Cisco IOS: SNMP Community Config
Description
The Cisco IOS: SNMP Community Config test is used to check the properties of specific output lines from an SNMP configuration.
The snmpcommunity_object element is used by an snmpcommunity test to define the community name entity to be tested.
The snmpcommunity_state element defines the different information that can be used to evaluate the result of a specific ‘snmp community’ IOS command. This includes the community name and the corresponding options.
Technical Details
Artifact Parameters
cisco_ios.snmp_community
Name |
Type |
Description |
|---|---|---|
cisco_ios.snmp_community_name |
string |
The SNMP community name. Cannot be blank. |
Supported Test Types
Existence Test
Cisco IOS: SNMP Community Mode
Cisco IOS: SNMP Community IPv4 ACL
Cisco IOS: SNMP Community IPv6 ACL
Test Type Parameters
existence_test
Name |
Type |
Description |
|---|---|---|
value |
string |
Value. |
cisco_ios.snmp_community_mode
Name |
Type |
Description |
|---|---|---|
operation |
string |
Comparison operator. |
mode |
string |
The read-write privileges of the community. |
- NOTE: The
operationparameter is governed by a constraint allowing only the following values: bitwise and
bitwise or
case insensitive equals
case insensitive not equal
equals
greater than
greater than or equal
less than
less than or equal
pattern match
not equal
set white list
set is empty
- NOTE: The
modeparameter is governed by a constraint allowing only the following values: RO
RW
cisco_ios.snmp_community_ipv4_acl
Name |
Type |
Description |
|---|---|---|
operator |
string |
Comparison operator. |
ipv4_acl |
string |
The IPv4 ACL name applied to the community. |
- NOTE: The
operationparameter is governed by a constraint allowing only the following values: bitwise and
bitwise or
case insensitive equals
case insensitive not equal
equals
greater than
greater than or equal
less than
less than or equal
pattern match
not equal
set white list
set is empty
cisco_ios.snmp_community_ipv6_acl
Name |
Type |
Description |
|---|---|---|
operator |
string |
Comparison operator. |
ipv6_acl |
string |
The IPv6 ACL name applied to the community. |
- NOTE: The
operationparameter is governed by a constraint allowing only the following values: bitwise and
bitwise or
case insensitive equals
case insensitive not equal
equals
greater than
greater than or equal
less than
less than or equal
pattern match
not equal
set white list
set is empty
Generated Content
existence_test
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF
<xccdf:complex-check operator="OR">
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="cisco_ios.snmp_community_name">[cisco_ios.snmp_community_name.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="value">[value.value]</ae:parameter>
</ae:parameters>
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
</xccdf:complex-check>
SCAP
XCCDF
For cisco_ios.snmp_community existence_test artifacts, the XCCDF check looks like this. There is no Value element in the XCCDF for this artifact.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<snmpcommunity_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="[check_existence.value]"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
</snmpcommunity_test>
Object
<snmpcommunity_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<name>[name.value]</name>
</snmpcommunity_object>
State
N/A
YAML
artifact-expression:
artifact-unique-id: "[ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "cisco_ios.snmp_community_name"
dt: "string"
value: "[cisco_ios.snmp_community_name.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
- parameter:
name: "value"
dt: "string"
value: "[value.value]"
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "cisco_ios.snmp_community_name",
"type": "string",
"value": "[cisco_ios.snmp_community_name.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "value",
"type": "string",
"value": "[value.value]"
}
}
]
}
}
}
Generated Content
cisco_ios.snmp_community_mode
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF
<xccdf:complex-check operator="OR">
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="cisco_ios.snmp_community_name">[cisco_ios.snmp_community_name.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="operation">[operation.value]</ae:parameter>
<ae:parameter dt="string" name="mode">[mode.value]</ae:parameter>
</ae:parameters>
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
</xccdf:complex-check>
SCAP
XCCDF
For cisco_ios.snmp_community cisco_ios.snmp_community_mode artifacts, an XCCDF Value element is generated.
