Ensure Default SNMP Password Is Not Used

An XCCDF Rule

Description

Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. This profile configures new read-only community string to and read-write community string to . Once the default community strings have been changed, restart the SNMP service:

$ sudo service snmpd restart

Rationale

Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

ID: xccdf_org.ssgproject.content_rule_snmpd_not_default_password
Severity: High
References: 1 12 15 16 5

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

CCI-000366

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

IA-5(e)

PR.AC-1 PR.AC-6 PR.AC-7

SRG-OS-000480-GPOS-00227

RHEL-07-040800

SV-204627r603261_rule

CCE-27386-2
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-27386-2
  - DISA-STIG-RHEL-07-040800  - NIST-800-53-IA-5(e)
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - snmpd_not_default_password
- name: XCCDF Value var_snmpd_ro_string # promote to variable
  set_fact:
    var_snmpd_ro_string: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_snmpd_ro_string" use="legacy"/>
  tags:
    - always
- name: XCCDF Value var_snmpd_rw_string # promote to variable
  set_fact:
    var_snmpd_rw_string: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_snmpd_rw_string" use="legacy"/>
  tags:
    - always

- name: Check if file /etc/snmp/snmpd.conf exists
  stat:
    path: /etc/snmp/snmpd.conf
  register: snmpd
  when: '"net-snmp" in ansible_facts.packages'
  tags:
  - CCE-27386-2
  - DISA-STIG-RHEL-07-040800
  - NIST-800-53-IA-5(e)
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - snmpd_not_default_password

- name: Replace all instances of SNMP RO strings
  replace:
    path: /etc/snmp/snmpd.conf
    regexp: public
    replace: '{{ var_snmpd_ro_string }}'
  when:
  - '"net-snmp" in ansible_facts.packages'
  - (snmpd.stat.exists is defined and snmpd.stat.exists)
  tags:
  - CCE-27386-2
  - DISA-STIG-RHEL-07-040800
  - NIST-800-53-IA-5(e)
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - snmpd_not_default_password

- name: Replace all instances of SNMP RW strings
  replace:
    path: /etc/snmp/snmpd.conf
    regexp: private
    replace: '{{ var_snmpd_rw_string }}'
  when:
  - '"net-snmp" in ansible_facts.packages'
  - (snmpd.stat.exists is defined and snmpd.stat.exists)
  tags:
  - CCE-27386-2
  - DISA-STIG-RHEL-07-040800
  - NIST-800-53-IA-5(e)
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - snmpd_not_default_password

# Remediation is applicable only in certain platforms
if rpm --quiet -q net-snmp; then

var_snmpd_ro_string='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_snmpd_ro_string" use="legacy"/>'
var_snmpd_rw_string='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_snmpd_rw_string" use="legacy"/>'

# remediate read-only community string
if grep -q 'public' /etc/snmp/snmpd.conf; then
    sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf
fi

# remediate read-write community string
if grep -q 'private' /etc/snmp/snmpd.conf; then
    sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Default SNMP Password Is Not Used

Description

Rationale

Remediation - Ansible

Remediation - Shell Script