SNMPv2c/v1 used-f5-False

warn
false
regulatory-compliance
f5
SNMPv2c/v1 used-f5-False
0

#1

SNMPv2c/v1 used-f5-False

Vendor: f5

OS: False

Description:
As SNMPv2 is not very secure, Indeni will alert if it is used.

Remediation Steps:
Configure SNMPv3 instead.
Review https://support.f5.com/csp/article/K13625

How does this work?
This alert uses the iControl REST interface to extract SNMP configuration.

Why is this important?
Versions 1 and 2 of the SNMP protocol are unencrypted, and access is granted by a community string that is itself sent in cleartext. This could allow an attacker to obtain valuable information about the infrastructure.

Without Indeni how would you find this?
Log in to the device’s web interface and click on “System” -> “SNMP” -> “Agent” -> "Access (v1, v2c)". This lists the configured access entries for SNMP versions 1 and 2c.

f5-rest-mgmt-tm-sys-snmp-communities

 #! META
name: f5-rest-mgmt-tm-sys-snmp-communities
description: Determine if any SNMP communities for SNMPv1 or SNMPv2 have been configured
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
unencrypted-snmp-configured:
    why: |
        Versions 1 and 2 of the SNMP protocol are unencrypted, and access is granted by a community string that is itself sent in cleartext. This could allow an attacker to obtain valuable information about the infrastructure.
    how: |
        This alert uses the iControl REST interface to extract SNMP configuration.
    without-indeni: |
        Log in to the device's web interface and click on "System" -> "SNMP" -> "Agent" -> "Access (v1, v2c)". This lists the configured access entries for SNMP versions 1 and 2c.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/sys/snmp/communities
protocol: HTTPS

#! PARSER::JSON

# Turns the list returned by /mgmt/tm/sys/snmp/communities into a single boolean
# metric, "unencrypted-snmp-configured", consumed by the cross_vendor_snmp_v2 rule.
_metrics:
    - # Record community configuration
        # Emits "true" when at least one SNMP community is configured with a source
        # other than 'default' / 127.0.0.1 (see the note on the _count below), else "false".

        _tags:
            "im.name":
                _constant: "unencrypted-snmp-configured"
            "im.dstype.displaytype":
                _constant: "boolean"
        _temp:
            "noCommunities":
                #'default' means localhost and is useful to keep in case of local SNMP troubleshooting
                # Count every entry under "items" whose source is neither 'default' nor the loopback
                # address; communities limited to the local host are deliberately not counted.
                _count: "$.items[0:][?(@.source != 'default' && @.source != '127.0.0.1')]"
        _transform:
            _value.complex:
                # Collapse the count into the boolean string the rule compares against:
                # any remaining community -> "true", otherwise "false".
                value: |
                    {
                        if(temp("noCommunities") > 0){
                            print "true"
                        } else {
                            print "false"
                        }
                    }

cross_vendor_snmp_v2

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  * Cross-vendor rule that raises a WARN alert when a device has SNMPv1/v2c access configured.
  *
  * The rule reads the `unencrypted-snmp-configured` snapshot metric (a boolean carried as the
  * strings "true"/"false") and fires when its most recent value equals "true". On F5 devices the
  * metric is produced by the `f5-rest-mgmt-tm-sys-snmp-communities` script on this page, which
  * reports "true" when at least one SNMP community is configured with a source other than
  * `default` or 127.0.0.1; the `cross_vendor` prefix suggests other vendors' scripts emit the
  * same metric name, but only the F5 producer is visible here.
  *
  * Remediation is the generic "configure SNMPv3" text, with an F5-specific knowledge-base link
  * added through [[ConditionalRemediationSteps.VENDOR_F5]].
  */
case class cross_vendor_snmp_v2() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_snmp_v2",
  ruleFriendlyName = "All Devices: SNMPv2c/v1 used",
  ruleDescription = "As SNMPv2 is not very secure, Indeni will alert if it is used.",
  severity = AlertSeverity.WARN,
  metricName = "unencrypted-snmp-configured",
  alertDescription = "Older versions of SNMP do not use encryption. This could potentially allow an attacker to obtain valuable information about the infrastructure.",
  baseRemediationText = "Configure SNMPv3 instead.",
  // Compares the constant "true" against the snapshot's single most-recent value (per the
  // builder names). NOTE(review): `.noneable` presumably lets a device that never reported
  // the metric compare as not-equal instead of failing — confirm against SnapshotExpression.
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("unencrypted-snmp-configured").asSingle().mostRecent().value().noneable)
)(ConditionalRemediationSteps.VENDOR_F5 -> "Review https://support.f5.com/csp/article/K13625")