SNMP community settings do not match across cluster members-checkpoint-gaia,ipso

SNMP community settings do not match across cluster members-checkpoint-gaia,ipso
0

SNMP community settings do not match across cluster members-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
Indeni will identify when two devices are part of a cluster and alert if the SNMP settings do not match.

Remediation Steps:
Ensure all of the SNMP settings are configured correctly on all cluster members.

How does this work?
Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.

Why is this important?
If the default SNMP communities are configured, like “public” or “private” it could allow unauthorized clients to poll the device.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-clish-show_snmp_agent

name: chkp-clish-show_snmp_agent
description: Show all SNMP settings
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    or:
    -   os.name: gaia
    -   os.name: ipso
comments:
    snmp-enabled:
        skip-documentation: true
    snmp-version:
        skip-documentation: true
    snmp-contact:
        why: |
            If the wrong contact is specified in the SNMP settings, the network monitoring team might contact the wrong person or team when there is an issue.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-location:
        why: |
            The SNMP location is important, since it gives the administrator a fast and easy way to determine where it is located.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-communities:
        why: |
            If the default SNMP communities are configured, like "public" or "private" it could allow unauthorized clients to poll the device.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-traps-status:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-traps-receiver:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-users:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    unencrypted-snmp-configured:
        why: |
            If SNMP is not using version 3 only, this means that SNMP communication is not encrypted.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Listing SNMP information is only available from
            the command line interface and WebUI.
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 grep "snmp" /config/active
    parse:
        type: AWK
        file: show-snmp-agent.parser.1.awk

cross_vendor_snmp_communities_comparison

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.rules.RemediationStepCondition

/**
  *
  */
case class cross_vendor_snmp_communities_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_snmp_communities_comparison",
  ruleFriendlyName = "Clustered Devices: SNMP community settings do not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the SNMP settings do not match.",
  metricName = "snmp-communities",
  isArray = true,
  alertDescription = "Devices that are part of a cluster should have the same SNMP configuration. Review the differences below.",
  baseRemediationText = "Ensure all of the SNMP settings are configured correctly on all cluster members.")(
  RemediationStepCondition.VENDOR_CISCO ->
    """|
      |1. Ensure all of the SNMPv2 communities are configured correctly on all cluster members by using  the "show snmp" NX-OS command.
      |2. Configure the same SNMPv2c communities by using the next command "snmp-server community name group { ro | rw }" across the peer Switches.
      |3. For more information please review  the next CISCO configuration guide:
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_9snmp.html
    """.stripMargin
)