SNMPv2c/v1 used-checkpoint-secureplatform

Vendor: checkpoint

OS: secureplatform

Description:
As SNMPv2 is not very secure, Indeni will alert if it is used.

Remediation Steps:
Configure SNMPv3 instead.

How does this work?
Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.

Why is this important?
If SNMP is not using encryption to retrieve data from devices, the data could be intercepted. Authentication data such as passwords used to login and get the data could also be compromised.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-secureplatform-snmpd-conf

name: chkp-secureplatform-snmpd-conf
description: displays SNMP information
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: checkpoint
    os.name: secureplatform
comments:
    snmp-enabled:
        skip-documentation: true
    snmp-version:
        skip-documentation: true
    snmp-contact:
        why: |
            If the wrong contact is specified in the SNMP settings, the network monitoring team might not have the information they need to notify the administrator when needed.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface.
    snmp-location:
        why: |
            The SNMP location should be set correctly, since it gives the administrator a fast and easy way to determine where the device is located.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface.
    snmp-communities:
        why: |
            If the default SNMP communities are configured, like "public" or "private" it could allow unauthorized clients to poll the device.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface.
    unencrypted-snmp-configured:
        why: |
            If SNMP is not using encryption to retrieve data from devices, the data could be intercepted. Authentication data such as passwords used to login and get the data could also be compromised.
        how: |
            Parse the /etc/snmp/snmpd.conf file and retrieve the current configuration for SNMP.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            Listing SNMP information is only available from the command line interface.
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 snmp service stat && cat /etc/snmp/snmpd.conf
    parse:
        type: AWK
        file: snmpd-conf.parser.1.awk
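The "How does this work?" section and the interrogation script above both rely on parsing /etc/snmp/snmpd.conf into the metrics listed in the script. This added example (not Indeni's snmpd-conf.parser.1.awk, whose contents the page does not show) derives those metrics with awk from a net-snmp style snmpd.conf; the metric names are from the page, the directive-to-metric mapping and the two sample configs are my own constructed assumptions.

```shell
# Added example, not Indeni's snmpd-conf.parser.1.awk: derive the metrics named
# in the interrogation script from a net-snmp snmpd.conf (mapping is assumed).

# Emit "metric=value" lines for the snmpd.conf given as $1.
snmpd_conf_metrics() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next }       # drop comments/blank lines
        # v1/v2c community directives: cleartext, community-string access
        $1 == "rocommunity" || $1 == "rwcommunity" || $1 == "com2sec" {
            c = ($1 == "com2sec") ? $4 : $2
            communities = communities (communities == "" ? "" : ",") c
            v2 = 1
        }
        # SNMPv3 USM directives (per-user authentication and privacy)
        $1 == "rouser" || $1 == "rwuser" || $1 == "createUser" { v3 = 1 }
        $1 == "syscontact"  { $1 = ""; sub(/^ +/, ""); contact = $0 }
        $1 == "syslocation" { $1 = ""; sub(/^ +/, ""); location = $0 }
        END {
            print "snmp-enabled=" ((v2 || v3) ? "true" : "false")
            # any community directive leaves v1/v2c reachable, even beside v3
            print "snmp-version=" (v2 ? "1/2c" : (v3 ? "3" : "none"))
            print "snmp-contact=" contact
            print "snmp-location=" location
            print "snmp-communities=" communities
            print "unencrypted-snmp-configured=" (v2 ? "true" : "false")
        }
    ' "$1"
}

# Print a single metric's value: snmpd_conf_metric FILE METRIC
snmpd_conf_metric() {
    snmpd_conf_metrics "$1" | sed -n "s/^$2=//p"
}

# Constructed sample configs (not from a real device): a default-style v2c
# setup that should alert, and an SNMPv3-only setup that should not.
V2_CONF="${TMPDIR:-/tmp}/snmpd-v2.$$" V3_CONF="${TMPDIR:-/tmp}/snmpd-v3.$$"
trap 'rm -f "$V2_CONF" "$V3_CONF"' EXIT
cat > "$V2_CONF" <<'EOF'
rocommunity public
com2sec notConfigUser default private
syscontact Root <root@localhost>
syslocation Lab rack 3
EOF
cat > "$V3_CONF" <<'EOF'
createUser monitor SHA "placeholder-auth-key" AES "placeholder-priv-key"
rouser monitor priv
EOF
snmpd_conf_metrics "$V2_CONF"
```

The `unencrypted-snmp-configured=true` line for the v2c sample is the value the cross_vendor_snmp_v2 rule below compares against.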

cross_vendor_snmp_v2

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.RemediationStepCondition
import com.indeni.server.rules.library.RuleHelper

/**
  * Raises a WARN alert when the most recent "unencrypted-snmp-configured"
  * snapshot for a device is "true", i.e. SNMPv1/v2c is in use.
  */
case class cross_vendor_snmp_v2() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_v2",
  ruleFriendlyName = "All Devices: SNMPv2c/v1 used",
  ruleDescription = "As SNMPv2 is not very secure, Indeni will alert if it is used.",
  severity = AlertSeverity.WARN,
  metricName = "unencrypted-snmp-configured",
  alertDescription = "Older versions of SNMP do not use encryption. This could potentially allow an attacker to obtain valuable information about the infrastructure.",
  baseRemediationText = "Configure SNMPv3 instead.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("unencrypted-snmp-configured").asSingle().mostRecent().value().noneable)
)(RemediationStepCondition.VENDOR_F5 -> "Review https://support.f5.com/csp/article/K13625")