THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

Network Change & Configuration Management

Reply

Policies, Rules and CLI output: snmpv3 users

Techie
Posts: 9
6033     0

Hi,

 

Im currently implementing the CIS benchmarks for our environment. With a bit of regex magic its straightforward to create rules that check against configuration files. Unfortuanly there are a few compliance checks that cannot be checked against the config. snmpv3 users is such one. snmpv3 users are not stored in config, it can only be checked in the CLI through 'show snmp user'.

 

What is your common practise to include such checks in a policy check? To include here is preferred since comliance reporting should also be considered. But if not possible, how can it be done.. Smiley Wink

 

Thanks!

 

 

Re: Policies, Rules and CLI output: snmpv3 users

Expert
Posts: 70
6034     0

I implemented the CIS IOS 15 v4.0 policy as well.  As close as you can get is to verify that the group statement(s) include "priv" (1.5.9):

snmp-server group mygroup v3 priv access myacl

snmp-server group mygroup v3 priv context vlan- match prefix access myacl  !For switches

 

To verify the actual username encryption method, you have to either check the CLI output or use a NetMRI API call to check what's stored for a given device.

 

Depending on your environment, if your global v3 credential list only includes "sha" and "aes 128", you could argue that if polling succeeds for a device, then it must be compliant.

 

Re: Policies, Rules and CLI output: snmpv3 users

Techie
Posts: 9
6034     0

Thanks for your reply. For CIS compliance im having issue for below controls.

 

1.5.5 Set the ACL for each 'snmp-server community'

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

 

These two are applicable for our environment but not easily accomplished... The answer from both checks cannot be found in the config so, they can only be obtained in CLI through show commands.

 

Since CLI scripts are not support within the rules, policy section im looking at a script (python or css) and have it logged as an issue so the compliance can be tracked and reported upon. Many there are other options?

 

 

Re: Policies, Rules and CLI output: snmpv3 users

Superuser
Posts: 115
6034     0

Please take a look at "Script 3" here - https://community.infoblox.com/t5/How-to-Articles/5-Python-Scripts-to-get-you-started-in-NetMRI/ba-p... 

 

This will run a show command and generate an issue so you can track if something is misconfigured on the CLI that is not in the config file

 

Other options you can follow Script 4 on the same page Update a custom filed and run a report every day to see if that changes Smiley Happy

 

Let me know if that makes sense

 

Happy New Year!

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

https://sifbaksh.com

Re: Policies, Rules and CLI output: snmpv3 users

Expert
Posts: 70
6034     0

I don't understand what the issue is with verifying the v2 community string.  It's in the config in plain text.

 

As for the key length, I definitely agree with Sif -- a CLI login is required.  I wrote a script some years ago that verified the SSH config, and would auto-correct obvious ones.  E.G., only SSH v2.0, crypto key length, VTYs only allow inbound SSH, etc.

 

Re: Policies, Rules and CLI output: snmpv3 users

[ Edited ]
New Member
Posts: 1
6034     0

@SBaksh wrote:

Please take a look at "Script 3" here - https://community.infoblox.com/t5/How-to-Articles/5-Python-Scripts-to-get-you-started-in-NetMRI/ba-p... 

 

This will run a show command and generate an issue so you can track if something is misconfigured on the CLI that is not in the config file My CFA Visit

 

Other options you can follow Script 4 on the same page Update a custom filed and run a report every day to see if that changes Smiley Happy

 

Let me know if that makes sense

 

Happy New Year!


Thank you for the information and advice!

Showing results for 
Search instead for 
Did you mean: 

Recommended for You