Search for a Defined SNMP ACL

Following is a simple .audit file that looks for a defined "deny" SNMP ACL. If no matching rule is found, the audit displays a failure message. The check runs only if the router's IOS version matches the regular expression given in ios_version; otherwise the check is skipped.

<check_type: "Cisco">

<item>
type: CONFIG_CHECK
description: "Require a Defined SNMP ACL"
info: "Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device."
ios_version: "12\.[4-9]"
item: "deny ip any any"
</item>

</check_type>

When this check runs, the following output is expected from a compliant system:

"Require a Defined SNMP ACL" : [PASSED]

Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device.

A failed audit would return the following output:

"Require a Defined SNMP ACL" : [FAILED]

Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device.

- error message: deny ip any any not found in the configuration file

In this case, the check failed because it was looking for a "deny ip any any" rule, and none was found in the configuration.
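To make the semantics of the check concrete, the following is an added example (not Tenable's own parser or Nessus code) that reads the .audit item above, gates it on the ios_version regex against a "show version" string, searches a constructed running configuration for the item string, and prints a report in the same PASSED/FAILED shape the page shows. The substring-match rule, the version-extraction regex, the SKIPPED report format and the sample configurations are all assumptions made for this illustration.

```python
import re

# Constructed copy of the page's .audit item; the evaluator below is an
# illustration of the described behaviour, not Tenable's implementation.
AUDIT_TEXT = r'''
<check_type: "Cisco">
<item>
type: CONFIG_CHECK
description: "Require a Defined SNMP ACL"
info: "Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device."
ios_version: "12\.[4-9]"
item: "deny ip any any"
</item>
</check_type>
'''

KEY_VALUE = re.compile(r'^(\w+)\s*:\s*"?(.*?)"?$')


def parse_audit_items(audit_text):
    """Return one dict per <item> block, mapping each key to its unquoted value."""
    items, current = [], None
    for raw in audit_text.splitlines():
        line = raw.strip()
        if line == "<item>":
            current = {}
        elif line == "</item>":
            items.append(current)
            current = None
        elif current is not None:
            match = KEY_VALUE.match(line)
            if match:
                current[match.group(1)] = match.group(2)
    return items


def ios_version(show_version_output):
    """Pull the version token (e.g. 12.4(24)T) out of 'show version' text (assumed format)."""
    match = re.search(r"Version\s+([^\s,]+)", show_version_output)
    return match.group(1) if match else ""


def run_config_check(item, show_version_output, running_config):
    """Evaluate a CONFIG_CHECK item: skip unless ios_version matches, pass if the
    item string appears anywhere in the configuration, otherwise fail with the
    error message the page shows. Returns (status, report_text)."""
    desc, info = item["description"], item.get("info", "")
    version = ios_version(show_version_output)
    if "ios_version" in item and not re.search(item["ios_version"], version):
        # The page shows no SKIPPED output; this report line is an assumed format.
        return "SKIPPED", f'"{desc}" : [SKIPPED]\n\nIOS version {version} does not match /{item["ios_version"]}/'
    if item["item"] in running_config:  # plain substring match over the whole config (assumption)
        return "PASSED", f'"{desc}" : [PASSED]\n\n{info}'
    return "FAILED", (f'"{desc}" : [FAILED]\n\n{info}\n\n'
                      f'- error message: {item["item"]} not found in the configuration file')


# Constructed sample inputs (not captured from a real device).
SHOW_VERSION_12_4 = "Cisco IOS Software, C2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)"
SHOW_VERSION_15_2 = "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M7, RELEASE SOFTWARE (fc2)"

COMPLIANT_CONFIG = """\
hostname edge-rtr-1
!
ip access-list extended SNMP-MGMT
 permit ip host 10.1.1.10 any
 deny ip any any
!
snmp-server community EXAMPLE-COMMUNITY RO SNMP-MGMT
"""

NONCOMPLIANT_CONFIG = """\
hostname edge-rtr-2
!
ip access-list extended SNMP-MGMT
 permit ip any any
!
snmp-server community EXAMPLE-COMMUNITY RO SNMP-MGMT
"""

ITEM = parse_audit_items(AUDIT_TEXT)[0]

if __name__ == "__main__":
    for label, version_text, config in [("compliant", SHOW_VERSION_12_4, COMPLIANT_CONFIG),
                                         ("non-compliant", SHOW_VERSION_12_4, NONCOMPLIANT_CONFIG),
                                         ("version mismatch", SHOW_VERSION_15_2, COMPLIANT_CONFIG)]:
        status, report = run_config_check(ITEM, version_text, config)
        print(f"--- {label} ({status}) ---\n{report}\n")
```

Note what the check does and does not establish: because the item is a plain search for "deny ip any any" anywhere in the configuration, a hit proves only that such a rule exists somewhere, not that the ACL containing it is bound to the snmp-server community line. A stricter audit would need an item that ties the rule to the SNMP configuration, which is outside what this example demonstrates.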

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.