From 5ac59fa21c10ba7d87beefaa8c26099ddd73a0c3 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 4 Sep 2020 15:51:47 +0200 Subject: [PATCH 1/6] make oval regex stricter --- .../snmpd_not_default_password/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml index b617c7339d..1bc84e1a88 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml @@ -17,7 +17,7 @@ /etc/snmp/snmpd.conf - ^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private) + ^((?!#).)*(public|private).* 1 From 481cce33f5b148071e36d07a75291f5d39a8c02a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 4 Sep 2020 15:52:07 +0200 Subject: [PATCH 2/6] add tests --- .../snmpd_not_default_password/tests/both.fail.sh | 6 ++++++ .../snmpd_not_default_password/tests/commented.pass.sh | 7 +++++++ .../snmpd_not_default_password/tests/correct.pass.sh | 6 ++++++ .../snmpd_not_default_password/tests/private.fail.sh | 5 +++++ .../snmpd_not_default_password/tests/public.fail.sh | 6 ++++++ 5 files changed, 30 insertions(+) create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh 
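Review bot: The new pattern `^((?!#).)*(public|private).*` is no longer tied to a directive and has no word boundaries, so any uncommented line that merely contains the substring fails the rule, for example a site-specific value such as `rocommunity notpublic1` (constructed sample). If only the literal default strings are meant, bound the alternation, e.g. `^((?!#).)*\b(public|private)\b`, provided the scanner's regex dialect supports `\b`. The trailing `.*` adds nothing to a pattern match and can be dropped. The XML markup around the pattern is not visible in this hunk, so the test's operation and instance settings could not be checked here.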
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
new file mode 100644
index 0000000000..5b8efa3c75
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something public" >> /etc/snmp/snmpd.conf
+echo "something private" >> /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
new file mode 100644
index 0000000000..410d00f5a1
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
+echo '# public' >> /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
new file mode 100644
index 0000000000..355cc8b71d
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
new file mode 100644
index 0000000000..c6bcf9b401
--- /dev/null
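Review bot: The fail scenarios only append a made-up line (`something public`) and commented.pass.sh only covers a `#` at the start of the line, so the tests do not record how the check should treat a real directive or a partial match. Consider adding a fail case with an actual directive, e.g. `echo "rocommunity public" >> /etc/snmp/snmpd.conf`, and cases where the word appears only inside a longer community string or after an inline `#` on an active line. The same applies to private.fail.sh and public.fail.sh later in this patch.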
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something private" >> /etc/snmp/snmpd.conf
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
new file mode 100644
index 0000000000..43022ba28c
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+yum -y install net-snmp
+
+echo "something public" >> /etc/snmp/snmpd.conf
+
From 9ad3734aa2c6a40fc8a6881d361e420faaaa1117 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 9 Sep 2020 11:19:46 +0200
Subject: [PATCH 3/6] add variables
---
.../snmpd_not_default_password/bash/shared.sh | 5 -----
.../snmpd_not_default_password/rule.yml | 1 +
.../snmp_configure_server/var_snmpd_ro_string.var | 14 ++++++++++++++
.../snmp_configure_server/var_snmpd_rw_string.var | 14 ++++++++++++++
4 files changed, 29 insertions(+), 5 deletions(-)
delete mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
deleted file mode 100644
index 4d5bc82282..0000000000
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
+++ /dev/null
@@ -1,5 +0,0 @@ -# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol - -if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then - sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf -fi diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml index 648f45caa2..72d2495713 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml @@ -7,6 +7,7 @@ title: 'Ensure Default SNMP Password Is Not Used' description: |- Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. + This profile configures new read-only community string to {{{ sub_var_value("var_snmpd_ro_string") }}} and read-write community string to {{{ sub_var_value("var_snmpd_rw_string") }}}. Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
new file mode 100644
index 0000000000..ac755d154f
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SNMP read-only community string'
+
+description: "Specify the SNMP community string used for read-only access."
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: changemero
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
new file mode 100644
index 0000000000..7d2016a4dd
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SNMP read-write community string'
+
+description: "Specify the SNMP community string used for read-write access."
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: changemerw
From c2f193a43373900d65da6134325a8916a734c659 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 9 Sep 2020 18:03:31 +0200
Subject: [PATCH 4/6] add bash remediation
---
.../snmpd_not_default_password/bash/shared.sh | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
new file mode 100644
index 0000000000..1b0474c07c
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
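Review bot: The defaults `changemero` and `changemerw` are fixed values shipped with the content, so a system remediated without tailoring ends up with community strings that are as publicly known as `public` and `private` while the rule reports a pass. Both variable files share this. A community string is effectively a shared credential, so each `description` should at least say that the default is a placeholder, e.g. `description: "Specify the SNMP community string used for read-only access. The default is a placeholder and must be replaced with a site-specific value."`. The rule.yml hunk in this patch also renders the selected value into the guide text through `sub_var_value`, which would presumably put the credential into generated documents.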
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
+
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
+
+# remediate read-only community string
+if grep -q 'public' /etc/snmp/snmpd.conf; then
+ sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf
+fi
+
+# remediate read-write community string
+if grep -q 'private' /etc/snmp/snmpd.conf; then
+ sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf
+fi
From 967f9eedd0dfac92d85c62231c13894964fafb5d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 11 Sep 2020 10:23:52 +0200
Subject: [PATCH 5/6] add ansible remediation
---
.../ansible/shared.yml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
new file mode 100644
index 0000000000..33062169cd
--- /dev/null
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
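Review bot: `$var_snmpd_ro_string` and `$var_snmpd_rw_string` are pasted into the sed program unescaped, and both are user-tailorable (`interactive: true` in the .var files), so a value containing `/`, `&` or a backslash either breaks the command or is interpreted by sed instead of being written literally. Escape those characters before the substitution, or use a delimiter the value cannot contain, and add the `g` flag, since `s/public/…/` rewrites only the first match on each line. The match is also a bare substring over the whole file, comments included. A tailored value that itself contains `public` or `private` therefore keeps failing the OVAL check and is rewritten again on every rerun. The Ansible tasks in PATCH 5/6 match the same way.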
@@ -0,0 +1,21 @@ +# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019 +# reboot = false +# strategy = configure +# complexity = low +# disruption = medium + +{{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}} + +- name: "Replace all instances of SNMP RO strings" + replace: + path: "/etc/snmp/snmpd.conf" + #regexp: '^[#](.*)public(.*)$' + regexp: 'public' + replace: '{{ var_snmpd_ro_string }}' + +- name: "Replace all instances of SNMP RW strings" + replace: + path: "/etc/snmp/snmpd.conf" + #regexp: '^[#](.*)private(.*)$' + regexp: 'private' + replace: '{{ var_snmpd_rw_string }}' From 946e540dadaf43eadb43479cc6328ee503e5d981 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 14 Sep 2020 07:30:56 +0200 Subject: [PATCH 6/6] remove forgotten commented lines --- .../snmpd_not_default_password/ansible/shared.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml index 33062169cd..d92c0a17da 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml @@ -9,13 +9,11 @@ - name: "Replace all instances of SNMP RO strings" replace: path: "/etc/snmp/snmpd.conf" - #regexp: '^[#](.*)public(.*)$' regexp: 'public' replace: '{{ var_snmpd_ro_string }}' - name: "Replace all instances of SNMP RW strings" replace: path: "/etc/snmp/snmpd.conf" - #regexp: '^[#](.*)private(.*)$' regexp: 'private' replace: '{{ var_snmpd_rw_string }}'
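Review bot: The `replace:` values in both tasks are used as regular-expression replacement templates, so a tailored community string containing a backslash sequence such as `\1` would presumably be read as a group reference rather than literal text. The variable should be escaped or restricted to a safe character set before it reaches these tasks. The tasks also have no guard for a missing `/etc/snmp/snmpd.conf`, whereas the bash remediation wraps each edit in `if grep -q …`. It is worth confirming how the `replace` module behaves when the file is absent and adding a condition if it fails.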