2.5 Ensure SNMP is configured properly - 'community name private does not exist'

Information

Simple Network Management Protocol (SNMP) can be used to help manage hosts. Many organizations have other means in place of managing hosts and do not need SNMP enabled. If SNMP is needed, it should be configured properly to reduce the risk of misuse or compromise. For example, ESXi supports SNMPv3, which provides stronger security than SNMPv1 or SNMPv2, including key authentication and encryption. It is also important to configure the destination for SNMP traps.

Rationale:

If SNMP is not properly configured, monitoring data containing sensitive information may be sent to a malicious host and used to help exploit the monitored host.

Solution

To correct the SNMP configuration, perform the following from the ESXi Shell or vCLI:

If SNMP is not needed, disable it by running:

esxcli system snmp set --enable false

If SNMP is needed, refer to the vSphere Monitoring and Performance guide, chapter 8 for steps to configure it.

Additionally, the following PowerCLI command may be used to implement the configuration:

# Update the host SNMP Configuration (single host connection required)
Get-VMHostSnmp | Set-VMHostSnmp -Enabled:$true -ReadOnlyCommunity '<secret>'

Notes:

SNMP must be configured on each ESXi host

SNMP settings can be configured using Host Profiles
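The check this control describes can be scripted against the output of esxcli system snmp get. The following POSIX shell function is an added example, not part of the CIS or Tenable content: it flags the well-known default community names (private and public) and warns when SNMP is enabled without a trap target. It assumes the output contains the Enable:, Communities: and Targets: lines in the form of the constructed sample below.

```shell
#!/bin/sh
# Added example: audit `esxcli system snmp get` output for the conditions
# behind CIS ESXi 2.5. Assumption: the "Enable:", "Communities:" and
# "Targets:" fields are printed as "   Name: value" lines.

# Constructed sample from a non-compliant host (SNMPv1/v2c, default names).
SAMPLE_SNMP_GET='   Authentication:
   Communities: public, private
   Enable: true
   Port: 161
   Targets:
   Users:'

# Constructed sample from a compliant host (non-default community, trap target set).
SAMPLE_SNMP_GET_OK='   Communities: n3tmon-ro
   Enable: true
   Port: 161
   Targets: 192.0.2.10@162 n3tmon-ro'

# snmp_audit <text>: prints findings, returns 0 if compliant, 1 if not.
snmp_audit() {
    text="$1"
    rc=0
    enabled=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Enable:[[:space:]]*//p')
    communities=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Communities:[[:space:]]*//p')
    targets=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Targets:[[:space:]]*//p')
    if [ "$enabled" != "true" ]; then
        echo "PASS: SNMP agent is disabled, nothing further to check"
        return 0
    fi
    # Communities are comma separated; flag the vendor defaults individually.
    for c in $(printf '%s\n' "$communities" | tr ',' ' '); do
        case "$c" in
            private|public) echo "FAIL: default community name '$c' exists"; rc=1 ;;
        esac
    done
    if [ -z "$targets" ]; then
        echo "WARN: SNMP is enabled but no trap target (destination) is configured"
    fi
    [ "$rc" -eq 0 ] && echo "PASS: no default community names found"
    return "$rc"
}

# On a real host replace the sample with: snmp_audit "$(esxcli system snmp get)"
snmp_audit "$SAMPLE_SNMP_GET" || echo "Result: host is NOT compliant"
```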

See Also

https://workbench.cisecurity.org/files/3473

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23, CSCv7|9.2

Plugin: VMware

Control ID: ff54fd58582aba0a0ccb275d257a62db403b9a23f95878026a5bc2bd4413f070