STIGQter STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SNMP communities, users, and passphrases must be changed from the default.

DISA Rule

SV-216220r603268_rule

Vulnerability Number

V-216220

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-080160

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Change the default snmpd.conf community passwords. To change them, locate the snmpd.conf file and edit it.

# pfedit [filename]

Locate the line system-group-read-community which has a default password of public and make the password something more random (less guessable). Make the same changes for the lines that read system- group-write-community, read-community, write-community, trap, and trap-community. Read the information in the file carefully. The trap is defining who to send traps to, for instance, by default. It is not a password, but the name of a host.

Check Contents

The root role is required.

Check the SNMP configuration for default passwords.
Locate and examine the SNMP configuration.

Procedure:

Find any occurrences of the snmpd.conf file delivered with Solaris packages:

# pkg search -Ho path snmpd.conf | awk '{ print "/"$1 }'

# more [filename]

Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.

Vulnerability Number

V-216220

Documentable

False

Rule Version

SOL-11.1-080160

Severity Override Guidance

The root role is required.

Check the SNMP configuration for default passwords.
Locate and examine the SNMP configuration.

Procedure:

Find any occurrences of the snmpd.conf file delivered with Solaris packages:

# pkg search -Ho path snmpd.conf | awk '{ print "/"$1 }'

# more [filename]

Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.

Check Content Reference

M

Target Key

4021

Comments