From 43223c64eb10feefa4e7946173b6bdcb33974461 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 23 Sep 2020 14:47:27 +0200
Subject: [PATCH 1/3] Fix snmpd_not_default_password ansible remediation when
file doesn't exist.
---
.../snmpd_not_default_password/ansible/shared.yml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
index d92c0a17da..9094560a1d 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
@@ -6,14 +6,21 @@
{{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
+- name: "Check if file /etc/snmp/snmpd.conf exists"
+ stat:
+ path: /etc/snmp/snmpd.conf
+ register: snmpd
+
- name: "Replace all instances of SNMP RO strings"
replace:
path: "/etc/snmp/snmpd.conf"
regexp: 'public'
replace: '{{ var_snmpd_ro_string }}'
+ when: snmpd.stat is defined and snmpd.stat.exists
- name: "Replace all instances of SNMP RW strings"
replace:
path: "/etc/snmp/snmpd.conf"
regexp: 'private'
replace: '{{ var_snmpd_rw_string }}'
+ when: snmpd.stat is defined and snmpd.stat.exists
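Review bot: The registered name `snmpd` in the new stat task is very generic, and registered variables persist per host for the rest of the play. If these tasks are later combined with other rules' tasks in one playbook (not visible here), another task registering `snmpd` would silently change what both `when:` guards test. A rule-specific name avoids that: `register: snmpd_conf_stat` with `when: snmpd_conf_stat.stat is defined and snmpd_conf_stat.stat.exists`. Also, when the file is absent both replace tasks are skipped without any message, so a comment above the stat task such as `# A missing /etc/snmp/snmpd.conf has no default community strings to replace` would record the intent.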
From 459d15b2fc2a86d37588cbebbbe1732910e1a397 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 24 Sep 2020 14:06:48 +0200
Subject: [PATCH 2/3] Add net-snmp CPE entry to detect if package is installed.
---
debian10/cpe/debian10-cpe-dictionary.xml | 4 ++
debian10/product.yml | 4 ++
debian9/cpe/debian9-cpe-dictionary.xml | 4 ++
debian9/product.yml | 4 ++
fedora/cpe/fedora-cpe-dictionary.xml | 4 ++
.../snmp/snmp_configure_server/group.yml | 2 +
.../ansible/shared.yml | 4 +-
.../oval/shared.xml | 3 +-
.../tests/missing.pass.sh | 3 ++
.../tests/package_missing.notapplicable.sh | 3 ++
ol7/cpe/ol7-cpe-dictionary.xml | 4 ++
ol8/cpe/ol8-cpe-dictionary.xml | 4 ++
rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++
rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++
rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++
.../installed_env_has_net-snmp_package.xml | 38 +++++++++++++++++++
ssg/constants.py | 1 +
.../cpe/wrlinux1019-cpe-dictionary.xml | 4 ++
18 files changed, 94 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
create mode 100644 shared/checks/oval/installed_env_has_net-snmp_package.xml
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index ddb68c34bd..f94c59d028 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -76,4 +76,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/debian10/product.yml b/debian10/product.yml
index c9b30b9d23..88fb497eb0 100644
--- a/debian10/product.yml
+++ b/debian10/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
pkg_manager: "apt_get"
init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ net-snmp: "snmp"
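Review bot: The override `net-snmp: "snmp"` appears to point the platform check at the wrong Debian package. As far as I know, Debian ships the client tools in `snmp` and the agent that owns `/etc/snmp/snmpd.conf` in `snmpd`. A host with only `snmpd` installed would then have the whole `snmp_configure_server` group evaluated as not applicable, so its default community strings would go unreported. If that packaging holds for the targeted releases, use `net-snmp: "snmpd"` here. The same name appears in `debian9/product.yml` and in the dpkg branch of `installed_env_has_net-snmp_package.xml` (`<linux:name>snmp</linux:name>`), which should change together.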
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index d5595fd594..bd18e5e754 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -76,4 +76,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/debian9/product.yml b/debian9/product.yml
index 53e4e7509a..cfbdfd109a 100644
--- a/debian9/product.yml
+++ b/debian9/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
pkg_manager: "apt_get"
init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ net-snmp: "snmp"
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index bef1337fc9..581abc41c7 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -111,4 +111,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/group.yml b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
index 339e5843c2..8052ade2f6 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/group.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
@@ -17,3 +17,5 @@ description: |-
stations</li>
<li>ensure that permissions on the <tt>snmpd.conf</tt> configuration file (by default, in <tt>/etc/snmp</tt>) are 640 or more restrictive</li>
<li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
+
+platform: net-snmp
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
index 9094560a1d..b10733861d 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
@@ -16,11 +16,11 @@
path: "/etc/snmp/snmpd.conf"
regexp: 'public'
replace: '{{ var_snmpd_ro_string }}'
- when: snmpd.stat is defined and snmpd.stat.exists
+ when: (snmpd.stat.exists is defined and snmpd.stat.exists)
- name: "Replace all instances of SNMP RW strings"
replace:
path: "/etc/snmp/snmpd.conf"
regexp: 'private'
replace: '{{ var_snmpd_rw_string }}'
- when: snmpd.stat is defined and snmpd.stat.exists
+ when: (snmpd.stat.exists is defined and snmpd.stat.exists)
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
index 0ff056c48c..5504c0151f 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
@@ -1,8 +1,7 @@
<def-group>
<definition class="compliance" id="snmpd_not_default_password" version="2">
{{{ oval_metadata("SNMP default communities must be removed.") }}}
- <criteria operator="OR">
- <extend_definition comment="SMNP installed" definition_ref="package_net-snmp_removed" />
+ <criteria>
<criterion comment="SNMP communities" test_ref="test_snmp_default_communities" />
</criteria>
</definition>
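Review bot: The definition keeps `version="2"` although its criteria change meaning, since the `package_net-snmp_removed` alternative is dropped and only `test_snmp_default_communities` remains. Consumers that track OVAL definition versions would not see the change, so consider `version="3"`. With the OR branch gone, whether a host without `/etc/snmp/snmpd.conf` still passes depends entirely on the existence check of `test_snmp_default_communities`, which is defined outside this hunk. It is worth confirming that this matches the `missing.pass.sh` expectation.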
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
new file mode 100644
index 0000000000..3982740e83
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+yum -y install net-snmp
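Review bot: This scenario hardcodes `yum`, while the same commit makes the rule's platform check apply to dpkg-based products (debian9, debian10) too. The script would fail there before the rule is even evaluated, and the same holds for `yum -y remove net-snmp` in `package_missing.notapplicable.sh`. If the test harness supports a platform header, restrict both scripts to the products they can run on, e.g. `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol` (confirm the exact identifiers against the harness). Otherwise, add a comment stating that the scenarios are rpm-only.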
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
new file mode 100644
index 0000000000..c388fe3652
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+yum -y remove net-snmp
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index 59c5c728aa..6b1ab98ab6 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -80,4 +80,8 @@
<title xml:lang="en-us">SSSD is configured to use LDAP</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 473ba36235..3e90619c27 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -75,4 +75,8 @@
<title xml:lang="en-us">SSSD is configured to use LDAP</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
index 1b696b88d3..d0557cc807 100644
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
@@ -96,4 +96,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index e6b88f55cd..50f8006c97 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -110,4 +110,8 @@
<title xml:lang="en-us">SSSD is configured to use LDAP</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index 699251868d..3b9b4fc038 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -80,4 +80,8 @@
<title xml:lang="en-us">SSSD is configured to use LDAP</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/shared/checks/oval/installed_env_has_net-snmp_package.xml b/shared/checks/oval/installed_env_has_net-snmp_package.xml
new file mode 100644
index 0000000000..66df54d473
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_net-snmp_package.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_net-snmp_package" version="1">
+ <metadata>
+ <title>Package net-snmp is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package net-snmp is installed.</description>
+ <reference ref_id="cpe:/a:net-snmp" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package net-snmp is installed" test_ref="test_env_has_net-snmp_installed" />
+ </criteria>
+ </definition>
+
+{{% if pkg_system == "rpm" %}}
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_net-snmp_installed" version="1"
+ comment="system has package net-snmp installed">
+ <linux:object object_ref="obj_env_has_net-snmp_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_net-snmp_installed" version="1">
+ <linux:name>net-snmp</linux:name>
+ </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
+ id="test_env_has_net-snmp_installed" version="1"
+ comment="system has package net-snmp installed">
+ <linux:object object_ref="obj_env_has_net-snmp_installed" />
+ </linux:dpkginfo_test>
+ <linux:dpkginfo_object id="obj_env_has_net-snmp_installed" version="1">
+ <!-- dpkg systems differ in the package name -->
+ <linux:name>snmp</linux:name>
+ </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
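Review bot: The template emits `test_env_has_net-snmp_installed` only inside the `rpm` and `dpkg` branches, but the criterion above references it unconditionally. If a product sets any other `pkg_system` (none is visible in this patch), the generated definition would carry a dangling `test_ref`. The two branches also disagree on existence semantics: `check_existence="at_least_one_exists"` for rpminfo and `check_existence="all_exist"` for dpkginfo. Aligning the dpkg test on `at_least_one_exists` would keep the inventory check consistent. A comment above the `{{% if %}}` such as `<!-- only rpm and dpkg package systems are supported by this check -->` would document the limitation.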
diff --git a/ssg/constants.py b/ssg/constants.py
index a585f32afc..fa2c4ccd76 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -500,6 +500,7 @@
"systemd": "cpe:/a:systemd",
"yum": "cpe:/a:yum",
"zipl": "cpe:/a:zipl",
+ "net-snmp": "cpe:/a:net-snmp",
}
# Default platform to package mapping
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index f32e69e118..f31bad72e8 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -79,4 +79,8 @@
<title xml:lang="en-us">SSSD is configured to use LDAP</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
</cpe-item>
+ <cpe-item name="cpe:/a:net-snmp">
+ <title xml:lang="en-us">Package net-snmp is installed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+ </cpe-item>
</cpe-list>
From b058d43efac626eea413f0d185bb5219027cc7d4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 29 Sep 2020 09:53:25 +0200
Subject: [PATCH 3/3] Fix test scenario for snmpd_not_default_password.
---
.../snmpd_not_default_password/tests/missing.pass.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
index 3982740e83..d2a024f006 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
@@ -1,3 +1,4 @@
#!/bin/bash
yum -y install net-snmp
+rm -f /etc/snmp/snmpd.conf