Ensure System is Not Acting as a Network Sniffer

An XCCDF Rule

Description

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:

$ ip link | grep PROMISC

Promiscuous mode of an interface can be disabled with the following command:

$ sudo ip link set dev device_name multicast off promisc off

Rationale

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

ID
xccdf_org.ssgproject.content_rule_network_sniffer_disabled
Severity
Medium

Remediation - Shell Script

# Remediation is applicable only on certain platforms (not inside containers)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # Walk every interface listed by "ip link show" ("N: name: <flags> ...").
    # The "@peer" suffix that veth/VLAN interfaces carry (e.g. "veth0@if12") is
    # stripped, because "ip link set dev" only accepts the bare interface name.
    for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2 | cut -d "@" -f 1); do
        ip link set dev "$interface" multicast off promisc off
    done

fi
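As an added example (not part of the SSG rule or its remediation content), the following POSIX shell helper carries the description's PROMISC check and the remediation loop through on constructed "ip link show" output: it strips the @peer suffix that veth and VLAN interfaces carry, returns pass/fail in the same sense as the XCCDF check, and prints the remediation commands for review instead of running them. The function names and the sample output are assumptions of this example, and it deliberately clears only promisc, leaving multicast on because IPv6 neighbour discovery depends on it.

```shell
#!/bin/sh
# Added audit helper, not part of the SSG rule content. It parses "ip link show"
# output, reports interfaces carrying the PROMISC flag and prints (but does not
# run) the matching "ip link set" commands, so the plan can be reviewed first.
# Unlike the rule's remediation it leaves multicast alone: IPv6 neighbour
# discovery depends on multicast, and only promiscuous mode is the finding here.

# list_promisc: read "ip link show" output on stdin and print one bare interface
# name per line for every interface whose flag set contains PROMISC.
# Lines look like "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu ...";
# veth/VLAN peers appear as "veth0@if12", and "ip link set dev" wants "veth0".
list_promisc() {
    awk -F': ' '/^[0-9]+:/ && $3 ~ /PROMISC/ {
        name = $2
        sub(/@.*/, "", name)
        print name
    }'
}

# check_promisc: exit 0 (pass) when no interface on stdin is promiscuous,
# 1 (fail) otherwise, matching the pass/fail sense of the XCCDF check.
check_promisc() {
    [ -z "$(list_promisc)" ]
}

# plan_remediation: print the command that would clear PROMISC on each
# offending interface, one per line, without executing anything.
plan_remediation() {
    list_promisc | while IFS= read -r dev; do
        printf 'ip link set dev %s promisc off\n' "$dev"
    done
}

# Constructed sample in "ip link show" format (not captured from a real host):
# lo is clean, eth0 and a veth peer are promiscuous.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: veth0@if12: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff'

# Live use on a host:  ip link show | check_promisc || ip link show | plan_remediation
# Demonstration on the constructed sample (prints two "ip link set" lines):
printf '%s\n' "$SAMPLE" | plan_remediation
```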

Remediation - Ansible

- name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces
  ansible.builtin.command:
    cmd: ip link show
  register: network_interfaces
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags: