SNMP configured with default community public/private-checkpoint-secureplatform


Vendor: checkpoint

OS: secureplatform

Description:
Indeni will alert if any SNMP community is set to “public” or “private”.

Remediation Steps:
If SNMPv2 has to be used, use a random community string that is hard to guess. If possible, switch to SNMPv3 instead, which uses a username and password instead of a single community string.

How does this work?
Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.

Why is this important?
If the default SNMP communities are configured, like “public” or “private”, it could allow unauthorized clients to poll the device.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-secureplatform-snmpd-conf

name: chkp-secureplatform-snmpd-conf
description: displays SNMP information
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: checkpoint
    os.name: secureplatform
comments:
    snmp-enabled:
        why: |
            To ensure that SNMP is enabled for the gateway
        how: |
            By parsing the Gaia configuration database in "/config/active" and then retrieving the configuration details
            for SNMP
        can-with-snmp: false
        can-with-syslog: false

    snmp-version:
        why: |
            To check the SNMP version, which determines whether all the SNMP features are applicable
        how: |
            By parsing the Gaia configuration database in "/config/active" and then retrieving the configuration details
            for SNMP
        can-with-snmp: false
        can-with-syslog: false
    snmp-contact:
        why: |
            If the wrong contact is specified in the SNMP settings, the network monitoring team might not have the information they need to notify the administrator when needed.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        can-with-snmp: false
        can-with-syslog: false

    snmp-location:
        why: |
            The SNMP location should be set correctly, since it gives the administrator a fast and easy way to determine where the device is located.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        can-with-snmp: false
        can-with-syslog: false

    snmp-communities:
        why: |
            If the default SNMP communities are configured, like "public" or "private", it could allow unauthorized clients to poll the device.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        can-with-snmp: false
        can-with-syslog: false

    unencrypted-snmp-configured:
        why: |
            If SNMP is not using encryption to retrieve data from devices, the data could be intercepted. Authentication data such as passwords used to login and get the data could also be compromised.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 snmp service stat && cat /etc/snmp/snmpd.conf
    parse:
        type: AWK
        file: snmpd-conf.parser.1.awk
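The parse step above hands the snmpd.conf text to an AWK parser that the page does not show. The following is an added example, not Indeni's snmpd-conf.parser.1.awk, of the same idea in POSIX shell and awk: it pulls every community string granted by a net-snmp style snmpd.conf (rocommunity/rwcommunity and com2sec lines) and flags the ones equal to the defaults "public" or "private". The sample configuration and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Indeni's parser): extract the community strings a
# net-snmp snmpd.conf grants access with, then flag the well-known defaults
# the rule alerts on. Both functions read the configuration text on stdin.

# Print one line per configured community: "<directive> <community>".
snmpd_communities() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }                   # skip comments and blank lines
        $1 ~ /^r[ow]community6?$/ && NF >= 2 { print $1, $2 }  # rocommunity COMMUNITY [SOURCE]
        $1 ~ /^com2sec6?$/ && NF >= 4 { print $1, $4 }         # com2sec SECNAME SOURCE COMMUNITY
    '
}

# Print only the communities that equal the defaults "public" or "private".
# Returns 1 when at least one default community is configured, 0 otherwise.
snmpd_default_communities() {
    snmpd_communities | awk '
        $2 == "public" || $2 == "private" { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample snmpd.conf: two default communities and one hard-to-guess one.
SAMPLE_CONF='# sample snmpd.conf (constructed for this example)
rocommunity public default
rwcommunity private 10.0.0.0/8
com2sec mon_sec 192.0.2.0/24 s3cret-c0mmun1ty
syslocation Datacenter A'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONF" | snmpd_default_communities
fi
```

On a real gateway the same functions can be fed with `cat /etc/snmp/snmpd.conf`, the command the monitoring step runs.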

cross_vendor_snmp_communities_default

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.conditions._
import com.indeni.ruleengine.expressions.data._
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition

/**
  * Created by tomas on 20170721.
  */

case class CrossVendorSnmpCommunitiesDefault() extends MultiSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_communities_default",
  ruleFriendlyName = "All Devices: SNMP configured with default community public/private",
  severity = AlertSeverity.INFO,
  ruleDescription = "Indeni will alert if any SNMP community is set to \"public\" or \"private\".",
  metricName = "snmp-communities",
  alertDescription = "Using a well known SNMP community means that it is easy for others to guess, and to poll the device. An attacker could use this to get information from the device.",
  baseRemediationText = "If SNMPv2 has to be used, use a random community that is hard to guess. If possible switch to SNMPv3 instead, which uses username and password instead of a single community string.",
  complexCondition = Or(
    Contains(MultiSnapshotExtractScalarExpression(SnapshotExpression("snmp-communities").asMulti().mostRecent().value(), "community"), ConstantExpression("public")),
    Contains(MultiSnapshotExtractScalarExpression(SnapshotExpression("snmp-communities").asMulti().mostRecent().value(), "community"), ConstantExpression("private")))
  )(RemediationStepCondition.VENDOR_JUNIPER ->
  """|1. On the device command line interface, execute the "show configuration snmp" and "show snmp statistics" commands to review the SNMP configuration and statistics.
     |2. For security reasons it is highly recommended to use SNMP version 3.
     |3. Using the community string "public" is discouraged, as this is a common default setting and presents a security vulnerability.
     |4. Ensure that all of the SNMP settings are configured correctly on all cluster members.
     |5. Review the following article on the Juniper tech support site: <a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/snmp-best-practices-basic-config.html">Configuring SNMP on Devices Running Junos OS</a>.""".stripMargin
)