Disable snmpd Service

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

The snmpd service can be disabled with the following command:

$ sudo systemctl mask --now snmpd.service

Rationale

Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if ( rpm --quiet -q net-snmp && rpm --quiet -q kernel ); then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
  "$SYSTEMCTL_EXEC" stop 'snmpd.service'
fi
"$SYSTEMCTL_EXEC" disable 'snmpd.service'
"$SYSTEMCTL_EXEC" mask 'snmpd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then
    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
      "$SYSTEMCTL_EXEC" stop 'snmpd.socket'
    fi
    "$SYSTEMCTL_EXEC" mask 'snmpd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_snmpd_disabled

- name: Disable snmpd Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: ( "net-snmp" in ansible_facts.packages and "kernel" in ansible_facts.packages
    )
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_snmpd_disabled

- name: Disable snmpd Service - Ensure snmpd.service is Masked
  ansible.builtin.systemd:
    name: snmpd.service
    state: stopped
    enabled: false
    masked: true
  when:
  - ( "net-snmp" in ansible_facts.packages and "kernel" in ansible_facts.packages
    )
  - service_exists.stdout_lines is search("snmpd.service", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_snmpd_disabled

- name: Unit Socket Exists - snmpd.socket
  ansible.builtin.command: systemctl -q list-unit-files snmpd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ( "net-snmp" in ansible_facts.packages and "kernel" in ansible_facts.packages
    )
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_snmpd_disabled

- name: Disable snmpd Service - Disable Socket snmpd
  ansible.builtin.systemd:
    name: snmpd.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - ( "net-snmp" in ansible_facts.packages and "kernel" in ansible_facts.packages
    )
  - socket_file_exists.stdout_lines is search("snmpd.socket", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_snmpd_disabled
PREVIEWING: rtrieu/docs-10679-ref-table-use-cases