{"description": "Edit <tt>/etc/snmp/snmpd.conf</tt>, remove or change the default community strings of\n<tt>public</tt> and <tt>private</tt>.\nThis profile configures new read-only community string to <tt><sub idref=\"var_snmpd_ro_string\" /></tt> and read-write community string to <tt><sub idref=\"var_snmpd_rw_string\" /></tt>.\nOnce the default community strings have been changed, restart the SNMP service:\n<pre>$ sudo systemctl restart snmpd</pre>", "rationale": "Whether active or not, default simple network management protocol (SNMP) community\nstrings must be changed to maintain security. If the service is running with the\ndefault authenticators, then anyone can gather data about the system and the network\nand use the information to potentially compromise the integrity of the system and\nnetwork(s).", "severity": "high", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(e)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the default SNMP passwords public and private have not been changed or removed", "ocil": "To ensure the default password is not set, run the following command:\n<pre>$ sudo grep -v \"^#\" /etc/snmp/snmpd.conf| grep -E 'public|private'</pre>\nThere should be no output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[net-snmp]", "platforms": ["package[net-snmp]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_net-snmp"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Default SNMP Password Is Not Used", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml", "template": null}