Title

The system must log martian packets. (Cat III impact)

Discussion

Martian packets are packets containing addresses known by the system to be invalid. Logging these messages allows the SA to identify misconfigurations or attacks in progress.

Check Content

Determine if the system is configured to log martian packets. Examine the IPF rules on the system. # lsfilt -a There must be rules to log inbound traffic containing invalid source addresses, which minimally include the system's own addresses and broadcast addresses for attached subnets. If no such rules exist, this is a finding.

Fix Text

Configure the system to log martian packets. Add rules to log inbound traffic containing invalid source addresses, which minimally include the system's own addresses and broadcast addresses for attached subnets. For example, consider a system with a single network connection having IP address 192.168.1.10 with a local subnet broadcast address of 192.168.1.255. Packets with source addresses of 192.168.1.10 and 192.168.1.255 must be logged if received by the system from the network connection. Use the smit utility or genfilt command to add logging of martian packets (packets with a source address of 192.168.1.10 and 192.168.1.255). # smitty ipsec4 OR # genfilt -v4 -a P -s 192.168.1.10 -m 0.0.0.0 -d 0.0.0.0 -M -0.0.0.0 -c all -o any -O any -p 0 -P 0 -w I -l y -i en0 # genfilt -v4 -a P -s 192.168.1.255 -m 0.0.0.0 -d 0.0.0.0 -M -0.0.0.0 -c all -o any -O any -p 0 -P 0 -w I -l y -i en0

Additional Identifiers

Rule ID: SV-38868r1_rule

Vulnerability ID: V-22418

Group Title: GEN003611

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.