mondoo-linux-snmp-policy.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: linux-snmp-policy
    name: Linux Server Operational Policy
    version: 1.1.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: best-practices
      mondoo.com/platform: linux
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        Linux Server SNMP Policy by Mondoo provides guidance for vulnerable SNMP configurations on Linux hosts.

        ## Local scan

        Local scans refer to scans of files and operating systems where cnspec is installed.

        To scan the `localhost` against this policy:

        ```bash
        cnspec scan local
        ```

        ## Remote scan

        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

        For a complete list of providers run:

        ```bash
        cnspec scan --help
        ```

        ### Prerequisites

        Remote scans of Linux hosts require authentication such as SSH keys.

        ### Scan a remote Linux host (SSH authentication)

        ```bash
        cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: SNMP Server Configuration
        filters: |
          asset.family.contains("linux")
          packages.contains(name == /snmpd/)
        checks:
          - uid: linux-snmp-v3-user-file-protected
          - uid: linux-snmp-contains-no-read-write-community-strings
          - uid: linux-snmp-no-unauthenticated-access

queries:
  - uid: linux-snmp-v3-user-file-protected
    title: Ensure the file containing SNMP user hashes is secured
    impact: 70
    mql: |
      file("/var/lib/snmp/snmpd.conf") {
        user.name == 'Debian-snmp'
        group.name == 'Debian-snmp'
        permissions.user_executable == false
        permissions.group_writeable == false
        permissions.group_readable == false
        permissions.group_executable == false
        permissions.other_writeable == false
        permissions.other_executable == false
        permissions.other_readable == false
      }
    docs:
      desc: |
        The file `/var/lib/snmp/snmpd.conf` contains user password hashes, which can be as weak as MD5.

        Note: So far this only works for Debian-based OSes.
      remediation: |
        Make sure to set the permissions of the file in question to 0600.
  - uid: linux-snmp-contains-no-read-write-community-strings
    title: Ensure the SNMP configuration does not contain any read-write community strings
    impact: 100
    mql: |
      files.find(from: '/etc/snmp/snmpd.conf.d', type: "file").list {
        files = _
        path
        if(path.length > 0) {
          file(path).content.lines.none(/^\s*rwcommunity6?\s/)
        }
      }
      file("/etc/snmp/snmpd.conf") {
        _.content.lines.none(/^\s*rwcommunity6?\s/)
      }
    docs:
      desc: |
        No read-write community strings should be allowed.
      remediation: |
        Remove the `rwcommunity` or `rwcommunity6` entries from your SNMP configuration files.
  - uid: linux-snmp-no-unauthenticated-access
    title: Ensure unauthenticated access to SNMP is not allowed
    impact: 100
    mql: |-
      files.find(from: '/etc/snmp/snmpd.conf.d', type: "file").list {
        files = _
        path
        if(path.length > 0) {
          file(path).content.lines.none(/^\s*rwuser\s+(\S+\s+)?noauth(\s|$)/)
        }
      }
      file("/etc/snmp/snmpd.conf") {
        _.content.lines.none(/^\s*rwuser\s+(\S+\s+)?noauth(\s|$)/)
      }
    docs:
      desc: |
        No unauthenticated access to SNMP should be allowed.

        Note: So far this only works for Debian-based OSes.
      remediation: Remove the `rwuser ... noauth` entries from the SNMP configuration files.
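The three checks above, as an added shell example that is not part of the Mondoo policy: the same detection logic written as plain `sh` functions and run over a constructed pair of `snmpd.conf` files, so the patterns can be exercised on a host without cnspec. It assumes GNU coreutils (`stat -c`) and `grep -E`, uses constructed file names and contents rather than the real `/etc/snmp` and `/var/lib/snmp` paths, and generalizes the `rwuser` check to the documented `rwuser NAME noauth` form (optionally with a `-s MODEL` flag) in addition to the bare `rwuser noauth` the policy matches.

```shell
#!/bin/sh
# Added example, not part of the Mondoo policy: the policy's three SNMP checks
# as plain shell functions. Assumes GNU coreutils `stat -c` and `grep -E`.

# Lines that set a read-write community string: optional leading whitespace,
# `rwcommunity` or `rwcommunity6`, then a separator. Writing `6?` avoids the
# alternation pitfall where `a|b(x)` is read as `(a)|(bx)`.
RW_COMMUNITY_RE='^[[:space:]]*rwcommunity6?[[:space:]]'

# `rwuser [-s MODEL] [NAME] noauth` grants SNMPv3 write access without
# authentication. Both optional groups may be absent, so the bare
# `rwuser noauth` form is matched as well.
RW_NOAUTH_RE='^[[:space:]]*rwuser([[:space:]]+-s[[:space:]]+[^[:space:]]+)?([[:space:]]+[^[:space:]]+)?[[:space:]]+noauth([[:space:]]|$)'

# lines_none RE FILE: return 0 (clean) if no line of FILE matches RE,
# otherwise print the matching lines with their numbers and return 1.
lines_none() {
  if grep -En "$1" "$2"; then
    return 1
  fi
  return 0
}

no_rw_community() { lines_none "$RW_COMMUNITY_RE" "$1"; }
no_noauth_rwuser() { lines_none "$RW_NOAUTH_RE" "$1"; }

# The SNMPv3 user store (policy: /var/lib/snmp/snmpd.conf) must be 0600,
# i.e. readable and writable by its owner only.
mode_is_0600() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Walk the main config plus every file in a conf.d directory, as the policy
# does; return 1 if any file fails either content check.
scan_snmp_config() {
  main=$1; dir=$2; rc=0
  for cfg in "$main" "$dir"/*; do
    [ -f "$cfg" ] || continue
    no_rw_community "$cfg" || rc=1
    no_noauth_rwuser "$cfg" || rc=1
  done
  return $rc
}

# Constructed sample inputs (not real hosts or real config) for a stand-alone run.
WORK=$(mktemp -d)
mkdir "$WORK/conf.d"
cat > "$WORK/bad.conf" <<'EOF'
rocommunity public
  rwcommunity private 192.0.2.0/24
rwcommunity6 private6
rwuser admin noauth
EOF
cat > "$WORK/good.conf" <<'EOF'
rocommunity public
# rwcommunity private   (commented out, so not a live setting)
rwuser admin priv
EOF
cp "$WORK/good.conf" "$WORK/conf.d/10-extra.conf"
: > "$WORK/usm.conf"          # stand-in for the user-hash store
chmod 0644 "$WORK/usm.conf"   # deliberately too permissive

for cfg in "$WORK/bad.conf" "$WORK/good.conf"; do
  if no_rw_community "$cfg" && no_noauth_rwuser "$cfg"; then
    echo "PASS $cfg"
  else
    echo "FAIL $cfg"
  fi
done
if mode_is_0600 "$WORK/usm.conf"; then echo "PASS mode"; else echo "FAIL mode (expected 0600)"; fi
```

`scan_snmp_config /path/to/snmpd.conf /path/to/snmpd.conf.d` runs the two content checks over a real layout; `lines_none` prints the offending lines with line numbers, which is what you want in a finding, while the return code is what a script or cron job keys on.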