SNMP configured with default community public/private-cisco-nxos
Vendor: cisco
OS: nxos
Description:
Indeni will alert if any of SNMP communities is set to “public” or “private”.
Remediation Steps:
If SNMPv2 has to be used, use a random community that is hard to guess. If possible switch to SNMPv3 instead, which uses username and password instead of a single community string.
How does this work?
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the “show snmp” command.
Why is this important?
Capture the SNMP communities and permissions. SNMP communities are used by SNMP v1/v2c to identify the management system polling SNMP information from the device. Each community can be associated with a different security level (read-only or read/write) and a different view of the SNMP MIB tree. Note that SNMP communities are transimitted in clear text.
Without Indeni how would you find this?
The administrator would have to manually log in to the device and check the SNMP communities configuration.
nexus-snmp-protocol-status
name: nexus-snmp-protocol-status
description: Nexus snmp protocol status
type: monitoring
monitoring_interval: 60 minutes
requires:
vendor: cisco
os.name: nxos
comments:
snmp-enabled:
why: |
Capture whether SNMP is enabled on the device.
how: |
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
can-with-snmp: false
can-with-syslog: false
snmp-contact:
why: |
Capture the SNMP contact information. This field can be used to store real contact information for the device.
how: |
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
can-with-snmp: true
can-with-syslog: false
snmp-location:
why: |
Capture the SNMP location information. This field can be used to store real location information for the device.
how: |
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
can-with-snmp: true
can-with-syslog: false
snmp-communities:
why: |
Capture the SNMP communities and permissions. SNMP communities are used by SNMP v1/v2c to identify the management system polling SNMP information from the device. Each community can be associated with a different security level (read-only or read/write) and a different view of the SNMP MIB tree.
Note that SNMP communities are transimitted in clear text.
how: |
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: SSH
command: show snmp
parse:
type: AWK
file: show_snmp.parser.1.awk
cross_vendor_snmp_communities_default
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/CrossVendorSnmpCommunitiesDefault.scala