adding 5_snmp (#73)

* removing ruleset files

* adding 3_interface rules and refs

* Revert "adding 3_interface rules and refs"

This reverts commit 6ec630d.

* added 3_interfaces rules and refs again

* added 4_protocols tests

* restrctured 3_interfaces folder

* added 6_services

* 5_snmp

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: 2 people

CIS/Junos/5_snmp/rule_5_1_ensure_common_snmp_community_strings_are_not_used.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_5_1_ensure_common_snmp_community_strings_are_not_used',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_5_1_ensure_common_snmp_community_strings_are_not_used(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/5_snmp/rule_5_1_ensure_common_snmp_community_strings_are_not_used.ref

@@ -0,0 +1,11 @@
+.rule_5_1_ensure_common_snmp_community_strings_are_not_used
+
+Reference: Security Agency (NSA)
+Requirement 8.2.1 and 8.5
+
+Remediation: If you have deployed SNMPv1 or SNMPv2c on your router using one of these strings,
+rename the community using the following command under the [edit snmp] hierarchy;
+[edit snmp]
+user@host#rename community <old community> to community <new community>
+
+.

CIS/Junos/5_snmp/rule_5_2_ensure_snmpv1_2_are_set_to_read_only.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_5_2_ensure_snmpv1_2_are_set_to_read_only',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_5_2_ensure_snmpv1_2_are_set_to_read_only(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/5_snmp/rule_5_2_ensure_snmpv1_2_are_set_to_read_only.ref

@@ -0,0 +1,18 @@
+.rule_5_2_ensure_snmpv1_2_are_set_to_read_only
+
+Reference: Security Agency (NSA)
+Requirement 8.2.1 and 8.5
+
+Remediation: If you have deployed SNMP below Version 3 on your router with Read-Write access, delete
+the associated community using the following command under the [edit snmp] hierarchy;
+[edit snmp]
+user@host#delete community <community>
+
+
+
+Alternatively you can set the communities authorization level to Read Only with the
+following command from the [edit snmp <community>] hierarchy;
+[edit snmp]
+user@host#set community <community> authorization read-only
+
+.

CIS/Junos/5_snmp/rule_5_3_ensure_a_client_list_is_set_for_snmpv1_v2_communities.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_5_3_ensure_a_client_list_is_set_for_snmpv1_v2_communities',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_5_3_ensure_a_client_list_is_set_for_snmpv1_v2_communities(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/5_snmp/rule_5_3_ensure_a_client_list_is_set_for_snmpv1_v2_communities.ref

@@ -0,0 +1,34 @@
+.rule_5_3_ensure_a_client_list_is_set_for_snmpv1_v2_communities
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-net-
+mgmt/configuring-the-snmp-community-string.html#id-10428981)
+
+Remediation: To configure a client list issue the following command under the [edit snmp] hierarchy;
+[edit snmp]
+user@host#edit client-list <client list name>
+
+[edit snmp client-list <client list name>]
+user@host#set default restrict
+user@host#set <ip address/range>
+user@host#set <ip address> restrict #optionally add exceptions
+user@host#up 1
+
+[edit snmp]
+user@host#edit community <community name>
+
+[edit snmp community <community name>]
+user@host#set client-list-name <community name>
+
+
+
+The set default restrict is covered in detail in the next recommendation.
+Additional IP Addresses may be permitted by repeating the set <ip address/range>
+command as needed.
+Optionally, addresses that you wish to deny from within a permitted range previously set
+can be configured with the set <ip address> restrict command.
+Note - Client-lists may also be defined directly under the [edit snmp community <community
+name> clients] hierarchy for use within the specified community with the same effect, but
+for ease of management and audit, the first method is preferred.
+
+.

CIS/Junos/5_snmp/rule_5_4_ensure_default_restrict_is_set_in_all_client_lists.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_5_4_ensure_default_restrict_is_set_in_all_client_lists',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_5_4_ensure_default_restrict_is_set_in_all_client_lists(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/5_snmp/rule_5_4_ensure_default_restrict_is_set_in_all_client_lists.ref

@@ -0,0 +1,19 @@
+.rule_5_4_ensure_default_restrict_is_set_in_all_client_lists
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-net-
+mgmt/configuring-the-snmp-community-string.html#id-10428981)
+
+Remediation: To configure a client list issue the following command under the [edit snmp client-list
+<client list name>] hierarchy;
+[edit snmp client-list <client list name>]
+user@host#set default restrict
+Note - Client-lists may also be defined directly under the [edit snmp community <community
+name> clients] hierarchy for use within the specified community with the same effect, but
+for ease of management and audit, the first method is preferred.
+
+
+
+
+
+.

CIS/Junos/5_snmp/rule_5_5_ensure_snmp_write_access_is_not_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_5_5_ensure_snmp_write_access_is_not_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_5_5_ensure_snmp_write_access_is_not_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/5_snmp/rule_5_5_ensure_snmp_write_access_is_not_set.ref

@@ -0,0 +1,26 @@
+.rule_5_5_ensure_snmp_write_access_is_not_set
+
+Reference: Security Agency (NSA)
+Requirement 8.1.6 and 8.2.1
+
+Remediation: If you have deployed SNMP below Version 3 on your router with Read-Write access, delete
+the associated community using the following command under the [edit snmp] hierarchy;
+[edit snmp]
+user@host#delete community <community>
+Alternatively you can set the communities authorization level to Read Only with the
+following command from the [edit snmp <community>] hierarchy;
+
+
+
+[edit snmp]
+user@host#set community <community> authorization read-only
+If you have deployed SNMP Version 3 on your router with Write access, delete the write
+view using the following command under the [edit snmp v3 vacm access] hierarchy;
+[edit snmp v3 vacm access]
+user@host#delete group <group name> default-context-prefix security-model
+<security model> security-level <security level> write-view
+Complete the sections in <> with the details configured for your group/s. This command
+will leave any read or notify views for the group in place. If only a write-view is configured,
+the group can be deleted instead.
+
+.