Randomness Check to Verify SNMP Community Strings and Access Control are Sufficiently Random

The following is a simple .audit file that looks for SNMP community strings that are insufficiently random. If a community string is found that is not sufficiently random, the audit displays a failure message. Because the “required” option is set to “NO”, the check still passes if no snmp-server community strings exist. The check runs only if the router is using Feature Set “K9”; otherwise it is skipped.

<check_type: "Cisco">

<item>
type: RANDOMNESS_CHECK
description: "Require Authorized Read SNMP Community Strings and Access Control"
info: "Verify an authorized community string and access control is configured to restrict read access to the device."
feature_set: "K9"
regex: "snmp-server community ([^ ]*) .*"
required: NO
</item>

</check_type>

When running this check, the following output is expected from a compliant system:

"Require Authorized Read SNMP Community Strings and Access Control" : [PASSED]

Verify an authorized community string and access control is configured to restrict read access to the device.

A failed audit would return the following output:

"Require Authorized Read SNMP Community Strings and Access Control" : [FAILED]

Verify an authorized community string and access control is configured to restrict read access to the device.

- error message:

The following configuration line does not contain a token deemed random enough:
snmp-server community foobar RO

The following configuration line does not contain a token deemed random enough:
snmp-server community public RO

In the case above, two strings, “foobar” and “public”, did not have a sufficiently random token and thus failed the check.
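To make the semantics of this item concrete, here is an added Python example (not Tenable's code, and not the .audit engine's actual randomness algorithm) that applies the page's regex to a constructed Cisco configuration snippet, decides whether each captured community string is "random enough", and reproduces the PASSED / FAILED / skipped outcomes described above. The randomness test itself (a weak-word list, a minimum length, character-class mix and a Shannon entropy floor) is an assumption chosen for illustration; the real check's criteria are not documented on this page. The sample configuration, the weak-word list and the strong community string are all constructed.

```python
import math
import re

# Regex taken from the .audit item on the page: group 1 is the community string token.
COMMUNITY_RE = re.compile(r"snmp-server community ([^ ]*) .*")

# Constructed sample config: the two weak strings from the page's failure output plus
# one constructed strong string bound to an access list.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community foobar RO
snmp-server community public RO
snmp-server community 7Hq2pX9vLm4ZtR1c RO 10
snmp-server location DC-1
"""

# Constructed weak-token list (assumption; the real check's list is not on the page).
WEAK_WORDS = {"public", "private", "foobar", "cisco", "admin", "secret", "community"}


def shannon_entropy_bits(token: str) -> float:
    """Total Shannon entropy of the token in bits (per-character entropy times length)."""
    if not token:
        return 0.0
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def is_sufficiently_random(token: str, min_len: int = 12, min_bits: float = 40.0) -> bool:
    """Heuristic (assumption, not the .audit engine's algorithm): reject known weak words,
    short tokens, tokens drawn from a single character class, and low-entropy tokens."""
    if token.lower() in WEAK_WORDS:
        return False
    if len(token) < min_len:
        return False
    classes = sum([
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])
    if classes < 2:
        return False
    return shannon_entropy_bits(token) >= min_bits


def audit_randomness(config: str, feature_set: str, required: bool = False):
    """Evaluate the RANDOMNESS_CHECK item: returns (status, error_messages).

    Mirrors the page's semantics: the item is skipped unless the feature set is K9,
    passes when no community lines exist and required is NO, and fails when any
    captured token is not deemed random enough (one error message per line)."""
    if feature_set != "K9":
        return "SKIPPED", []
    errors = []
    matched = 0
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        matched += 1
        if not is_sufficiently_random(m.group(1)):
            errors.append(
                "The following configuration line does not contain a token deemed random enough:\n"
                + line.strip()
            )
    if matched == 0:
        return ("FAILED" if required else "PASSED"), errors
    return ("FAILED" if errors else "PASSED"), errors


if __name__ == "__main__":
    status, errs = audit_randomness(SAMPLE_CONFIG, feature_set="K9")
    print(f'"Require Authorized Read SNMP Community Strings and Access Control" : [{status}]')
    for e in errs:
        print("- error message:\n" + e + "\n")
```

Running the block against the constructed sample reports FAILED with two error messages, one for "foobar" and one for "public", while the long mixed-case string passes; calling `audit_randomness` with a feature set other than "K9" returns SKIPPED, and a configuration with no community lines passes because `required` defaults to the page's "NO".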