Title

The system must log martian packets. (Cat III impact)

Discussion

Martian packets are packets containing addresses known by the system to be invalid. Logging these messages allows the SA to identify misconfigurations or attacks in progress.

Check Content

If the system is not a global zone, this vulnerability is not applicable. Determine if the system is configured to log martian packets. Examine the IPF rules on the system. Procedure: # ipfstat -i There must be rules logging inbound traffic containing invalid source addresses, which minimally include the system's own addresses and broadcast addresses for attached subnets. If such rules do not exist, this is a finding.

Fix Text

Configure the system to log martian packets using IPF. Add rules logging inbound traffic containing invalid source addresses, which minimally include the system's own addresses and broadcast addresses for attached subnets. For example, consider a system with a single network connection having IP address 192.168.1.10 with a local subnet broadcast address of 192.168.1.255. Packets with source addresses of 192.168.1.10 and 192.168.1.255 must be logged if received by the system from the network connection. Edit /etc/ipf/ipf.conf and add the following rules, substituting local addresses and interface names: block in log quick on ce0 from 192.168.1.10 to any block in log quick on ce0 from 192.168.1.255 to any Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf

Additional Identifiers

Rule ID: SV-226899r603265_rule

Vulnerability ID: V-226899

Group Title: SRG-OS-000062

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.