<Value
id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var"
type="string"
operator="[operator.value]">
<title>[RECOMMENDATION-TITLE]</title>
<description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
<value>[value.value]</value>
</Value>
For cisco_ios.snmp_community cisco_ios.snmp_community_mode artifacts, the XCCDF check looks like this.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export
export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<snmpcommunity_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="any_exist"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
<state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</snmpcommunity_test>
Object
<snmpcommunity_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<name>[name.value]</name>
</snmpcommunity_object>
State
<snmpcommunity_state
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<mode
operation="[operation.value]"
var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]">
Variable
<external_variable
id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
datatype="string"
comment="This value is used in Rule: [RECOMMENDATION-TITLE]"
version="1" />
YAML
artifact-expression:
artifact-unique-id: "[ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "cisco_ios.snmp_community_name"
dt: "string"
value: "[cisco_ios.snmp_community_name.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
- parameter:
name: "operation"
dt: "string"
value: "[operation.value]"
- parameter:
name: "mode"
dt: "string"
value: "[mode.value]"
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "cisco_ios.snmp_community_name",
"type": "string",
"value": "[cisco_ios.snmp_community_name.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "operation",
"type": "string",
"value": "[operation.value]"
}
},
{
"parameter": {
"name": "mode",
"type": "string",
"value": "[mode.value]"
}
}
]
}
}
}
Generated Content
cisco_ios.snmp_community_ipv4_acl
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF.
<xccdf:complex-check operator="OR">
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="cisco_ios.snmp_community_name">[cisco_ios.snmp_community_name.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="operator">[operator.value]</ae:parameter>
<ae:parameter dt="string" name="ipv4_acl">[ipv4_acl.value]</ae:parameter>
</ae:parameters>
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
</xccdf:complex-check>
SCAP
XCCDF
For cisco_ios.snmp_community cisco_ios.snmp_community_ipv4_acl artifacts, an XCCDF Value element is generated.
<Value
id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var"
type="string"
operator="[operator.value]">
<title>[RECOMMENDATION-TITLE]</title>
<description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
<value>[value.value]</value>
</Value>
For cisco_ios.snmp_community cisco_ios.snmp_community_ipv4_acl artifacts, the XCCDF check looks like this.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export
export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<snmpcommunity_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="any_exist"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
<state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</snmpcommunity_test>
Object
<snmpcommunity_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<name>[name.value]</name>
</snmpcommunity_object>
State
<snmpcommunity_state
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<ipv4_acl
operation="[operation.value]"
var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]" />
Variable
<external_variable
id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
datatype="string"
comment="This value is used in Rule: [RECOMMENDATION-TITLE]"
version="1" />
YAML
artifact-expression:
artifact-unique-id: "[ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "cisco_ios.snmp_community_name"
dt: "string"
value: "[cisco_ios.snmp_community_name.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
- parameter:
name: "operator"
dt: "string"
value: "[operator.value]"
- parameter:
name: "ipv4_acl"
dt: "string"
value: "[ipv4_acl.value]"
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "cisco_ios.snmp_community_name",
"type": "string",
"value": "[cisco_ios.snmp_community_name.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "operator",
"type": "string",
"value": "[operator.value]"
}
},
{
"parameter": {
"name": "ipv4_acl",
"type": "string",
"value": "[ipv4_acl.value]"
}
}
]
}
}
}
Generated Content
cisco_ios.snmp_community_ipv6_acl
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF
<xccdf:complex-check operator="OR">
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="cisco_ios.snmp_community_name">[cisco_ios.snmp_community_name.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="operator">[operator.value]</ae:parameter>
<ae:parameter dt="string" name="ipv6_acl">[ipv6_acl.value]</ae:parameter>
</ae:parameters>
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
</xccdf:complex-check>
SCAP
XCCDF
For cisco_ios.snmp_community cisco_ios.snmp_community_ipv6_acl artifacts, an XCCDF Value element is generated.
<Value
id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var"
type="string"
operator="[operator.value]">
<title>[RECOMMENDATION-TITLE]</title>
<description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
<value>[value.value]</value>
</Value>
For cisco_ios.snmp_community cisco_ios.snmp_community_ipv6_acl artifacts, the XCCDF check looks like this.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export
export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<snmpcommunity_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="any_exist"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
<state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</snmpcommunity_test>
Object
<snmpcommunity_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<name>[name.value]</name>
</snmpcommunity_object>
State
<snmpcommunity_state
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<ipv6_acl
operation="[operation.value]"
var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]" />
Variable
<external_variable
id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
datatype="string"
comment="This value is used in Rule: [RECOMMENDATION-TITLE]"
version="1" />
YAML
artifact-expression:
artifact-unique-id: "[ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "cisco_ios.snmp_community_name"
dt: "string"
value: "[cisco_ios.snmp_community_name.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
- parameter:
name: "operator"
dt: "string"
value: "[operator.value]"
- parameter:
name: "ipv6_acl"
dt: "string"
value: "[ipv6_acl.value]"
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "cisco_ios.snmp_community_name",
"type": "string",
"value": "[cisco_ios.snmp_community_name.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "operator",
"type": "string",
"value": "[operator.value]"
}
},
{
"parameter": {
"name": "ipv6_acl",
"type": "string",
"value": "[ipv6_acl.value]"
}
}
]
}
}
}