Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bug fix cpu flags and change default for net.ipv4.conf.all.log_martians
- Loading branch information
1 parent
007a08f
commit bb7c532
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@chris-rock I'm confused about this change. If the intended behavior is to disable the logging[1], then wouldn't we want the parameter
net.ipv4.conf.all.log_martiansto be zero/off/false?The test matches what the chef-os-hardening cookbook sets by default[2], but doesn't appear to match the title or the description here?
I'm not sure if that means the title/description should be updated to match the test, or if the cookbook should default this to
0and the test was correct before? If we're talking about hardening, I'm leaning toward the title/description are right, and the cookbook+test are backwards?It gets even more dicey because the CIS level 1 standards say the martian logging should be on[3a][3b]. The Chef base/os compliance profile says the logging should be off, matching the description of this test, if not the dev-sec cookbook and test itself.
Edit: Corrected last sentence.
[1] https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
[2] https://github.com/dev-sec/chef-os-hardening/blob/master/attributes/sysctl.rb#L125-L126
[3a] https://github.com/Huddle/cis_centos6/blob/master/recipes/sysctl.rb#L30-L32
[3b] https://benchmarks.cisecurity.org/tools2/linux/cis_red_hat_enterprise_linux_6_benchmark_v1.1.0.pdf (page 78, section 4.2.4)