4.5.5.4 SNMP - disable Readwrite community access

Information

If snmpd is required within the environment, disable readWrite permissions for all active community strings.

Rationale:

If SNMP is required, no configured community string should carry global readWrite permission: a readWrite community lets any remote client that presents the string both query and set system configuration parameters. readWrite communities must be disabled unless absolutely necessary, and where one is kept, its IP address and netmask fields must restrict access to trusted machines on your network. Because SNMPv1 uses the community name as its only authentication, and sends it in cleartext on the wire, every community name must be longer than six characters and mix letters, numbers, and special characters.

Solution

Identify whether any community strings are currently configured, and which of them carry readWrite in the permission field:

grep '^community[[:blank:]]' /etc/snmpd.conf

If any active community string is granted readWrite, edit the configuration file:

vi /etc/snmpd.conf

Replace all instances of:

community <community name> <IP addresses> <netmask> [ readWrite <view>]

With:

community <community name> <IP addresses> <netmask> [ readOnly <view>]
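The procedure above carried out as a script: an audit function that lists community lines whose permission field is readWrite, and a hardening function that downgrades them to readOnly after saving the untouched file as /etc/snmpd.conf.pre_cis (the copy the reversion step below restores). This is an added example, not part of the CIS benchmark or of AIX. It assumes the line layout quoted above, with the permission keyword in the fifth whitespace-separated field, and runs its demonstration on a constructed sample file rather than the live /etc/snmpd.conf.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or AIX. Audits an AIX-style
# snmpd.conf for community strings granting readWrite and downgrades them.
# Assumed line format (from the benchmark text):
#   community <name> <IP address> <netmask> [readOnly|readWrite|none [<view>]]
# so the permission keyword, when present, is field 5.

# Print community lines whose permission field is readWrite. The keyword
# match is case-insensitive. Exit status 0 if any were found, 1 otherwise.
list_readwrite() {
    awk 'tolower($1) == "community" && tolower($5) == "readwrite" { print; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Number of readWrite community lines in $1 (0 when the file is clean).
count_readwrite() {
    list_readwrite "$1" | wc -l | tr -d ' '
}

# Write a copy of $1 to $2 with every readWrite community downgraded to
# readOnly. Only the permission field of community lines changes; comments
# and other directives pass through untouched. awk rejoins an edited line
# with single spaces, which snmpd accepts.
downgrade_readwrite() {
    awk 'tolower($1) == "community" && tolower($5) == "readwrite" { $5 = "readOnly" }
         { print }' "$1" > "$2"
}

# Harden a live file in place. The first run keeps a pristine copy as
# <file>.pre_cis for reversion; later runs leave that copy alone. The
# hardened text is written back through the existing file so its owner
# and mode are preserved. On AIX, snmpd re-reads the file only after
# "refresh -s snmpd", which is left to the operator.
harden_in_place() {
    conf="$1"
    [ -f "$conf.pre_cis" ] || cp -p "$conf" "$conf.pre_cis"
    downgrade_readwrite "$conf" "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
}

# Demonstration on a constructed sample (not a real AIX default file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/snmpd.conf" <<'EOF'
# constructed sample snmpd.conf
community public    0.0.0.0      0.0.0.0         readOnly
community private   127.0.0.1    255.255.255.255 readWrite
community netmon    10.1.2.0     255.255.255.0   readWrite 1.17.2
community admin     10.1.2.5     255.255.255.255 READWRITE
EOF
    echo "Before: $(count_readwrite "$tmp/snmpd.conf") readWrite community string(s)"
    harden_in_place "$tmp/snmpd.conf"
    echo "After:  $(count_readwrite "$tmp/snmpd.conf") readWrite community string(s)"
    cat "$tmp/snmpd.conf"
    rm -rf "$tmp"
}

demo
```

To apply it to a real host, call harden_in_place /etc/snmpd.conf as root and then refresh the daemon; the edited file still needs the trusted-host IP address and netmask restrictions described in the rationale, which the script deliberately does not invent.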

Default Value:

N/A

Additional Information:

Reversion:

Copy back the original /etc/snmpd.conf from the backup taken before the edit:

cp -p /etc/snmpd.conf.pre_cis /etc/snmpd.conf

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 550b7ff351da7e61f379ed906f2654ab3717c4cbec461d3f98b930647b98f82a