
CSAPP_SNMPAGENT_PUBLIC_COMMUNITY

Description:
Checks to see if the SNMP agent has been configured with a community name of public.
Reason for check:
The community name of public is a well-known name and should not be used with community-based security because of security considerations. The community name can be defined by one of the following methods:
  • Specify the -c start parameter.
  • Configure a PW.SRC configuration file.
  • Configure the COMMUNITY or SNMP_COMMUNITY statements in the SNMPD.CONF configuration file.

If you use SNMPTRAP.DEST to configure trap information, the agent uses the hardcoded community name of public in the outbound traps. To configure specific community names for trap destinations, you must convert your SNMPTRAP.DEST information to a SNMPD.CONF configuration file format.
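The following added example (not part of the IBM documentation or of the health check itself) scans each of the sources named above for the community name public, and treats any active SNMPTRAP.DEST entry as a finding because its traps carry the hardcoded name. The function names, the source labels, the comment characters and the field positions of the community name are assumptions to verify against z/OS Communications Server: IP Configuration Reference.

```python
import shlex

TARGET = "public"  # SNMP community strings are case-sensitive: match exactly

# Assumed position of the community name in each SNMPD.CONF statement.
SNMPD_FIELD = {"COMMUNITY": 1, "SNMP_COMMUNITY": 2}

def entries(text):
    """Yield (line_no, fields) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: a leading '#' or '*' marks a comment line.
        if line and line[0] not in "#*":
            yield no, line.split()

def audit(source, text):
    """Return [(line_no, reason)] for one source of community definitions."""
    if source == "PARMS":  # the agent's start parameters as one string
        toks = shlex.split(text)
        return [(1, "-c start parameter sets community public")
                for i, tok in enumerate(toks[:-1])
                if tok == "-c" and toks[i + 1] == TARGET]
    findings = []
    for no, f in entries(text):
        if source == "PW.SRC" and f[0] == TARGET:
            findings.append((no, "PW.SRC defines community public"))
        elif source == "SNMPD.CONF":
            idx = SNMPD_FIELD.get(f[0].upper())
            if idx is not None and len(f) > idx and f[idx] == TARGET:
                findings.append((no, f[0].upper() + " defines community public"))
        elif source == "SNMPTRAP.DEST":
            # Every active destination gets traps with the hardcoded name public.
            findings.append((no, "trap destination uses hardcoded public"))
    return findings

# Constructed sample inputs; all values and trailing fields are illustrative.
SNMPD_CONF = """\
# community-based access
COMMUNITY public secname1 noAuthNoPriv 0.0.0.0 0.0.0.0 -
COMMUNITY ops7Kq secname2 noAuthNoPriv 192.0.2.0 255.255.255.0 -
SNMP_COMMUNITY idx1 public secname1 - - - -
"""
PW_SRC = "public 0.0.0.0 0.0.0.0\nops7Kq 192.0.2.10 255.255.255.255\n"
TRAP_DEST = "* trap managers\n192.0.2.50 UDP\n"

if __name__ == "__main__":
    for src, txt in [("PARMS", "-c public"), ("PW.SRC", PW_SRC),
                     ("SNMPD.CONF", SNMPD_CONF), ("SNMPTRAP.DEST", TRAP_DEST)]:
        for no, reason in audit(src, txt):
            print(f"{src}:{no}: {reason}")
```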

z/OS® releases the check applies to:
z/OS V2R1 and later, with the PTFs for APARs PI51640 and OA50122 applied.
User override of IBM values:
The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time only update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMCS,CSAPP_SNMPAGENT_PUBLIC_COMMUNITY)
DATE('date_of_the_change')
REASON('Your reason for making the update.')
ACTIVE
SEVERITY(MEDIUM)
INTERVAL(ONETIME)
Debug support:
No
Verbose support:
No
Parameters accepted:
No
Reference:
For more information on configuring community names, see the following sections in z/OS Communications Server: IP Configuration Reference:
  • OSNMPD parameters
  • PW.SRC statement syntax
  • COMMUNITY entry
  • SNMP_COMMUNITY entry
  • Migrating the PW.SRC file and SNMPTRAP.DEST file to the SNMPD.CONF file
Messages:
This check issues the following exception messages:
  • ISTH034E
See z/OS Communications Server: SNA Messages.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.