Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Ubuntu 16.04
Services
SNMP Server
SNMP Server
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string.
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed.
Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here so only the following general configuration advice can be offered:
use only SNMP version 3 security models and enable the use of authentication and encryption
write access to the MIB (Management Information Base) should be allowed only if necessary
all access to the MIB should be restricted following a principle of least privilege
network access should be limited to the maximum extent possible including restricting to expected network addresses both in the configuration files and in the system firewall rules
ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
ensure that permissions on the
snmpd.conf
configuration file (by default, in
/etc/snmp
) are 640 or more restrictive
ensure that any MIB files' permissions are also 640 or more restrictive
SNMP read-only community string
Specify the SNMP community string used for read-only access.
SNMP read-write community string
Specify the SNMP community string used for read-write access.