From 43223c64eb10feefa4e7946173b6bdcb33974461 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 23 Sep 2020 14:47:27 +0200 Subject: [PATCH 1/3] Fix snmpd_not_default_password ansible remediation when file doesn't exist. --- .../snmpd_not_default_password/ansible/shared.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml index d92c0a17da..9094560a1d 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml @@ -6,14 +6,21 @@ {{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}} +- name: "Check if file /etc/snmp/snmpd.conf exists" + stat: + path: /etc/snmp/snmpd.conf + register: snmpd + - name: "Replace all instances of SNMP RO strings" replace: path: "/etc/snmp/snmpd.conf" regexp: 'public' replace: '{{ var_snmpd_ro_string }}' + when: snmpd.stat is defined and snmpd.stat.exists - name: "Replace all instances of SNMP RW strings" replace: path: "/etc/snmp/snmpd.conf" regexp: 'private' replace: '{{ var_snmpd_rw_string }}' + when: snmpd.stat is defined and snmpd.stat.exists From 459d15b2fc2a86d37588cbebbbe1732910e1a397 Mon Sep 17 00:00:00 2001 
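Review bot: The new stat task writes `path: /etc/snmp/snmpd.conf` unquoted while the two replace tasks in the same hunk quote the identical path; use `path: "/etc/snmp/snmpd.conf"` so a reader does not have to check whether the paths differ. The registered name `snmpd` reads like the service rather than a stat result; something like `snmpd_conf` would make the later `when:` clauses self-explanatory. Visible in the context lines, though not changed here: `regexp: 'public'` and `regexp: 'private'` are unanchored substrings, so the replace also rewrites those words inside comments or longer tokens anywhere in the file; restricting the pattern to the community-string directives would keep the remediation from touching unrelated lines.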
From: Gabriel Becker Date: Thu, 24 Sep 2020 14:06:48 +0200 Subject: [PATCH 2/3] Add net-snmp CPE entry to detect if package is installed. --- debian10/cpe/debian10-cpe-dictionary.xml | 4 ++ debian10/product.yml | 4 ++ debian9/cpe/debian9-cpe-dictionary.xml | 4 ++ debian9/product.yml | 4 ++ fedora/cpe/fedora-cpe-dictionary.xml | 4 ++ .../snmp/snmp_configure_server/group.yml | 2 + .../ansible/shared.yml | 4 +- .../oval/shared.xml | 3 +- .../tests/missing.pass.sh | 3 ++ .../tests/package_missing.notapplicable.sh | 3 ++ ol7/cpe/ol7-cpe-dictionary.xml | 4 ++ ol8/cpe/ol8-cpe-dictionary.xml | 4 ++ rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++ rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++ rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++ .../installed_env_has_net-snmp_package.xml | 38 +++++++++++++++++++ ssg/constants.py | 1 + .../cpe/wrlinux1019-cpe-dictionary.xml | 4 ++ 18 files changed, 94 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh create mode 100644 shared/checks/oval/installed_env_has_net-snmp_package.xml diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml index ddb68c34bd..f94c59d028 100644 --- a/debian10/cpe/debian10-cpe-dictionary.xml +++ b/debian10/cpe/debian10-cpe-dictionary.xml @@ -76,4 +76,8 @@ System uses zipl installed_env_has_zipl_package + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/debian10/product.yml b/debian10/product.yml index c9b30b9d23..88fb497eb0 100644 --- a/debian10/product.yml +++ b/debian10/product.yml @@ -9,3 +9,7 @@ profiles_root: "./profiles" pkg_manager: "apt_get" init_system: "systemd" + +# Mapping of CPE platform to package +platform_package_overrides: + net-snmp: "snmp" 
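Review bot: `net-snmp: "snmp"` maps the CPE platform to the Debian `snmp` package, which to my knowledge holds the client utilities, while the agent that owns /etc/snmp/snmpd.conf ships in `snmpd`; if that holds for the target releases, the applicability check passes on hosts that have only the tools and skips hosts running the daemon without them, so the mapping should be confirmed against the Debian package lists before merging. The same value is repeated in debian9/product.yml and hard-coded in the dpkg branch of shared/checks/oval/installed_env_has_net-snmp_package.xml in this series. A comment above the key, `# Debian splits net-snmp into snmp (tools) and snmpd (agent); the agent package is what this group configures`, would make the choice deliberate once verified.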
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml index d5595fd594..bd18e5e754 100644 --- a/debian9/cpe/debian9-cpe-dictionary.xml +++ b/debian9/cpe/debian9-cpe-dictionary.xml @@ -76,4 +76,8 @@ System uses zipl installed_env_has_zipl_package + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/debian9/product.yml b/debian9/product.yml index 53e4e7509a..cfbdfd109a 100644 --- a/debian9/product.yml +++ b/debian9/product.yml @@ -9,3 +9,7 @@ profiles_root: "./profiles" pkg_manager: "apt_get" init_system: "systemd" + +# Mapping of CPE platform to package +platform_package_overrides: + net-snmp: "snmp" diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml index bef1337fc9..581abc41c7 100644 --- a/fedora/cpe/fedora-cpe-dictionary.xml +++ b/fedora/cpe/fedora-cpe-dictionary.xml @@ -111,4 +111,8 @@ System uses zipl installed_env_has_zipl_package + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/linux_os/guide/services/snmp/snmp_configure_server/group.yml b/linux_os/guide/services/snmp/snmp_configure_server/group.yml index 339e5843c2..8052ade2f6 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/group.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/group.yml @@ -17,3 +17,5 @@ description: |- stations
  • ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
  • ensure that any MIB files' permissions are also 640 or more restrictive
  • + +platform: net-snmp diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml index 9094560a1d..b10733861d 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml @@ -16,11 +16,11 @@ path: "/etc/snmp/snmpd.conf" regexp: 'public' replace: '{{ var_snmpd_ro_string }}' - when: snmpd.stat is defined and snmpd.stat.exists + when: (snmpd.stat.exists is defined and snmpd.stat.exists) - name: "Replace all instances of SNMP RW strings" replace: path: "/etc/snmp/snmpd.conf" regexp: 'private' replace: '{{ var_snmpd_rw_string }}' - when: snmpd.stat is defined and snmpd.stat.exists + when: (snmpd.stat.exists is defined and snmpd.stat.exists) diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml index 0ff056c48c..5504c0151f 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml @@ -1,8 +1,7 @@ {{{ oval_metadata("SNMP default communities must be removed.") }}} - - + diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh new file mode 100644 index 0000000000..3982740e83 --- /dev/null +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +yum -y install net-snmp 
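Review bot: `platform: net-snmp` at group level makes every rule under snmp_configure_server not applicable on hosts without the package, which is right for rules that edit /etc/snmp/snmpd.conf, but it also covers any rule in the group whose purpose is to evaluate on hosts where the package is absent; if such a rule exists, the platform belongs on the individual rules instead. This cannot be confirmed from the hunk, which shows only the tail of the description and the new key. A comment above the line, `# Rules in this group only make sense when the SNMP agent package is present`, would record the reasoning for the next reader.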
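Review bot: The two replace tasks now carry byte-identical `when:` conditions, so a later edit to one can silently leave the other unguarded; wrapping both tasks in a single `block:` that carries `when: snmpd.stat.exists is defined and snmpd.stat.exists` keeps the guard in one place. The surrounding parentheses add nothing to the expression and can be dropped. The stat task that registers `snmpd` sits above this hunk and is not visible here.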
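Review bot: The scenario calls `yum -y install net-snmp`, yet the CPE check added in this series also handles dpkg products where the package name differs and yum is unavailable; unless the test harness already limits scenarios per product, add a `# platform =` header (for example `# platform = multi_platform_rhel`) so the script is not run on Debian. The same applies to package_missing.notapplicable.sh in this series. The file is three lines long, so no enclosing block is cut by the hunk.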
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh new file mode 100644 index 0000000000..c388fe3652 --- /dev/null +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +yum -y remove net-snmp diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml index 59c5c728aa..6b1ab98ab6 100644 --- a/ol7/cpe/ol7-cpe-dictionary.xml +++ b/ol7/cpe/ol7-cpe-dictionary.xml @@ -80,4 +80,8 @@ SSSD is configured to use LDAP sssd_conf_uses_ldap + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml index 473ba36235..3e90619c27 100644 --- a/ol8/cpe/ol8-cpe-dictionary.xml +++ b/ol8/cpe/ol8-cpe-dictionary.xml @@ -75,4 +75,8 @@ SSSD is configured to use LDAP sssd_conf_uses_ldap + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml index 1b696b88d3..d0557cc807 100644 --- a/rhel6/cpe/rhel6-cpe-dictionary.xml +++ b/rhel6/cpe/rhel6-cpe-dictionary.xml @@ -96,4 +96,8 @@ System uses zipl installed_env_has_zipl_package + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml index e6b88f55cd..50f8006c97 100644 --- a/rhel7/cpe/rhel7-cpe-dictionary.xml +++ b/rhel7/cpe/rhel7-cpe-dictionary.xml @@ -110,4 +110,8 @@ SSSD is configured to use LDAP sssd_conf_uses_ldap + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml index 699251868d..3b9b4fc038 100644 --- a/rhel8/cpe/rhel8-cpe-dictionary.xml 
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml @@ -80,4 +80,8 @@ SSSD is configured to use LDAP sssd_conf_uses_ldap + + Package net-snmp is installed + installed_env_has_net-snmp_package + diff --git a/shared/checks/oval/installed_env_has_net-snmp_package.xml b/shared/checks/oval/installed_env_has_net-snmp_package.xml new file mode 100644 index 0000000000..66df54d473 --- /dev/null +++ b/shared/checks/oval/installed_env_has_net-snmp_package.xml @@ -0,0 +1,38 @@ + + + + Package net-snmp is installed + + multi_platform_all + + Checks if package net-snmp is installed. + + + + + + + +{{% if pkg_system == "rpm" %}} + + + + + net-snmp + +{{% elif pkg_system == "dpkg" %}} + + + + + + snmp + +{{% endif %}} + + diff --git a/ssg/constants.py b/ssg/constants.py index a585f32afc..fa2c4ccd76 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -500,6 +500,7 @@ "systemd": "cpe:/a:systemd", "yum": "cpe:/a:yum", "zipl": "cpe:/a:zipl", + "net-snmp": "cpe:/a:net-snmp", } # Default platform to package mapping diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml index f32e69e118..f31bad72e8 100644 --- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml @@ -79,4 +79,8 @@ SSSD is configured to use LDAP sssd_conf_uses_ldap + + Package net-snmp is installed + installed_env_has_net-snmp_package + From b058d43efac626eea413f0d185bb5219027cc7d4 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Tue, 29 Sep 2020 09:53:25 +0200 Subject: [PATCH 3/3] Fix test scenario for snmpd_not_default_password. --- .../snmpd_not_default_password/tests/missing.pass.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh index 3982740e83..d2a024f006 100644 
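Review bot: The dpkg branch hard-codes the package name `snmp` while the Debian product.yml files in this series carry the same name under `platform_package_overrides`, so the two can drift without any test noticing; if the OVAL template can read the override, deriving the name from it would leave one source of truth. The template has only `rpm` and `dpkg` branches with no `else`, so for any other `pkg_system` the object appears to be emitted without a package name — the XML tags were lost in extraction, so this is inferred from the surviving template directives. A comment above the conditional, `<!-- package name differs per packaging system; keep in sync with platform_package_overrides in product.yml -->`, would at least tie the two places together.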
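Review bot: `"net-snmp": "cpe:/a:net-snmp"` is appended after `"zipl"` in a mapping whose visible tail (`systemd`, `yum`, `zipl`) is alphabetical, so the new entry breaks the ordering and is harder to find; move it to its sorted position. Only the dictionary tail is visible here, so the mapping starts outside the hunk.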
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh @@ -1,3 +1,4 @@ #!/bin/bash yum -y install net-snmp +rm -f /etc/snmp/snmpd.conf