dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

enable_log_martians to false are logged #277

Closed hdep closed 3 years ago

hdep commented 3 years ago

Describe the bug

I use this module to disable log martians on my system (Debian 9/10) using the following hiera config:

    os_hardening::enable_log_martians: false

But my syslog still has log martians:

2021-06-04 14:06:11 host:server [5551525.151041] IPv4: martian source 192.168.66.80 from 0.0.0.0, on dev eth0
2021-06-04 14:06:11 host:server [5551525.151051] ll header: 00000000: ff ff ff ff ff ff 00 00 00 09 02 01 08 00        ..............

Here is my /etc/sysctl.conf file:

root@server:/var/log/apache2# cat /etc/sysctl.conf  | grep martian
#net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

Looking at the sysctl output, the issue comes from the key net.ipv4.conf.eth0.log_martians, which is not managed by the module.

root@cefrsvc-lbneb12:/var/log/apache2# sysctl -a| grep martians
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

Expected behavior

I expected the system to stop logging those messages in /var/log/syslog:

2021-06-04 14:06:11 host:server [5551525.151041] IPv4: martian source 192.168.66.80 from 0.0.0.0, on dev eth0
2021-06-04 14:06:11 host:server [5551525.151051] ll header: 00000000: ff ff ff ff ff ff 00 00 00 09 02 01 08 00        ..............

For this, the module must manage the key net.ipv4.conf.eth0.log_martians.

Actual behavior

Log martians are in /var/log/syslog.

Example code

OS / Environment

Debian 9, Debian 10

Puppet Version

5.5.22

Additional context

Module version used: 2.2.5

mcgege commented 3 years ago

Hi @hdep , I understand that log_martians was somewhere enabled in this system and then you used os_hardening with this hiera setting to disable it, right? As os_hardening is only touching conf.all.log_martians and conf.default.log_martians, interface settings like conf.eth0.log_martians are not changed at runtime. After a system reboot I'd say this should be fine ... Have you rebooted this system since this change?

hdep commented 3 years ago

Hello,

Yes, this is right. I think Debian enables log_martians by default. I didn't reboot any server; I'll give it a try and let you know.

hdep commented 3 years ago

After a reboot I have a weird config, log_martians are enabled:

root@serveer:~# sysctl -a | grep martian
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

After a few minutes the config is changed:

root@server:~# sysctl -a | grep martian
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

To avoid this issue, I'm considering declaring net.ipv4.conf.eth0.log_martians = 0 with another module.

mcgege commented 3 years ago

Hmm ... that really looks like the system comes up with martians enabled (and therefore eth0 is also enabled), and then the sysctl settings from os_hardening disable all and default. I think the simplest solution would be to manually set net.ipv4.conf.eth0.log_martians in /etc/sysctl.conf or /etc/sysctl.d/ via a puppet rule.

mcgege commented 3 years ago

@hdep What should we do with this issue? Can we close this?

hdep commented 3 years ago

I'm closing the issue.

Here is what I deployed on all my servers:


    sysctl { "net.ipv4.conf.${facts['networking']['primary']}.log_martians":
      ensure => present,
      value  => "0",
    }

Because not all my servers have the same interface name (eth0, bond0...).
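As an added check (not part of the dev-sec module or of hdep's fix), the POSIX shell snippet below reads sysctl-style `key = value` lines, reports every interface whose log_martians value differs from net.ipv4.conf.all.log_martians (the boot-order drift seen above), and prints the sysctl.d lines that would pin those interfaces to the conf.all value. The sample input is constructed from the values posted in this issue, and the function names drift_ifaces and sysctl_lines are my own.

```shell
#!/bin/sh
# Constructed sample: the `sysctl -a | grep martian` output posted in this issue
# after the module has set conf.all/conf.default but eth0 kept its boot value.
SAMPLE='net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0'

# drift_ifaces: read "key = value" lines on stdin, print (sorted) the interface
# names whose log_martians differs from net.ipv4.conf.all.log_martians.
# "all" and "default" are templates, not interfaces, so they are skipped.
drift_ifaces() {
    awk -F'[ =]+' '
        $1 == "net.ipv4.conf.all.log_martians" { want = $2 }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.log_martians$/ {
            split($1, p, ".")
            if (p[4] != "all" && p[4] != "default") { val[p[4]] = $2 }
        }
        # if conf.all is absent, want is empty and every interface is reported
        END { for (i in val) if (val[i] != want) print i }
    ' | sort
}

# sysctl_lines: given the same text as $1, emit one sysctl.d line per drifted
# interface that pins it to the conf.all value (what hdep's puppet rule does
# for the primary interface only).
sysctl_lines() {
    want=$(printf '%s\n' "$1" | awk -F'[ =]+' \
        '$1 == "net.ipv4.conf.all.log_martians" { print $2 }')
    printf '%s\n' "$1" | drift_ifaces | while read -r ifc; do
        printf 'net.ipv4.conf.%s.log_martians = %s\n' "$ifc" "$want"
    done
}

printf '%s\n' "$SAMPLE" | drift_ifaces
sysctl_lines "$SAMPLE"
```

On a live host, feed `sysctl -a 2>/dev/null | grep log_martians` to drift_ifaces to see which interfaces still carry the boot-time value after the module has run.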