Information
When enabled, this feature logs packets with un-routable source addresses to the kernel log.
net.ipv4.conf.default.log_martians controls whether IPv4 packets with un-routable source addresses arriving on a newly added network interface are logged to the kernel log.
More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.
Setting net.ipv4.conf.default.log_martians to 1 enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Solution
- Run the following command to comment out net.ipv4.conf.default.log_martians lines returned by the audit procedure that are not net.ipv4.conf.default.log_martians = 1:
# sed -ri '/^\s*net.ipv4.conf.default.log_martians\s*=\s*0/s/^/#/g' "path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*net.ipv4.conf.default.log_martians\s*=\s*0/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
net.ipv4.conf.default.log_martians = 1
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/60-ipv4_sysctl.conf
- Run the following command to load all sysctl configuration files:
# sysctl --system
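As an added example (not part of the benchmark text), the shell script below carries out the three remediation steps against a sysctl.d directory passed as its argument, so it can be dry-run on a copy before touching /etc/sysctl.d. It goes slightly beyond the page's sed by commenting out any active assignment whose value is not 1 (not only 0), it only appends the setting when no active "= 1" line already exists, and it assumes GNU sed and grep (the same -r and \s the page's own commands rely on); the file name 60-ipv4_sysctl.conf is taken from the page.

```shell
#!/bin/sh
# Added example: remediate log_martians across the *.conf files of one sysctl.d
# directory (argument), then report the value "sysctl --system" would apply.

PARAM='net.ipv4.conf.default.log_martians'

# Step 1: comment out every active line that sets PARAM to anything but 1.
# The first address selects PARAM lines; the inner "!" only prepends "#" to
# those whose value is not exactly 1, so an existing "= 1" is left alone.
disable_wrong_lines() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -ri "/^\s*${PARAM}\s*=/{/=\s*1\s*$/!s/^/#/;}" "$f"
    done
}

# Step 2: append "PARAM = 1" to 60-ipv4_sysctl.conf unless some *.conf in the
# directory already carries an active "= 1" line (keeps the script idempotent).
ensure_enabled() {
    if ! grep -Eqs "^\s*${PARAM}\s*=\s*1\s*$" "$1"/*.conf; then
        printf '%s\n' "" "${PARAM} = 1" >> "$1/60-ipv4_sysctl.conf"
    fi
}

# Dry-run stand-in for step 3: sysctl --system reads the files of a directory
# in lexical order and the last active assignment wins, which is why a stray
# "= 0" in 99-sysctl.conf would override the new 60-ipv4_sysctl.conf entry.
# Prints the winning value without writing to /proc/sys.
effective_value() {
    cat "$1"/*.conf 2>/dev/null |
        sed -rn "s/^\s*${PARAM}\s*=\s*([^[:space:]]+)\s*$/\1/p" | tail -n 1
}

remediate() {
    disable_wrong_lines "$1"
    ensure_enabled "$1"
    effective_value "$1"
}

# Usage: sh remediate_log_martians.sh /path/to/sysctl.d   (no argument: do nothing)
if [ $# -gt 0 ]; then
    echo "effective ${PARAM} = $(remediate "$1")"
fi
```

Run it against a copy of /etc/sysctl.d first; once the printed value is 1, run it against the real directory and finish with sysctl --system as the page instructs.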