Why is CUPS running on RHEL broadcasting SNMP requests? Can I stop it?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Common Unix Printing System (CUPS) 1.4.2

Issue

From the following audit log, and packet capture information, I see that /usr/lib/cups/backend/snmp is causing SNMP broacasts to be sent. Why is CUPS doing this? How can it be stopped? Audit log shows:

type=SYSCALL msg=audit(1429260336.114:23288): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=0 a3=0 items=0 
ppid=22154 pid=22156 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 
comm="snmp" exe="/usr/lib/cups/backend/snmp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key="SOCKET"

And the packet capture shows:

12      0.001171        10.1.2.3    10.1.2.255  SNMP    88      get-request 1.3.6.1.2.1.25.3.2.1.3.1

Resolution

One of the reasons CUPS sends out SNMP queries is to discover printers when it receives a CUPS-Get-Devices IPP (Internet Printing Protocol) request. This request is sent by clients (such as the Web interface and the Printer Configuration Utility (system-config-printer) to search for available printers to configure). The program /usr/lib/cups/backend/snmp is one of the programs used to search for printers when CUPS receives a CUPS-Get-Devices IPP request. In this case, there are three ways to prevent CUPS from sending out SNMP requests:

  1. Figure out who is sending the CUPS-Get-Devices IPP request to the CUPS server, and get them to stop. You should be able to figure out who is sending the IPP requests by running a command like the following:

    tcpdump -s 0 -w /tmp/ipp.pcap 'port 631'

    Analysis of the file /tmp/ipp.pcap with a program such as Wireshark should provide information about which systems are making IPP requests to the CUPS server.

  2. Change the following line in /etc/cups/snmp.conf:

    Address @LOCAL

    to

    Address 127.0.0.1

    This will configure CUPS to only send the SNMP requests to discover printers to the local host.

  3. Remove the file /usr/lib/cups/backend/snmp or make it non-executable.

Root Cause

CUPS sends SNMP requests for two reasons:

  1. To discover printers when it receives a CUPS-Get-Devices IPP request. This request is sent by clients (such as the Web interface and the Printer Configuration Utility (system-config-printer) to search for available printers to configure). This Knowledgebase Solution describes ways to prevent CUPS from sending out these SNMP broadcast messages.

  2. To get the supply (ink, toner, paper, etc.) levels from an already configured printer when a job is printed to the printer. To find out more information about this CUPS behavior (including how to prevent it), please refer to the following Knowledgebase Solution:

    My RHEL print server is sending SNMP queries to the printers. Why? Can I prevent this?

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments