Search for a Defined SNMP ACL
Following is a simple .audit file that looks for a defined “deny” SNMP ACL. If none is found, the audit displays a failure message. This check runs only if the router IOS version matches the specified regex; otherwise the check is skipped.
<check_type: "Cisco">
<item>
type: CONFIG_CHECK
description: "Require a Defined SNMP ACL"
info: "Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device."
ios_version: "12\.[4-9]"
item: "deny ip any any"
</item>
</check_type>
When running this command, the following output is expected from a compliant system:
"Require a Defined SNMP ACL" : [PASSED]
Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device.
A failed audit would return the following output:
"Require a Defined SNMP ACL" : [FAILED]
Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device.
- error message: deny ip any any not found in the configuration file
In this case, the check failed because it was looking for the configured item string “deny ip any any”, and no matching line was found in the configuration file.
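As an added illustration (not Tenable's own parser or engine), the following script reads the item above, applies the version gate and the item search as described, and renders the same PASSED/FAILED output; the config excerpts and the SKIPPED wording are constructed assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed copy of the .audit item discussed above.
AUDIT_ITEM = r'''
<item>
type: CONFIG_CHECK
description: "Require a Defined SNMP ACL"
info: "Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device."
ios_version: "12\.[4-9]"
item: "deny ip any any"
</item>
'''

# Constructed running-config excerpts: one with a deny rule on the SNMP ACL, one without.
COMPLIANT_CONFIG = """\
access-list 100 permit ip host 10.0.0.5 any
access-list 100 deny ip any any
snmp-server community public RO 100
"""
NONCOMPLIANT_CONFIG = """\
snmp-server community public RO
"""

def parse_item(text: str) -> Dict[str, str]:
    """Parse the key: "value" lines inside <item>...</item> into a dict."""
    body = re.search(r"<item>(.*?)</item>", text, re.S).group(1)
    fields = {}
    for line in body.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().strip('"')
    return fields

def run_config_check(item: Dict[str, str], ios_version: str, config: str) -> Tuple[str, str]:
    """Evaluate a CONFIG_CHECK item as described above: skip unless the IOS version
    matches the ios_version regex, then pass only if the item string appears on some
    line of the configuration. Returns (status, rendered output). The PASSED/FAILED
    wording follows the page; the SKIPPED line is an assumption."""
    if "ios_version" in item and not re.search(item["ios_version"], ios_version):
        return "SKIPPED", f'"{item["description"]}" : [SKIPPED]'
    found = any(item["item"] in line for line in config.splitlines())
    status = "PASSED" if found else "FAILED"
    out = f'"{item["description"]}" : [{status}]\n{item["info"]}'
    if not found:
        out += f'\n- error message: {item["item"]} not found in the configuration file'
    return status, out

if __name__ == "__main__":
    spec = parse_item(AUDIT_ITEM)
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        print(run_config_check(spec, "12.4(15)T", cfg)[1], end="\n\n")
```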