Bug 972520

Summary: The snmpd service must use only SNMP protocol version 3 or newer.
Product: Red Hat Enterprise Linux 6
Reporter: Jason Pyeron <jpyeron>
Component: net-snmp
Assignee: Josef Ridky <jridky>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.6
CC: jason.j.pyeron.ctr, jrieden
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1359119
Environment:
Last Closed: 2016-07-22 10:44:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1359119, 1359123
Attachments (Description: Flags):
srcrpm patch (specfile/sources): none
srcrpm: none
srcrpm patch (specfile/sources): none
srcrpm: none

Description Jason Pyeron 2013-06-09 20:25:05 UTC
Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):

http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/net-snmp-5.5-44.el6_4.1.src.rpm

How reproducible:

Always

Steps to Reproduce:

perform a yum install

Actual results:

root@test /tmp/setup
# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser

Expected results:

# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'

There should be no output.

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html
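
Added example, not part of the original report: a stricter form of the grep check above, written as a shell function. The grep matches `v1` anywhere in a line and only skips comments that start in column 1; this version parses fields instead, and goes beyond the report by also flagging the `rocommunity`/`rwcommunity` family of community directives. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from net-snmp).
# snmp_legacy_directives FILE
#   Prints every active snmpd.conf line that enables SNMP v1/v2c access
#   as "lineno: text" and returns 1 if any were found, 0 otherwise.
snmp_legacy_directives() {
    awk '
        # Skip blank lines and comments, including indented comments.
        NF == 0 || $1 ~ /^#/ { next }
        # Directive names are compared in lower case to be conservative.
        { d = tolower($1); bad = 0 }
        # Community-to-security-name mappings and community shortcuts.
        d ~ /^(com2sec(6|unix)?|r[ow]community6?)$/ { bad = 1 }
        # group NAME MODEL SECNAME: only the MODEL field is inspected,
        # so a user or group name containing "v1" is not a finding.
        d == "group" && tolower($3) ~ /^(v1|v2c)$/ { bad = 1 }
        bad { print NR ": " $0; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: lines 2, 4 and 5 are the defaults quoted in the
# report; lines 3 and 7 are cases the plain grep would flag by mistake.
snmp_sample_conf() {
    cat <<'EOF'
# constructed sample configuration
com2sec notConfigUser  default       public
  #group  oldGroup v1 someUser
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
group   v3Group usm v3User
rouser  srv1admin priv
EOF
}
```

Run it as `snmp_legacy_directives /etc/snmp/snmpd.conf`; an empty result with exit status 0 corresponds to the "no output" expectation in the report.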

Comment 1 Jason Pyeron 2013-06-09 20:27:41 UTC
Created attachment 758937
srcrpm patch (specfile/sources)

Comment 2 Jason Pyeron 2013-06-09 20:28:52 UTC
Created attachment 758938
srcrpm

Comment 3 Jason Pyeron 2013-06-09 20:32:56 UTC
Created attachment 758939
srcrpm patch (specfile/sources)

Comment 4 Jason Pyeron 2013-06-09 20:34:59 UTC
Created attachment 758940
srcrpm

Comment 6 Jan Safranek 2013-06-10 12:50:59 UTC
Thanks for the bug report. While I agree that the default snmpd.conf file is suboptimal, changing it in the middle of RHEL6 lifetime is dangerous. Please keep in mind that bugzilla is not a support tool or means of accessing support. Please contact Red Hat support at access.redhat.com, where this change can be properly tracked and reviewed.

Comment 7 RHEL Program Management 2013-10-14 03:23:14 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.