Now with ‘filepath’ and those ‘extra’ line breaks that Outlook insists on removing…
Signed-off-by: Rui Bernardino <[email protected]<mailto:[email protected]>> --- RHEL/6/input/checks/snmpd_not_default_password.xml | 24 ++++++++++++++++++++ RHEL/6/input/checks/snmpd_use_newer_protocol.xml | 24 ++++++++++++++++++++ RHEL/6/input/services/snmp.xml | 6 +++- 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 RHEL/6/input/checks/snmpd_not_default_password.xml create mode 100644 RHEL/6/input/checks/snmpd_use_newer_protocol.xml diff --git a/RHEL/6/input/checks/snmpd_not_default_password.xml b/RHEL/6/input/checks/snmpd_not_default_password.xml new file mode 100644 index 0000000..4043960 --- /dev/null +++ b/RHEL/6/input/checks/snmpd_not_default_password.xml @@ -0,0 +1,24 @@ +<def-group> + <definition class="compliance" id="snmpd_not_default_password" version="1"> + <metadata> + <title>SNMP default communities disabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>SNMP default communities must be removed</description> + </metadata> + <criteria operator="AND"> + <criterion comment="snmp communities" test_ref="snmp_default_communities_test" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_default_communities_test" version="1"> + <ind:object object_ref="snmp_default_communities" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="Check SNMP communities" id="snmp_default_communities" version="1"> + <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath> + <ind:pattern operation="pattern match">^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/RHEL/6/input/checks/snmpd_use_newer_protocol.xml b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml new file mode 100644 index 0000000..ba3a65b --- /dev/null 
+++ b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml @@ -0,0 +1,24 @@ +<def-group> + <definition class="compliance" id="snmpd_use_newer_protocol" version="1"> + <metadata> + <title>SNMP version 1 and 2c disabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>SNMP version 1 and 2c must not be unabled</description> + </metadata> + <criteria> + <criterion comment="snmp version check" test_ref="snmp_versions_test" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_versions_test" version="1"> + <ind:object object_ref="snmp_versions_validate" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="Check SNMP versions" id="snmp_versions_validate" version="1"> + <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(com2sec|rocommunity|rwcommunity)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/RHEL/6/input/services/snmp.xml b/RHEL/6/input/services/snmp.xml index 0e4f8b3..edc584f 100644 --- a/RHEL/6/input/services/snmp.xml +++ b/RHEL/6/input/services/snmp.xml 
@@ -70,13 +70,13 @@ stations</li> <Rule id="snmpd_use_newer_protocol" severity="medium"> <title>Configure SNMP Service to Use Only SNMPv3 or Newer </title> <description> -Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>v1</tt>, <tt>v2c</tt>, or <tt>com2sec</tt>. +Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>rocommunity</tt>, <tt>rwcommunity</tt>, or <tt>com2sec</tt>. Upon doing that, restart the SNMP service: <pre># service snmpd restart</pre> </description> <ocil clause="there is output"> To ensure only SNMPv3 or newer is used, run the following command: -<pre># grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre> +<pre># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre> There should be no output. </ocil> <rationale> @@ -84,6 +84,7 @@ Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. </rationale> <ident cce="27365-6"/> +<oval id="snmpd_use_newer_protocol" /> </Rule> <Rule id="snmpd_not_default_password" severity="medium"> @@ -103,6 +104,7 @@ Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. </rationale> <ident cce="27593-3"/> +<oval id="snmpd_not_default_password" /> <tested by="MAN" on="20121214"/> </Rule> -- 1.7.1 From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Wells Sent: quinta-feira, 26 de Junho de 2014 19:47 To: [email protected] Subject: Re: [PATCH] Added SNMP related OVAL checks (…) Good catch on the regex values. Had to doublcheck the docs on rocommunity/rwcommunity: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-System_Monitoring_Tools-Net-SNMP-Configuring.html Convert ind:file & ind:filename to ind:filepath.... e.g. <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath> and resubmit
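Review bot: in the snmpd_not_default_password.xml hunk, the pattern `^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)` matches `public` and `private` as bare substrings anywhere after the directive, so a non-default community such as `publicsafety`, or a trailing `# ...` comment on the line that happens to mention "private", is reported as a default community. Anchoring the alternation with word boundaries, e.g. `.*\b(public|private)\b`, keeps the check on the community token itself. Worth a note in the description too: `createUser` defines an SNMPv3 user, not a community, so "SNMP default communities must be removed" slightly understates what the test covers.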
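Review bot: typo in the description of the snmpd_use_newer_protocol.xml hunk: "must not be unabled" should read "must not be enabled". Minor consistency point in the same hunk: `<criteria>` has no `operator` attribute while the sibling definition spells out `operator="AND"`; OVAL defaults to AND so behaviour is identical, but keeping both definitions explicit avoids the question.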
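Review bot: in the first snmp.xml hunk (`@@ -70,13 +70,13 @@`), the updated OCIL command `grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"` does not mirror the OVAL pattern `^[\s]*(com2sec|rocommunity|rwcommunity)`: the grep reports a directive name appearing anywhere on a line, including inside a trailing comment, and only drops comments whose `#` sits in column 0, whereas the OVAL object requires the directive at the start of the line after optional whitespace. Anchoring the manual check the same way, e.g. `grep -E '^[[:space:]]*(rocommunity|rwcommunity|com2sec)' /etc/snmp/snmpd.conf`, makes the OCIL and OVAL results agree and removes the need for the second `grep -v`.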
scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
