2.2.24 Ensure default SNMP community strings don't exist

Information

SNMP community strings must be changed from the default values.

Rationale:

Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.

Solution

If the /etc/snmp/snmpd.conf file exists, modify any lines that contain a community string value of public or private to another string value.
Example: vim /etc/snmp/snmpd.conf
Example of changing the public and private string value:

snmp-server community nEV8rM1ndthi$ RO

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72313

Rule ID: SV-86937r2_rule

STIG ID: RHEL-07-040800

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5c.

Plugin: Unix

Control ID: 3f84043da2803c29c2661870de20b2e36c3b0a244fa35935d53316b6c355c9ff