V-38535: Don't respond to ICMPv4 broadcast

Implements: blueprint security-hardening Change-Id: Ib1d3eaa0d0f4f15ba9b238c17f312170d2dcdde5
2015-10-07 15:39:22 -05:00 · 2015-10-07 15:39:22 -05:00 · 19d49e0ea7
commit 19d49e0ea7
parent fa99650739
2 changed files with 15 additions and 0 deletions
--- a/doc/source/developer-notes/V-38535.rst
+++ b/doc/source/developer-notes/V-38535.rst
@ -0,0 +1,3 @@
+By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
+The Ansible tasks for this STIG configuration ensures that the secure default
+setting is maintained.
--- a/openstack-ansible-security/tasks/kernel.yml
+++ b/openstack-ansible-security/tasks/kernel.yml
@ -36,6 +36,18 @@
    - cat3
    - V-38537

+# This is the default in Ubuntu 14.04
+- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
+  sysctl:
+    name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: 1
+    state: present
+    sysctl_set: yes
+  tags:
+    - kernel
+    - cat3
+    - V-38535
+
 # This is the default in Ubuntu 14.04
 - name: V-38596 - Enable virtual address space randomization
  sysctl: