From 824eaa95f98eaee9f3b0fd15de8985e88d8855f6 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 15:52:08 -0500
Subject: [PATCH] V-38537: Ignore ICMPv4 bogus error messages

Implements: blueprint security-hardening
Change-Id: I203b74f711d7aafac2997fc19231931081834475
---
 doc/source/developer-notes/V-38537.rst      |  2 ++
 openstack-ansible-security/tasks/kernel.yml | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38537.rst

diff --git a/doc/source/developer-notes/V-38537.rst b/doc/source/developer-notes/V-38537.rst
new file mode 100644
index 00000000..beea151d
--- /dev/null
+++ b/doc/source/developer-notes/V-38537.rst
@@ -0,0 +1,2 @@
+Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
+ensure that this default setting is maintained.
diff --git a/openstack-ansible-security/tasks/kernel.yml b/openstack-ansible-security/tasks/kernel.yml
index 467bad5f..a3cfe3ea 100644
--- a/openstack-ansible-security/tasks/kernel.yml
+++ b/openstack-ansible-security/tasks/kernel.yml
@@ -13,6 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# This is the default in Ubuntu 14.04
+- name: V-38537 - The system must ignore ICMPv4 bogus error responses
+  sysctl:
+    name: net.ipv4.icmp_ignore_bogus_error_responses
+    value: 1
+    state: present
+    sysctl_set: yes
+  tags:
+    - kernel
+    - cat3
+    - V-38537
+
 # This is the default in Ubuntu 14.04
 - name: V-38596 - Enable virtual address space randomization
   sysctl:
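Review bot: The new V-38537 task in kernel.yml uses `sysctl_set: yes` together with `state: present`, so the module both writes the running value under /proc/sys and persists it to the sysctl configuration file, but nothing guards the task for hosts where /proc/sys is not writable; if this role is ever applied inside the LXC containers that OpenStack-Ansible deploys (inferred from the project name, not visible here), the play would fail on this task rather than skip it, even though the value is already the distro default. Since the same pattern is used by the neighbouring V-38596 task, any guard should be applied consistently to both, e.g. a shared `when:` condition or a role variable documented in the developer note. The persisted-versus-running distinction is also worth a comment, since `sysctl_set` alone does not survive a reboot and `state: present` alone does not take effect until the next reload; a one-line comment such as `# Applied to the running kernel and persisted so the default survives reboots and later sysctl edits` would make that intent clear. For verification after a run, `sysctl -n net.ipv4.icmp_ignore_bogus_error_responses` should print `1` on the target host.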