SNMP default community strings and passphrases must be changed from vendor defaults.

Whether active or not, default SNMP passwords, users, and passphrases must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s).

Verify the Solaris 11 system does not use default SNMP community strings or passphrases. The root role is required. Find any occurrences of the snmpd.conf file delivered with Solaris packages: # pkg search -l -Ho path snmpd.conf | awk '{ print "/"$1 }' /etc/net-snmp/snmp/snmpd.conf For each listed file, use the following command to review its contents: # more [filename] Review SNMP trap configurations for default community strings: # grep trap /etc/net-snmp/snmp/snmpd.conf Identify any community names, trap communities, or user password configurations set to default values. Examples: public, private, trap, public@localhost, password If any default values are present, this is a finding.

The root role is required. Stop the SNMP service: # svcadm disable svc: /application/management/net-snmp:default Open the /etc/snmp/snmpd.conf file and remove any lines containing default values. # pfedit [/path/filename] Create a new SNMPv3 user with strong authentication and privacy keys (if the service is required). Restart the service (if the service is required). # svcadm enable svc: /application/management/net-snmp:default Ensure permissions on the configuration files are restricted: # chmod 600 /etc/snmp/snmp.conf