From a970bfd9a7fd6deda7207f070edc87b6b35450cd Mon Sep 17 00:00:00 2001
From: Michael Geiger
Date: Tue, 4 Jul 2017 07:42:22 +0200
Subject: [PATCH] Baseline sysctl-17: Enable logging of martian packets

As this feature can produce large log files, it can be disabled via 'log_martians'

Signed-off-by: Michael Geiger
---
 README.md | 2 ++
 manifests/init.pp | 2 ++
 manifests/sysctl.pp | 9 ++++++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 41ccb8c..b4fda92 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,8 @@ This Puppet module provides secure configuration of your base OS with hardening.
 * `enable_ipv6_forwarding = false`
 true if this system requires packet forwarding in IPv6 (eg Router), false otherwise
 * `enable_ipv6 = false`
+* `enable_log_martians = true`
+ true to enable logging on suspicious / unroutable network packets, false otherwise **WARNING - this might generate huge log files!**
 * `arp_restricted = true`
 true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 * `extra_user_paths = []`
diff --git a/manifests/init.pp b/manifests/init.pp
index d8869f3..3901b4e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -54,6 +54,7 @@
 $enable_core_dump = false,
 $enable_stack_protection = true,
 $enable_rpfilter = true,
+ $enable_log_martians = true,
 ) {
 # Validate
@@ -132,6 +133,7 @@
 enable_core_dump => $enable_core_dump,
 enable_stack_protection => $enable_stack_protection,
 enable_rpfilter => $enable_rpfilter,
+ enable_log_martians => $enable_log_martians,
 }
 }
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
index 5d3c817..2e918b9 100644
--- a/manifests/sysctl.pp
+++ b/manifests/sysctl.pp
@@ -23,6 +23,7 @@
 $enable_core_dump = false,
 $enable_stack_protection = true,
 $enable_rpfilter = true,
+ $enable_log_martians = true,
 ) {
 # set variables
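Review bot: The new `$enable_log_martians` parameter in the manifests/init.pp signature hunk gets no entry in the `# Validate` section that follows it; if the other boolean flags are checked there with `validate_bool` (that section lies outside the hunk), add `validate_bool($enable_log_martians)` beside them so a string such as `'false'` supplied from Hiera fails at catalog compile time instead of being treated as true by the `if` in sysctl.pp. The matching parameter hunk in manifests/sysctl.pp should get the equivalent check if that class validates its inputs. The enclosing class definitions start before these hunks and end after them.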
@@ -161,7 +162,13 @@
 sysctl { 'net.ipv4.conf.default.send_redirects': value => '0' }
 # log martian packets (risky, may cause DoS)
- #net.ipv4.conf.all.log_martians = 1
+ if $enable_log_martians {
+ sysctl { 'net.ipv4.conf.all.log_martians': value => '1' }
+ sysctl { 'net.ipv4.conf.default.log_martians': value => '1' }
+ } else {
+ sysctl { 'net.ipv4.conf.all.log_martians': value => '0' }
+ sysctl { 'net.ipv4.conf.default.log_martians': value => '0' }
+ }
 # System
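Review bot: The comment `# log martian packets (risky, may cause DoS)` kept above the new `if` still describes the old commented-out line; now that both branches manage the setting explicitly it should describe the toggle, e.g. `# log martian packets on all/default interfaces; on by default, set enable_log_martians => false where log volume is a concern`. The two branches differ only in the value, so a selector `$log_martians = $enable_log_martians ? { true => '1', default => '0' }` feeding two `sysctl` resources would avoid declaring the same resource titles twice. Writing an explicit `'0'` in the else branch is the right choice, since it also reverts hosts where the value was switched on outside Puppet. The enclosing class body starts and ends outside the hunk.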