Randomness Check to Verify SNMP Community Strings and Access Control are Sufficiently Random

The following is a simple .audit file that looks for SNMP community strings that are insufficiently random. If a community string is found that is not judged sufficiently random, the audit displays a failure message for that configuration line. Because the “required” option is set to “NO”, the check still passes if no snmp-server community strings exist. The check runs only if the router is using Feature Set “K9”; otherwise it is skipped.

<check_type: "Cisco">

<item>
  type: RANDOMNESS_CHECK
  description: "Require Authorized Read SNMP Community Strings and Access Control"
  info: "Verify an authorized community string and access control is configured to restrict read access to the device."
  feature_set: "K9"
  regex: "snmp-server community ([^ ]*) .*"
  required: NO
</item>

</check_type>

When this check runs, the following output is expected from a compliant system:

"Require Authorized Read SNMP Community Strings and Access Control" : [PASSED]

Verify an authorized community string and access control is configured to restrict read access to the device.

A failed audit would return the following output:

"Require Authorized Read SNMP Community Strings and Access Control" : [FAILED]

Verify an authorized community string and access control is configured to restrict read access to the device.

- error message:

The following configuration line does not contain a token deemed random enough:
snmp-server community foobar RO

The following configuration line does not contain a token deemed random enough:
snmp-server community public RO

In the output above, two community strings, “foobar” and “public”, were found that did not contain a sufficiently random token, so the check failed.
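To show how the pieces of the check fit together (the regex capture group selecting the community string, the feature-set gate, the required: NO behaviour when nothing matches, and the per-line failure message), here is an added Python model of the check. It is not Tenable's code, and the randomness heuristic it uses (length, character classes, Shannon entropy and a short list of well-known defaults) is an assumption chosen for illustration, not the algorithm Nessus applies. The Cisco configuration it runs over is constructed.

```python
import math
import re
from collections import Counter

# Regex taken from the .audit file on the page; the capture group is the community string.
COMMUNITY_RE = re.compile(r"snmp-server community ([^ ]*) .*")

# Assumed heuristic (not Tenable's): a token is "random enough" when it is at least
# MIN_LEN characters, uses at least three character classes, is not a well-known default,
# and its Shannon entropy is at least MIN_BITS_PER_CHAR bits per character.
MIN_LEN = 12
MIN_BITS_PER_CHAR = 3.0
WEAK_DEFAULTS = {"public", "private"}  # constructed list of common defaults

FAIL_TEXT = "The following configuration line does not contain a token deemed random enough:"


def shannon_entropy(token: str) -> float:
    """Bits per character of the token's empirical character distribution."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())


def char_classes(token: str) -> int:
    """Count of lower, upper, digit and symbol classes present in the token."""
    count = sum(1 for f in (str.islower, str.isupper, str.isdigit) if any(f(ch) for ch in token))
    if any(not ch.isalnum() for ch in token):
        count += 1
    return count


def is_sufficiently_random(token: str) -> bool:
    """Assumed randomness test applied to the captured community string."""
    if token.lower() in WEAK_DEFAULTS or len(token) < MIN_LEN:
        return False
    if char_classes(token) < 3:
        return False
    return shannon_entropy(token) >= MIN_BITS_PER_CHAR


def randomness_check(config_lines, feature_set="K9", required=False):
    """Model of the RANDOMNESS_CHECK item.

    Returns (status, errors) where status is 'PASSED', 'FAILED' or 'SKIPPED' and errors
    holds one message per offending configuration line, in the page's wording.
    """
    if feature_set != "K9":          # feature_set: "K9" -> the check is skipped otherwise
        return "SKIPPED", []
    matched = 0
    errors = []
    for raw in config_lines:
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        matched += 1
        if not is_sufficiently_random(m.group(1)):
            errors.append(f"{FAIL_TEXT}\n{line}")
    if matched == 0:
        # required: NO -> pass when no snmp-server community lines exist at all
        return ("FAILED" if required else "PASSED"), errors
    return ("FAILED" if errors else "PASSED"), errors


# Constructed running-config excerpt: two weak strings and one strong one.
SAMPLE_CONFIG = """\
version 15.2
hostname edge-router
snmp-server community foobar RO
snmp-server community public RO
snmp-server community x7Qp9$vLm2#kRw RO 10
""".splitlines()


if __name__ == "__main__":
    status, errors = randomness_check(SAMPLE_CONFIG)
    print(f'"Require Authorized Read SNMP Community Strings and Access Control" : [{status}]')
    for msg in errors:
        print()
        print(msg)
```

Running the block against the constructed config reproduces the failure output shown above for "foobar" and "public", while the third line passes; passing feature_set="IPBASE" skips the check, and a config with no snmp-server community lines passes because required is NO.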

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.