# 3.2.4 Ensure suspicious packets are logged
#
# Description
# ===========
# When enabled, this feature logs packets with un-routable source
# addresses to the kernel log.
#
# Rationale
# =========
# Enabling this feature and logging these packets allows an administrator
# to investigate the possibility that an attacker is sending spoofed
# packets to their system.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
#   # sysctl net.ipv4.conf.all.log_martians
#   net.ipv4.conf.all.log_martians = 1
#   # sysctl net.ipv4.conf.default.log_martians
#   net.ipv4.conf.default.log_martians = 1
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
#   net.ipv4.conf.all.log_martians = 1
#   net.ipv4.conf.default.log_martians = 1
#
# Run the following commands to set the active kernel parameters:
#
#   # sysctl -w net.ipv4.conf.all.log_martians=1
#   # sysctl -w net.ipv4.conf.default.log_martians=1
#   # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.conf.all.log_martians: 1
          net.ipv4.conf.default.log_martians: 1