Add net-snmp CPE entry to detect if package is installed.

Author: ggbecker

debian10/cpe/debian10-cpe-dictionary.xml

@@ -76,4 +76,8 @@
             <title xml:lang="en-us">System uses zipl</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

debian10/product.yml

@@ -9,3 +9,7 @@ profiles_root: "./profiles"
 pkg_manager: "apt_get"
 
 init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  net-snmp: "snmp"

debian9/cpe/debian9-cpe-dictionary.xml

@@ -76,4 +76,8 @@
             <title xml:lang="en-us">System uses zipl</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

debian9/product.yml

@@ -9,3 +9,7 @@ profiles_root: "./profiles"
 pkg_manager: "apt_get"
 
 init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  net-snmp: "snmp"

fedora/cpe/fedora-cpe-dictionary.xml

@@ -111,4 +111,8 @@
             <title xml:lang="en-us">System uses zipl</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

linux_os/guide/services/snmp/snmp_configure_server/group.yml

@@ -17,3 +17,5 @@ description: |-
     stations</li>
     <li>ensure that permissions on the <tt>snmpd.conf</tt> configuration file (by default, in <tt>/etc/snmp</tt>) are 640 or more restrictive</li>
     <li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
+
+platform: net-snmp

linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml

@@ -16,11 +16,11 @@
     path: "/etc/snmp/snmpd.conf"
     regexp: 'public'
     replace: '{{ var_snmpd_ro_string }}'
-  when: snmpd.stat is defined and snmpd.stat.exists
+  when: (snmpd.stat.exists is defined and snmpd.stat.exists)
 
 - name: "Replace all instances of SNMP RW strings"
   replace:
     path: "/etc/snmp/snmpd.conf"
     regexp: 'private'
     replace: '{{ var_snmpd_rw_string }}'
-  when: snmpd.stat is defined and snmpd.stat.exists
+  when: (snmpd.stat.exists is defined and snmpd.stat.exists)

linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml

@@ -1,8 +1,7 @@
 <def-group>
   <definition class="compliance" id="snmpd_not_default_password" version="2">
     {{{ oval_metadata("SNMP default communities must be removed.") }}}
-    <criteria operator="OR">
-      <extend_definition comment="SMNP installed" definition_ref="package_net-snmp_removed" />
+    <criteria>
       <criterion comment="SNMP communities" test_ref="test_snmp_default_communities" />
     </criteria>
   </definition>

linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+yum -y install net-snmp

linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+yum -y remove net-snmp

ol7/cpe/ol7-cpe-dictionary.xml

@@ -80,4 +80,8 @@
             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

ol8/cpe/ol8-cpe-dictionary.xml

@@ -75,4 +75,8 @@
             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

rhel6/cpe/rhel6-cpe-dictionary.xml

@@ -96,4 +96,8 @@
             <title xml:lang="en-us">System uses zipl</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

rhel7/cpe/rhel7-cpe-dictionary.xml

@@ -110,4 +110,8 @@
             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

rhel8/cpe/rhel8-cpe-dictionary.xml

@@ -80,4 +80,8 @@
             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>

shared/checks/oval/installed_env_has_net-snmp_package.xml

@@ -0,0 +1,38 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_net-snmp_package" version="1">
+    <metadata>
+      <title>Package net-snmp is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Checks if package net-snmp is installed.</description>
+      <reference ref_id="cpe:/a:net-snmp" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package net-snmp is installed" test_ref="test_env_has_net-snmp_installed" />
+    </criteria>
+  </definition>
+
+{{% if pkg_system == "rpm" %}}
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+  id="test_env_has_net-snmp_installed" version="1"
+  comment="system has package net-snmp installed">
+    <linux:object object_ref="obj_env_has_net-snmp_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_net-snmp_installed" version="1">
+    <linux:name>net-snmp</linux:name>
+  </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+  <linux:dpkginfo_test check="all" check_existence="all_exist"
+  id="test_env_has_net-snmp_installed" version="1"
+  comment="system has package net-snmp installed">
+    <linux:object object_ref="obj_env_has_net-snmp_installed" />
+  </linux:dpkginfo_test>
+  <linux:dpkginfo_object id="obj_env_has_net-snmp_installed" version="1">
+    <!-- dpkg systems differ in the package name -->
+    <linux:name>snmp</linux:name>
+  </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>

ssg/constants.py

@@ -500,6 +500,7 @@
     "systemd": "cpe:/a:systemd",
     "yum": "cpe:/a:yum",
     "zipl": "cpe:/a:zipl",
+    "net-snmp": "cpe:/a:net-snmp",
 }
 
 # Default platform to package mapping

wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml

@@ -79,4 +79,8 @@
             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:net-snmp">
+            <title xml:lang="en-us">Package net-snmp is installed</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
+      </cpe-item>
 </cpe-list>