SNMPv2c/v1 used-checkpoint-gaia,ipso

SNMPv2c/v1 used-checkpoint-gaia,ipso
0

SNMPv2c/v1 used-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
As SNMPv2 is not very secure, Indeni will alert if it is used.

Remediation Steps:
Configure SNMPv3 instead.

How does this work?
Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.

Why is this important?
If SNMP is not using version 3 only, this means that SNMP communication is not encrypted.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-clish-show_snmp_agent

name: chkp-clish-show_snmp_agent
description: Show all SNMP settings
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    or:
    -   os.name: gaia
    -   os.name: ipso
comments:
    snmp-enabled:
        skip-documentation: true
    snmp-version:
        skip-documentation: true
    snmp-contact:
        why: |
            If the wrong contact is specified in the SNMP settings, the network monitoring team might contact the wrong person or team when there is an issue.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-location:
        why: |
            The SNMP location is important, since it gives the administrator a fast and easy way to determine where it is located.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-communities:
        why: |
            If the default SNMP communities are configured, like "public" or "private" it could allow unauthorized clients to poll the device.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-traps-status:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-traps-receiver:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    snmp-users:
        why: |
            SNMP configuration should be the same across cluster members. indeni retrieves SNMP configuration to compare between them.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface and WebUI.
    unencrypted-snmp-configured:
        why: |
            If SNMP is not using version 3 only, this means that SNMP communication is not encrypted.
        how: |
            Parse the GAiA configuration database in /config/active and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Listing SNMP information is only available from
            the command line interface and WebUI.
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 grep "snmp" /config/active
    parse:
        type: AWK
        file: show-snmp-agent.parser.1.awk

cross_vendor_snmp_v2

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition
import com.indeni.server.rules.library.RuleHelper

/**
  *
  */
case class cross_vendor_snmp_v2() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_v2",
  ruleFriendlyName = "All Devices: SNMPv2c/v1 used",
  ruleDescription = "As SNMPv2 is not very secure, Indeni will alert if it is used.",
  severity = AlertSeverity.WARN,
  metricName = "unencrypted-snmp-configured",
  alertDescription = "Older versions of SNMP do not use encryption. This could potentially allow an attacker to obtain valuable information about the infrastructure.",
  baseRemediationText = "Configure SNMPv3 instead.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("unencrypted-snmp-configured").asSingle().mostRecent().value().noneable)
)(RemediationStepCondition.VENDOR_F5 -> "Review https://support.f5.com/csp/article/K13625")