Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
Description
To set the runtime status of the net.ipv4.conf.default.log_martians
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
Note that conf/default/* values are only copied into interfaces created afterwards. For an interface that already exists, martian logging is enabled when either conf/all/log_martians or conf/<interface>/log_martians is set to 1, so check those as well when auditing a running system.
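A practitioner usually wants to confirm the setting rather than just apply it. The audit helper below is an added example, not the ComplianceAsCode check for this rule; the function names and the SYSCTL_CONF override are this example's own. It resolves the value that `sysctl --system` would actually load (same-named fragments in earlier directories shadow later ones, surviving fragments apply in lexicographic basename order with the last assignment winning, and /etc/sysctl.conf is applied after all of them) and compares it with the live value under /proc/sys.

```shell
#!/bin/sh
# Audit helper for net.ipv4.conf.default.log_martians.  Added example, not the
# project's own check.  Function names and the SYSCTL_CONF override are assumptions.

# value_in_file KEY FILE : print the last uncommented assignment of KEY in FILE
value_in_file() {
    vif_key=$1 vif_file=$2
    [ -r "$vif_file" ] || return 0
    awk -v key="$vif_key" '
        /^[[:space:]]*[#;]/ || !/=/ { next }          # comments and non-assignments
        {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            gsub(/\//, ".", kv[1])                     # net/ipv4/conf/... names the same key
            sub(/^[[:space:]]+/, "", kv[2])
            split(kv[2], tok, /[[:space:]]/)
            if (kv[1] == key) val = tok[1]              # last assignment in the file wins
        }
        END { if (val != "") print val }' "$vif_file"
}

# persisted_value KEY DIR... : the value `sysctl --system` would load for KEY from the
# given sysctl.d directories (highest priority first) and then ${SYSCTL_CONF:-/etc/sysctl.conf}
persisted_value() {
    pv_key=$1; shift
    pv_tab=$(printf '\t')
    # "basename<TAB>path"; the first directory that provides a basename wins (-s -u keeps
    # the first of an equal run), and the result is already sorted by basename
    pv_fragments=$(
        for pv_dir in "$@"; do
            for pv_f in "$pv_dir"/*.conf; do
                if [ -e "$pv_f" ]; then printf '%s\t%s\n' "${pv_f##*/}" "$pv_f"; fi
            done
        done | sort -s -t "$pv_tab" -k1,1 -u
    )
    pv_val=""
    while IFS="$pv_tab" read -r pv_base pv_path; do
        [ -n "$pv_path" ] || continue
        pv_v=$(value_in_file "$pv_key" "$pv_path")
        [ -n "$pv_v" ] && pv_val=$pv_v
    done <<EOF
$pv_fragments
EOF
    # /etc/sysctl.conf is read last, so it overrides every fragment
    pv_v=$(value_in_file "$pv_key" "${SYSCTL_CONF:-/etc/sysctl.conf}")
    [ -n "$pv_v" ] && pv_val=$pv_v
    printf '%s\n' "$pv_val"
}

# check_log_martians : succeed only when both the live and the persisted value are 1
check_log_martians() {
    clm_key=net.ipv4.conf.default.log_martians
    clm_persisted=$(persisted_value "$clm_key" /etc/sysctl.d /run/sysctl.d \
        /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d)
    clm_runtime=$(cat /proc/sys/net/ipv4/conf/default/log_martians 2>/dev/null || echo unreadable)
    printf 'runtime=%s persisted=%s\n' "$clm_runtime" "${clm_persisted:-unset}"
    [ "$clm_runtime" = 1 ] && [ "$clm_persisted" = 1 ]
}

# Usage: sh audit.sh check   (exit status 0 means compliant)
case ${1:-} in check) check_log_martians ;; esac
```

The resolution step matters because the remediation below writes to /etc/sysctl.conf after commenting out other definitions: a stray 99-*.conf fragment that sets the key to 0 would otherwise silently win over a 1 in an earlier fragment, and a check that only greps for the string "= 1" would not notice.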
Rationale
The presence of “martian” packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.
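Logging only helps if someone reads the kernel log. The kernel (net/ipv4/route.c) emits lines of the form "IPv4: martian source <dst> from <src>, on dev <if>" and "IPv4: martian destination <dst> from <src>, dev <if>"; note that the first address is the packet's destination and the second is the impossible or spoofed source. The messages are rate limited, so a "net_ratelimit: N callbacks suppressed" line means the counts are lower bounds. The summariser below is an added example, not part of the original rule; the sample log lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Summarise martian-packet kernel log lines.  Added example, not part of the rule.
# Real use:  journalctl -k --since -1h | summarize_martians
# Output: "<type> <dev> <source> <count>" sorted by count (descending), then "suppressed <N>".

summarize_martians() {
    awk '
        /martian (source|destination)/ {
            # "... martian source D from S, on dev X"  or  "... martian destination D from S, dev X"
            for (i = 1; i <= NF; i++) {
                if ($i == "martian") type = $(i+1)
                if ($i == "from")    src  = $(i+1)
                if ($i == "dev")     dev  = $(i+1)
            }
            sub(/,$/, "", src)                 # strip the comma after the source address
            count[type " " dev " " src]++
        }
        /net_ratelimit:/ {
            # "net_ratelimit: 12 callbacks suppressed": the counts above are lower bounds
            for (i = 1; i <= NF; i++) if ($i == "callbacks") suppressed += $(i-1)
        }
        END {
            cmd = "LC_ALL=C sort -k4,4nr -k1,1 -k2,2 -k3,3"
            for (k in count) print k, count[k] | cmd
            close(cmd)                         # flush sorted output before the trailer
            print "suppressed", suppressed + 0
        }'
}

# Constructed sample of journalctl -k output (not captured from a real host).
sample_martian_log() {
    cat <<'EOF'
Mar 10 12:00:01 host kernel: IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
Mar 10 12:00:01 host kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar 10 12:00:02 host kernel: IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
Mar 10 12:00:03 host kernel: IPv4: martian source 192.0.2.10 from 10.0.0.7, on dev eth0
Mar 10 12:00:09 host kernel: net_ratelimit: 12 callbacks suppressed
Mar 10 12:00:10 host kernel: IPv4: martian destination 224.0.0.9 from 198.51.100.3, dev eth1
EOF
}

# Usage: sh martians.sh demo
case ${1:-} in demo) sample_martian_log | summarize_martians ;; esac
```

A loopback source (127.0.0.1) arriving on a physical interface, as in the sample, is the classic spoofing signature; a burst of distinct sources on one interface with a non-zero suppressed count is a reason to capture traffic on that interface rather than trust the log alone.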
Shell script
The following script can be run on the host to remediate the issue. It comments out any existing definition of the key in the sysctl.d directories, sets the runtime value, and writes the persistent value to /etc/sysctl.conf so that no other fragment can override it.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files
    for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
        [ -e "$f" ] || continue   # skip globs that matched nothing
        matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' "$f" | uniq )
        if ! test -z "$matching_list"; then
            while IFS= read -r entry; do
                escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
                # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data
                sed -i "s/^${escaped_entry}$/# &/g" "$f"
            done <<< "$matching_list"
        fi
    done

    #
    # Set sysctl config file which to save the desired value
    #
    SYSCONFIG_FILE="/etc/sysctl.conf"

    # 1 = log martian packets; this is the value the rule requires (see Description)
    sysctl_net_ipv4_conf_default_log_martians_value='1'

    #
    # Set runtime for net.ipv4.conf.default.log_martians
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"

    #
    # If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
    #
    # Strip any search characters in the key arg so that the key can be replaced without
    # adding any search characters to the config file.
    stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians")

    # shellcheck disable=SC2059
    printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value"

    # If the key exists, change it. Otherwise, add it to the config_file.
    # We search for the key string followed by a word boundary (matched by \>),
    # so if we search for 'setting', 'setting2' won't match.
    if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then
        escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
        LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
    else
        # Make sure the file ends with a newline before appending
        if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
            LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
        fi
        printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
      - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.log_martians.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity

- name: Comment out any occurrences of net.ipv4.conf.default.log_martians from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.log_martians
    replace: '#net.ipv4.conf.default.log_martians'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity

# 1 = log martian packets; this is the value the rule requires (see Description)
- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity