---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: V-38528 - The system must log martian packets
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: "{{ (security_sysctl_enable_martian_logging | bool) | ternary('1', '0') }}"
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38528

# This is the default in Ubuntu 14.04
- name: V-38537 - The system must ignore ICMPv4 bogus error responses
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: 1
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38537

# This is the default in Ubuntu 14.04
- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: 1
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat3
    - V-38535

- name: V-38539 - Enable TCP syncookies
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: "{{ (security_sysctl_enable_tcp_syncookies | bool) | ternary('1', '0') }}"
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38539

# This is the default in Ubuntu 14.04
- name: V-38596 - Enable virtual address space randomization
  sysctl:
    name: kernel.randomize_va_space
    value: 2
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38596

- name: V-38600 - Disable sending ICMPv4 redirects
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: 0
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38600

- name: V-38601 - Disable sending ICMPv4 redirects on all interfaces
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: 0
    state: present
    sysctl_set: yes
  tags:
    - kernel
    - cat2
    - V-38601

- name: V-38490 - Disable usb-storage module
  lineinfile:
    dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
    line: "install usb-storage /bin/true"
    create: yes
  when: security_disable_module_usb_storage | bool
  tags:
    - kernel
    - cat2
    - V-38490

- name: V-38514 - Disable DCCP
  lineinfile:
    dest: /etc/modprobe.d/V-38514-disable-dccp.conf
    line: "install dccp /bin/true"
    create: yes
  when: security_disable_module_dccp | bool
  tags:
    - kernel
    - cat2
    - V-38514

- name: V-38515 - Disable SCTP
  lineinfile:
    dest: /etc/modprobe.d/V-38515-disable-sctp.conf
    line: "install sctp /bin/true"
    create: yes
  when: security_disable_module_sctp | bool
  tags:
    - kernel
    - cat2
    - V-38515

- name: V-38516 - Disable RDS
  lineinfile:
    dest: /etc/modprobe.d/V-38516-disable-rds.conf
    line: "install rds /bin/true"
    create: yes
  when: security_disable_module_rds | bool
  tags:
    - kernel
    - cat3
    - V-38516

- name: V-38517 - Disable TIPC
  lineinfile:
    dest: /etc/modprobe.d/V-38517-disable-tipc.conf
    line: "install tipc /bin/true"
    create: yes
  when: security_disable_module_tipc | bool
  tags:
    - kernel
    - cat2
    - V-38517

- name: Disable IPv6
  sysctl:
    name: "{{ item }}"
    value: 1
    state: present
    sysctl_set: yes
  with_items:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
  when: security_disable_ipv6 | bool
  tags:
    - kernel
    - cat2
    - V-38546

- name: V-38682 - Disable bluetooth module
  copy:
    src: V-38682-modprobe.conf
    dest: /etc/modprobe.d/disable-bluetooth.conf
  when: security_disable_module_bluetooth | bool
  tags:
    - kernel
    - cat2
    - V-38682

- name: V-38524 - The system must not accept ICMPv4 redirect packets on any interface
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: 0
    state: present
    sysctl_set: yes
  when: security_disable_icmpv4_redirects | bool
  tags:
    - kernel
    - cat2
    - V-38524

- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
  sysctl:
    name: net.ipv4.tcp_challenge_ack_limit
    value: 1073741823
    state: present
    sysctl_set: yes
  when: security_set_tcp_challenge_ack_limit | bool
  tags:
    - kernel
    - cat3
    - CVE-2016-5696

- name: V-38526 - The system must not accept ICMPv4 secure redirect packets on any interface
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: 0
    state: present
    sysctl_set: yes
  when: security_disable_icmpv4_redirects_secure | bool
  tags:
    - kernel
    - cat2
    - V-38526

- name: V-38548 - The system must ignore ICMPv6 redirects by default
  sysctl:
    name: net.ipv6.conf.all.accept_redirects
    value: 0
    state: present
    sysctl_set: yes
  when: security_disable_icmpv6_redirects | bool
  tags:
    - kernel
    - cat2
    - V-38548