ansible-hardening : V-38660 - The snmpd service must only use SNMPv3 or newer Bad Grep

Bug #1702553 reported by Anders Nelson on 2017-07-05
This bug affects 1 person
Affects: openstack-ansible
Importance: Low
Assigned to: Major Hayden

Bug Description

If I run the ansible-hardening using the following var:

stig_version: rhel6

I get an error with the following task:

TASK [ansible-hardening : V-38660 - The snmpd service must only use SNMPv3 or newer]

I looked to see what it is checking in the code and it is running the following grep:

egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'

When I run this manually, all I get are commented-out sections of code:

# egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'

#rocommunity public7969d localhost
 rocommunity public7969d default -V systemonly
                                                 # settings, change the community string,
#rocommunity secret 10.0.0.0/16
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements
                                    # send SNMPv1 traps
                                    # send SNMPv2c traps
                                    # send SNMPv2c INFORMs

It appears the regex in the grep is attempting to get rid of comments but it includes them.

The following removes comments correctly. The additional \ in the current grep might have been added to try to escape something unnecessarily.

egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\s*#'

NOTE: This was run on Ubuntu 14.04 LTS
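The difference between the two filters quoted in the report, as an added example that is not part of the original report or of the ansible-hardening role. Inside single quotes the shell passes both backslashes through, so grep reads `\\` as a literal backslash followed by `s*`, and no comment line matches. The sample configuration is constructed, the function names are hypothetical, and the portable variant uses `[[:space:]]` instead of the GNU `\s` extension.

```shell
#!/bin/sh
# Constructed snmpd.conf sample: three comment lines that mention the
# keywords, one active SNMPv1/v2c community line, one SNMPv3 user line.
sample_conf() {
cat <<'EOF'
#rocommunity examplestring localhost
 rocommunity examplestring default -V systemonly
    # settings, change the community string,
# send SNMPv1 traps
rouser authOnlyUser
EOF
}

# Filter exactly as quoted in the report. grep receives ^\\s*# and looks
# for a line starting with a literal backslash, so nothing is excluded.
filter_reported() {
    grep -E 'v1|v2c|com2sec|community' | grep -v '^\\s*#'
}

# Portable form of the reporter's corrected filter: drop lines whose first
# non-blank character is '#'.
filter_fixed() {
    grep -E 'v1|v2c|com2sec|community' | grep -v '^[[:space:]]*#'
}

# Number of lines each filter leaves behind for the sample above.
count_reported() { sample_conf | filter_reported | wc -l | tr -d ' '; }
count_fixed()    { sample_conf | filter_fixed    | wc -l | tr -d ' '; }

echo "reported filter leaves $(count_reported) line(s)"
echo "fixed filter leaves $(count_fixed) line(s):"
sample_conf | filter_fixed
```

With the corrected filter, any line still printed is an active SNMPv1/v2c directive, which is what the V-38660 check is meant to surface.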

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
status: New → Confirmed
importance: Undecided → Low

An updated version of the role should have fixed this issue, could you confirm?

Changed in openstack-ansible:
status: Confirmed → Incomplete