AlmaLinux OS 9 must log packets with impossible addresses.

STIG ID: ALMA-09-019380  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269251

Vulnerability Discussion

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Check

Verify AlmaLinux OS 9 logs martian packets.

Check the value of the "log_martians" variables with the following command:

$ sysctl -a | grep log_martians

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp1s0.log_martians = 1
net.ipv4.conf.lo.log_martians = 1

If the returned lines do not all have a value of "1", this is a finding.

Fix

Configure AlmaLinux OS 9 to log martian packets.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.