On 6/24/14, 6:23 AM, Rui Pedro Bernardino wrote:
This patch adds two new checks for SNMP related rules. Minor rule description
changes regarding how to disable v1 and v2c.

Signed-off-by: Rui Bernardino<[email protected]>
---
  RHEL/6/input/checks/snmpd_not_default_password.xml |   25 ++++++++++++++++++++
  RHEL/6/input/checks/snmpd_use_newer_protocol.xml   |   25 ++++++++++++++++++++
  RHEL/6/input/services/snmp.xml                     |    6 +++-
  3 files changed, 54 insertions(+), 2 deletions(-)
  create mode 100644 RHEL/6/input/checks/snmpd_not_default_password.xml
  create mode 100644 RHEL/6/input/checks/snmpd_use_newer_protocol.xml

diff --git a/RHEL/6/input/checks/snmpd_not_default_password.xml b/RHEL/6/input/checks/snmpd_not_default_password.xml
new file mode 100644
index 0000000..2e2f0c6
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_not_default_password.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="snmpd_not_default_password" version="1">
+    <metadata>
+      <title>SNMP default communities disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>SNMP default communities must be removed</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="snmp communities" 
test_ref="snmp_default_communities_test" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd 
configuration" id="snmp_default_communities_test" version="1">
+    <ind:object object_ref="snmp_default_communities" />
+ </ind:textfilecontent54_test>  <ind:textfilecontent54_object
+ comment="Check SNMP communities" id="snmp_default_communities" version="1">
+    <ind:path>/etc/snmp/</ind:path>
+    <ind:filename>snmpd.conf</ind:filename>
+    <ind:pattern operation="pattern 
match">^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
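Review bot: the pattern `^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)` in the `ind:pattern` element matches `public`/`private` anywhere in the rest of the line, so a community such as `notpublic42`, or a trailing comment containing the word, fails the rule, while `Public` passes because the match is case-sensitive; consider binding the token with `\s+(public|private)(\s|$)` and a case-insensitive form. `createUser` lines define an SNMPv3 user and passphrase rather than a community string, so either drop that alternative or state in the description that weak v3 passphrases are also in scope. A single `<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>` is preferable to the `<ind:path>`/`<ind:filename>` pair.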
diff --git a/RHEL/6/input/checks/snmpd_use_newer_protocol.xml b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
new file mode 100644
index 0000000..7cd2d8f
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="snmpd_use_newer_protocol" version="1">
+    <metadata>
+      <title>SNMP version 1 and 2c disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>SNMP version 1 and 2c must not be unabled</description>
+    </metadata>
+    <criteria>
+      <criterion comment="snmp version check" test_ref="snmp_versions_test" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd 
configuration" id="snmp_versions_test" version="1">
+    <ind:object object_ref="snmp_versions_validate" />
+ </ind:textfilecontent54_test>  <ind:textfilecontent54_object
+ comment="Check SNMP versions" id="snmp_versions_validate" version="1">
+    <ind:path>/etc/snmp/</ind:path>
+    <ind:filename>snmpd.conf</ind:filename>
+    <ind:pattern operation="pattern 
match">^[\s]*(com2sec|rocommunity|rwcommunity)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
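Review bot: typo in the `<description>`: "must not be unabled" should read "must not be enabled". The pattern `^[\s]*(com2sec|rocommunity|rwcommunity)` covers the community directives (and, being a prefix match, the `com2sec6`, `rocommunity6` and `rwcommunity6` variants), but v1/v2c access can also be granted through VACM `group <name> v1|v2c <user>` lines, which this test never sees; consider adding `group\s+\S+\s+(v1|v2c)` to the alternation. For consistency with the first file, write `\s*` rather than `[\s]*`.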
diff --git a/RHEL/6/input/services/snmp.xml b/RHEL/6/input/services/snmp.xml 
index 0e4f8b3..edc584f 100644
--- a/RHEL/6/input/services/snmp.xml
+++ b/RHEL/6/input/services/snmp.xml
@@ -70,13 +70,13 @@ stations</li>
  <Rule id="snmpd_use_newer_protocol" severity="medium">  <title>Configure SNMP Service to Use Only SNMPv3 or Newer </title>  
<description> -Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>v1</tt>, <tt>v2c</tt>, or 
<tt>com2sec</tt>.
+Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>rocommunity</tt>, 
<tt>rwcommunity</tt>, or <tt>com2sec</tt>.
  Upon doing that, restart the SNMP service:
  <pre># service snmpd restart</pre>
  </description>
  <ocil clause="there is output">
  To ensure only SNMPv3 or newer is used, run the following command:
-<pre># grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
+<pre># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf |
+grep -v "^#"</pre>
  There should be no output.
  </ocil>
  <rationale>
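Review bot: the manual check `grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"` will not agree with the OVAL object in two cases: `grep -v "^#"` only drops comments that start in column 0, so an indented `   # rocommunity public` is reported, and the unanchored grep matches the keywords anywhere on the line while the OVAL pattern is anchored at `^\s*`. Suggest `grep -E '^\s*(rocommunity|rwcommunity|com2sec)' /etc/snmp/snmpd.conf` so both checks flag the same lines, and keep the command on one line inside `<pre>` as the replaced line was.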
@@ -84,6 +84,7 @@ Earlier versions of SNMP are considered insecure, as they 
potentially allow  unauthorized access to detailed system management 
information.
  </rationale>
  <ident cce="27365-6"/>
+<oval id="snmpd_use_newer_protocol" />
  </Rule>
<Rule id="snmpd_not_default_password" severity="medium"> @@ -103,6 +104,7 @@ Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.
  </rationale>
  <ident cce="27593-3"/>
+<oval id="snmpd_not_default_password" />
  <tested by="MAN" on="20121214"/>
  </Rule>
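Review bot: the new `<oval id="snmpd_use_newer_protocol" />` and `<oval id="snmpd_not_default_password" />` references match the `definition id` values in the two added check files, so the wiring is correct. The `snmpd_not_default_password` rule keeps a `<tested by="MAN" on="20121214"/>` entry that documents a 2012 manual test, and `snmpd_use_newer_protocol` has none; both rules will need a fresh `<tested>` entry once the automated checks are exercised.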
--
1.7.1

Good catch on the regex values. Had to double-check the docs on rocommunity/rwcommunity:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-System_Monitoring_Tools-Net-SNMP-Configuring.html

Convert ind:file & ind:filename to ind:filepath.... e.g. <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath> and resubmit
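To see what the two new OVAL patterns and the rule's manual grep each flag on the same file, here is a small Python harness added for this thread (not part of the patch or of SSG), run over a constructed snmpd.conf:

```python
import re

# Patterns exactly as they appear in the patch's two OVAL textfilecontent54
# objects. textfilecontent54 evaluates a pattern per line, so the harness
# applies each one to every line with re.search (the leading ^ anchors it).
DEFAULT_COMMUNITY_RE = re.compile(
    r"^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)")
V1_V2C_DIRECTIVE_RE = re.compile(r"^[\s]*(com2sec|rocommunity|rwcommunity)")

# Constructed sample snmpd.conf; not taken from any real host.
SAMPLE_CONF = """\
# com2sec notConfigUser  default       public
com2sec local       localhost    s3cretCommunity
    # rocommunity public  (indented leftover comment)
rocommunity6 monitoring ::1
rwcommunity  private   10.0.0.0/8
createUser admin SHA "correct horse battery" AES
group   notConfigGroup v2c  notConfigUser
"""

def oval_flagged(pattern: re.Pattern, conf: str) -> list[str]:
    """Lines a none_exist test over `pattern` reports; any hit fails the rule."""
    return [line for line in conf.splitlines() if pattern.search(line)]

def ocil_grep(conf: str) -> list[str]:
    """Mirror of the rule's manual check:
    grep 'rocommunity\\|rwcommunity\\|com2sec' snmpd.conf | grep -v "^#"
    Note that grep -v "^#" only drops comments starting in column 0."""
    return [line for line in conf.splitlines()
            if re.search(r"rocommunity|rwcommunity|com2sec", line)
            and not line.startswith("#")]

def compare(conf: str = SAMPLE_CONF) -> dict[str, list[str]]:
    """Side-by-side view of what each check flags on the same config."""
    return {
        "snmpd_not_default_password": oval_flagged(DEFAULT_COMMUNITY_RE, conf),
        "snmpd_use_newer_protocol": oval_flagged(V1_V2C_DIRECTIVE_RE, conf),
        "ocil_grep": ocil_grep(conf),
    }

if __name__ == "__main__":
    for check, lines in compare().items():
        print(f"{check}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line)
```

On the sample, the OVAL v1/v2c check misses the VACM `group ... v2c` line, and the grep additionally reports the indented comment, which the anchored OVAL pattern ignores.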


_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide