Merge "V-38660: SNMPv3"

Jenkins 2015-10-29 17:41:03 +00:00 committed by Gerrit Code Review
commit bd649ec9f3
2 changed files with 46 additions and 0 deletions


@ -0,0 +1,17 @@
Although neither Ubuntu 14.04 or openstack-ansible install or configure the
SNMP daemon by default, the Ansible tasks will check to see if the SNMP
configuration file is present. If the file is present, and the file contains
configurations for insecure SNMP protocols, an error will be
printed and the playbook will fail.
The task specifically looks for uncommented configuration lines containing:
* ``v1``
* ``v2c``
* ``com2sec``
* ``community``
`Red Hat's guide to SNMP`_ has some example configurations that deployers
can use to enable SNMPv3.
.. _Red Hat's guide to SNMP: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-System_Monitoring_Tools-Net-SNMP-Configuring.html


@ -141,6 +141,35 @@
- cat3
- V-38656
- name: Check if SNMP daemon is installed (for V-38660)
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
register: v38660_snmpd_installed
changed_when: False
failed_when: False
tags:
- cat2
- V-38660
# We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols.
- name: Check for insecure SNMP protocols (for V-38660)
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
register: v38660_result
when: v38660_snmpd_installed.rc == 0
changed_when: False
failed_when: False
tags:
- cat2
- V-38660
- name: V-38660 - The snmpd service must only use SNMPv3 or newer
fail:
msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only"
when: v38660_snmpd_installed.rc == 0 and v38660_result.rc == 0
tags:
- cat2
- V-38660
- name: V-38675 - Process core dump must be disabled
lineinfile:
dest: /etc/security/limits.d/V-38675-coredump.conf
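Review bot: The `egrep 'v1|v2c|com2sec|community'` in the second added task matches bare substrings anywhere on a non-comment line, so a host that is already SNMPv3-only can fail the playbook on an unrelated value such as a `sysLocation` or user name containing `v1`. Dropping comment lines first and then matching whole words would narrow this, e.g. `shell: "grep -Ev '^\\s*#' /etc/snmp/snmpd.conf | grep -Ew 'v1|v2c|com2sec6?|r[ow]community6?|trapcommunity'"`. The directive list should be confirmed against snmpd.conf(5), and `trapsink`/`trap2sink` lines, which send v1/v2c traps, are caught by neither pattern unless they happen to contain a keyword. Separately, the check fails open: with `failed_when: False` and no `pipefail`, an unreadable `/etc/snmp/snmpd.conf` leaves the final `grep -v` with rc 1, which the `fail` task treats the same as a clean file. Testing `v38660_result.stderr` or stat-ing the file first would separate "clean" from "could not check".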