enable_log_martians to false are logged #277

Closed
hdep opened this issue Jun 4, 2021 · 6 comments

Comments

@hdep
Contributor

hdep commented Jun 4, 2021

Describe the bug
I use this module to disable log martians on my system (Debian 9/10) using the following hiera config:
os_hardening::enable_log_martians: false

But my syslog still has log martians:

2021-06-04 14:06:11 host:server [5551525.151041] IPv4: martian source 192.168.66.80 from 0.0.0.0, on dev eth0
2021-06-04 14:06:11 host:server [5551525.151051] ll header: 00000000: ff ff ff ff ff ff 00 00 00 09 02 01 08 00        ..............

Here is my /etc/sysctl.conf file:

root@server:/var/log/apache2# cat /etc/sysctl.conf  | grep martian
#net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

Looking at the sysctl output, the issue comes from the key net.ipv4.conf.eth0.log_martians, which is not managed by the module.

root@cefrsvc-lbneb12:/var/log/apache2# sysctl -a| grep martians
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

Expected behavior
I expected the system to stop logging those messages in /var/log/syslog:

2021-06-04 14:06:11 host:server [5551525.151041] IPv4: martian source 192.168.66.80 from 0.0.0.0, on dev eth0
2021-06-04 14:06:11 host:server [5551525.151051] ll header: 00000000: ff ff ff ff ff ff 00 00 00 09 02 01 08 00        ..............

For this the module must manage the key net.ipv4.conf.eth0.log_martians.

Actual behavior
Log martians are in /var/log/syslog.

Example code


OS / Environment
Debian 9
Debian 10

Puppet Version

5.5.22

Additional context

module version used 2.2.5

@mcgege
Member

mcgege commented Jun 4, 2021

Hi @hdep, I understand that log_martians was somewhere enabled in this system and then you used os_hardening with this hiera setting to disable it, right? As os_hardening is only touching conf.all.log_martians and conf.default.log_martians, interface settings like conf.eth0.log_martians are not changed at runtime. After a system reboot I'd say this should be fine ...
Have you rebooted this system since this change?

@hdep
Contributor Author

hdep commented Jun 4, 2021

Hello,

Yes, this is right. I think Debian by default enables log_martians.
I didn't reboot any server; I'll give it a try and let you know.

@hdep
Contributor Author

hdep commented Jun 4, 2021

After a reboot I have a weird config; log_martians are enabled:

root@serveer:~# sysctl -a | grep martian
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

After a few minutes the config has changed:

root@server:~# sysctl -a | grep martian
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0

To avoid this issue, I'm considering declaring net.ipv4.conf.eth0.log_martians = 0 with another module.

@mcgege
Member

mcgege commented Jun 5, 2021

Hmm ... that really looks like the system comes up with martians enabled (and therefore eth0 is also enabled), and then the sysctl settings from os_hardening disable all and default. I think the simplest solution would be to manually set net.ipv4.conf.eth0.log_martians in /etc/sysctl.conf or /etc/sysctl.d/ via a puppet rule.

@mcgege
Member

mcgege commented Jul 9, 2021

@hdep What should we do with this issue? Can we close this?

@hdep
Contributor Author

hdep commented Jul 15, 2021

I'm closing the issue.

Here is what I deployed on all my servers:


    sysctl { "net.ipv4.conf.${facts['networking']['primary']}.log_martians":
      ensure => present,
      value  => "0",
    }

Because not all my servers have the same interface name (eth0, bond0...).

@hdep hdep closed this as completed Jul 15, 2021
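The thread ends with eth0 still at 1 while all and default are 0, and a fix that only covers the primary interface. The script below is an added example, not code from the os_hardening module or from either participant. It makes two points the thread does not state explicitly. First, for log_martians the kernel ORs net.ipv4.conf.all with the per-interface value (IN_DEV_ORCONF in include/linux/inetdevice.h), so all=0 on its own never silences an interface that still has 1; only net.ipv4.conf.default is copied into interfaces created after it is set, which is why a reboot reorders things but eth0 can still come up at 1. Second, a sysctl.d drop-in that names every interface (eth0, bond0, lo, whatever `/sys/class/net` lists) closes the gap regardless of naming. The sysctl lines embedded in SAMPLE are constructed from the values hdep posted after the reboot; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not the os_hardening module's code).
#
# effective_log_martians: read `sysctl -a`-style lines on stdin and print
# "<iface> <effective>" for every real interface (all/default excluded).
# Assumption, from the kernel source rather than this thread: effective
# value = net.ipv4.conf.all.log_martians OR net.ipv4.conf.<iface>.log_martians.
effective_log_martians() {
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\.[^.]+\.log_martians/ {
            split($1, p, ".")            # p[4] is the interface name
            val[p[4]] = $2
        }
        END {
            a = (("all" in val) ? val["all"] : 0) + 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (a || (val[i] + 0)) ? 1 : 0
                printf "%s %d\n", i, eff
            }
        }' | sort
}

# still_logging: true (exit 0) if any interface is still effectively logging.
still_logging() {
    effective_log_martians | awk '$2 == 1 { found = 1 } END { exit !found }'
}

# martian_dropin: print a sysctl.d drop-in that pins all, default and every
# interface name given as an argument to 0, so the same file works whether
# the host has eth0, bond0 or several NICs.
martian_dropin() {
    echo '# managed: disable log_martians on every interface'
    echo 'net.ipv4.conf.all.log_martians = 0'
    echo 'net.ipv4.conf.default.log_martians = 0'
    for ifc in "$@"; do
        echo "net.ipv4.conf.${ifc}.log_martians = 0"
    done
}

# Constructed sample: the values hdep posted a few minutes after the reboot.
SAMPLE='net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 0'

# Usage on a live host (file name is my choice):
#   sysctl -a 2>/dev/null | grep '\.log_martians' | effective_log_martians
#   martian_dropin $(ls /sys/class/net) > /etc/sysctl.d/99-martians.conf && sysctl --system
```

Run against the sample, `effective_log_martians` reports `eth0 1` and `lo 0`, which matches the messages hdep kept seeing on dev eth0 despite all=0. After the drop-in is loaded with `sysctl --system`, rerun the audit and expect every interface at 0; interfaces added later inherit from `default`, which the drop-in also pins.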