From 19d49e0ea738e306d28a89d84d4064097476fcb9 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 15:39:22 -0500
Subject: [PATCH] V-38535: Don't respond to ICMPv4 broadcast

Implements: blueprint security-hardening
Change-Id: Ib1d3eaa0d0f4f15ba9b238c17f312170d2dcdde5
---
 doc/source/developer-notes/V-38535.rst | 3 +++
 openstack-ansible-security/tasks/kernel.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38535.rst

diff --git a/doc/source/developer-notes/V-38535.rst b/doc/source/developer-notes/V-38535.rst
new file mode 100644
index 00000000..fd9273bf
--- /dev/null
+++ b/doc/source/developer-notes/V-38535.rst
@@ -0,0 +1,3 @@
+By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
+The Ansible tasks for this STIG configuration ensures that the secure default
+setting is maintained.
diff --git a/openstack-ansible-security/tasks/kernel.yml b/openstack-ansible-security/tasks/kernel.yml
index bf388fe7..1e2aa39c 100644
--- a/openstack-ansible-security/tasks/kernel.yml
+++ b/openstack-ansible-security/tasks/kernel.yml
@@ -36,6 +36,18 @@
     - cat3
     - V-38537
 
+# This is the default in Ubuntu 14.04
+- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
+  sysctl:
+    name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: 1
+    state: present
+    sysctl_set: yes
+  tags:
+    - kernel
+    - cat3
+    - V-38535
+
 # This is the default in Ubuntu 14.04
 - name: V-38596 - Enable virtual address space randomization
   sysctl:
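Review bot: The new V-38535 task persists the key through the sysctl module's default `sysctl_file` (/etc/sysctl.conf), so the hunk gives no assurance that a later drop-in under /etc/sysctl.d cannot reset `net.ipv4.icmp_echo_ignore_broadcasts` to 0 at boot; if the role's other tasks write to a dedicated file, this one should name it explicitly, e.g. `sysctl_file: /etc/sysctl.d/<ROLE_SYSCTL_FILE>.conf` (placeholder), and the same applies to the neighbouring V-38596 task if it relies on the default. The leading comment `# This is the default in Ubuntu 14.04` only restates the developer note; a comment giving the defender's reason would be more useful to the next maintainer, e.g. `# 0 would let the host answer broadcast pings and act as an amplifier; keep the kernel default of 1 enforced and persisted`. `sysctl_set: yes` with the module's default `reload` means the runtime value is applied on the same run, which is correct here and worth a brief comment so nobody removes it as redundant.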