{"description": "To set the runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.default.log_martians = 1</pre>", "rationale": "The presence of \"martian\" packets (which have impossible addresses)\nas well as spoofed packets, source-routed packets, and redirects could be a\nsign of nefarious network activity. Logging these packets enables this activity\nto be detected.", "severity": "unknown", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "2", "3", "7", "8", "9"], "cobit5": ["APO13.01", "BAI04.04", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS01.04", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.05", "DSS05.07", "DSS06.06"], "cui": ["3.1.20"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.2", "SR 7.1", "SR 7.2", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.1.3", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.17.2.1", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "SC-5(3)(a)"], "nist-csf": ["DE.CM-1", "PR.AC-3", "PR.DS-4", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "srg": ["SRG-OS-000480-GPOS-00227"], "cis": ["3.3.9"]}, 
"control_references": {"cis": ["3.3.9"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl net.ipv4.conf.default.log_martians</pre>\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must log IPv4 packets with impossible addresses by default.", "fixtext": "Configure Ubuntu 22.04 to log martian packets on IPv4 interfaces by default.\n\nAdd or edit the following line in a single system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.log_martians=1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "Verify Ubuntu 22.04 logs IPv4 martian packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.log_martians\n\nnet.ipv4.conf.default.log_martians = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.log_martians | tail -1\n\nnet.ipv4.conf.default.log_martians = 1\n\nIf \"net.ipv4.conf.default.log_martians\" is not set to \"1\" or is missing, this is a finding.", "vuldiscussion": "The presence of \"martian\" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected."}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_net_ipv4_conf_default_log_martians_value=xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_log_martians_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_conf_default_log_martians.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_conf_default_log_martians.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.conf.default.log_martians", "datatype": "int"}, "backends": {}}}