4.5.5.5 SNMP - restrict community access

Information

If snmpd is required within the environment, implement IP access restrictions on the available community strings.

Rationale:

If SNMP is required, IP access restrictions should be put into place to limit which hosts or networks subnets are able to remotely poll the server.

Solution

Identify if there are any currently configured community strings:

grep '^community[[:blank:]]' /etc/snmpd.conf

If there are active community strings, edit the configuration file:

vi /etc/snmpd.conf

Implement IP access restrictions to ALL of the available community names e.g.:

community tivoli 192.132.10.0 255.255.255.0 readOnly

The format of each line should reflect:

community <community name> <IP addresses> <netmask> [ <permissions> <view>]

Default Value:

N/A

Additional Information:

Reversion:

Copy back the original /etc/snmpd.conf file:

cp -p /etc/snmpd.conf.pre_cis /etc/snmpd.conf

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 9838942d850044b55fd174c54c6c1f06e64f7ccaf82ecd8cb25ae3b6fd1e6973