secc_snmpd

pdk
This module provides partial coverage of the SoC requirements for SNMP under Linux.

T-Systems Multimedia Solutions GmbH

tsystemsmms


Version information

  • 2.1.0 (latest)
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.2.0
  • 1.1.0
released Oct 18th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 7.0.0
  • RedHat, CentOS


Documentation

tsystemsmms/secc_snmpd — version 2.1.0 Oct 18th 2019

SNMP Module


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Deviations - Possible bypass of requirements
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

This module provides partial coverage of the SoC requirements for SNMP under Linux.

Module Description

This module installs and configures the SNMP agent (snmpd) on a Linux system.

Fulfilled Requirements

  • 3.45/1 SNMP must be used in version 3.
    • Older versions of SNMP do not support secure authentication mechanisms that correspond to today's state of technology.
  • 3.45/2 The SNMP server must reject HMACs whose length is too small.
    • Many applications let the SNMP client choose the HMAC length itself; an HMAC truncated by the client to a few bytes is trivially guessable, so this is a potential security vulnerability.
  • 3.45/3 Predefined authentication credentials must be changed.
    • Credentials supplied by a third party, such as default passwords or cryptographic keys, cannot be trusted.
  • 3.45/4 Accounts must be protected against unauthorized use by at least one authentication feature (token, password, PIN).
  • 3.45/5 When passwords are used for authentication, they must be at least 8 characters long and must include three of the following character types:
    • lowercase letters
    • uppercase letters
    • digits
    • special characters
  • 3.45/6 Authentication and encryption must be enabled according to the protection requirements of the data.
  • 3.45/7 Information requiring protection must not be included in files, output or messages that are accessible to unauthorized users.
  • 3.45/8 If customers are contractually granted SNMP access to components managed by DTAG, it must be ensured that the access is read-only and that no sensitive DTAG data can be queried.

Possible deviations

  • 3.45/1, 3.45/6 can be bypassed with the parameter $v2_enabled = true (this re-enables SNMPv2, which has neither authentication nor encryption)
  • 3.45/5 can be bypassed with the parameter $enforce_password_security = false
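The following is an added example, not code from the secc_snmpd module: a plain-Ruby implementation of the 3.45/5 password rule with the same bypass semantics as the module's $enforce_password_security parameter. The function names are made up here, and "special character" is interpreted as any printable character that is neither alphanumeric nor whitespace, since the requirement does not define the set.

```ruby
# Added example, not code from the secc_snmpd module: a plain-Ruby check for
# requirement 3.45/5 (length >= 8 and at least three of four character
# classes) with the same bypass semantics as the module's
# $enforce_password_security parameter. Function names are made up here.

MIN_LENGTH = 8

# The four character classes named in 3.45/5. "Special character" is taken
# to mean any printable character that is neither alphanumeric nor
# whitespace (an assumption; the requirement does not define the set).
CHARACTER_CLASSES = {
  lowercase: /[a-z]/,
  uppercase: /[A-Z]/,
  digit:     /[0-9]/,
  special:   /[^[:alnum:][:space:]]/,
}.freeze

# Returns the list of 3.45/5 violations for +password+ (empty = compliant).
def password_violations(password)
  violations = []
  if password.length < MIN_LENGTH
    violations << "length #{password.length} is below the minimum of #{MIN_LENGTH}"
  end
  present = CHARACTER_CLASSES.select { |_, re| password.match?(re) }.keys
  if present.size < 3
    violations << "only #{present.size} of 4 character classes present (#{present.join(', ')})"
  end
  violations
end

# Mirrors the module's deviation: with enforce: false the password is
# accepted regardless, but the violations are still reported so that the
# deviation from 3.45/5 can be logged rather than silently swallowed.
def check_password(password, enforce: true)
  violations = password_violations(password)
  { ok: enforce ? violations.empty? : true, violations: violations }
end

if __FILE__ == $PROGRAM_NAME
  %w[password Passw0rd abc1234].each do |pw|
    result = check_password(pw)
    puts "#{pw.inspect}: #{result[:ok] ? 'OK' : 'REJECTED'} #{result[:violations].join('; ')}"
  end
end
```

Note that Net-SNMP's USM already refuses authentication and privacy passphrases shorter than 8 characters when a user is created, so the length check only duplicates that minimum; the character-class rule is the additional constraint that 3.45/5 adds.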

Notable

Requirement 3.45/2 cannot be fulfilled through configuration. It refers to an old Net-SNMP bug (CVE-2008-0960) in which the agent accepted the HMAC length chosen by the client, so a truncated HMAC could be forged. The bug is fixed in Net-SNMP 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1, so the requirement is met by running a patched version.
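Because 3.45/2 is met by the installed version rather than by configuration, the useful check is a version comparison against the fixed-in releases listed above. The following is an added example, not code from the secc_snmpd module: the fix was backported to several maintenance branches, so the comparison must be done per branch (5.3.2 is newer than 5.2.4.1 but still unfixed), and any branch from 5.5 onwards is assumed to postdate the fix. The function names and the sample snmpd --version output are made up here.

```ruby
# Added example, not code from the secc_snmpd module: decides whether a
# Net-SNMP / UCD-SNMP agent carries the fix for the HMAC-length bug behind
# 3.45/2, using the fixed-in versions listed in the section above. The fix
# was backported to several maintenance branches, so a plain "newer is
# better" comparison is wrong: 5.3.2 is newer than 5.2.4.1 yet unfixed.
# Function names and the sample `snmpd --version` output are made up here.
require "rubygems"

# First release of each branch that contains the fix (from the text above).
FIXED_IN = {
  "5.4" => "5.4.1.1",
  "5.3" => "5.3.2.1",
  "5.2" => "5.2.4.1",
  "5.1" => "5.1.4.1",
  "5.0" => "5.0.11.1",
  "4.2" => "4.2.7.1", # UCD-SNMP
}.freeze

# Branches newer than the last backport (5.5 onwards) were released after
# the fix and never shipped the bug (assumption based on release order).
FIRST_CLEAN_BRANCH = Gem::Version.new("5.5")

# Returns :fixed, :vulnerable or :unknown (unparseable version string, or a
# branch with no fixed release listed, e.g. UCD-SNMP 4.1).
def hmac_fix_status(version)
  return :unknown unless version.is_a?(String) && version =~ /\A[0-9]+(\.[0-9]+)*\z/
  v = Gem::Version.new(version)
  branch = version.split(".")[0, 2].join(".")
  if FIXED_IN.key?(branch)
    v >= Gem::Version.new(FIXED_IN[branch]) ? :fixed : :vulnerable
  elsif v >= FIRST_CLEAN_BRANCH
    :fixed
  else
    :unknown
  end
end

# Pulls the version number out of `snmpd --version` output
# ("NET-SNMP version:  5.7.2" on the first line). Returns nil if absent.
def parse_snmpd_version(output)
  m = output.match(/version:\s*([0-9][0-9.]*)/i)
  m && m[1]
end

# Constructed sample output, not captured from a real host.
SAMPLE_VERSION_OUTPUT =
  "NET-SNMP version:  5.7.2\nWeb:               http://www.net-snmp.org/\n".freeze

if __FILE__ == $PROGRAM_NAME
  # Pass a version string as the first argument, or use the constructed sample.
  version = ARGV[0] || parse_snmpd_version(SAMPLE_VERSION_OUTPUT)
  puts "Net-SNMP #{version}: #{hmac_fix_status(version)}"
end
```

On a real host the input comes from `snmpd --version` (or the distribution's package version); feeding that output to parse_snmpd_version and the result to hmac_fix_status gives a yes/no answer that can be recorded as evidence for 3.45/2.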

Usage

  • When this module is applied, SNMP v1 and v2 are deactivated and v3 is activated with an authentication password and an encryption (privacy) passphrase.
  • This module depends on puppetlabs/stdlib and puppetlabs/concat.
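The following is an added example, not code from the secc_snmpd module: it renders the snmpd.conf access lines that correspond to the behaviour described above (v1/v2c off, one read-only SNMPv3 user with authentication and encryption) and audits an existing snmpd.conf for lines that would violate 3.45/1, 3.45/6, 3.45/7 or 3.45/8. The directive names are Net-SNMP's; the function names, the user and community names and the sample file are made up for this example.

```ruby
# Added example, not code from the secc_snmpd module: renders the snmpd.conf
# access lines for an SNMPv3-only, read-only, authPriv setup and audits an
# existing snmpd.conf for lines that violate 3.45/1, 3.45/6, 3.45/7 or
# 3.45/8. Directive names are Net-SNMP's; function names, user and community
# names and the sample file are made up here.

# Net-SNMP directives that grant community-based (v1/v2c) access.
COMMUNITY_DIRECTIVES = %w[rocommunity rocommunity6 rwcommunity rwcommunity6
                          com2sec com2sec6].freeze

# Security-level keywords Net-SNMP accepts after rouser/rwuser.
LEVEL_KEYWORDS = %w[noauth noauthnopriv auth authnopriv priv authpriv].freeze
# Levels that satisfy 3.45/6 (authentication and encryption).
PRIV_LEVELS = %w[priv authpriv].freeze

# Renders the access-control part of snmpd.conf. With v2_enabled: true it
# adds the unauthenticated, cleartext community that the module's
# $v2_enabled deviation re-enables.
def render_snmpd_conf(user, v2_enabled: false, community: nil)
  lines = ["# SNMPv3 only: read-only user, security level priv (authentication + encryption)"]
  lines << "rouser #{user} priv"
  if v2_enabled
    raise ArgumentError, "community required when v2 is enabled" if community.nil?
    lines << "# deviation from 3.45/1 and 3.45/6: SNMPv2c community access"
    lines << "rocommunity #{community} default"
  end
  lines.join("\n") + "\n"
end

# Returns one finding per offending line of +text+ (empty = compliant).
def audit_snmpd_conf(text)
  findings = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.sub(/#.*/, "").strip   # drop comments (also cuts a '#' inside a passphrase)
    next if line.empty?
    directive, *args = line.split
    case directive.downcase
    when *COMMUNITY_DIRECTIVES
      findings << "line #{n}: #{directive} grants SNMP v1/v2c access (3.45/1, 3.45/6)"
    when "rwuser"
      findings << "line #{n}: rwuser #{args[0]} grants write access (3.45/8)"
    when "rouser"
      # Syntax: rouser USER [noauth|auth|priv] [OID | -V VIEW]; an omitted
      # level defaults to auth, i.e. authenticated but unencrypted.
      level = LEVEL_KEYWORDS.include?(args[1].to_s.downcase) ? args[1].downcase : "auth"
      unless PRIV_LEVELS.include?(level)
        findings << "line #{n}: rouser #{args[0]} at level #{level}, not priv (3.45/6)"
      end
    when "createuser"
      findings << "line #{n}: createUser puts passphrases in snmpd.conf; keep it in the persistent " \
                  "config (e.g. /var/lib/net-snmp/snmpd.conf) so snmpd replaces it with localized keys (3.45/7)"
    end
  end
  findings
end

# Constructed sample snmpd.conf, not taken from a real host.
SAMPLE_SNMPD_CONF = <<~CONF
  # CentOS default plus a few hand-added lines
  rocommunity public
  rwuser admin priv
  rouser monitor auth
  rouser nms priv
  createUser nms SHA auth-pass-changeme AES priv-pass-changeme
CONF

if __FILE__ == $PROGRAM_NAME
  puts render_snmpd_conf("nms")
  audit_snmpd_conf(SAMPLE_SNMPD_CONF).each { |f| puts f }
end
```

The audit is line-based and deliberately conservative: a rouser line without an explicit level is reported, because Net-SNMP treats it as auth (no encryption), and createUser is reported wherever it appears in the main file, since snmpd only rewrites the cleartext passphrases into localized keys in its persistent configuration file.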

Reference

  • The requirements come from the technical security requirements document 3_45_SNMP.pdf of the PSA (Privacy and Security Assessment) procedure

Limitations

  • This module was tested with CentOS 6 and CentOS 7

Development

  • Please document changes within the module using git commit messages
  • Run the tests with: bundle install, then bundle exec rake