From 5ac59fa21c10ba7d87beefaa8c26099ddd73a0c3 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 4 Sep 2020 15:51:47 +0200

Subject: [PATCH 1/6] make oval regex stricter

---

 .../snmpd_not_default_password/oval/shared.xml                  | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml

index b617c7339d..1bc84e1a88 100644

--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml

@@ -17,7 +17,7 @@

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object id="object_snmp_default_communities" version="1">

     <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>

-    <ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>

+    <ind:pattern operation="pattern match">^((?!#).)*(public|private).*</ind:pattern>

     <ind:instance datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

 </def-group>

From 481cce33f5b148071e36d07a75291f5d39a8c02a Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 4 Sep 2020 15:52:07 +0200

Subject: [PATCH 2/6] add tests

---

 .../snmpd_not_default_password/tests/both.fail.sh          | 6 ++++++

 .../snmpd_not_default_password/tests/commented.pass.sh     | 7 +++++++

 .../snmpd_not_default_password/tests/correct.pass.sh       | 6 ++++++

 .../snmpd_not_default_password/tests/private.fail.sh       | 5 +++++

 .../snmpd_not_default_password/tests/public.fail.sh        | 6 ++++++

 5 files changed, 30 insertions(+)

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh

new file mode 100644

index 0000000000..5b8efa3c75

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+yum -y install net-snmp

+

+echo "something public" >> /etc/snmp/snmpd.conf

+echo "something private" >> /etc/snmp/snmpd.conf

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh

new file mode 100644

index 0000000000..410d00f5a1

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+yum -y install net-snmp

+

+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf

+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf

+echo '# public' >> /etc/snmp/snmpd.conf

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh

new file mode 100644

index 0000000000..355cc8b71d

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+yum -y install net-snmp

+

+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf

+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh

new file mode 100644

index 0000000000..c6bcf9b401

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+

+yum -y install net-snmp

+

+echo "something private" >> /etc/snmp/snmpd.conf

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh

new file mode 100644

index 0000000000..43022ba28c

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+yum -y install net-snmp

+

+echo "something public" >> /etc/snmp/snmpd.conf

+

From 9ad3734aa2c6a40fc8a6881d361e420faaaa1117 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 9 Sep 2020 11:19:46 +0200

Subject: [PATCH 3/6] add variables

---

 .../snmpd_not_default_password/bash/shared.sh      |  5 -----

 .../snmpd_not_default_password/rule.yml            |  1 +

 .../snmp_configure_server/var_snmpd_ro_string.var  | 14 ++++++++++++++

 .../snmp_configure_server/var_snmpd_rw_string.var  | 14 ++++++++++++++

 4 files changed, 29 insertions(+), 5 deletions(-)

 delete mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

deleted file mode 100644

index 4d5bc82282..0000000000

--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

+++ /dev/null

@@ -1,5 +0,0 @@

-# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol

-

-if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then

-	sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf

-fi

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml

index 648f45caa2..72d2495713 100644

--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml

@@ -7,6 +7,7 @@ title: 'Ensure Default SNMP Password Is Not Used'

 description: |-

     Edit <tt>/etc/snmp/snmpd.conf</tt>, remove or change the default community strings of

     <tt>public</tt> and <tt>private</tt>.

+    This profile configures new read-only community string to <tt>{{{ sub_var_value("var_snmpd_ro_string") }}}</tt> and read-write community string to <tt>{{{ sub_var_value("var_snmpd_rw_string") }}}</tt>.

     Once the default community strings have been changed, restart the SNMP service:

     
$ sudo service snmpd restart

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var

new file mode 100644

index 0000000000..ac755d154f

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var

@@ -0,0 +1,14 @@

+documentation_complete: true

+

+title: 'SNMP read-only community string'

+

+description: "Specify the SNMP community string used for read-only access."

+

+type: string

+

+operator: equals

+

+interactive: true

+

+options:

+    default: changemero

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var

new file mode 100644

index 0000000000..7d2016a4dd

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var

@@ -0,0 +1,14 @@

+documentation_complete: true

+

+title: 'SNMP read-write community string'

+

+description: "Specify the SNMP community string used for read-write access."

+

+type: string

+

+operator: equals

+

+interactive: true

+

+options:

+    default: changemerw

From c2f193a43373900d65da6134325a8916a734c659 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 9 Sep 2020 18:03:31 +0200

Subject: [PATCH 4/6] add bash remediation

---

 .../snmpd_not_default_password/bash/shared.sh    | 16 ++++++++++++++++

 1 file changed, 16 insertions(+)

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

new file mode 100644

index 0000000000..1b0474c07c

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh

@@ -0,0 +1,16 @@

+#!/bin/bash

+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019

+

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}

+

+# remediate read-only community string

+if grep -q 'public' /etc/snmp/snmpd.conf; then

+    sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf

+fi

+

+# remediate read-write community string

+if grep -q 'private' /etc/snmp/snmpd.conf; then

+    sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf

+fi

From 967f9eedd0dfac92d85c62231c13894964fafb5d Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 11 Sep 2020 10:23:52 +0200

Subject: [PATCH 5/6] add ansible remediation

---

 .../ansible/shared.yml                        | 21 +++++++++++++++++++

 1 file changed, 21 insertions(+)

 create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

new file mode 100644

index 0000000000..33062169cd

--- /dev/null

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

@@ -0,0 +1,21 @@

+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019

+# reboot = false

+# strategy = configure

+# complexity = low

+# disruption = medium

+

+{{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}

+

+- name: "Replace all instances of SNMP RO strings"

+  replace:

+    path: "/etc/snmp/snmpd.conf"

+    #regexp: '^[#](.*)public(.*)$'

+    regexp: 'public'

+    replace: '{{ var_snmpd_ro_string }}'

+

+- name: "Replace all instances of SNMP RW strings"

+  replace:

+    path: "/etc/snmp/snmpd.conf"

+    #regexp: '^[#](.*)private(.*)$'

+    regexp: 'private'

+    replace: '{{ var_snmpd_rw_string }}'

From 946e540dadaf43eadb43479cc6328ee503e5d981 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 14 Sep 2020 07:30:56 +0200

Subject: [PATCH 6/6] remove forgotten commented lines

---

 .../snmpd_not_default_password/ansible/shared.yml               | 2 --

 1 file changed, 2 deletions(-)

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

index 33062169cd..d92c0a17da 100644

--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

@@ -9,13 +9,11 @@

 - name: "Replace all instances of SNMP RO strings"

   replace:

     path: "/etc/snmp/snmpd.conf"

-    #regexp: '^[#](.*)public(.*)$'

     regexp: 'public'

     replace: '{{ var_snmpd_ro_string }}'

 - name: "Replace all instances of SNMP RW strings"

   replace:

     path: "/etc/snmp/snmpd.conf"

-    #regexp: '^[#](.*)private(.*)$'

     regexp: 'private'

     replace: '{{ var_snmpd_rw_string }}'