

run_snmpv3_config:
  pkg.installed:
    - pkgs:
      - net-snmp
  service.running:
    - name: snmpd
    - enable: true
    - require:
      - pkg: run_snmpv3_config
  cmd.script:
    - name: salt://run_snmpv3_config_cmd.sh
    - creates: /var/run/suma_run_snmpv3_config.state
    - require:
      - service: snmpd

#!/bin/bash
set -e

cfg1=/var/lib/net-snmp/snmpd.conf
cfg2=/usr/share/snmp/snmpd.conf

service snmpd stop

sed -i '/usmUser/d' $cfg1
sed -i '/createUser/d' $cfg1

sed -i '/rouser/d' $cfg2

/usr/bin/net-snmp-create-v3-user -ro -a SHA -A authpass -x AES -X privpass myrouser >/dev/null

service snmpd start

touch /var/run/suma_run_snmpv3_config.state

This is probably not a very "salted" approach but it does the trick.
