SNMP configured with default community public/private-juniper-junos

SNMP configured with default community public/private-juniper-junos

SNMP configured with default community public/private-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni will alert if any of the SNMP communities is set to “public” or “private”.

Remediation Steps:
If SNMPv2 has to be used, use a random community that is hard to guess. If possible switch to SNMPv3 instead, which uses username and password instead of a single community string.
|1. On the device command line interface execute "show configuration snmp" and "show snmp statistics" commands to review SNMP configuration and statistics.
|2. For security reasons it is highly recommended to use SNMP version 3.
|3. Using the community string “public” is discouraged, as this is a common default setting and presents a security vulnerability.
|4. Ensure that all of the SNMP settings are configured correctly on all cluster members.
|5. Review the following article on Juniper tech support site: Configuring SNMP on Devices Running Junos OS.

junos-show-configuration-snmp

name: junos-show-configuration-snmp
description: JUNOS SRX retrieving snmp configuration information
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall
comments:
    snmp-enabled:
        why: |
            Capture whether SNMP is enabled on the device.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-version:
        why: |
            Capture the SNMP version enabled on the device.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-location:
        why: |
            Capture the SNMP location information. This field can be used to store real location information for the device.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-communities:
        why: |
            Capture the SNMP communities. If the default SNMP communities are configured, like "public" or "private", it could allow unauthorized clients to poll the device.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-traps-status:
        why: |
            Capture whether SNMP Traps are enabled or not.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-traps-receiver:
        why: |
            Capture SNMP Traps configuration.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-users:
        why: |
            Capture the SNMP users and permissions. SNMPv3 is the recommended SNMP version because of its additional authentication and encryption mechanisms.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    unencrypted-snmp-configured:
        why: |
            SNMPv2c is an insecure protocol and should not be used. Users should prefer the more secure SNMPv3.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
    snmp-contact:
        why: |
            Capture contact details. If the wrong contact is specified in the SNMP settings, the network monitoring team might contact the wrong person or team when there is an issue.
        how: |
            This script retrieves how the snmp is configured on the SRX device by running the command "show configuration snmp" via SSH connection to a device.
        can-with-snmp: false
        can-with-syslog: false
steps:
    -   run:
            type: SSH
            command: show configuration snmp | display set
        parse:
            type: AWK
            file: show-configuration-snmp.parser.1.awk

cross_vendor_snmp_communities_default

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.conditions._
import com.indeni.ruleengine.expressions.data._
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition

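/**
  * Alerts when a device's SNMP community strings include the well-known defaults.
  *
  * The condition reads the most recent `snmp-communities` snapshot, extracts its
  * `community` field and fires when that value contains "public" or "private".
  * Because the metric carries the community strings themselves, the collected
  * snapshot is sensitive data in its own right — presumably it is stored like any
  * other metric; verify retention and access controls for it.
  *
  * NOTE(review): `Contains` is assumed to be a case-sensitive substring match — TODO confirm.
  * Under that assumption a community such as "Public" would not be flagged, while
  * "public-ro" would be.
  *
  * Created by tomas on 20170721.
  */
case class CrossVendorSnmpCommunitiesDefault() extends MultiSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_communities_default",
  ruleFriendlyName = "All Devices: SNMP configured with default community public/private",
  severity = AlertSeverity.INFO,
  ruleDescription = "Indeni will alert if any of SNMP communities is set to \"public\" or \"private\".",
  metricName = "snmp-communities",
  alertDescription = "Using a well known SNMP community means that it is easy for others to guess, and to poll the device. An attacker could use this to get information from the device.",
  baseRemediationText = "If SNMPv2 has to be used, use a random community that is hard to guess. If possible switch to SNMPv3 instead, which uses username and password instead of a single community string.",
  complexCondition = {
    // A def rather than a val: each Contains below receives its own freshly built
    // expression, exactly as the previously duplicated construction did.
    def communityValues =
      MultiSnapshotExtractScalarExpression(SnapshotExpression("snmp-communities").asMulti().mostRecent().value(), "community")
    Or(
      Contains(communityValues, ConstantExpression("public")),
      Contains(communityValues, ConstantExpression("private")))
  }
  )(RemediationStepCondition.VENDOR_JUNIPER ->
  // The command names in step 1 previously carried Mac-Roman smart quotes ("Ò"/"Ó") that
  // rendered literally in the alert text; they are plain ASCII quotes now.
  """|1. On the device command line interface execute "show configuration snmp" and "show snmp statistics" commands to review  SNMP configuration and statistics.
     |2. For security reasons it is highly recommended to use SNMP version 3.
     |3. Using the community string  "public" is discouraged, as this is  a common default setting and presents a security vulnerability.
     |4. Ensure that all of the SNMP settings are configured correctly on all cluster members.
     |5. Review the following article on Juniper tech support site: <a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/snmp-best-practices-basic-config.html">Configuring SNMP on Devices Running Junos OS</a>.""".stripMargin
)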