4.5.5.3 SNMP - disable public community string

Information

If snmpd is required within the environment, disable or change the public community string.

Rationale:

The public community string can be polled by remote SNMP devices and pertinent information can be read or changed on the host. The public community string should be commented out, or if SNMP is a required service the public community name should be changed to a combination of letters, numbers and special characters to enhance security.

Solution

Edit the file:

vi /etc/snmpd.conf

Comment out the public entry:

#community public

Default Value:

Commented in

Additional Information:

Reversion:

Copy back the original /etc/snmpd.conf file:

cp -p /etc/snmpd.conf.pre_cis /etc/snmpd.conf
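
The Solution and Reversion steps above, combined into one added shell example (not part of the benchmark text). The function names find_public and disable_public are hypothetical; the .pre_cis backup name is the one the reversion step expects, and the matching assumes the whitespace-separated "community <name>" form shown above.

```shell
#!/bin/sh
# Added example: audit and comment out an active "community public" entry.
# find_public and disable_public are hypothetical helper names.

# Print active (uncommented) "community public" lines with line numbers.
# Exit status 0 if at least one is found, 1 if none.
find_public() {
    awk '$1 == "community" && $2 == "public" { print NR ": " $0; hit = 1 }
         END { exit !hit }' "$1"
}

# Comment out every active "community public" entry in the file given as $1.
# Returns 0 when the file ends up clean, 1 if an entry survives, 2 on I/O error.
disable_public() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if ! find_public "$conf" >/dev/null; then
        echo "PASS: no active public community in $conf"
        return 0
    fi
    # Keep the original once; a later run must not overwrite it with an
    # already-modified file, or the reversion step would restore the wrong state.
    [ -e "$conf.pre_cis" ] || cp -p "$conf" "$conf.pre_cis" || return 2
    tmp="$conf.tmp.$$"
    awk '$1 == "community" && $2 == "public" { print "#" $0; next } { print }' \
        "$conf" >"$tmp" || { rm -f "$tmp"; return 2; }
    # Write through the existing file so its owner and mode stay unchanged.
    cat "$tmp" >"$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    if find_public "$conf" >/dev/null; then
        echo "FAIL: public community still active in $conf" >&2
        return 1
    fi
    echo "FIXED: public community commented out in $conf"
}

# Run only when asked: sh script.sh --fix [path]
if [ "${1:-}" = "--fix" ]; then
    disable_public "${2:-/etc/snmpd.conf}"
fi
```

The running snmpd keeps answering to the old community until it re-reads its configuration.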

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5c.

Plugin: Unix

Control ID: 6347af1184c903e97799948726e57cc39e5cb7410a485ca107a57bb8686fca68