Configure SNMP Server if Necessary

Description

If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here so only the following general configuration advice can be offered:

• use only SNMP version 3 security models and enable the use of authentication and encryption
• write access to the MIB (Management Information Base) should be allowed only if necessary
• all access to the MIB should be restricted following a principle of least privilege
• network access should be limited to the maximum extent possible including restricting to expected network addresses both in the configuration files and in the system firewall rules
• ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
• ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
• ensure that any MIB files' permissions are also 640 or more restrictive