Ensure System is Not Acting as a Network Sniffer

An XCCDF Rule

Description

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:

$ ip link | grep PROMISC

Promiscuous mode of an interface can be disabled with the following command:

$ sudo ip link set dev device_name multicast off promisc off

Rationale

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

ID: xccdf_org.ssgproject.content_rule_network_sniffer_disabled
Severity: Medium
References: 1 11 14 3 9

APO11.06 APO12.06 BAI03.10 BAI09.01 BAI09.02 BAI09.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS04.05 DSS05.02 DSS05.05 DSS06.06

CCI-000366

4.2.3.4 4.3.3.3.7 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.4

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 SR 7.8

A.11.1.2 A.11.2.4 A.11.2.5 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.16.1.6 A.8.1.1 A.8.1.2 A.9.1.2

CM-6(b)

DE.DP-5 ID.AM-1 PR.IP-1 PR.MA-1 PR.PT-3

SRG-OS-000480-GPOS-00227

SLES-12-030440

SV-217297r603262_rule

CCE-83147-9

1.4.5
Updated: about 1 year ago

- name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces
  ansible.builtin.command:
    cmd: ip link show
  register: network_interfaces
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - CCE-83147-9
  - DISA-STIG-SLES-12-030440
  - NIST-800-53-CM-6(b)
  - PCI-DSSv4-1.4.5
  - low_complexity
  - low_disruption
  - medium_severity
  - network_sniffer_disabled
  - no_reboot_needed
  - restrict_strategy

- name: Ensure System is Not Acting as a Network Sniffer - Disable promiscuous mode
  ansible.builtin.command:
    cmd: ip link set dev {{ item.split(':')[1] }} multicast off promisc off
  loop: '{{ network_interfaces.stdout_lines }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - item.split(':') | length == 3
  tags:
  - CCE-83147-9
  - DISA-STIG-SLES-12-030440
  - NIST-800-53-CM-6(b)
  - PCI-DSSv4-1.4.5
  - low_complexity
  - low_disruption
  - medium_severity
  - network_sniffer_disabled
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do
    ip link set dev $interface multicast off promisc off
done
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure System is Not Acting as a Network Sniffer

Description

Rationale

Remediation - Ansible

Remediation - Shell Script