This patch adds two new OVAL checks for the SNMP-related rules, and makes minor rule
description changes regarding how to disable SNMP v1 and v2c.

Signed-off-by: Rui Bernardino <[email protected]>
---
 RHEL/6/input/checks/snmpd_not_default_password.xml |   25 ++++++++++++++++++++
 RHEL/6/input/checks/snmpd_use_newer_protocol.xml   |   25 ++++++++++++++++++++
 RHEL/6/input/services/snmp.xml                     |    6 +++-
 3 files changed, 54 insertions(+), 2 deletions(-)  create mode 100644 
RHEL/6/input/checks/snmpd_not_default_password.xml
 create mode 100644 RHEL/6/input/checks/snmpd_use_newer_protocol.xml

diff --git a/RHEL/6/input/checks/snmpd_not_default_password.xml 
b/RHEL/6/input/checks/snmpd_not_default_password.xml
new file mode 100644
index 0000000..2e2f0c6
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_not_default_password.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="snmpd_not_default_password" version="1">
+    <metadata>
+      <title>SNMP default communities disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>SNMP default communities must be removed</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="snmp communities" 
test_ref="snmp_default_communities_test" /> 
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" 
comment="Check snmpd configuration" id="snmp_default_communities_test" 
version="1">
+    <ind:object object_ref="snmp_default_communities" />  
+ </ind:textfilecontent54_test>  <ind:textfilecontent54_object 
+ comment="Check SNMP communities" id="snmp_default_communities" version="1">
+    <ind:path>/etc/snmp/</ind:path>
+    <ind:filename>snmpd.conf</ind:filename>
+    <ind:pattern operation="pattern 
match">^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>  
+ </ind:textfilecontent54_object>
+
+</def-group>
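Review bot: The `<ind:pattern>` in this hunk matches `public`/`private` as a bare substring anywhere after the directive, so a non-default community such as `rocommunity corp-private-ro`, or a `createUser` passphrase that happens to contain the word, fails the check, while the stated intent is to flag only the literal default community strings. Matching the token as a whole field fixes that: `^\s*(com2sec|rocommunity|rwcommunity|createUser)(\s+\S+)*\s+(public|private)(\s|$)`. Separately, `createUser` lines are normally kept in `/var/lib/net-snmp/snmpd.conf` rather than `/etc/snmp/snmpd.conf` on Net-SNMP, so this object presumably never sees them — confirm whether that path should be covered as well. Minor style point: this file writes `^\s*` while the sibling check writes `^[\s]*`; the two are equivalent and one form in both files would read more consistently.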
diff --git a/RHEL/6/input/checks/snmpd_use_newer_protocol.xml 
b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
new file mode 100644
index 0000000..7cd2d8f
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="snmpd_use_newer_protocol" version="1">
+    <metadata>
+      <title>SNMP version 1 and 2c disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>SNMP version 1 and 2c must not be unabled</description>
+    </metadata>
+    <criteria>
+      <criterion comment="snmp version check" test_ref="snmp_versions_test" /> 
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" 
comment="Check snmpd configuration" id="snmp_versions_test" version="1">
+    <ind:object object_ref="snmp_versions_validate" />  
+ </ind:textfilecontent54_test>  <ind:textfilecontent54_object 
+ comment="Check SNMP versions" id="snmp_versions_validate" version="1">
+    <ind:path>/etc/snmp/</ind:path>
+    <ind:filename>snmpd.conf</ind:filename>
+    <ind:pattern operation="pattern 
match">^[\s]*(com2sec|rocommunity|rwcommunity)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>  
+ </ind:textfilecontent54_object>
+
+</def-group>
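Review bot: The `<description>` text reads "must not be unabled", which should be "must not be enabled". The object only inspects `/etc/snmp/snmpd.conf`, but as I read snmp_config(5) Net-SNMP also reads `snmpd.local.conf` from the same directory (and the other SNMPCONFPATH directories), so a `rocommunity` line placed there would silently pass this check; `<ind:filename operation="pattern match">^snmpd(\.local)?\.conf$</ind:filename>` would at least cover the sibling file. The unanchored prefix match on `rocommunity`/`rwcommunity`/`com2sec` also catches the `rocommunity6`, `rwcommunity6` and `com2sec6`/`com2secunix` variants, which is presumably intended but deserves a note on the pattern line, e.g. `<!-- prefix match: also covers rocommunity6, rwcommunity6, com2sec6 and com2secunix -->`.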
diff --git a/RHEL/6/input/services/snmp.xml b/RHEL/6/input/services/snmp.xml 
index 0e4f8b3..edc584f 100644
--- a/RHEL/6/input/services/snmp.xml
+++ b/RHEL/6/input/services/snmp.xml
@@ -70,13 +70,13 @@ stations</li>
 <Rule id="snmpd_use_newer_protocol" severity="medium">  <title>Configure SNMP 
Service to Use Only SNMPv3 or Newer </title>  <description> -Edit 
<tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>v1</tt>, 
<tt>v2c</tt>, or <tt>com2sec</tt>.  
+Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to 
<tt>rocommunity</tt>, <tt>rwcommunity</tt>, or <tt>com2sec</tt>.  
 Upon doing that, restart the SNMP service:
 <pre># service snmpd restart</pre>
 </description>
 <ocil clause="there is output">
 To ensure only SNMPv3 or newer is used, run the following command:
-<pre># grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
+<pre># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | 
+grep -v "^#"</pre>
 There should be no output.
 </ocil>
 <rationale>
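Review bot: The manual check on the `<pre>` line, `grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"`, only discards comment lines that start in column 0, so an indented commented-out `  # rocommunity public` line still produces output and fails the OCIL check even though the matching OVAL pattern `^[\s]*(com2sec|rocommunity|rwcommunity)` ignores it. Aligning the two needs `grep -v '^[[:space:]]*#'` as the second filter, or a single `grep -E '^[[:space:]]*(rocommunity|rwcommunity|com2sec)' /etc/snmp/snmpd.conf`. Narrowing the description to the community directives looks correct, since a leftover `group ... v1 ...` or `v2c` line is inert once no community is mapped, but saying so would stop readers from thinking those lines were forgotten: `Any <tt>group</tt> or <tt>access</tt> lines that reference <tt>v1</tt> or <tt>v2c</tt> become inert once no community is mapped and may be removed as well.` The rule's `<rationale>` body continues outside this hunk.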
@@ -84,6 +84,7 @@ Earlier versions of SNMP are considered insecure, as they 
potentially allow  unauthorized access to detailed system management 
information.
 </rationale>
 <ident cce="27365-6"/>
+<oval id="snmpd_use_newer_protocol" />
 </Rule>
 
<Rule id="snmpd_not_default_password" severity="medium">
@@ -103,6 +104,7 @@
Presence of the default SNMP password enables querying of different system  
aspects and could result in unauthorized knowledge of the system.
 </rationale>
 <ident cce="27593-3"/>
+<oval id="snmpd_not_default_password" />
 <tested by="MAN" on="20121214"/>
 </Rule>
 
--
1.7.1


