secc_snmpd

This module provides partial coverage of the SoC requirements for SNMP on Linux.

Version information

  • 2.1.0 (latest)
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.2.0
  • 1.1.0
released Oct 18th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 7.0.0
This module has been deprecated by its author since Jun 22nd 2021.

The author has suggested puppet-snmp as its replacement.

tsystemsmms/secc_snmpd — version 2.1.0 Oct 18th 2019

SNMP Module

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Deviations - Possible bypass of requirements
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

This module provides partial coverage of the SoC requirements for SNMP on Linux.

Module Description

This module can install and configure SNMP on a Linux system.

Fulfilled Requirements

  • 3.45/1 SNMP must be used in version 3.
    • older versions of SNMP do not support secure authentication mechanisms which correspond to today's state of technology
  • 3.45/2 The SNMP server has to prevent the use of an HMAC that is too short
    • many current applications allow the SNMP client to set the length of the HMAC themselves - this represents a potential security vulnerability
  • 3.45/3 Predefined authentication characteristics have to be changed
    • third-party authentication features, such as passwords or cryptographic keys, cannot be trusted.
  • 3.45/4 Accounts must be protected against unauthorized use by using at least one authentication feature (token, passwords, PINs)
  • 3.45/5 When using passwords for authentication, they have to be at least 8 characters long and must include three of the following character types:
    • lowercase letters
    • uppercase letters
    • digits
    • special characters
  • 3.45/6 Authentication and encryption must be enabled depending on the protection requirements of the data
  • 3.45/7 Information requiring protection must not be included in files, issues and messages that are accessible to unauthorized users
  • 3.45/8 If customers are contractually granted SNMP access to components managed by the DTAG, it must be ensured that they are read-only and no vulnerable data of the DTAG can be queried
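
The requirements above can be checked against a rendered snmpd.conf. The following is an added example, not code from this module: it uses standard Net-SNMP directive names, a constructed sample configuration, and assumes the data requires both authentication and encryption (authPriv) for 3.45/6.

```ruby
require 'shellwords'

# 3.45/5: at least 8 characters and three of the four character types.
def password_ok?(pw)
  kinds = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].count { |re| pw.match?(re) }
  pw.length >= 8 && kinds >= 3
end

# Returns [line_number, requirement, message] triples for snmpd.conf text.
def audit_snmpd_conf(text)
  findings = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    directive, *args = Shellwords.split(line)
    case directive
    when /\A(ro|rw)community6?\z/, /\Acom2sec6?\z/
      findings << [n, '3.45/1', "#{directive} enables community-based SNMP v1/v2c"]
    when 'rwuser'
      findings << [n, '3.45/8', "#{args.first} has write access"]
    when 'rouser'
      # Net-SNMP defaults to 'auth' when no level is given; assumption: authPriv is required.
      level = args.find { |a| %w[noauth auth priv].include?(a) } || 'auth'
      findings << [n, '3.45/6', "#{args.first} may connect without encryption (#{level})"] unless level == 'priv'
    when 'createUser'
      args = args.drop(2) if args.first == '-e' # optional engine ID
      user, _auth_proto, auth_pass, _priv_proto, priv_pass = args
      # Report only which secret is weak, never the secret itself (3.45/7).
      { 'auth' => auth_pass, 'priv' => priv_pass }.each do |kind, pw|
        next if pw.nil? || password_ok?(pw)
        findings << [n, '3.45/5', "#{user}: #{kind} passphrase fails the password policy"]
      end
    end
  end
  findings
end

# Constructed sample configuration (not taken from the module's templates).
SAMPLE_CONF = <<~CONF
  # legacy access left over from a distribution default
  rocommunity public 127.0.0.1
  createUser monitor SHA "Str0ng#Auth" AES "Pr1v-Phrase"
  createUser backup SHA "password1" AES "Pr1v-Phrase"
  rouser monitor priv
  rouser backup auth
  rwuser admin priv
CONF

audit_snmpd_conf(SAMPLE_CONF).each { |n, req, msg| puts "line #{n}: [#{req}] #{msg}" }
```
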

Possible deviations

  • 3.45/1, 3.45/6 Can be bypassed with the parameter $v2_enabled = true
  • 3.45/5 Can be bypassed with the parameter $enforce_password_security = false

Notable

Requirement 3.45/2 cannot be fulfilled through configuration. It refers to an old bug, which is resolved in the current versions (Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1).

Usage

  • By using this module, SNMP v1 and v2 will be deactivated and v3 activated using a password and a passphrase.
  • This module depends on puppetlabs/stdlib and puppetlabs/concat

Reference

  • The requirements come from the technical safety requirements 3_45_SNMP.pdf of the PSA procedure

Limitations

  • This module was tested with CentOS6 and CentOS7

Development

  • Please document changes within the module using git commits
  • Execution of tests: bundler install, bundler exec rake