---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: V-38528 - The system must log martian packets
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: 1
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38528

# This is the default in Ubuntu 14.04
- name: V-38537 - The system must ignore ICMPv4 bogus error responses
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: 1
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38537

# This is the default in Ubuntu 14.04
- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: 1
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38535

# This is the default in Ubuntu 14.04
- name: V-38539 - Enable TCP syncookies
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: "{{ sysctl_tunable['tcp_syncookies'] }}"
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38539

# This is the default in Ubuntu 14.04
- name: V-38596 - Enable virtual address space randomization
  sysctl:
    name: kernel.randomize_va_space
    value: 2
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38596

- name: V-38600 - Disable sending ICMPv4 redirects
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: 0
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38600

- name: V-38601 - Disable sending ICMPv4 redirects on all interfaces
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: 0
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38601

- name: V-38490 - Disable usb-storage module
  lineinfile:
    dest: /etc/modprobe.d/disable-usb-storage.conf
    line: "install usb-storage /bin/true"
    create: yes
  when: disable_usb_storage is defined and disable_usb_storage | bool
  tags:
    - kernel
    - cat2
    - V-38490