SNMP configured with default community public/private-cisco-nxos

Vendor: cisco

OS: nxos

Description:
Indeni will alert if any of the SNMP communities is set to “public” or “private”.

Remediation Steps:
If SNMPv2 has to be used, use a random community string that is hard to guess. If possible, switch to SNMPv3 instead, which uses a username and password instead of a single community string.

How does this work?
This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the “show snmp” command.

Why is this important?
Capture the SNMP communities and permissions. SNMP communities are used by SNMP v1/v2c to identify the management system polling SNMP information from the device. Each community can be associated with a different security level (read-only or read/write) and a different view of the SNMP MIB tree. Note that SNMP communities are transmitted in clear text.

Without Indeni how would you find this?
The administrator would have to manually log in to the device and check the SNMP communities configuration.

nexus-snmp-protocol-status

name: nexus-snmp-protocol-status
description: Nexus snmp protocol status
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: cisco
    os.name: nxos
comments:
    snmp-enabled:
        why: |
            Capture whether SNMP is enabled on the device.
        how: |
            This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
        without-indeni: |
            The administrator would have to manually log in to the device and check if SNMP is enabled.
        can-with-snmp: false
        can-with-syslog: false
    snmp-contact:
        why: |
            Capture the SNMP contact information. This field can be used to store real contact information for the device.
        how: |
            This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
        without-indeni: |
            The administrator would have to manually log in to the device and check the SNMP contact.
        can-with-snmp: true
        can-with-syslog: false
    snmp-location:
        why: |
            Capture the SNMP location information. This field can be used to store real location information for the device.
        how: |
            This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
        without-indeni: |
            The administrator would have to manually log in to the device and check the SNMP location.
        can-with-snmp: true
        can-with-syslog: false
    snmp-communities:
        why: |
            Capture the SNMP communities and permissions. SNMP communities are used by SNMP v1/v2c to identify the management system polling SNMP information from the device. Each community can be associated with a different security level (read-only or read/write) and a different view of the SNMP MIB tree.
            Note that SNMP communities are transmitted in clear text.
        how: |
            This script logs in to the Cisco Nexus switch using SSH and retrieves the current state of the SNMP protocol by using the "show snmp" command.
        without-indeni: |
            The administrator would have to manually log in to the device and check the SNMP communities configuration.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show snmp
    parse:
        type: AWK
        file: show_snmp.parser.1.awk
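
The check the rule performs on the parsed "show snmp" output, as an added example (not Indeni's AWK parser or Scala rule): the community table is parsed into (community, group) rows and any row whose community is one of the well-known defaults is reported. The sample text is a constructed approximation of NX-OS output, and the group names in it are assumed, not taken from a device.

```python
"""Flag SNMP v1/v2c communities set to the well-known defaults "public"/"private".

Added example; it is not Indeni's show_snmp.parser.1.awk or the Scala rule.
"""
import re

# Constructed approximation of the community table in NX-OS "show snmp" output.
# Column widths, group names and the ACL column are assumptions, not real output.
SAMPLE_SHOW_SNMP = """\
sys contact: noc@example.invalid
sys location: lab-rack-1
Community                       Group / Access      context    acl_filter
---------                       --------------      -------    ----------
public                          network-operator
private                         network-admin
n0c-R4nd0m-Str1ng               network-operator               snmp-acl
"""

# The two vendor-agnostic defaults the rule alerts on.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_communities(show_snmp_output):
    """Return (community, group) pairs from the 'Community' table.

    Parsing starts at the table header and stops at the first blank line, so
    the contact/location lines above the table are ignored.
    """
    rows, in_table = [], False
    for line in show_snmp_output.splitlines():
        if not in_table:
            in_table = re.match(r"^Community\s+Group", line) is not None
            continue
        if not line.strip():
            break
        if line.startswith("---"):
            continue  # column underline row
        fields = line.split()
        rows.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return rows


def default_communities(show_snmp_output):
    """Communities equal to a well-known default, with their group/access level.

    Matching is case-insensitive: 'Public' is no harder to guess than 'public'.
    """
    return [(c, g) for c, g in parse_communities(show_snmp_output)
            if c.lower() in DEFAULT_COMMUNITIES]


if __name__ == "__main__":
    for community, group in default_communities(SAMPLE_SHOW_SNMP):
        print(f"ALERT: community {community!r} is a well-known default (group {group})")
```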

cross_vendor_snmp_communities_default

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.conditions._
import com.indeni.ruleengine.expressions.data._
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition

/**
  * Created by tomas on 20170721.
  */

case class CrossVendorSnmpCommunitiesDefault() extends MultiSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_communities_default",
  ruleFriendlyName = "All Devices: SNMP configured with default community public/private",
  severity = AlertSeverity.INFO,
  ruleDescription = "Indeni will alert if any of the SNMP communities is set to \"public\" or \"private\".",
  metricName = "snmp-communities",
  alertDescription = "Using a well known SNMP community means that it is easy for others to guess, and to poll the device. An attacker could use this to get information from the device.",
  baseRemediationText = "If SNMPv2 has to be used, use a random community that is hard to guess. If possible switch to SNMPv3 instead, which uses username and password instead of a single community string.",
  complexCondition = Or(
    Contains(MultiSnapshotExtractScalarExpression(SnapshotExpression("snmp-communities").asMulti().mostRecent().value(), "community"), ConstantExpression("public")),
    Contains(MultiSnapshotExtractScalarExpression(SnapshotExpression("snmp-communities").asMulti().mostRecent().value(), "community"), ConstantExpression("private")))
  )(RemediationStepCondition.VENDOR_JUNIPER ->
  """|1. On the device command line interface execute "show configuration snmp" and "show snmp statistics" commands to review SNMP configuration and statistics.
     |2. For security reasons it is highly recommended to use SNMP version 3.
     |3. Using the community string "public" is discouraged, as this is a common default setting and presents a security vulnerability.
     |4. Ensure that all of the SNMP settings are configured correctly on all cluster members.
     |5. Review the following article on Juniper tech support site: <a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/snmp-best-practices-basic-config.html">Configuring SNMP on Devices Running Junos OS</a>.""".stripMargin
)