Title

The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods. (Cat II impact)

Discussion

The SNMP service must use SHA-1 or a FIPS 140-2 approved successor for authentication and integrity.

Check Content

Check all SNMPv3 users for configured authentication protocols. # grep USM_USER /etc/snmpdv3.conf The 4th field contains the hash used in the authentication protocol. If an entry exists that does not use HMAC-SHA for the authentication protocol, this is a finding.

Fix Text

Edit the /etc/snmpdv3.conf file. Change any instances of the HMAC-MD5 authentication protocol in USM_USER entries to HMAC-SHA. For all changed USM_USER entries, regenerate authentication keys using the "pwtokey" command and replace the keys in the /etc/snmpdv3.conf file.

Additional Identifiers

Rule ID: SV-38890r1_rule

Vulnerability ID: V-22448

Group Title: GEN005306

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.