Detections
Analytics
1.4.6 Do not Configure a Read Write SNMP Community String
Information
SNMP RW (Read-Write) access allows stations with Management access to both read and write SNMP MIB objects.Rationale:
SNMP is typically used for monitoring specific operational characteristics of the switch. These tasks typically only require read access. Permitting RW (Read-Write) access permits SNMP to modify some SNMP values.
Impact:
Permitting SNMP RW Access not only allows 'write' access to some SNMP MIB Objects, which allows a malicious attacker to modify some operational characterstics of the switch. By extension this access allows a malicious actor to collect the entire configuration of the device.
Solution
Only use RO groups for SNMPv2. The most common implementation is 'network-operator', because if you use the legacy syntax:switch(config)# snmp-server community <some complex string> ro
the switch will translate this to the new syntax, using 'network-operator' group
switch(config)# snmp-server community <some complex string> group network-operator
Default Value:
SNMP is not configured by default. The default SNMP Groups and permissions are:
switch# sho snmp group
Role: aaa-db-admin
Description: Predefined AAA DB admin, has no cli permissions. Allows RESTful A
PI
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: aaa-db-operator
Description: Predefined AAA DB operator, has no cli permissions. Allows RESTfu
l API
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: l3-db-admin
Description: Predefined L3 DB admin, has no cli permissions. Allows RESTful AP
I
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: l3-db-operator
Description: Predefined L3 DB operator, has no cli permissions. Allows RESTful
API
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: network-admin
Description: Predefined network admin role has access to all commands
on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: network-operator
Description: Predefined network operator role has access to all read
commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: nxdb-admin
Description: Predefined nxdb-admin role has no cli permissions.
Allows json-rpc get and set.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 deny command
Role: nxdb-operator
Description: Predefined nxdb-operator role has no cli permissions.
Allows json-rpc get.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 deny command
Role: vdc-admin
Description: Predefined vdc admin role has access to all commands within
a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: vdc-operator
Description: Predefined vdc operator role has access to all read commands
within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: dev-ops
Description: Predefined system role for devops access. This role
cannot be modified.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
6 permit command conf t ; username *
5 permit command attach module *
4 permit command slot *
3 permit command bcm module *
2 permit command run bash *
1 permit command python *
Role: priv-15
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: priv-14
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: priv-13
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-12
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-11
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-10
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-9
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-8
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-7
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-6
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-5
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-4
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-3
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-2
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-1
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-0
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
10 permit command traceroute6 *
9 permit command traceroute *
8 permit command telnet6 *
7 permit command telnet *
6 permit command ping6 *
5 permit command ping *
4 permit command ssh6 *
3 permit command ssh *
2 permit command enable *
1 permit read
See Also
Item Details
Audit Name: CIS Cisco NX-OS L1 v1.0.0
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-4, CSCv7|9.2
Plugin: Cisco
Control ID: 3901f216de2136a6ff2e4c51ae812e593067011203ac284a4dee673b4bda1f1e