Policies, Rules and CLI output: snmpv3 users

semangka99 · ‎12-24-2019

Hi,

Im currently implementing the CIS benchmarks for our environment. With a bit of regex magic its straightforward to create rules that check against configuration files. Unfortuanly there are a few compliance checks that cannot be checked against the config. snmpv3 users is such one. snmpv3 users are not stored in config, it can only be checked in the CLI through 'show snmp user'.

What is your common practise to include such checks in a policy check? To include here is preferred since comliance reporting should also be considered. But if not possible, how can it be done..

Thanks!

MAdkins · ‎12-24-2019

I implemented the CIS IOS 15 v4.0 policy as well. As close as you can get is to verify that the group statement(s) include "priv" (1.5.9):

snmp-server group mygroup v3 priv access myacl

snmp-server group mygroup v3 priv context vlan- match prefix access myacl !For switches

To verify the actual username encryption method, you have to either check the CLI output or use a NetMRI API call to check what's stored for a given device.

Depending on your environment, if your global v3 credential list only includes "sha" and "aes 128", you could argue that if polling succeeds for a device, then it must be compliant.

semangka99 · ‎01-02-2020

Thanks for your reply. For CIS compliance im having issue for below controls.

1.5.5 Set the ACL for each 'snmp-server community'

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

These two are applicable for our environment but not easily accomplished... The answer from both checks cannot be found in the config so, they can only be obtained in CLI through show commands.

Since CLI scripts are not support within the rules, policy section im looking at a script (python or css) and have it logged as an issue so the compliance can be tracked and reported upon. Many there are other options?

SBaksh · ‎01-02-2020

Please take a look at "Script 3" here - https://community.infoblox.com/t5/How-to-Articles/5-Python-Scripts-to-get-you-started-in-NetMRI/ba-p...

This will run a show command and generate an issue so you can track if something is misconfigured on the CLI that is not in the config file

Other options you can follow Script 4 on the same page Update a custom filed and run a report every day to see if that changes

Let me know if that makes sense

Happy New Year!

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

https://sifbaksh.com

MAdkins · ‎01-08-2020

I don't understand what the issue is with verifying the v2 community string. It's in the config in plain text.

As for the key length, I definitely agree with Sif -- a CLI login is required. I wrote a script some years ago that verified the SSH config, and would auto-correct obvious ones. E.G., only SSH v2.0, crypto key length, VTYs only allow inbound SSH, etc.

WiseHawk · ‎04-03-2020

@SBaksh wrote:
Please take a look at "Script 3" here - https://community.infoblox.com/t5/How-to-Articles/5-Python-Scripts-to-get-you-started-in-NetMRI/ba-p...

This will run a show command and generate an issue so you can track if something is misconfigured on the CLI that is not in the config file My CFA Visit

Other options you can follow Script 4 on the same page Update a custom filed and run a report every day to see if that changes

Let me know if that makes sense

Happy New Year!

Thank you for the information and advice!

THE GAME HAS CHANGED

Network Change & Configuration Management

Policies, Rules and CLI output: snmpv3 users

Re: Policies, Rules and CLI output: snmpv3 users

Re: Policies, Rules and CLI output: snmpv3 users

Re: Policies, Rules and CLI output: snmpv3 users

Re: Policies, Rules and CLI output: snmpv3 users

Re: Policies, Rules and CLI output: snmpv3 users