Skip to content

3.3.9 Ensure suspicious packets are logged

Audit#

Run the following script to verify the following kernel parameters are set in the running configuration and correctly loaded from a kernel parameter configuration file: - net.ipv4.conf.all.log_martians is set to 1 - net.ipv4.conf.default.log_martians is set to 1

Note: kernel parameters are loaded by file and parameter order precedence. The following script observes this precedence as part of the auditing procedure. The parameters being checked may be set correctly in a file. If that file is superseded, the parameter is overridden by an incorrect setting later in that file, or in a canonically later file, that "correct" setting will be ignored both by the script and by the system during a normal kernel parameter load sequence.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#!/usr/bin/env bash
{
a_output=(); a_output2=(); l_ipv6_disabled=""
a_parlist=("net.ipv4.conf.all.log_martians=1"
"net.ipv4.conf.default.log_martians=1")
l_ufwscf="$([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
f_ipv6_chk()
{
l_ipv6_disabled="no"
! grep -Pqs -- '^\h*0\b' /sys/module/ipv6/parameters/disable && l_ipv6_disabled="yes"
if sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\b" && \
sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\b"; then
l_ipv6_disabled="yes"
fi
}
f_kernel_parameter_chk()
{
l_running_parameter_value="$(sysctl "$l_parameter_name" | awk -F='{print $2}' | xargs)" # Check running configuration
if grep -Pq -- '\b'"$l_parameter_value"'\b' <<< "$l_running_parameter_value"; then
a_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_running_parameter_value\"" "in the running configuration")
else
a_output2+=(" - \"$l_parameter_name\" is incorrectly set to \"$l_running_parameter_value\"" \"in the running configuration" \"and should have a value of: \"$l_value_out\"")
fi
unset A_out; declare -A A_out # Check durable setting (files)
while read -r l_out; do
if [ -n "$l_out" ]; then
if [[ $l_out =~ ^\s*# ]]; then
l_file="${l_out//# /}"
else
l_kpar="$(awk -F= '{print $1}' <<< "$l_out" | xargs)"
[ "$l_kpar" = "$l_parameter_name" ] && A_out+=(["$l_kpar"]="$l_file")
fi
fi
done < <("$l_systemdsysctl" --cat-config | grep -Po '^\h*([^#\n\r]+|#\h*\/[^#\n\r\h]+\.conf\b)')
if [ -n "$l_ufwscf" ]; then # Account for systems with UFW (Not covered by systemd-sysctl --cat-config)
l_kpar="$(grep -Po "^\h*$l_parameter_name\b" "$l_ufwscf" | xargs)"
l_kpar="${l_kpar//\//.}"
[ "$l_kpar" = "$l_parameter_name" ] && A_out+=(["$l_kpar"]="$l_ufwscf")
fi
if (( ${#A_out[@]} > 0 )); then # Assess output from files and generate output
while IFS="=" read -r l_fkpname l_file_parameter_value; do
l_fkpname="${l_fkpname// /}";
l_file_parameter_value="${l_file_parameter_value// /}"
if grep -Pq -- '\b'"$l_parameter_value"'\b' <<< "$l_file_parameter_value"; then
a_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_file_parameter_value\"" \"in \"$(printf '%s' "${A_out[@]}")\"")
else
a_output2+=(" - \"$l_parameter_name\" is incorrectly set to \"$l_file_parameter_value\"" "in \"$(printf '%s' "${A_out[@]}")\"" \"and should have a value of: \"$l_value_out\"")
fi
done < <(grep -Po -- "^\h*$l_parameter_name\h*=\h*\H+" "${A_out[@]}")
else
a_output2+=(" - \"$l_parameter_name\" is not set in an included file" \"** Note: \"$l_parameter_name\" May be set in a file that's ignored by load procedure **")
fi
}
l_systemdsysctl="$(readlink -f /lib/systemd/systemd-sysctl)"
while IFS="=" read -r l_parameter_name l_parameter_value; do # Assess and check parameters
l_parameter_name="${l_parameter_name// /}";
l_parameter_value="${l_parameter_value// /}"
l_value_out="${l_parameter_value//-/ through }";
l_value_out="${l_value_out//|/ or }"
l_value_out="$(tr -d '(){}' <<< "$l_value_out")"
if grep -q '^net.ipv6.' <<< "$l_parameter_name"; then
[ -z "$l_ipv6_disabled" ] && f_ipv6_chk
if [ "$l_ipv6_disabled" = "yes" ]; then
a_output+=(" - IPv6 is disabled on the system, \"$l_parameter_name\" is not applicable")
else
f_kernel_parameter_chk
fi
else
f_kernel_parameter_chk
fi
done < <(printf '%s\n' "${a_parlist[@]}")
if [ "${#a_output2[@]}" -le 0 ]; then
printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""
else
printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}" ""
fi
}

Remediation#

Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in .conf: - net.ipv4.conf.all.log_martians = 1 - net.ipv4.conf.default.log_martians = 1

Example: 

# printf '%s\n' "net.ipv4.conf.all.log_martians = 1" "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf

Run the following script to set the active kernel parameters: 

1
2
3
4
5
6
#!/usr/bin/env bash
{
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
}
Note: If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten

Default Value: net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0