openstack/ansible-hardening
Code Issues Proposed changes

V-38535: Don't respond to ICMPv4 broadcast

Browse Source 
Implements: blueprint security-hardening

Change-Id: Ib1d3eaa0d0f4f15ba9b238c17f312170d2dcdde5
This commit is contained in:
Major Hayden 2015-10-07 15:39:22 -05:00
parent fa99650739
commit 19d49e0ea7
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/source/developer-notes/V-38535.rst Normal file
View File

@ -0,0 +1,3 @@
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
The Ansible tasks for this STIG configuration ensures that the secure default
setting is maintained.

12
openstack-ansible-security/tasks/kernel.yml
View File

@ -36,6 +36,18 @@
- cat3 - cat3
- V-38537 - V-38537
# This is the default in Ubuntu 14.04
- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
state: present
sysctl_set: yes
tags:
- kernel
- cat3
- V-38535
# This is the default in Ubuntu 14.04 # This is the default in Ubuntu 14.04
- name: V-38596 - Enable virtual address space randomization - name: V-38596 - Enable virtual address space randomization
sysctl: sysctl: