{"description": "If it is necessary to run the snmpd agent on the system, some best\npractices should be followed to minimize the security risk from the\ninstallation. The multiple security models implemented by SNMP cannot be fully\ncovered here so only the following general configuration advice can be offered:\n<ul>\n<li>use only SNMP version 3 security models and enable the use of authentication and encryption</li>\n<li>write access to the MIB (Management Information Base) should be allowed only if necessary</li>\n<li>all access to the MIB should be restricted following a principle of least privilege</li>\n<li>network access should be limited to the maximum extent possible including restricting to expected network\naddresses both in the configuration files and in the system firewall rules</li>\n<li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management\nstations</li>\n<li>ensure that permissions on the <tt>snmpd.conf</tt> configuration file (by default, in <tt>/etc/snmp</tt>) are 640 or more restrictive</li>\n<li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>", "warnings": [], "requires": [], "conflicts": [], "values": ["var_snmpd_ro_string", "var_snmpd_rw_string"], "groups": {}, "rules": ["snmpd_no_rwusers", "snmpd_not_default_password", "snmpd_use_newer_protocol"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Configure SNMP Server if Necessary", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/snmp/snmp_configure_server/group.yml"}