- Red Hat Enterprise Linux (RHEL) 6
- Common Unix Printing System (CUPS) 1.4.2
From the following audit log, and packet capture information, I see that
/usr/lib/cups/backend/snmp is causing SNMP broacasts to be sent. Why is CUPS doing this? How can it be stopped? Audit log shows:
type=SYSCALL msg=audit(1429260336.114:23288): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=0 a3=0 items=0 ppid=22154 pid=22156 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="snmp" exe="/usr/lib/cups/backend/snmp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key="SOCKET"
And the packet capture shows:
12 0.001171 10.1.2.3 10.1.2.255 SNMP 88 get-request 188.8.131.52.184.108.40.206.220.127.116.11
One of the reasons CUPS sends out SNMP queries is to discover printers when it receives a
CUPS-Get-Devices IPP (Internet Printing Protocol) request. This request is sent by clients (such as the Web interface and the Printer Configuration Utility (
system-config-printer) to search for available printers to configure). The program
/usr/lib/cups/backend/snmp is one of the programs used to search for printers when CUPS receives a
CUPS-Get-Devices IPP request. In this case, there are three ways to prevent CUPS from sending out SNMP requests:
Figure out who is sending the CUPS-Get-Devices IPP request to the CUPS server, and get them to stop. You should be able to figure out who is sending the IPP requests by running a command like the following:
tcpdump -s 0 -w /tmp/ipp.pcap 'port 631'
Analysis of the file
/tmp/ipp.pcapwith a program such as Wireshark should provide information about which systems are making IPP requests to the CUPS server.
Change the following line in
This will configure CUPS to only send the SNMP requests to discover printers to the local host.
Remove the file
/usr/lib/cups/backend/snmpor make it non-executable.
CUPS sends SNMP requests for two reasons:
To discover printers when it receives a
CUPS-Get-DevicesIPP request. This request is sent by clients (such as the Web interface and the Printer Configuration Utility (
system-config-printer) to search for available printers to configure). This Knowledgebase Solution describes ways to prevent CUPS from sending out these SNMP broadcast messages.
To get the supply (ink, toner, paper, etc.) levels from an already configured printer when a job is printed to the printer. To find out more information about this CUPS behavior (including how to prevent it), please refer to the following Knowledgebase Solution:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.