Baseline sysctl-17: Enable logging of martian packets

As this feature can produce large log files, it can be disabled via 'log_martians'

Signed-off-by: Michael Geiger <[email protected]>

README.md

@@ -23,6 +23,8 @@ This Puppet module provides secure configuration of your base OS with hardening.
 * `enable_ipv6_forwarding   = false`
   true if this system requires packet forwarding in IPv6 (eg Router), false otherwise
 * `enable_ipv6 = false`
+* `log_martians = true`
+  true to enable logging on suspicious / unroutable network packets, false otherwise **WARNING - this might generate huge log files!**
 * `arp_restricted = true`
   true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 * `extra_user_paths = []`

manifests/init.pp

@@ -54,6 +54,7 @@
   $enable_core_dump         = false,
   $enable_stack_protection  = true,
   $enable_rpfilter          = true,
+  $log_martians             = true,
 ) {
   # Validate
   # --------
@@ -131,6 +132,7 @@
       enable_core_dump        => $enable_core_dump,
       enable_stack_protection => $enable_stack_protection,
       enable_rpfilter         => $enable_rpfilter,
+      log_martians            => $log_martians,
     }
   }
 }

manifests/sysctl.pp

@@ -23,6 +23,7 @@
   $enable_core_dump        = false,
   $enable_stack_protection = true,
   $enable_rpfilter         = true,
+  $log_martians            = true,
 ){
 
   # set variables
@@ -161,7 +162,13 @@
   sysctl { 'net.ipv4.conf.default.send_redirects': value => '0' }
 
   # log martian packets (risky, may cause DoS)
-  #net.ipv4.conf.all.log_martians = 1
+  if $log_martians {
+    sysctl { 'net.ipv4.conf.all.log_martians': value => '1' }
+    sysctl { 'net.ipv4.conf.default.log_martians': value => '1' }
+  } else {
+    sysctl { 'net.ipv4.conf.all.log_martians': value => '0' }
+    sysctl { 'net.ipv4.conf.default.log_martians': value => '0' }
+  }
 
 
   # System