This patch adds two new checks for SNMP related rules. Minor rule description changes regarding how to disable v1 and v2c.
Signed-off-by: Rui Bernardino <rui-p-bernardino@telecom.pt>
---
RHEL/6/input/checks/snmpd_not_default_password.xml | 25 ++++++++++++++++++++
RHEL/6/input/checks/snmpd_use_newer_protocol.xml | 25 ++++++++++++++++++++
RHEL/6/input/services/snmp.xml | 6 +++-
3 files changed, 54 insertions(+), 2 deletions(-)
create mode 100644 RHEL/6/input/checks/snmpd_not_default_password.xml
create mode 100644 RHEL/6/input/checks/snmpd_use_newer_protocol.xml
diff --git a/RHEL/6/input/checks/snmpd_not_default_password.xml b/RHEL/6/input/checks/snmpd_not_default_password.xml new file mode 100644 index 0000000..2e2f0c6 --- /dev/null +++ b/RHEL/6/input/checks/snmpd_not_default_password.xml @@ -0,0 +1,25 @@ +<def-group> + <definition class="compliance" id="snmpd_not_default_password" version="1"> + <metadata> + <title>SNMP default communities disabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>SNMP default communities must be removed</description> + </metadata> + <criteria operator="AND"> + <criterion comment="snmp communities" test_ref="snmp_default_communities_test" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_default_communities_test" version="1"> + <ind:object object_ref="snmp_default_communities" /> + </ind:textfilecontent54_test> <ind:textfilecontent54_object + comment="Check SNMP communities" id="snmp_default_communities" version="1"> + ind:path/etc/snmp/</ind:path> + ind:filenamesnmpd.conf</ind:filename> + <ind:pattern operation="pattern match">^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/RHEL/6/input/checks/snmpd_use_newer_protocol.xml b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml new file mode 100644 index 0000000..7cd2d8f --- /dev/null +++ b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml 
@@ -0,0 +1,25 @@ +<def-group> + <definition class="compliance" id="snmpd_use_newer_protocol" version="1"> + <metadata> + <title>SNMP version 1 and 2c disabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>SNMP version 1 and 2c must not be unabled</description> + </metadata> + <criteria> + <criterion comment="snmp version check" test_ref="snmp_versions_test" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_versions_test" version="1"> + <ind:object object_ref="snmp_versions_validate" /> + </ind:textfilecontent54_test> <ind:textfilecontent54_object + comment="Check SNMP versions" id="snmp_versions_validate" version="1"> + ind:path/etc/snmp/</ind:path> + ind:filenamesnmpd.conf</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(com2sec|rocommunity|rwcommunity)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/RHEL/6/input/services/snmp.xml b/RHEL/6/input/services/snmp.xml index 0e4f8b3..edc584f 100644 --- a/RHEL/6/input/services/snmp.xml +++ b/RHEL/6/input/services/snmp.xml 
@@ -70,13 +70,13 @@ stations</li> <Rule id="snmpd_use_newer_protocol" severity="medium"> <title>Configure SNMP Service to Use Only SNMPv3 or Newer </title> <description> -Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>v1</tt>, <tt>v2c</tt>, or <tt>com2sec</tt>. +Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>rocommunity</tt>, <tt>rwcommunity</tt>, or <tt>com2sec</tt>. Upon doing that, restart the SNMP service: <pre># service snmpd restart</pre> </description> <ocil clause="there is output"> To ensure only SNMPv3 or newer is used, run the following command: -<pre># grep 'v1|v2c|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre> +<pre># grep 'rocommunity|rwcommunity|com2sec' /etc/snmp/snmpd.conf | +grep -v "^#"</pre> There should be no output. </ocil> <rationale> @@ -84,6 +84,7 @@ Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. </rationale> <ident cce="27365-6"/> +<oval id="snmpd_use_newer_protocol" /> </Rule>
<Rule id="snmpd_not_default_password" severity="medium"> @@ -103,6 +104,7 @@ Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. </rationale> <ident cce="27593-3"/> +<oval id="snmpd_not_default_password" /> <tested by="MAN" on="20121214"/> </Rule>
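Review bot: in the snmp.xml hunk the OCIL command is split across two added lines, `+<pre># grep 'rocommunity|rwcommunity|com2sec' /etc/snmp/snmpd.conf | +grep -v "^#"</pre>`, so the rendered `<pre>` block shows the pipeline broken after the `|`; keep the whole command on a single line so that a copy-and-paste of the check runs as one pipeline.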
--
1.7.1
On 6/24/14, 6:23 AM, Rui Pedro Bernardino wrote:
Good catch on the regex values. Had to double-check the docs on rocommunity/rwcommunity: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
Convert ind:file & ind:filename to ind:filepath.... e.g. <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath> and resubmit
Now with ‘filepath’ and those ‘extra’ line breaks that Outlook insists on removing…
Signed-off-by: Rui Bernardino <rui-p-bernardino@telecom.pt>
---
RHEL/6/input/checks/snmpd_not_default_password.xml | 24 ++++++++++++++++++++
RHEL/6/input/checks/snmpd_use_newer_protocol.xml | 24 ++++++++++++++++++++
RHEL/6/input/services/snmp.xml | 6 +++-
3 files changed, 52 insertions(+), 2 deletions(-)
create mode 100644 RHEL/6/input/checks/snmpd_not_default_password.xml
create mode 100644 RHEL/6/input/checks/snmpd_use_newer_protocol.xml
diff --git a/RHEL/6/input/checks/snmpd_not_default_password.xml b/RHEL/6/input/checks/snmpd_not_default_password.xml
new file mode 100644
index 0000000..4043960
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_not_default_password.xml
@@ -0,0 +1,24 @@
+<def-group>
+ <definition class="compliance" id="snmpd_not_default_password" version="1">
+ <metadata>
+ <title>SNMP default communities disabled</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>SNMP default communities must be removed</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="snmp communities" test_ref="snmp_default_communities_test" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_default_communities_test" version="1">
+ <ind:object object_ref="snmp_default_communities" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Check SNMP communities" id="snmp_default_communities" version="1">
+ ind:filepath/etc/snmp/snmpd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
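Review bot: the pattern `^\s*(com2sec|rocommunity|rwcommunity|createUser).*(public|private)` is unbounded on the right, so a directive line that merely contains one of those substrings anywhere later on is reported as a default community: a deliberately non-default name such as `rocommunity publicview`, a `-V private_view` view argument, or a `createUser` passphrase containing `private` would all fail the check although no default community is configured. Requiring the token to stand alone, for example `.*\s(public|private)(\s|$)` in place of `.*(public|private)`, keeps the `none_exist` test on the actual default names `public` and `private` for all four directives.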
diff --git a/RHEL/6/input/checks/snmpd_use_newer_protocol.xml b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
new file mode 100644
index 0000000..ba3a65b
--- /dev/null
+++ b/RHEL/6/input/checks/snmpd_use_newer_protocol.xml
@@ -0,0 +1,24 @@
+<def-group>
+ <definition class="compliance" id="snmpd_use_newer_protocol" version="1">
+ <metadata>
+ <title>SNMP version 1 and 2c disabled</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>SNMP version 1 and 2c must not be unabled</description>
+ </metadata>
+ <criteria>
+ <criterion comment="snmp version check" test_ref="snmp_versions_test" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="snmp_versions_test" version="1">
+ <ind:object object_ref="snmp_versions_validate" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Check SNMP versions" id="snmp_versions_validate" version="1">
+ ind:filepath/etc/snmp/snmpd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(com2sec|rocommunity|rwcommunity)</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
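Review bot: the description text `SNMP version 1 and 2c must not be unabled` has a typo and should read `must not be enabled`. Also, this definition's `<criteria>` carries no `operator` attribute while the sibling check in snmpd_not_default_password.xml uses `<criteria operator="AND">`; with a single criterion the evaluation is identical, but the two new files should use the same form so the difference does not read as intentional.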
diff --git a/RHEL/6/input/services/snmp.xml b/RHEL/6/input/services/snmp.xml
index 0e4f8b3..edc584f 100644
--- a/RHEL/6/input/services/snmp.xml
+++ b/RHEL/6/input/services/snmp.xml
@@ -70,13 +70,13 @@ stations</li>
<Rule id="snmpd_use_newer_protocol" severity="medium">
<title>Configure SNMP Service to Use Only SNMPv3 or Newer </title>
<description>
-Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>v1</tt>, <tt>v2c</tt>, or <tt>com2sec</tt>.
+Edit <tt>/etc/snmp/snmpd.conf</tt>, removing any references to <tt>rocommunity</tt>, <tt>rwcommunity</tt>, or <tt>com2sec</tt>.
Upon doing that, restart the SNMP service:
<pre># service snmpd restart</pre>
</description>
<ocil clause="there is output">
To ensure only SNMPv3 or newer is used, run the following command:
-<pre># grep 'v1|v2c|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
+<pre># grep 'rocommunity|rwcommunity|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
There should be no output.
</ocil>
<rationale>
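Review bot: in the OCIL line `+<pre># grep 'rocommunity|rwcommunity|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>` the alternation is a bare `|`, which basic `grep` matches as a literal character, so on a host with `rocommunity public` configured the command prints nothing and the manual check wrongly passes; write it as `'rocommunity\|rwcommunity\|com2sec'` or use `grep -E`. Dropping `v1` and `v2c` from the description is right, since those strings are not snmpd.conf directives, but one sentence explaining that v1/v2c access exists exactly when one of these three community directives is present would tell the reader why the new wording matches the OVAL pattern in snmpd_use_newer_protocol.xml.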
@@ -84,6 +84,7 @@ Earlier versions of SNMP are considered insecure, as they potentially allow
unauthorized access to detailed system management information.
</rationale>
<ident cce="27365-6"/>
+<oval id="snmpd_use_newer_protocol" />
</Rule>
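Review bot: the added `<oval id="snmpd_use_newer_protocol" />` correctly matches the definition id in the new check file, but note that the check it binds reads only `/etc/snmp/snmpd.conf`; a community directive placed in `/etc/snmp/snmpd.local.conf`, which snmpd also reads, would not be seen, so the rule description could state that the whole snmpd configuration, not just the main file, has to be free of these directives.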
<Rule id="snmpd_not_default_password" severity="medium">
@@ -103,6 +104,7 @@ Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
</rationale>
<ident cce="27593-3"/>
+<oval id="snmpd_not_default_password" />
<tested by="MAN" on="20121214"/>
</Rule>
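Review bot: now that `<oval id="snmpd_not_default_password" />` attaches an automated check, the `<tested by="MAN" on="20121214"/>` marker on the line below records a manual test that predates the OVAL content; the marker should be refreshed once the new definition has been run against a system with and without a default community configured, so the rule's tested status reflects the automated check rather than the 2012 manual one.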
--
1.7.1
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Thursday, 26 June 2014 19:47
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: [PATCH] Added SNMP related OVAL checks
(…)