The system must ensure proper SNMP configuration.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of SRG-OS-99999-ESXI5

Associated with: CCI-000366

SV-51275r1_rule The system must ensure proper SNMP configuration.

Vulnerability discussion

If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack. SNMP must be configured on each ESXi host using Power/v CLI. vSphere PowerCLI is a command line tool used to automate vSphere management. PowerCLI is distributed as a Windows PowerShell snapin, and includes 300+ PowerShell cmdlets and use documentation.

Check content

From the Power/v CLI, run: "vicfg-snmp.pl --server -s" to determine if SNMP is being used. An alternative command option instead of the "-s" is "--show". If SNMP is not being used and "enabled" = 1, this is a finding. If the read-only community name is set to "public", this is a finding. If the read-write community name is set to "private", this is a finding.
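The check above can be applied to saved "--show" output with a short script. This is an added example, not part of the STIG; the output layout it parses and the names parse_show, findings and SAMPLE_SHOW are assumptions made for illustration, and it flags "public" or "private" in any listed community.

```python
import re

WEAK_COMMUNITIES = {"public", "private"}  # names the check text calls out

# Constructed sample; the layout is an assumption, not captured from a host.
SAMPLE_SHOW = """\
Current SNMP agent settings:
Enabled  : 1
UDP port : 161

Communities :
public

Notification targets :
"""

def parse_show(text):
    """Return (enabled, communities) from the assumed --show layout."""
    enabled, communities, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if key == "enabled":
                enabled = value == "1"
            # A "Header :" line with no value opens a section.
            section = key if value == "" else None
        elif section == "communities":
            communities.extend(re.split(r"[,\s]+", line))
    if enabled is None:
        raise ValueError("no 'Enabled' line found; output layout differs")
    return enabled, communities

def findings(text, snmp_in_use):
    """Apply the three conditions from the check text; return finding strings."""
    enabled, communities = parse_show(text)
    out = []
    if enabled and not snmp_in_use:
        out.append("SNMP is not being used but enabled = 1")
    for name in communities:
        if name in WEAK_COMMUNITIES:  # exact match, as the check is worded
            out.append(f'community name is set to "{name}"')
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_SHOW, snmp_in_use=False):
        print("FINDING:", f)
```

Pass snmp_in_use according to whether the host is meant to run SNMP; the script cannot infer that from the output.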

Fix text

If SNMP is not being used, configure "enabled" = 0. From the Power/v CLI, execute "vicfg-snmp.pl --server -D". If SNMP is being used, ensure the community name is configured: From the vSphere CLI, type "vicfg-snmp.pl --server hostname --username --password -c ". To enable SNMP from the vSphere CLI, type "vicfg-snmp.pl --server --username --password --enable".
